Malware Analysis Report

2024-11-15 06:38

Sample ID 240604-bc9ctsgd58
Target 0538e06b06f6262cce356f13471c0580.bin
SHA256 346aec9cc4c999f9161fef5a62701af6d4d83de1eedbee968a6a73e5b2ece0ee
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

346aec9cc4c999f9161fef5a62701af6d4d83de1eedbee968a6a73e5b2ece0ee

Threat Level: Shows suspicious behavior

The file 0538e06b06f6262cce356f13471c0580.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:01

Reported

2024-06-04 01:03

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\764a41afd590e271.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaws.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\javaw.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\servertool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{F4DF7669-184D-4D67-991D-8B1550DDF396}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95296\java.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000060d62c01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086e65ac01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6c115c01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000843bcebf1ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001bc91c01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fcea4c01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a24a3ec01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3fd10c01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff60f4bf1ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000122418c01ab6da01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe
PID 1040 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe
PID 1040 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1040 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4408 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 3876 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4188 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2700 wrote to memory of 4444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe

"C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe"

C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe

C:\Users\Admin\AppData\Local\Temp\0538e06b06f6262cce356f13471c0580.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc8b88ab58,0x7ffc8b88ab68,0x7ffc8b88ab78

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3016 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:1

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4480 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2436 --field-trial-handle=1928,i,11933591766576700632,9035332000016090988,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 54.244.188.177:80 pywolwnvd.biz tcp
US 8.8.8.8:53 ssbzmoy.biz udp
SG 18.141.10.107:80 ssbzmoy.biz tcp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 107.10.141.18.in-addr.arpa udp
US 54.244.188.177:80 cvgrf.biz tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com udp
US 44.221.84.105:80 npukfztj.biz tcp
US 54.244.188.177:80 cvgrf.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 apis.google.com udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 227.212.58.216.in-addr.arpa udp
GB 142.250.200.14:443 apis.google.com tcp
US 44.221.84.105:80 npukfztj.biz tcp
US 8.8.8.8:53 przvgke.biz udp
US 54.157.24.8:80 przvgke.biz tcp
US 54.157.24.8:80 przvgke.biz tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 8.24.157.54.in-addr.arpa udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.187.238:443 clients2.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 34.193.97.35:80 przvgke.biz tcp
US 8.8.8.8:53 35.97.193.34.in-addr.arpa udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
SG 18.141.10.107:80 knjghuig.biz tcp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 82.112.184.197:80 lpuegx.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 vjaxhpbji.biz udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 52.111.229.48:443 tcp
