Malware Analysis Report

2025-08-06 00:45

Sample ID 240403-w8jr9she34
Target 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk
SHA256 17020d36302682ea80022bfe8a3f3d4cdf618cd46b8ca620c244cbd70c3fad4d
Tags spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10
SHA256 17020d36302682ea80022bfe8a3f3d4cdf618cd46b8ca620c244cbd70c3fad4d

Threat Level: Shows suspicious behavior

The file 2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: LoadsDriver

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-03 18:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-03 18:35
Reported 2024-04-03 18:38
Platform win7-20240221-en
Max time kernel 117s
Max time network 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe"

Network

N/A

Files

memory/2176-0-0x0000000140000000-0x0000000140592000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-03 18:35
Reported 2024-04-03 18:38
Platform win10v2004-20240226-en
Max time kernel 41s
Max time network 45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\5cc5d3a62a644d7f.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\java.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005877e8c6f585da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f1305d1f585da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb87fbc6f585da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081fe6acff585da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133566429454719297" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e32e2cff585da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075fca8cff585da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000922391cff585da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
PID 2312 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe
PID 2312 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2312 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 1552 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4284 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 4744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4104 wrote to memory of 2776 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-03_3f28151e194a2cc7864d423bb3ec331f_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2a8,0x2a0,0x2a4,0x29c,0x2f0,0x140462458,0x140462468,0x140462478

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3f209758,0x7ffa3f209768,0x7ffa3f209778

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4048 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:1

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1628,i,15376624773238480337,1914156623818709845,131072 /prefetch:8

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff65c527688,0x7ff65c527698,0x7ff65c5276a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff65c527688,0x7ff65c527698,0x7ff65c5276a8

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 33.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 10.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
GB 172.217.169.46:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 34.174.61.199:80 npukfztj.biz tcp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 227.97.18.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 5.11.19.2.in-addr.arpa udp
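The Network table mixes PTR lookups, resolver traffic, the Google endpoints reached by the Chrome processes listed under Processes, and the .biz names the sample itself resolves and connects to. The script below is an added example (not part of the sandbox report or its tooling) that parses rows copied from the table above and separates three things a responder wants: names the sample both resolved and connected to (with the IPs used), names it only resolved during the capture, and a blocklist of the distinct destinations. Treating www.google.com and clients2.google.com as detonation noise is an assumption based on the crashpad command lines under Processes; the vowel-ratio score is a weak ranking heuristic for algorithmically generated names, not a verdict.

```python
import re
from collections import defaultdict

# Rows copied from the Network table of this report (country, destination, domain, proto).
# PTR rows and repeated connections are kept so the parser sees the shapes the report emits.
NETWORK_ROWS = """\
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
GB 172.217.169.46:443 clients2.google.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cvgrf.biz udp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
"""

# Assumption: the Google endpoints are reached by the Chrome processes listed under
# Processes (crashpad posts to https://clients2.google.com/cr/report), so they are
# treated as detonation noise rather than as infrastructure of the sample.
EXPECTED_DOMAINS = {"www.google.com", "clients2.google.com"}

ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Turn the flattened table into dicts; the mDNS row carries no domain."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def vowel_ratio(domain):
    """Share of vowels in the registrable label. Low values are only a weak hint
    of algorithmically generated names; use it to rank, never to decide."""
    label = domain.split(".")[-2] if "." in domain else domain
    vowels = sum(ch in "aeiou" for ch in label.lower())
    return round(vowels / len(label), 2) if label else 0.0


def summarize(text):
    queried = set()
    connections = defaultdict(set)
    for row in parse_rows(text):
        domain = row["domain"]
        if domain is None or domain.endswith(".in-addr.arpa"):
            continue  # mDNS row without a name, or PTR lookups of IPs already seen
        if row["port"] == "53" and row["proto"] == "udp":
            queried.add(domain)
        else:
            connections[domain].add(row["ip"])
    contacted = {d: sorted(ips) for d, ips in connections.items() if d not in EXPECTED_DOMAINS}
    # Names resolved but never connected to within the capture window.
    queried_only = {d for d in queried if d not in connections and d not in EXPECTED_DOMAINS}
    scores = {d: vowel_ratio(d) for d in sorted(set(contacted) | queried_only)}
    return {"contacted": contacted, "queried_only": queried_only, "scores": scores}


def blocklist_ips(summary):
    """Distinct non-DNS destinations the sample reached, for a network blocklist."""
    return sorted({ip for ips in summary["contacted"].values() for ip in ips})


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for domain, ips in sorted(s["contacted"].items()):
        print(f"{domain:16} vowel_ratio={s['scores'][domain]:.2f} -> {', '.join(ips)}")
    print("queried only:", ", ".join(sorted(s["queried_only"])))
    print("blocklist:", ", ".join(blocklist_ips(s)))
```

Two of the names (ssbzmoy.biz and knjghuig.biz) resolve to the same host, 34.128.82.12, which is why the blocklist is keyed on IPs rather than names; the four names that were only resolved are still worth a DNS-log search, since a later run may reach them.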

Files

memory/2312-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

memory/2312-2-0x0000000140000000-0x0000000140592000-memory.dmp

memory/2312-7-0x0000000001FC0000-0x0000000002020000-memory.dmp

memory/1612-11-0x0000000000750000-0x00000000007B0000-memory.dmp

memory/1612-14-0x0000000140000000-0x0000000140592000-memory.dmp

memory/3940-18-0x0000000000700000-0x0000000000760000-memory.dmp

C:\Windows\System32\alg.exe

MD5 6956f18f798bcea24f5dbaadd813233c
SHA1 52a15fd4b7a7b9c03238dea64026c3908e0a21a4
SHA256 55266722326fb22f4292b1d4531e880d022c2fb9bbe2fc29bd75a6f3ac3e8605
SHA512 c6812c55a459d35f5530e888a0f119a788d3cecd74657e45c8238490939fc6c687e0adc64079f7fdc506bce7a520f9b7570444ab6e0c05d72f441256b1ee53e7

memory/3940-20-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/1612-22-0x0000000000750000-0x00000000007B0000-memory.dmp

memory/2312-28-0x0000000001FC0000-0x0000000002020000-memory.dmp

C:\Users\Admin\AppData\Roaming\5cc5d3a62a644d7f.bin

MD5 4038b2933dde6b6b78b2f99b5ac715f4
SHA1 36800ba91627159b5d117f9adc779ab5751e6697
SHA256 bdda059be64a4b620c1492a50af07c653cd03d6e62235b7fd3e7b906b2a98c71
SHA512 1c1c9f0c53ad758607ba826356f628f0ca6f68f2412a787350a9375daa3b0f4dbabf857f06a6073f66f9641b0a95de6bcb242b056cc1bb66df70b5c211031796

memory/3940-32-0x0000000000700000-0x0000000000760000-memory.dmp

memory/2312-38-0x0000000140000000-0x0000000140592000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 b605879e08d2c37a89e0a7cf9cebb008
SHA1 547075286a6e5e6a304912cef29adf2a5379458d
SHA256 2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a
SHA512 f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 69ab6d7d61e50f5f6199070d59c5c42d
SHA1 a3d89c37662f34ea1714e10e99d9ba427aa27f53
SHA256 5f60df782084fa7dc65ae7dd47e94034941fd50cf9bf5a25668b0af44db120d8
SHA512 bdf94af8ba3d6c3cb236546a3fc3758b21006500cb9c1e8ee3480655e9cadbbef9557d954d379205f25fc861ae2324bd93d932cf964758ef035cbff745e24905

memory/3328-43-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/3328-44-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/3328-50-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 472ab2fbb28005489a8e564f0cfcd69b
SHA1 efd348cd5382f8ce5f1a903fb6d961dfb3c4dd8b
SHA256 0575ff010bf4dca1df8f0f07ed6cd716151ca3a8d135fbc44b53b82b465477a3
SHA512 a1d7ec09b427610a49b65702f14cd64b2be5ff95d8d8b043504dd6d6a975e49f735c3902d26edb1c0cfd5dab05d715b8d3732c11b785aacbc9edab1b00449b33

memory/1728-56-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1728-57-0x0000000000E60000-0x0000000000EC0000-memory.dmp

memory/1728-63-0x0000000000E60000-0x0000000000EC0000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 d2ca8a94714501a325313aa12e44825d
SHA1 558bbb032e099367328739232bbcb469c62e40d7
SHA256 df3d5027e1ff31145bdf3ac03672604d65d2237c0545d7ddfd071eb44e1b18b9
SHA512 0ebbdacc406a51da5c9f743a627cb47951534124f273267fcb80086c89fe8b5f1e5ba24b24e7c19039e12ebfbd47b201b23d4419dda2a584838fd0fdd6a47aa0

memory/1688-68-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/1688-67-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1688-75-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/1728-84-0x0000000000E60000-0x0000000000EC0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

\??\pipe\crashpad_4104_EZCYRSNYUDKKUEKN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1728-93-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 517762db25ad70c0aaa5c4755d9c3a37
SHA1 674cbbcda4f3b813c7184b35e95d7fe3a604ffb4
SHA256 f1b2818c0172af5d17239329092529618814e19f84173d89ccca141e4e6dcd71
SHA512 fccae91e53d9e98aab47a7b7875b4a0af60c7cd162e38331168a8dd3769285040ccd22a73e0220faa819ab9a861a85653b6848a98f2cd4d5b15274412dbf09ca

memory/444-98-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/444-99-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1612-96-0x0000000140000000-0x0000000140592000-memory.dmp

memory/3940-105-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/444-106-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/444-107-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/1688-109-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/1688-113-0x0000000140000000-0x0000000140237000-memory.dmp

memory/1296-115-0x0000000140000000-0x00000001400CA000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 7b206066490e94147681def9d08f5dbf
SHA1 6f82ce44f17ff4653c8d3fe0fc744dbba3b73fd3
SHA256 86f40f0528319fb502e099e1683650136f8d86248914f8be99aa13d9e07c2a18
SHA512 3ce475c37a188dbfd362a1339061f3b10c9e0c5d814e1085ff61dc890d6a4ddd82dc207ebaaf66d50eefebef8b84ecf6c87bc053c63b7bd4c5c1a13e067d8f64

memory/1296-114-0x0000000001A50000-0x0000000001AB0000-memory.dmp

memory/1296-121-0x0000000001A50000-0x0000000001AB0000-memory.dmp

memory/1296-128-0x0000000140000000-0x00000001400CA000-memory.dmp

memory/1296-129-0x0000000001A50000-0x0000000001AB0000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 15ac5ac9af23dd385c31c4f6d064eac4
SHA1 6badf584e7cd6253f1f451ac171a3c6e9091686f
SHA256 df2bbd48ffb68b305f763c7be9d4dd5e1dcac0ec1c56c5e53649266597582007
SHA512 461fc6497ad080fd87e9617248d026c268193e1192bcc4dc2965aebe1910db441bc01701e5313a096f1aa66f2e6af84c30ccbb97987fbd0aa9f5ca16e6404a76

memory/3328-133-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/2028-135-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/2028-140-0x0000000000D50000-0x0000000000DB0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 1c1b1c1f6fc905ba5969bf294c082a22
SHA1 596810c5c1ce6c722c89d80272160fa08e549351
SHA256 429fdd29d4b550b5789f37b9f9be2fc2db023159673238053f40182ce69b879f
SHA512 b8763c1ba809ac3b5c657ee2e3b63df3c02aa82107353f12c2066ed44d3d8c608ff67de2a1e34a0f952bf9b79e22212da4b0e5e118df251c802331511e4d5055

memory/4080-146-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/4080-154-0x0000000000810000-0x0000000000870000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 39c976d26d44b56ef0e7926c5392c0f1
SHA1 714c9d25231ab9408127154ae49b68ec57ca8d01
SHA256 ec74c1c78c7f19a8b873264fd66f0dae440e39daaf68cc966011ccd81636f5c2
SHA512 af041d7d07142f89ef8f569b57f4f96d2da9a1bc77e6b53a97b1a6cdd9992f402bef97e3c70860197e7fc16ea029fd3a8c66f8185cab8487563b6a28d70c3ba2

memory/1656-160-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/1656-169-0x0000000000BC0000-0x0000000000C20000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 a291886ae27e3780fcbeaa90c1b76355
SHA1 a6b727a070a5fc1f93fec77544b0ae71b0806fb4
SHA256 70f4460184acd12de8330397e0eda3da9efabae0d99bdf544a17ca77f08d69b5
SHA512 468684d859caf82adb8dd13ee34ab7661437a5eab52dab25c30a7d9f287c9bcd920cefd335bc9a8dec793909a3d5da650a625953b8d47c22311ff2200b083b3f

memory/444-172-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3124-173-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3124-180-0x0000000000760000-0x00000000007C7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Windows\System32\Locator.exe

MD5 e103e184cb0b2f2ecf936e0a2e0664aa
SHA1 135fad0443b7c98374a28e5ff951be51a0899c4e
SHA256 ed4a16942d82d6deb714a5cde29fa568ead96603c86413394cdff5f027a77e80
SHA512 f1162a05d6d3d979efba8b57fa5e84fe39b18963ac7116a0fdd89a3cf9ff49c683b6f7525ef1aecbe0bce5d153b77431ac8ae659ada53dc008938b384b411508

memory/2980-192-0x0000000140000000-0x0000000140095000-memory.dmp

memory/2980-201-0x0000000000680000-0x00000000006E0000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 cbaedf0a9546145fc92734cadef4560f
SHA1 4c26b2412b92e093ff50fa295a68091b710f759a
SHA256 878f2c3fd871697666ed7b6c12e56a27c5aa93a71c60ca94a5104ef8bcb4aca3
SHA512 baf35f9729c421e980d17686a967b73b8ab46710e497b662afcfbe80a8512e101a36f6f3b5ea5a8f415e815f7b21200c92bd370f8d7976724970ec5e2f00a1aa

memory/2028-204-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/4780-207-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4780-213-0x0000000000770000-0x00000000007D0000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 c36b49c779f1762c310bd293e455d866
SHA1 96c566db82b6f38f8c968dd6fdacb4b39982b99a
SHA256 7094abbc11020df0cd3b91f0c86c1d23c6fbf18b4910ebf45f3490d3f4d64bf0
SHA512 14dedeb7733a990c11f7e0e16152a7ba15108c827ad2c884232167557c99eb29c2da75be022c414ba95d5720a4659f5b3844c1e1536cd24749b02922a885ffb8

memory/4080-219-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/1208-221-0x0000000140000000-0x0000000140096000-memory.dmp

memory/1208-227-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 af10440d9abe68b72e3607eb42a448a1
SHA1 207f783780d08cf571091b309769ad7411551290
SHA256 b3dcb30767ae7c72c1a90e387251a7454a1936ca9a857a1b48e5322314c62013
SHA512 8d93ac034ed9e1f727853fa666171bb5fda970f13f8be82237856d64155d506be25da367093b5ae01e79a20eb8b37297a96a3f5a24f9913802160ddd7a334ba7

memory/1656-231-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/1296-234-0x0000000140000000-0x0000000140169000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 1d2c4d485ced7955b711091163b4f6b1
SHA1 fd6ceba5e7bc75ac8576ca11b217463f0115a48a
SHA256 221973be64ffa5df3bd7da8391c34cfc57c4ed1c4185b8a2f1522172e14f1a0d
SHA512 905685e9988113587d70d516a8d1c7a7f1924b0f508581e14b94dbf9aa836b3e74d34fbd098094e387a1bd79cab7a76d39719416840cc2a60da0b38be5103d37

memory/1296-242-0x0000000000740000-0x00000000007A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 722ffae32ff2db00d33960bcdd16bc06
SHA1 c31db83e7f45cf5b34264bc54a3b4a2dd7273af0
SHA256 16988ae868443f33c1a113afa2e77fc841eb5963ea35bb5bac6fff4192c973bb
SHA512 866be0efd9f300c05af70b898ede5f9538cce8f026947f5cb0330a965190cfcb88df1b0fd6cc0e53d16bf7a97b08e6fd310be5b1bb66fe8428da3e08457cde41

C:\Windows\TEMP\Crashpad\settings.dat

MD5 7806f070ee1bf48d945790a0c2a61355
SHA1 cd3804e5db65628f5a3c0a8accbcb6d10544280c
SHA256 6520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895
SHA512 c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 5da973abbe03d942e53cfac58f43dfbb
SHA1 1abba40e1f2d1aa74411e6a7ded43025132f01ae
SHA256 e052b6dcff5b3082477ff9fc12f98180a6021a548bf03110d732567f73c232a6
SHA512 20fb8144a17b8ad50604acacf79fb85b1306b87c268323330f4e50cf3a7d1e0578261bfa75b3e245c4e8c35149578db157756f9db181e7870f1ac9cf095aa5f4

memory/3124-251-0x0000000000400000-0x0000000000497000-memory.dmp

memory/5328-256-0x0000000140000000-0x0000000140102000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\c6fc76aa-0a0c-4a7d-aaba-0d3043f0e0a5.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/3124-273-0x0000000000760000-0x00000000007C7000-memory.dmp

memory/5328-275-0x0000000000DC0000-0x0000000000E20000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 888e8291c5ba8d5309706904f397dcfc
SHA1 f6d3c43a40cf0346d895e02770a956272e068e0e
SHA256 d322aeefa5251b9373c120275ad6b5f6ada3eff66a5f86c63196f185b8dbfcc5
SHA512 fb13d796bf935e10af7c5cf5066ccaf9458318f306fde3023d9300a203b587fac49f8c4c78b33cefd2582c3eb70fa2f42394848be9f36e58abbaf4183d736c84

memory/2980-278-0x0000000140000000-0x0000000140095000-memory.dmp

memory/5556-279-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/5556-288-0x00000000008B0000-0x0000000000910000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 65a52de0f9a7429939f81bfb6b26e2b1
SHA1 2dfaca36a73fa7687babc03a4955d987803a2571
SHA256 817818040db2914eb5c3681207161632f7f0072f48fc313e007d8b5c34216c8e
SHA512 a16c21500b9efad5c9100af9fb537a8ed89930b0dcb4dfd6cdde93900db1c19c14f8982567cc0af317cf2666a986c43c46b42d97ec066d4c78831f8dad4d3268

memory/4780-291-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/5704-294-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/5704-301-0x0000000000500000-0x0000000000560000-memory.dmp

memory/5704-305-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/5704-306-0x0000000000500000-0x0000000000560000-memory.dmp

memory/1208-308-0x0000000140000000-0x0000000140096000-memory.dmp

C:\Windows\System32\vds.exe

MD5 483fc72ddae4ca018c51dd2f3a41ac11
SHA1 2d334b9c3aefde6d55738ba447ef2a34fcf62df3
SHA256 61197bc6924347427b8ee718ffcfebe820fedc3f38bf503b53769b584ef549eb
SHA512 4017bec5ff43fcf1c35f1e527ed3e5092a876be980ad3b6487eaf63b5a1fd4dd349ee250015b3c9a413bcea70e663730fd5c7acb2daa567eae62f0121c755b43

memory/5804-311-0x0000000140000000-0x0000000140147000-memory.dmp

memory/5804-317-0x0000000000BC0000-0x0000000000C20000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 1d6ccf586d8e5efacb335630428cd5cf
SHA1 480b92862b20745f0be54926bc5c1384b3cd2990
SHA256 55dc4b0a3c2df2586e9aaf16dbfe04ec38690780ba6aa8de016d594a6150b4d9
SHA512 fc05cc69bc9cdf719669bab4f2648529a1ecba8d1647a12d14c30d45e9e398e901b88407594304a39bcbf56ad7180681248005c478e5f9c6db77112896c7c8c7

memory/1296-322-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5920-323-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/5920-330-0x0000000000750000-0x00000000007B0000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 8821a0103c7a1d2ed2ca7d58cdaa4db0
SHA1 39bae8b4692ac040bd7ce8f9ddbdb1d69bc2bdb6
SHA256 6d416a3c051bf0e4af47ec11b78d7be39d016d1f7cb0d2017b3347d9108d58b8
SHA512 73006fb349ec3896ef06fa02b6604c9273d9059e8ca7ec2f7d080f60bce216c2404810b9764b6fd8da3ffb5c2639289863a67664dd7335615c3efdf37e83aeee

memory/5328-335-0x0000000140000000-0x0000000140102000-memory.dmp

memory/6064-339-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b4b584ba2b7c47812482fba2a6298b8e
SHA1 ac492b7ded8ec347f5e14b9dd1f3cfe32031a76a
SHA256 a7723aa8a0a0b741636d8d988d0fb8357499e89e2b389aeec31b224929f420e5
SHA512 6cafd8d9556ff5a52d346537d1a5559b7f8884c437fd246bf8a516b36f5ebecf1e4a6616617abc2ab755b634267a28086c28665dd79740ef51274fe57a25e9a7

memory/6064-349-0x0000000000BE0000-0x0000000000C40000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 1d313e7741e971adce466bca766db5f5
SHA1 9ac7cf95c43b3616933268404532a993a95c2b99
SHA256 9e9fce9ce1aeb8ffd486283714165c5aba5c8a4414c4e6ba4713d782db4d7a46
SHA512 bc7330fc20c81cfa75d6588e0a07dfc44b944afa01f275a9de38ef966e93344bc538ac07e6b7f31d5c094e15c4c5049c77fceddbc6e6359cdf17b6a51d405b03

memory/5340-357-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/5556-355-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/5340-361-0x00000000006A0000-0x0000000000700000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c9658b0d1ab8acb84815491fcc3e0701
SHA1 da5ca76602800b6b58c1931744ba021dd75d8b6d
SHA256 eb42767a8293477418dea0121575212b5db1a7b943c09feaf654ea58939b8cc9
SHA512 b116e1de1c9e99eeccf29242a2e92572bf190dc679e3e482b665236ad18d7c1b475726fb8ea035bab58bd74ab6670cd5e2d526bda2224255cc7fb32df674622d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a6cf.TMP

MD5 ef3aac392c0d75f931c89cbb67985e0f
SHA1 ce61a9a0890645f7551e4188f0dc09b324f56b63
SHA256 474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec
SHA512 22f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703

C:\Windows\System32\SearchIndexer.exe

MD5 26ecdcbef6b4df0de753ba441173fafe
SHA1 b9f05c699bc3f9c9b9cdd4d7179d8144cdce3c0e
SHA256 67aa0371717eab1b5491693cf2688310a5762e3a8da0db2abee9af1fbd9a5beb
SHA512 341aebb16a787bec38750ac958ad2ecb7d22a8157c1ffbc420d09784db5467b5d8e4b31786c45ef02d6347e606ff9e203e63a981fa5495166ec212f5d7646cbf

memory/5576-377-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 54492875107eb25977c5fd4de9de01f3
SHA1 f469abedb43a3fc616065c7b274799418fdf6198
SHA256 419047b193a03e4c0d8a363b88d3a153fab0ac38d224b913f25c42ef7b494079
SHA512 4884da9a36eccfa0d186a0ee58792d541057fdb11a92196002b0748b867a2a37fd74e1ee2483b6da3c6c28b9a8d20af688acd70249d826949fa9ac5234f8fa98

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 874505a4bd0b3c7a251b29dec266272c
SHA1 11eb4ce3cdb07c62035a5b772620996e7c5f6c14
SHA256 e5dcf9efdacc54c43e1997e42d20b11f27dae8989017d7202b9fcb37b944c867
SHA512 2c1ae425610a25505c2e3c5bce2301fc5aeb472e875af1693a9edfd2ee7f4ac1af4166f1620371ba48a2fc4c0a016648af687d2f2496ca50b27eb182915cbef0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a29ceb5d51879b655ed3eb21fc4e598c
SHA1 5167c242c590c78101b99d28b4f2d4279fd26f66
SHA256 272836eb8fa39385ebd2128314ed66b631967680301945945d44167d545aebff
SHA512 cfd4fafecc0576e961d7f0f692f837b83d092cbbaff98c0770010786094071f46902ac1da5d4b2ad9e81bce8c56e68a67a0970f6957fc651195f2607686b48d7
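Several of the paths in the Files list are service executables under C:\Windows\System32 and Program Files (alg.exe, FXSSVC.exe, msdtc.exe, vds.exe, VSSVC.exe, the Chrome and Edge elevation_service.exe, among others) that also appear under Processes, which is what the report's "Drops file in System32 directory", "Drops file in Program Files directory" and "Executes dropped EXE" signatures record. The script below is an added example, not part of the report or the sandbox's code: it parses an excerpt of the Files entries above into hash records and memory-dump regions, validates hash lengths so a truncated copy is caught before it reaches a blocklist, buckets written paths the way those signatures do, and groups PIDs by the size of the region mapped at 0x140000000 (the default image base of 64-bit PEs; treating equal sizes at that base as the same image in each process is an inference, not something the report states).

```python
import re
from collections import defaultdict

# Excerpt copied from the Files section of this report: paths with their hashes,
# interleaved with memory-dump region names as the sandbox lists them.
FILES_EXCERPT = r"""
memory/2312-0-0x0000000001FC0000-0x0000000002020000-memory.dmp

memory/2312-2-0x0000000140000000-0x0000000140592000-memory.dmp

memory/1612-14-0x0000000140000000-0x0000000140592000-memory.dmp

C:\Windows\System32\alg.exe

MD5 6956f18f798bcea24f5dbaadd813233c
SHA1 52a15fd4b7a7b9c03238dea64026c3908e0a21a4
SHA256 55266722326fb22f4292b1d4531e880d022c2fb9bbe2fc29bd75a6f3ac3e8605
SHA512 c6812c55a459d35f5530e888a0f119a788d3cecd74657e45c8238490939fc6c687e0adc64079f7fdc506bce7a520f9b7570444ab6e0c05d72f441256b1ee53e7

memory/3940-20-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\5cc5d3a62a644d7f.bin

MD5 4038b2933dde6b6b78b2f99b5ac715f4
SHA1 36800ba91627159b5d117f9adc779ab5751e6697
SHA256 bdda059be64a4b620c1492a50af07c653cd03d6e62235b7fd3e7b906b2a98c71
SHA512 1c1c9f0c53ad758607ba826356f628f0ca6f68f2412a787350a9375daa3b0f4dbabf857f06a6073f66f9641b0a95de6bcb242b056cc1bb66df70b5c211031796

C:\Windows\System32\FXSSVC.exe

MD5 472ab2fbb28005489a8e564f0cfcd69b
SHA1 efd348cd5382f8ce5f1a903fb6d961dfb3c4dd8b
SHA256 0575ff010bf4dca1df8f0f07ed6cd716151ca3a8d135fbc44b53b82b465477a3
SHA512 a1d7ec09b427610a49b65702f14cd64b2be5ff95d8d8b043504dd6d6a975e49f735c3902d26edb1c0cfd5dab05d715b8d3732c11b785aacbc9edab1b00449b33
"""

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (file records, memory regions); a truncated or misplaced hash raises."""
    files, regions, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := REGION_RE.match(line):
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append({"pid": pid, "seq": seq, "start": start, "size": end - start})
        elif m := HASH_RE.match(line):
            if current is None:
                raise ValueError("hash line before any path")
            if len(m[2]) != HEX_LEN[m[1]]:
                raise ValueError(f"{m[1]} for {current['path']} has {len(m[2])} hex digits")
            current[m[1].lower()] = m[2]
        else:
            current = {"path": line}  # any other non-empty line starts a file record
            files.append(current)
    return files, regions


def classify(path):
    """Bucket a written path the way the report's drop signatures do."""
    p = path.lower().removeprefix("\\??\\")  # NT-style prefix seen on some entries
    is_exe = p.endswith(".exe")
    if p.startswith("c:\\windows\\") and is_exe:
        return "windows_binary"
    if p.startswith("c:\\program files") and is_exe:
        return "program_files_binary"
    if "\\appdata\\" in p:
        return "user_profile"
    return "other"


def shared_image_sizes(regions, base=0x140000000):
    """PIDs grouped by the size of the region mapped at `base`."""
    by_size = defaultdict(set)
    for r in regions:
        if r["start"] == base:
            by_size[r["size"]].add(r["pid"])
    return dict(by_size)


def binary_iocs(files):
    """SHA256 -> path for executables written under Windows or Program Files."""
    return {f["sha256"]: f["path"] for f in files
            if classify(f["path"]) in ("windows_binary", "program_files_binary")}


if __name__ == "__main__":
    files, regions = parse_files(FILES_EXCERPT)
    for f in files:
        print(f"{classify(f['path']):22} {f['sha256'][:16]}...  {f['path']}")
    for size, pids in shared_image_sizes(regions).items():
        print(f"image region 0x{size:x} bytes at 0x140000000 in PIDs {sorted(pids)}")
```

Run against the full Files section, the windows_binary and program_files_binary buckets give the set of service binaries whose hashes should be compared with a known-good copy of the same Windows and application builds; in this excerpt PIDs 2312 and 1612 each map a 0x592000-byte region at the default image base, which lines up with the two instances of the sample under Processes.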