Malware Analysis Report

2024-11-30 02:45

Sample ID: 240407-wje3saad2y
Target: 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk
SHA256: b09a12c1dd4053b4d49d33bfb5ba49dcd288193933a5376b515f828cdbb12e85
Tags: spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: b09a12c1dd4053b4d49d33bfb5ba49dcd288193933a5376b515f828cdbb12e85
Threat Level: Shows suspicious behavior

The sandbox verdict for 2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk is "Shows suspicious behavior" (7/10). The "_ryuk" suffix is part of the submitted filename; no signature in this report attributes the sample to the Ryuk family, and the tags assigned by the analysis are "spyware" and "stealer".

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 17:56

Signatures

Unsigned PE

No per-indicator rows: this is a static property of the submitted file, which carries no Authenticode signature.

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 17:56
Reported: 2024-04-07 17:59
Platform: win10v2004-20240226-en
Max time kernel: 156s
Max time network: 162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

The rows below are write-access opens ("File opened for modification") of executables that already exist on the image, not the creation of new files. Two processes perform them: the submitted sample, and C:\Windows\System32\alg.exe, which is itself one of the files the sample opened for modification. The same pattern recurs in the Program Files and Windows tables that follow.

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\5bb03ad2a644d7f.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_124281\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{13D35E3E-D723-4ADE-A208-2AB0A3B02FDA}\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\FindExpand.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A
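The practical follow-up to the three tables above, on any host suspected of having run this sample, is to check whether the listed executables still match known-good copies. The script below is an added example written for this page; it is not part of the Triage report or of the sample. It compares SHA-256 hashes of the reported paths against a baseline, which is assumed to come from a clean reference image of the same Windows build. The reference and suspect trees built in demo() are constructed in a temporary directory so the script runs anywhere; on a live Windows host you would also run Get-AuthenticodeSignature over the same paths, since the System32 binaries are Microsoft-signed and a signature that no longer validates is the quickest indicator of tampering.

```python
"""Check executables named in a sandbox report against a known-good baseline.

Added example for this page, not part of the Triage report or the sample. The
"Drops file in ..." tables above record write-access opens of executables that
already exist on the image, so the first question on a host where the sample
ran is whether those files still match clean copies. Baseline hashes are
assumed to come from a clean reference image of the same Windows build; the
trees built in demo() are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# A subset of the paths reported above, copied verbatim (note the mixed
# 'System32' / 'system32' spelling, which NTFS treats as the same directory).
REPORTED_PATHS = [
    r"C:\Windows\System32\alg.exe",
    r"C:\Windows\system32\SgrmBroker.exe",
    r"C:\Windows\System32\vds.exe",
    r"C:\Windows\system32\vssvc.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\dotnet\dotnet.exe",
]


def relative(reported: str) -> str:
    r"""'C:\Windows\System32\alg.exe' -> 'Windows/System32/alg.exe', so the same
    path can be resolved under a mounted image or an offline copy."""
    return reported.split(":", 1)[1].lstrip("\\/").replace("\\", "/")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(reference_root: Path, reported_paths) -> dict:
    """Hash the reported paths under a clean reference tree. Keys are
    lower-cased relative paths; files absent from the reference (software not
    installed there) are left out rather than guessed."""
    baseline = {}
    for reported in reported_paths:
        rel = relative(reported)
        f = reference_root / rel
        if f.is_file():
            baseline[rel.lower()] = sha256_file(f)
    return baseline


def check_integrity(suspect_root: Path, reported_paths, baseline: dict) -> dict:
    """Return {reported path: 'ok' | 'MODIFIED' | 'missing' | 'no-baseline'}."""
    results = {}
    for reported in reported_paths:
        rel = relative(reported)
        f = suspect_root / rel
        if not f.is_file():
            results[reported] = "missing"
        elif rel.lower() not in baseline:
            results[reported] = "no-baseline"
        elif sha256_file(f) == baseline[rel.lower()]:
            results[reported] = "ok"
        else:
            results[reported] = "MODIFIED"
    return results


def demo() -> dict:
    """Constructed scenario: a reference tree without dotnet, and a suspect tree
    in which alg.exe was rewritten, vds.exe removed and dotnet installed."""
    work = Path(tempfile.mkdtemp())
    try:
        ref, suspect = work / "reference", work / "suspect"
        for reported in REPORTED_PATHS:
            if reported.endswith("dotnet.exe"):
                continue  # not present on the reference image
            f = ref / relative(reported)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"MZ clean copy of " + f.name.encode())
        shutil.copytree(ref, suspect)
        (suspect / "Windows/System32/alg.exe").write_bytes(b"MZ trojanised copy")
        (suspect / "Windows/System32/vds.exe").unlink()
        dotnet = suspect / "Program Files/dotnet/dotnet.exe"
        dotnet.parent.mkdir(parents=True)
        dotnet.write_bytes(b"MZ dotnet host")
        return check_integrity(suspect, REPORTED_PATHS,
                               build_baseline(ref, REPORTED_PATHS))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:12s} {path}")
```

A file reported as "no-baseline" is not cleared: it means the reference image lacked it, and it needs a baseline from another source (vendor download, another host) before it can be judged.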

Enumerates physical storage devices

Checks SCSI registry key(s)

The SCSI device enumeration below is performed by C:\Windows\system32\spectrum.exe and C:\Windows\System32\SensorDataService.exe, not by the submitted sample. Both binaries appear in the "Drops file in System32 directory" table above as files the sample opened for modification, so this activity should be read neither as ordinary service behaviour nor as sandbox evasion by the sample until the on-disk binaries have been verified against known-good copies.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Performed by C:\Windows\system32\TieringEngineService.exe, another of the System32 binaries the sample opened for modification.

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Performed by C:\Program Files\Google\Chrome\Application\chrome.exe, which is not among the executables the sample opened for modification; on the evidence in this report the BIOS reads are not attributable to the sample.

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Every write below is made by C:\Windows\system32\SearchProtocolHost.exe, the Windows Search protocol host, to MuiCache strings and the shell-extension cache under .DEFAULT. SearchProtocolHost.exe is normally started by C:\Windows\system32\SearchIndexer.exe, which is in the System32 modification table above; the Processes section is where to confirm the parent before attributing these writes.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b532f10e1589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000355adc101589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f502e20f1589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d11033101589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc393a101589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133569862308512497" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003544ad121589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed167c111589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d5077111589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c548c60e1589da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (×2)
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A (×35)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (×2)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A (×23)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe (×2)
PID 4320 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×2)
PID 4596 wrote to memory of 2796 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×2)
PID 4596 wrote to memory of 1156 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×38)
PID 4596 wrote to memory of 3472 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×2)
PID 4596 wrote to memory of 728 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (×18)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x140462458,0x140462468,0x140462478

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff2e599758,0x7fff2e599768,0x7fff2e599778

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4880 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716977688,0x7ff716977698,0x7ff7169776a8

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716977688,0x7ff716977698,0x7ff7169776a8

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 908 916 924 8192 920 904

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 --field-trial-handle=1888,i,8081270859252225443,5588455445332388109,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 www.google.com udp
DE 172.217.16.196:443 www.google.com tcp
DE 172.217.16.196:443 www.google.com udp
US 8.8.8.8:53 106.18.217.172.in-addr.arpa udp
US 8.8.8.8:53 131.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 67.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
DE 142.250.186.110:443 apis.google.com tcp
US 8.8.8.8:53 110.186.250.142.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
DE 216.58.206.46:443 clients2.google.com tcp
US 8.8.8.8:53 ssbzmoy.biz udp
ID 34.128.82.12:80 ssbzmoy.biz tcp
ID 34.128.82.12:80 ssbzmoy.biz tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 46.206.58.216.in-addr.arpa udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 12.82.128.34.in-addr.arpa udp
US 104.198.2.251:80 cvgrf.biz tcp
US 104.198.2.251:80 cvgrf.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 34.174.61.199:80 npukfztj.biz tcp
US 34.174.61.199:80 npukfztj.biz tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 199.61.174.34.in-addr.arpa udp
US 8.8.8.8:53 przvgke.biz udp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 72.52.178.23:80 przvgke.biz tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 23.178.52.72.in-addr.arpa udp
ID 34.128.82.12:80 knjghuig.biz tcp
ID 34.128.82.12:80 knjghuig.biz tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 34.29.71.138:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 138.71.29.34.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 8.8.8.8:53 vcddkls.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 34.143.166.163:80 ifsaia.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 34.67.9.172:80 saytjshyf.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
US 8.8.8.8:53 tbjrpv.biz udp
ID 34.128.82.12:80 vcddkls.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 8.8.8.8:53 6.218.225.67.in-addr.arpa udp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 67.225.218.6:80 fwiwk.biz tcp
US 67.225.218.6:80 fwiwk.biz tcp
US 8.8.8.8:53 212.78.174.34.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 tbjrpv.biz udp
NL 34.91.32.224:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.78.212:80 deoci.biz tcp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 8.8.8.8:53 dwrqljrr.biz udp
US 8.8.8.8:53 224.32.91.34.in-addr.arpa udp
US 208.100.26.245:80 gytujflc.biz tcp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 34.143.166.163:80 qaynky.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 34.174.61.199:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 34.41.229.245:80 dwrqljrr.biz tcp
US 8.8.8.8:53 245.229.41.34.in-addr.arpa udp
US 8.8.8.8:53 ytctnunms.biz udp
US 34.174.206.7:80 ytctnunms.biz tcp
US 34.174.206.7:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 8.8.8.8:53 7.206.174.34.in-addr.arpa udp
US 165.160.15.20:80 myups.biz tcp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 34.41.229.245:80 oshhkdluh.biz tcp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 34.41.229.245:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 192.178.49.163:443 beacons.gcp.gvt2.com tcp
US 8.8.8.8:53 163.49.178.192.in-addr.arpa udp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
ID 34.128.82.12:80 wllvnzb.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 8.8.8.8:53 acwjcqqv.biz udp
US 34.174.78.212:80 gnqgo.biz tcp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 34.67.9.172:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
ID 34.128.82.12:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 yauexmxk.biz udp
US 34.174.78.212:80 yauexmxk.biz tcp
US 34.174.78.212:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 34.143.166.163:80 iuzpxe.biz tcp
SG 34.143.166.163:80 iuzpxe.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
SG 34.143.166.163:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 34.168.225.46:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.94.160.21:80 ftxlah.biz tcp
US 34.94.160.21:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 34.143.166.163:80 typgfhb.biz tcp
SG 34.143.166.163:80 typgfhb.biz tcp
US 8.8.8.8:53 46.225.168.34.in-addr.arpa udp
US 8.8.8.8:53 21.160.94.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.168.225.46:80 esuzf.biz tcp
US 34.168.225.46:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 34.174.206.7:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 34.162.170.92:80 qpnczch.biz tcp
US 34.162.170.92:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
NL 35.204.181.10:80 brsua.biz tcp
NL 35.204.181.10:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 34.29.71.138:80 oflybfv.biz tcp
US 34.29.71.138:80 oflybfv.biz tcp
US 8.8.8.8:53 92.170.162.34.in-addr.arpa udp
US 8.8.8.8:53 10.181.204.35.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 yhqqc.biz udp
US 34.168.225.46:80 yhqqc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 34.29.71.138:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 34.29.71.138:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 34.143.166.163:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
NL 34.91.32.224:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
ID 34.128.82.12:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 34.143.166.163:80 gcedd.biz tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 34.41.229.245:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 34.162.170.92:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 34.174.61.199:80 hehckyov.biz tcp
US 8.8.8.8:53 rynmcq.biz udp
US 8.8.8.8:53 uaafd.biz udp
US 104.155.138.21:80 uaafd.biz tcp
US 8.8.8.8:53 21.138.155.104.in-addr.arpa udp

Files

memory/4320-0-0x0000000000900000-0x0000000000960000-memory.dmp

memory/4320-2-0x0000000140000000-0x0000000140592000-memory.dmp

memory/2336-11-0x00000000020E0000-0x0000000002140000-memory.dmp

memory/4320-8-0x0000000000900000-0x0000000000960000-memory.dmp

memory/2336-13-0x0000000140000000-0x0000000140592000-memory.dmp

memory/2336-20-0x00000000020E0000-0x0000000002140000-memory.dmp

memory/4320-23-0x0000000000900000-0x0000000000960000-memory.dmp

memory/4320-26-0x0000000140000000-0x0000000140592000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 b605879e08d2c37a89e0a7cf9cebb008
SHA1 547075286a6e5e6a304912cef29adf2a5379458d
SHA256 2a7688cdba662e4017878b44e559b7bf4889f2b32ff1c6ed70e020a2738e662a
SHA512 f18fb8e2df93b18cb2359c651e1dbbaf73225ff16912cec7dda24ef3e82d921690aa0690ca493375536159d8aa9ab660e45e2abe4cdbeaaa368f6f69bc090fe0

C:\Users\Admin\AppData\Roaming\5bb03ad2a644d7f.bin

MD5 71526bbce90b3b7bc7f10922e8cfa1a4
SHA1 05b812e41e3428e8c6e3d54c9ade329f2b15a421
SHA256 51c7c210d10455b0b9870f0269322f9e5da34bed868bc714d9933cc153aa34c9
SHA512 03c9dc6e3b4e52b17b244336031f6c1526091f8b82b008224769dde432a278a8a2a300471d6856d6dafe2c7b02158dbe0da9694145943940e675799ba21f4ca3

C:\Windows\System32\alg.exe

MD5 8236bd47b5ada0c83723f4175a9a3ce9
SHA1 3b14c3feaf69186c1519b9d2a75bb6acbe79bb86
SHA256 4604e76f719fc08ca2b481eb5928f3eb0c30dcaf6854ebad3311951a9cdc5525
SHA512 297fb27ddbb88ee00faf8e5209471c38e89805c4afa948f618f5b2d1ae1a1e04a68bd3f8b2493c69fa862c804115e491fb0beac21090b043e24d4a0d3e0ec481

memory/2312-32-0x00000000006E0000-0x0000000000740000-memory.dmp

memory/2312-33-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/2312-41-0x00000000006E0000-0x0000000000740000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 c1202524ecbf527e5ea6d4103fa6ae81
SHA1 bccd1a4acdb0703afac1096e4cfeee554ff0d6f6
SHA256 c7d33d8aeda31a7c145488b3cfea849cab464e98fe8e4d40adcd07927a3c5abc
SHA512 39022496f4ef66c7073cc15751c845dbc138ead791947a8f5c4d31ea803f14b7a648691551c0ee37d15c5559c80e4360bd84daa67e9c1a743c56fcbecd73169a

memory/4848-48-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/4848-47-0x0000000000690000-0x00000000006F0000-memory.dmp

memory/4848-55-0x0000000000690000-0x00000000006F0000-memory.dmp

\??\pipe\crashpad_4596_XTXEZVSUQJFOQMUD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

C:\Windows\System32\FXSSVC.exe

MD5 5e6476b1a83b4a6c16dd04357b12b9bd
SHA1 72d4d10baced2869ad7b46badbc1b0809dd0caa5
SHA256 7b8d7c8069640164358b0f3a908acc1b5e884f9f8fa0db800d897933ecf9fa5e
SHA512 a821f9d52530ba2cd7588e0e20c3735f1c6b55a9f40a152eb781407412663438ca4a1a8a9166b1178689c39f20f76cd475b3bcbf50d3b415ef475913e4db9ba5

memory/4800-73-0x0000000140000000-0x0000000140135000-memory.dmp

memory/4800-74-0x0000000000D90000-0x0000000000DF0000-memory.dmp

memory/4800-80-0x0000000000D90000-0x0000000000DF0000-memory.dmp

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

MD5 e37c8d96afb9fc32fffd9e8c5b23ef0f
SHA1 f964272bdb6cb9804056d3cda9bd918cb5df5d7e
SHA256 d639c63d04ac077cd55797721fcf4f29f05ccf9af4b9b8bd13f82d1b23fb08b4
SHA512 ad9d1c9269bf5e2cbc6140db0800ae342bd9c721bf90216272287aece1a5c4c768dd5f38ef6395aee281be821249a5f80dd503a9655db0d17f46922b8f758ac2

memory/3988-84-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3988-85-0x0000000000C50000-0x0000000000CB0000-memory.dmp

memory/4800-88-0x0000000000D90000-0x0000000000DF0000-memory.dmp

memory/4800-92-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3988-95-0x0000000000C50000-0x0000000000CB0000-memory.dmp

memory/3988-94-0x0000000000C50000-0x0000000000CB0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 fd0bd541eba501fb0d32eb775b929a06
SHA1 cb9332d4a451a8a2fe5fd3f552014649fe4232c1
SHA256 ba3210b5201790d71475051db081fb27e9c63289ceedbc47918e3af7178250ff
SHA512 bf0adb2bd4d0e85bf319216a0a11cb786838c18c59a27cc5dabaebc0cf56a550d6d91d25dcc5b6b2bb8b211d92747e8afcc2d2d42bba5a075aad444adb4f3f00

memory/4860-101-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/2336-103-0x0000000140000000-0x0000000140592000-memory.dmp

memory/4860-105-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4860-115-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 91f2ef5bfbf6835630774bb7743425ef
SHA1 d6cc06e613d6bb0a9cfa377cd2b6cdb59dbac182
SHA256 7c4be35e1c9772b8fa18d6b44160b859a9e0450788c7b13a21e34861a915a812
SHA512 963b2220ca9122ab47f4ca6dca4e5375a9b13be25a3c9a733796e29d3859474ea20cf4474a8accd9aecee01492510c12b94d96f8bfcd3cbe9bfdbe877a7c5990

memory/1132-121-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/2312-122-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/1132-125-0x0000000140000000-0x0000000140209000-memory.dmp

memory/1132-129-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1132-137-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1132-136-0x0000000140000000-0x0000000140209000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 b419aebed06d8366cfc0fda3897ac689
SHA1 d13a516a65c889d85a1205555e733d0576b8fee3
SHA256 9cf93946d169189bfd43804465a6501b873657db91780fe9de942b3a299c4f8b
SHA512 8fafd0bbedab38322987d2158d918f153d276a21ec6b001af2a6949bd7007529a0fb29b31f6864ed78037f73dcae98b74ee478454de7cff2f7bdf69dc2f74a77

memory/4848-139-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/388-142-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/388-147-0x0000000000D90000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9a18a37a-3fbf-4e81-8720-3faa94faa09d.tmp

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 3b85682be2f8720d48bed76e1d5feb22
SHA1 6d76817f71dc218dd053720fa737db9efacf395e
SHA256 2ac57c94f5a9d090d49472ec731b2cd264c3bd4c01dabe91709b388497e27410
SHA512 3519385a47501fe03987d744bd758e415a998a4f1dfca86d10e6eb7268f787e301d3a6f16819635cfbe62a4a4da408d8d0c1994ad16a7f8a695d5459526ebf23

memory/1652-161-0x0000000140000000-0x000000014020E000-memory.dmp

memory/1652-173-0x00000000007F0000-0x0000000000850000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 b14f2a95214cc5a6918768cc506323d5
SHA1 dcdbeb4feaa9384ea93794ef62af0174f4974dad
SHA256 9d977c7633553a18dd927191e0034577566ac91a0e42cc1ebf9c9d93423ce983
SHA512 33629b89b2860d9b3bd4417eb85504c8fda57c35d94005bf0a09faa3cc67c3c112eada5dadb823ab99108b68b004bb69b38ec26de20ef173ee93a227a502b0e9

memory/3988-177-0x0000000140000000-0x0000000140237000-memory.dmp

memory/236-180-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/236-185-0x0000000000BC0000-0x0000000000C20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 643ee415eea6e9253034428146d8497d
SHA1 aab4ce792eeedac3e5741a38bfe2b8943511790e
SHA256 ab6e6bbfd6e7fc54a09cc8f7689b4d97c1a7f3540e5daee6d2d6e1315c091d1d
SHA512 ef715c433ff0ff5c76bf1a5e26a07e9579a12e3ddc1326ec761704ebc35d1f22434339e545d7357add20d41e50de507f82eb469036aba3591e9f9a327471371b

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 42a192cc9e49b4c238a379ac993dd318
SHA1 79bf314b162a0b2a02c9b76d0e419124d11ec945
SHA256 faa55389e7110a8e6be510ecf9c6260469bc7e4ebd246fc1ed18ca3d7c41002f
SHA512 fb4994327588d0de87dc20316907a2491f572f0c8859fd9a5c20b1c9667ac935a7623560cd10c1bc958a52ad12abb5e638894662947b1fc542998e2627117ab5

C:\Windows\SysWOW64\perfhost.exe

MD5 08ae5860ecf2045f6f89f7251c6e7440
SHA1 38abc9b49483d12480f2d741ce5290281c1a2911
SHA256 8bbeaf5100ee159d74ac50f6972fe05c7a152db6d16369a425317e747ea90a51
SHA512 2311156bfe4b7b400c5b011bcdf82d787fcbee22269d3e5f64d72230d94b8f237617dff6164e7cab7c76ddcae2f4c1b914c829a81a63a9d23c191b0d83c767f8

memory/4860-192-0x0000000140000000-0x000000014022B000-memory.dmp

memory/840-193-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Windows\TEMP\Crashpad\settings.dat

MD5 7806f070ee1bf48d945790a0c2a61355
SHA1 cd3804e5db65628f5a3c0a8accbcb6d10544280c
SHA256 6520df12afb6e96315f15e8777e8deeb8b25d5ac72136065c7d5accda00cd895
SHA512 c1c368d258f84828a08885a6c25894d96da5f1bdb66ae2828bf764213827289c4df027188338fede003a59c8bcdf64ab3eaceb0d20e62c8ec8620c921901c7bc

memory/840-207-0x00000000008B0000-0x0000000000917000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\cf16d6ec-d24d-4c9b-9f05-9eacbc19eda6.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Windows\System32\Locator.exe

MD5 8abeb7425549e9075f5acbcfef3873bf
SHA1 85e732e6da251c7899047d9b83cca5a82a8a9e84
SHA256 2aea71e4634184187893bc7ebbebb2979e611d32f6157e8900eea63dbdaa46c6
SHA512 a09350f83b04abedafc50fa3f47b57fa7a655e79c3178dc65efd0ed32bbbc5ef01d58bc7e5b85bb095a2bd525881b4199445eebd35f41a4af91bbbfb96785e94

memory/1320-222-0x0000000140000000-0x00000001401D4000-memory.dmp

memory/1320-230-0x0000000000730000-0x0000000000790000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 085f487da3809ef3c4bb0cc2c0819fc5
SHA1 e3ac233a0d4ed477744e314163a8fcb6ae8b6a25
SHA256 8f4e7a45ec83b98a35b678aec08a5b96e4ece4442dae044bebcdc8c50072250a
SHA512 b7c5f3f45f5641044f13bbe207f204236ea373d2a3b3477733b835af4c2155ee0163eaf15b2c55ce617612fa604f9400b9d3ae788e46c2dae70b7b50073c74ae

memory/388-234-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3120-236-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/388-242-0x0000000000D90000-0x0000000000DF0000-memory.dmp

memory/3120-244-0x00000000006B0000-0x0000000000710000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 6d265669f1cd384e47f85ceb537e3332
SHA1 221dd4be9b8744b994acc46474873319ee02986a
SHA256 2843a82de12073581cd55129b6c6ee6c11f76a5c65cb15da4746eaef2d0e691b
SHA512 fade63625472d8d8f01adc5d5e5717cd3d98924565da37dae0a0b11168689c74687ddc2a8ffbd6aa4ab5b836cfd77a514c286d4e7e02cf30b21b2545b0b425a7

memory/1652-248-0x0000000140000000-0x000000014020E000-memory.dmp

memory/5008-252-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/5008-257-0x0000000000500000-0x0000000000560000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 e8ffc05554d1f0444d2d7bd39118d58c
SHA1 1fd47226df7b2660272a18de09db414191800820
SHA256 2aeec5c52971a8c8c6e304051a555ea6f2a4f29c108559124bc4b7ff6e90095d
SHA512 5ed909ee58c83e1a043eb10828cfb8e7b4579d5176cb521d057158c8c51d7a6cc32c896534a0973fd0c3fd0eccfc2d281242ff7f137b8d19237f9f262e6b7fd4

memory/236-262-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/5204-264-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5204-271-0x0000000000720000-0x0000000000780000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 d71cd6071ff4ec63df0953fa1777238a
SHA1 f5f14b079443bd3ae34424607e5eebd30f3f11b1
SHA256 c258786b8623b14eb8be14148304a8e3c61cffd54debd8bf51178d967f2cb6a7
SHA512 003c8c824b013838b13200490449b8784e257bce9f05647646052f4dd8ecd718f41a62cc2cdaae150ce0904308b96f75f063172e737fe9fcc0c12419d296f419

memory/840-275-0x0000000000400000-0x00000000005D6000-memory.dmp

memory/5332-278-0x0000000140000000-0x0000000140241000-memory.dmp

memory/5332-285-0x0000000000DA0000-0x0000000000E00000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 b2a967e63d136d0d6462bf86506a87bc
SHA1 216678b63ecb6949b2b0ec42bbe5758e6c8f7f13
SHA256 bed432d2f5dac64a0186b06e1217073c09db6f142e3af3ace66171d4c79c460c
SHA512 d46bbc4289af8f6d4e5b95f52cbb9d23b5dfc51bdb911f9fdd2969adeb0b84bdd03eecc85207dd49c54218a98597da12fb1de8f5801f4ed5cf18b4d457bab17c

memory/5456-290-0x0000000140000000-0x0000000140221000-memory.dmp

memory/1320-288-0x0000000140000000-0x00000001401D4000-memory.dmp

memory/5456-297-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 87745c40b6b378fd6ef6a21d69bc7aeb
SHA1 76b13d2734b9cd3727dfb5bbeaeaf76afb591e07
SHA256 8681d483d666b913dbf19bf365ff0163b9d331eef4cfeea010bfbf1ce455c37a
SHA512 207442165d3d92aaf58eba3c9b746631e6327aa9036d901d703ed49c1297e82a2baf2b0a51dc2b3aa85b1ff3f91de392222a8f91cd845c7bf7cbb55b4d9694b2

memory/3120-301-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 28460536bc0f62a291685d86234338cf
SHA1 6bc4a9c6a83b129a722dc5dd2289011ef50d179c
SHA256 ffad73395d38777f9ed0ff4dbced0fb171647205e205f66144cf5c67e234b51f
SHA512 fa6e69a0cd0b5910c9a54b89ec88909ea150899002ec867971ec77e66dd67879ba73cdf0fd5bd414e6d93e7bfdf00ba59accd180803788195e1feaf385fd7d20

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57a103.TMP

MD5 ef3aac392c0d75f931c89cbb67985e0f
SHA1 ce61a9a0890645f7551e4188f0dc09b324f56b63
SHA256 474bd435e067162d7364e95374e0fc4f6be9ea3202017cdb1eb05a7876f254ec
SHA512 22f026e8146699fdd24911bff6f5cfc0ea1cc131bd378e973e8fca5fc479c8eda9764b7a3a1acd9bbcf6f6cfab8763c04fe6c9a56e1b8e9ffd6316ed11c34703

memory/5596-308-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6d8964d92187bf3aec183f806d0d5873
SHA1 9fa7a8fb813a4e96620458d5e71406bfbed34f72
SHA256 76badd1688fdfab7434574f96b42a798f2c3f9c1c60759b94436dd46eba064b0
SHA512 3fdd1331ccc83719634a8b597da2d068247d2e1be3043dc482936323e0bb3154d1202c6848ace6007aa2843928e5220831ca1b7143330f898fde39b66a59d4ae

memory/5596-325-0x0000000000C10000-0x0000000000C70000-memory.dmp

memory/5596-329-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/5596-330-0x0000000000C10000-0x0000000000C70000-memory.dmp

C:\Windows\System32\vds.exe

MD5 75390610779b05b609e31ea468dd933d
SHA1 dcb5a13cc5eaa2fd41fcfdcf99d1674ad4babaa9
SHA256 de37b54e38fa765fbd33bb4678c186eeb1665071c972aa7802280756f1acb681
SHA512 a7cd543800ffc20bd40ff594fe844838cd94bc760d739d874e9e5ed707f798d07cbbcc56a289c22670a6189dbf5014e3b0d48360a65601511d469aa67baf2966

memory/5008-332-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/5756-334-0x0000000140000000-0x0000000140147000-memory.dmp

memory/5008-342-0x0000000000500000-0x0000000000560000-memory.dmp

memory/5756-343-0x0000000000C10000-0x0000000000C70000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 96543b2940e0bb7c904dbe6bc2b2f8b2
SHA1 7b2522981fe7667d81f3bc6284f96a3ad5821e95
SHA256 74049b31e2b63416b4ab2c7add56322e30c2ace6bdf150165944f4a8535acde9
SHA512 4b4e8c452b5143952989847d4fa0f12a547f73177584bbeceff5a0eb1a54a6b74e8ed3c476cb33fe647f9ace0de5b578d4e0fb33aa09d630a1ffd20b57b5cf48

memory/5204-346-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5848-348-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/5848-356-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 82b38a747d3fa178a6d918b338774767
SHA1 42b5a778399f0f76fbf369a852e56bf7932c6373
SHA256 1ec5d443dd18d4b98cfd0415a70ce9fe535bea3f0bde4c23dcd119a0d49082d6
SHA512 c5f52890b309fa32d78cd9c04dae9fd6743946efb1ebec3613c0623a3871b3b23c14f47a27179394e59856c59f39abbea954edd015602742ca5dda6ca6fcf541

memory/5332-359-0x0000000140000000-0x0000000140241000-memory.dmp

memory/5964-361-0x0000000140000000-0x0000000140216000-memory.dmp

memory/5964-369-0x0000000000BC0000-0x0000000000C20000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 09122134c83e1a33f90dcae78c8c79a1
SHA1 2e4e502f72b0f03509508d7937dfd4d5f1f0dbd2
SHA256 2be2b2468dce00aadb58200064b2705f0b0d3fb24f7b154d81ccd69bd169ba61
SHA512 10bc35a1d6c77499db76d0f3b41fb8a10475609d3cd5a8d81d84f482cbeb389f538ed1866f91e636b59dcca0c1923fa963ff7e022dc7d85e43403c7becac920e

memory/5456-373-0x0000000140000000-0x0000000140221000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 8a2c34ad1c40d4a2fac5c68b4f2814ae
SHA1 23adbbc9a13e747e0116e5d6acab834f915c00b5
SHA256 0e3945dc5ef439003863bdf9842941de03b7fed15042c857969d1e50bd078e4d
SHA512 a75cb030d5f960fe588f130ded2c572666d04906fa4c20c4d3c4b8e51083b926a6ece43c174ca8e0ddac9bc121c98d12771e83b920b3cf4448ce693f518f6093

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 58fe4ad02115421621ebce35417eccd9
SHA1 16ad03a0b0376e3d1036079f9b58da9b6dedbb30
SHA256 22edfe9f9d1018bb27baaf881418832c6c1ab5283ae58ac7fac43eb22e9f4923
SHA512 d8ad022aaedc9427dcad08c5ec2a64f23456c37b91ce1c14c120cbfe16323e59a76afb419641d172640dd4cc447d6eac4d80bcbc6182b8f4e546323aac6e5998

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fb9702eb916b957cbfdb38e281d99358
SHA1 da1121c1efff024754ea3056574a46ef94973304
SHA256 02e72f7b6a350f2bc411db4ad199faa1ca1f54cd3fe59e19b0ae82c4ed07e104
SHA512 7c60540627cf906007af28960a9b830535c5abead53997a6e6fa0fc22f3ff49d6158fd5840cbda50c7a01cd5c634b01d788c9db25e6109ea4f216a9802544970

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 3276277cc4d05a6942e701bd5a434d51
SHA1 3d9181d715669e9f1b2dc3806e9d0cc937be9068
SHA256 191217edc262514f19fe3fd87fa2429cdf51d34c4130a9392af4b39ae99869db
SHA512 bc66d1fe2dcf640187ad0a68d497ff374710df40822c523e3736b2f3f6683d3d600d600b72fee59a3be8d5b22bb05580e2dea0bea40c9cec852c7676796b821c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 61d62558438ede7f331006d34e03811b
SHA1 a92136c0536b60b9b0295188d74efad47b341da7
SHA256 339f06c205888f7134889bec5087f44338402c9f58b2602162b5e6ce04d7fc54
SHA512 7168c4913abcadb8acdf223bccf0f39e8c498f1b24ddf125b05255fa718b596975de8ff904dda811cadd78f7c04717376ecf99b5111615545ef75e6d6dc117e8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 63661c4e5302388dc76d0ae91f9d8323
SHA1 29e8247d3dd856a5f25071acfe18210cc3fd15d2
SHA256 7f470303f952e248ed892301c6e592893ac3ca4d73bce863c1cd74ff3b16cbae
SHA512 1628af306b7c3fe5a0570be8c321150ed371cd71626b31d6f01d3c66045c4352319f1758cd034e9df40cb480e9234189596a0dd088dc50295e51827367290edb

C:\Windows\system32\AppVClient.exe

MD5 674bf7c8517e58085a13ef4f58d43e36
SHA1 ea058d2b71842d0355ecc5462718023c2d0679ea
SHA256 34ae48dd7f03016e2353e9cda6c9dfcdc8eb0ec9d6b50e4d57f06b2e808bfe19
SHA512 b17210920c7f676c137574bbc80b332b1a9d9c96b64d335bd42e2b849961f3ff070a187f6691097e87c7620f863567aff2e5ceaf3802895091020122403f9113

C:\Windows\system32\SgrmBroker.exe

MD5 0cb513e936a6c6bd36c49baab094b096
SHA1 8d817b27d8ac91cf072b8e21303c48170f938d03
SHA256 0551d47db53fbd80891e483c521bdd195e3ae170901fb9a18b2523ba84b1b6d4
SHA512 ddb792c26018aa77e3300a2eec1b7b5191501e388bd268289d4871e7877e36ba88790c43742dff798a8d502903b35bb4a8b04f421e59ef85d87aefe5cc086d84

C:\Windows\system32\msiexec.exe

MD5 ba10d0b41b6c7c934cb99d2635a78240
SHA1 7f164422a9087d79e25ed7b0ff4f2b72b4953b6b
SHA256 6332cdc72a45ba860fae2c6b9605216c39cddd926eb179db87872648aaaddc86
SHA512 53c86345f6ba818f20966246b68aeceac091652215c19129812825fee9d1041590b14ced1e5346fbca48138176a78bd11bebad1e4d195c67b50aad7bd5304c6a

C:\Program Files\7-Zip\7zFM.exe

MD5 2daf149f33f2ba2972fe1f8d039a0df0
SHA1 2c77575ffbdf6a49482d17d63de1df97a93cda11
SHA256 83532591d57f78a95d558d1874b5bcb7eb4f79cc1c6f4a8b57110c6c79150695
SHA512 78d257286b4c365ee316e78d8a231add58e928bec94516e3c817179922b33ab146dd435dcd25aa1ad6454a3f31d7e85713cf422046762bf332b6c02e3e086948

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 5b65264d0675507a4bf51eb202e03995
SHA1 1af5bd66be2865436f5b0e9bd0c02c29c1c50d23
SHA256 9c682715a36c400188f14f0cee5b69d8785ede70b2aee7f49752b364b84baf2c
SHA512 a03b79bd79bc98e2c9e1ad0bea6abd32043b121a7739b80bb11705ad7742abae9ae78ea52a376570ee870dcd6767385ff9c52a8b5db0f15b6b1b1ff12fbf309c

C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

MD5 6106cc789a1ddc2adbce091df21740d8
SHA1 bf18e9a73a1509b9c3b751920c7f5f04f787ec42
SHA256 a17a42c80423fb9c12eee5b20429a2a6d5e00ebf549c83b657cad368e2d24f0d
SHA512 122c527e31e2da6bfc91e7089dd5efea15edf785527295b00765ab6ecf70aebec9e2c222e803ce4a2badc051fd607ed90b8482f56410bfd4a31719899fe7cc36

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

MD5 803d5a1d08d377c274dd3d3853ec8194
SHA1 3efc8360693de14f3ee57244a7daddc581b19a85
SHA256 1b64a7c8aa54894f6790e1b9f96eb28283407f20e9af2b254617272c2ba1735d
SHA512 d026add4a471ba4dcccaf7ff4ae7b37817f65ba8bf22356b70a167fe7ffc2dde9b2d63d7cc6c241536919626f5da078e00646b24eb0e3bce66504fc766e5348f

C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

MD5 18c47151b2fda60ee8ff6c91c0c7a0f2
SHA1 faa813fa3ad0e9e6c5c88ca39acb3036b2cbb6da
SHA256 e5a0ae67becf98806b1ed82850f95b0e1ece287c07c29cd8db3672ae74c16140
SHA512 7b75d519bf583b8c67c96b053267cf5c61f00d5dd025fb50b54eca8cf616fba6784690d35c43be10c90fe5bcc425ce949ace472e88579b0c219868f7a338256a

C:\Program Files\dotnet\dotnet.exe

MD5 fcecf57d3d4cd49faa1c1654da8ff0c8
SHA1 7ea430319b2e4d4691215e912a13896ec19a19f4
SHA256 df432a8d7c03f14813ded3015482c3c4069bb245cbe9ad2a8bcb620fd8100539
SHA512 192ac54aef6417cdfc84a49185de50e812734c15bebc5b1a6fc381b5dbf08c14708b830a2769b5139a8126fb01e2494d55f461ebed8b1bc7885ed52148530e94

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 1b77cf4c0597eeb9c03ab7d0d3275f76
SHA1 babfc88e1b0fe7a2d25b043629f43333e76979e7
SHA256 347fac8aa73b9c4bfbf997cb8a819a8e649df07450a2a6010be11a1e41c98c0d
SHA512 27b0b6c326764317cc9f8c0791b4b83c5db6af71d79a748df7926412e55a6c31698bd37ba1f62c1b106bc1de25d5066354611a5621054463ef4c22e80d0dc52c

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 194b83c33121f907cc36a9d000a8bed2
SHA1 3e450315c0445240de5fb02462778f61315f8065
SHA256 7471a167e04a3f16ab28507c7b2f2e05b2266ee23d23514340d403d884377159
SHA512 701ccada604e869dca8b1392cf0c9e5b6a309201ecbcad8d1b12359de0d0347214e7ff645a55689ceb9cac4dbbf413e789043082a75fc82ee0856e3aeeb807d4

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 82e34b87dbe32994edefb43363c53deb
SHA1 31e9d9ddaafc847d5c8b6b3903bd9ae3a38e5330
SHA256 a1fee4e9930dfac1fecd990fb24dcecb39b16a402c2788baa681a5efd6444217
SHA512 26a2515d73658a4b3b89c99442b69ece6decbf32c8660b764d181b9d735c2998ee097b25d01507520238b10c38747cd7faa8d54502155d969ce98aedfd1ea06d

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 3d29f6e5968476aee431d50dda622fab
SHA1 e7286d56d9368584ff5a75f676e4c0f8b617319f
SHA256 baecd021917d6d4c0728db00c707ad13a5bae3eb36bdecd4b46110f1b2d9bff0
SHA512 0fd439f776f7d72623a613e4217d7a00f8ba67a9e384edd25602c215e2cdb6d4e4580239ddf02f090ff15d157fca2e3b7bc15c78abbfc03e9aeffc123ed45c23

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 60adfcf92fc545bc8b292270ea2633c6
SHA1 e7515700f08b8d2ae11eda1a536dde0a95ee8133
SHA256 1069a6a5163a05c839246e31bb4fbab1cfaf89355211096a90fe6dba5815c7f3
SHA512 72a08c8f2fdfef9b8a2c55cd7e3043ea9786025f562b67a9f63ca779b2a99c9ccc8d7f2764c49373a763fceb24b6cfa88a402121377297b3c0d209706f1847b7

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 2fea14b1b0a28807e6e2838a76fc42e0
SHA1 5119a191833e717b0b93610e13703dc32b357414
SHA256 5312f4c208199ca5cdea8decb50ecfe9a627a940419f94bc32fcdf0b1ce56548
SHA512 75940dc82e9f976211df90a17a877ec5222961e3cd748bd569ee3565a7a76435064ca331f621bfe237809c42cbc70784a7f3580bf32690b37e822522c374d476

C:\Program Files\7-Zip\Uninstall.exe

MD5 4e8b7995a8e212c53817d87cc372ade1
SHA1 d27617f1fe93ada940d83c40c726abe09837b83c
SHA256 54572db295c6ce84c8c984774ad8d999a778140a458caad5976f6c618980635c
SHA512 794e5e6d3f315aa985f649504f1d006cb6f436edf7d9ea45b3ca258c79e0e4a87584570bdee3af7aa20bda6dbce712e09bc2ea4f990c44fea900730f1e0a4cd1

C:\Program Files\7-Zip\7zG.exe

MD5 10f5f9a257cfde0017bdde88948ff39b
SHA1 b92dd01b9bca91657355d2828a8798b97f1ae613
SHA256 0e64f8252cbac6e13704ef8824299b8e60c252498b48ac0414a5a9907cf3ed86
SHA512 d7391bfa11a8603cdb05372581c900b07fbe963ba3d581b3b8cfa6d0a696ae45dd6768e3ec8503336963e518ca41c67e8b6f7dee520d4d787ac5e8178141e85c

C:\Program Files\7-Zip\7z.exe

MD5 6b3fa34d5b22c3418c0cd32d704f3e26
SHA1 be75b8df9212eb7ebe81011633d4605cc809f23d
SHA256 724e002c2a984a0c42585bed174464492a2014f010e53f5efcca494a8e7b7b05
SHA512 aa3a50c3633ea9e8ba5cf49a84d9114348be278a984ee6306b6747db7125fa9337ec490342fd33778979d4e69beb3d60c4f4e9d8ba0a97a9c861518646b18374

C:\odt\office2016setup.exe

MD5 9bb61b707fbd4071d1735f0529008136
SHA1 3e22239bf7d7867965d013e9ea07cac5feccb28a
SHA256 f81056e812b5677b26981f70e541054aecf5cde782c347a40a82c3eebf1e40a1
SHA512 4fca0e6051bfc917b24a77b135b9f4438b902c28b500122246ea9f1f5932661b259d82f2781597509918c7d0e8fe7173bce4225e732e93641f1c7fa76661ec4f

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 2bbfe5cab991a87f1d710d4e5c85796a
SHA1 2be8ade6f1f5500a525f18d3a45c09ec1145d750
SHA256 17f2d7aaabcb505ac0bd1fbbab4a9df09d812e087d75d1ced9aaf63dcd78ed60
SHA512 90d078650a8946e86717828ff79c0a3608b4b65a20a40f93bdfdba51f680bf4e353997d5c7677aef3f2ddb5d9372bace577af5a3e91b65e7d2cfdff193d050b3

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:56

Reported

2024-04-07 17:59

Platform

win7-20240221-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-07_bd102a580ca351b70cc7c6ea03a156f3_ryuk.exe"

Network

N/A

Files

memory/2700-0-0x0000000140000000-0x0000000140592000-memory.dmp