RU 82.112.184.197:80 vjaxhpbji.biz tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 61.43.200.44.in-addr.arpa udp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 197.86.237.3.in-addr.arpa udp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 160.200.246.34.in-addr.arpa udp
US 8.8.8.8:53 23.154.80.54.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 xlfhhhm.biz udp
US 44.200.43.61:80 xlfhhhm.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 ifsaia.biz udp
SG 13.251.16.150:80 ifsaia.biz tcp
US 8.8.8.8:53 200.78.164.35.in-addr.arpa udp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 saytjshyf.biz udp
US 3.237.86.197:80 saytjshyf.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 vcddkls.biz udp
SG 18.141.10.107:80 vcddkls.biz tcp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 34.10.94.3.in-addr.arpa udp
US 8.8.8.8:53 20.15.160.165.in-addr.arpa udp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 fwiwk.biz udp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 34.193.97.35:80 fwiwk.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
US 8.8.8.8:53 86.104.213.44.in-addr.arpa udp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 173.204.218.34.in-addr.arpa udp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 tbjrpv.biz udp
US 8.8.8.8:53 185.94.254.3.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
IE 34.246.200.160:80 tbjrpv.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 deoci.biz udp
US 8.8.8.8:53 yhqqc.biz udp
US 54.80.154.23:80 deoci.biz tcp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 gytujflc.biz udp
US 208.100.26.245:80 gytujflc.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 qaynky.biz udp
SG 13.251.16.150:80 qaynky.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 bumxkqgxu.biz udp
US 44.221.84.105:80 bumxkqgxu.biz tcp
US 8.8.8.8:53 dwrqljrr.biz udp
US 54.244.188.177:80 dwrqljrr.biz tcp
US 8.8.8.8:53 248.156.208.18.in-addr.arpa udp
US 8.8.8.8:53 nqwjmb.biz udp
US 35.164.78.200:80 nqwjmb.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 ytctnunms.biz udp
US 3.94.10.34:80 ytctnunms.biz tcp
US 8.8.8.8:53 myups.biz udp
US 165.160.15.20:80 myups.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 oshhkdluh.biz udp
US 54.244.188.177:80 oshhkdluh.biz tcp
US 8.8.8.8:53 yunalwv.biz udp
US 8.8.8.8:53 jpskm.biz udp
US 34.211.97.45:80 jpskm.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 lrxdmhrr.biz udp
US 54.244.188.177:80 lrxdmhrr.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 wllvnzb.biz udp
US 8.8.8.8:53 rynmcq.biz udp
SG 18.141.10.107:80 wllvnzb.biz tcp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 uaafd.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 8.8.8.8:53 eufxebus.biz udp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 gnqgo.biz udp
US 54.80.154.23:80 gnqgo.biz tcp
US 8.8.8.8:53 jhvzpcfg.biz udp
US 3.237.86.197:80 jhvzpcfg.biz tcp
US 8.8.8.8:53 acwjcqqv.biz udp
SG 18.141.10.107:80 acwjcqqv.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 lejtdj.biz udp
US 8.8.8.8:53 vyome.biz udp
US 8.8.8.8:53 tnevuluw.biz udp
US 44.213.104.86:80 vyome.biz tcp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 yauexmxk.biz udp
US 54.80.154.23:80 yauexmxk.biz tcp
US 8.8.8.8:53 iuzpxe.biz udp
US 8.8.8.8:53 whjovd.biz udp
SG 13.251.16.150:80 iuzpxe.biz tcp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 sxmiywsfv.biz udp
SG 13.251.16.150:80 sxmiywsfv.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 vrrazpdh.biz udp
US 34.211.97.45:80 vrrazpdh.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ftxlah.biz udp
US 34.218.204.173:80 ftxlah.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 54.244.188.177:80 ywffr.biz tcp
US 8.8.8.8:53 typgfhb.biz udp
SG 13.251.16.150:80 typgfhb.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 zyiexezl.biz udp
US 54.80.154.23:80 zyiexezl.biz tcp
US 8.8.8.8:53 esuzf.biz udp
US 34.211.97.45:80 esuzf.biz tcp
US 8.8.8.8:53 banwyw.biz udp
US 3.237.86.197:80 banwyw.biz tcp
US 8.8.8.8:53 muapr.biz udp
US 8.8.8.8:53 wxgzshna.biz udp
US 8.8.8.8:53 zrlssa.biz udp
US 8.8.8.8:53 gvijgjwkh.biz udp
US 3.237.86.197:80 zrlssa.biz tcp
US 3.94.10.34:80 gvijgjwkh.biz tcp
US 8.8.8.8:53 jlqltsjvh.biz udp
US 8.8.8.8:53 qpnczch.biz udp
US 44.213.104.86:80 qpnczch.biz tcp
SG 18.141.10.107:80 jlqltsjvh.biz tcp
US 8.8.8.8:53 brsua.biz udp
IE 3.254.94.185:80 brsua.biz tcp
US 8.8.8.8:53 dlynankz.biz udp
DE 85.214.228.140:80 dlynankz.biz tcp
US 8.8.8.8:53 oflybfv.biz udp
US 44.200.43.61:80 oflybfv.biz tcp
US 8.8.8.8:53 yhqqc.biz udp
US 34.211.97.45:80 yhqqc.biz tcp
US 8.8.8.8:53 xyrgy.biz udp
US 54.80.154.23:80 xyrgy.biz tcp
US 8.8.8.8:53 htwqzczce.biz udp
US 44.208.124.139:80 htwqzczce.biz tcp
US 8.8.8.8:53 mnjmhp.biz udp
US 44.200.43.61:80 mnjmhp.biz tcp
US 8.8.8.8:53 opowhhece.biz udp
US 18.208.156.248:80 opowhhece.biz tcp
US 8.8.8.8:53 zjbpaao.biz udp
US 8.8.8.8:53 jdhhbs.biz udp
SG 13.251.16.150:80 jdhhbs.biz tcp
US 8.8.8.8:53 mgmsclkyu.biz udp
IE 34.246.200.160:80 mgmsclkyu.biz tcp
US 8.8.8.8:53 warkcdu.biz udp
SG 18.141.10.107:80 warkcdu.biz tcp
US 8.8.8.8:53 gcedd.biz udp
SG 13.251.16.150:80 gcedd.biz tcp
US 8.8.8.8:53 jwkoeoqns.biz udp
US 18.208.156.248:80 jwkoeoqns.biz tcp
US 8.8.8.8:53 xccjj.biz udp
US 44.213.104.86:80 xccjj.biz tcp
US 8.8.8.8:53 hehckyov.biz udp
US 44.208.124.139:80 htwqzczce.biz tcp
US 44.221.84.105:80 hehckyov.biz tcp
US 8.8.8.8:53 kvbjaur.biz udp
US 8.8.8.8:53 rynmcq.biz udp
US 54.244.188.177:80 rynmcq.biz tcp
US 54.244.188.177:80 rynmcq.biz tcp
US 8.8.8.8:53 139.124.208.44.in-addr.arpa udp
US 8.8.8.8:53 uaafd.biz udp
US 8.8.8.8:53 uphca.biz udp
IE 3.254.94.185:80 uaafd.biz tcp
US 44.221.84.105:80 uphca.biz tcp
US 8.8.8.8:53 fjumtfnz.biz udp
US 8.8.8.8:53 eufxebus.biz udp
US 34.211.97.45:80 fjumtfnz.biz tcp
SG 18.141.10.107:80 eufxebus.biz tcp
US 8.8.8.8:53 hlzfuyy.biz udp
US 34.211.97.45:80 hlzfuyy.biz tcp
US 8.8.8.8:53 rffxu.biz udp
IE 34.246.200.160:80 rffxu.biz tcp
US 8.8.8.8:53 pwlqfu.biz udp
IE 34.246.200.160:80 pwlqfu.biz tcp
US 8.8.8.8:53 cikivjto.biz udp
US 44.213.104.86:80 cikivjto.biz tcp
US 8.8.8.8:53 rrqafepng.biz udp
US 44.200.43.61:80 rrqafepng.biz tcp
US 8.8.8.8:53 qncdaagct.biz udp
US 34.218.204.173:80 qncdaagct.biz tcp
US 8.8.8.8:53 ctdtgwag.biz udp
US 3.94.10.34:80 ctdtgwag.biz tcp
US 8.8.8.8:53 tnevuluw.biz udp
US 35.164.78.200:80 tnevuluw.biz tcp
US 8.8.8.8:53 shpwbsrw.biz udp
SG 13.251.16.150:80 shpwbsrw.biz tcp
US 8.8.8.8:53 whjovd.biz udp
SG 18.141.10.107:80 whjovd.biz tcp
US 8.8.8.8:53 cjvgcl.biz udp
US 54.80.154.23:80 cjvgcl.biz tcp
US 8.8.8.8:53 neazudmrq.biz udp
US 3.237.86.197:80 neazudmrq.biz tcp
US 8.8.8.8:53 gjogvvpsf.biz udp
US 8.8.8.8:53 pgfsvwx.biz udp
US 54.80.154.23:80 pgfsvwx.biz tcp
US 8.8.8.8:53 aatcwo.biz udp
US 34.218.204.173:80 aatcwo.biz tcp
US 8.8.8.8:53 reczwga.biz udp
US 3.237.86.197:80 reczwga.biz tcp
US 8.8.8.8:53 bghjpy.biz udp
US 34.211.97.45:80 bghjpy.biz tcp
US 8.8.8.8:53 kcyvxytog.biz udp
US 18.208.156.248:80 kcyvxytog.biz tcp
US 8.8.8.8:53 nwdnxrd.biz udp
US 54.244.188.177:80 nwdnxrd.biz tcp
US 8.8.8.8:53 damcprvgv.biz udp
US 54.80.154.23:80 damcprvgv.biz tcp
US 8.8.8.8:53 ocsvqjg.biz udp
IE 3.254.94.185:80 ocsvqjg.biz tcp
US 8.8.8.8:53 ereplfx.biz udp
US 44.213.104.86:80 ereplfx.biz tcp
US 8.8.8.8:53 ywffr.biz udp
US 8.8.8.8:53 ptrim.biz udp
US 54.244.188.177:80 ywffr.biz tcp
SG 18.141.10.107:80 ptrim.biz tcp
US 8.8.8.8:53 ecxbwt.biz udp
US 54.244.188.177:80 ecxbwt.biz tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 znwbniskf.biz udp
US 34.218.204.173:80 znwbniskf.biz tcp
US 8.8.8.8:53 pectx.biz udp
US 44.213.104.86:80 pectx.biz tcp
US 8.8.8.8:53 cpclnad.biz udp

Files

memory/1040-9-0x0000000000800000-0x0000000000860000-memory.dmp

memory/3012-12-0x0000000001FC0000-0x0000000002020000-memory.dmp

C:\Users\Admin\AppData\Roaming\764a41afd590e271.bin

MD5 7f0e6e5afe5f3e108b3ef6d25dd94a2a
SHA1 327c553fc25b70a23b390a33dadcd4e3928446e5
SHA256 044a8ef96a1010e09cd9c75a5db98c44f63dff4eb2ccad7fe6f1509e8721edb4
SHA512 05a35e031ef657990c30d3e8281cbf562172ed9a5ad8491196ad068e3c6d95e0ef032fc9f8c3dfa5507648bd25b749941dda162c220637869a061fbe8152ddfa

memory/3620-28-0x00000000006C0000-0x0000000000720000-memory.dmp

memory/3620-27-0x0000000140000000-0x000000014018A000-memory.dmp

memory/3620-34-0x00000000006C0000-0x0000000000720000-memory.dmp

C:\Windows\System32\alg.exe

MD5 a1046a2d777390b4ff35207cd5ef47ee
SHA1 056e51565b9eab50ed23f834781c130cdc8dee86
SHA256 45001eb0124eacedae0842337dfe9219557e7afe2ac3a6b78d26975bbeee7e92
SHA512 229cc7797825276cb0015e83953fe9f84c15698e2a3087e4a00c7aef3ac85d2a7b0ad6b0d8453572e823de4ea5f055fba2eec06d4dc3d99cabce74e78b4283a9

memory/3012-21-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/3012-18-0x0000000001FC0000-0x0000000002020000-memory.dmp

memory/1040-8-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/1040-0-0x0000000000800000-0x0000000000860000-memory.dmp

memory/1040-37-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 ecca8993047150870094c763386eb4e0
SHA1 e77376a1868359b6270fe9924477d645bd5d7d1d
SHA256 bc2822a5efb199dcc655254b162e8e690280697a639ba9b6901133798470dafc
SHA512 28eee493fd526ef4227665583b28d600954d71babf027c2aa6bc8d72684d4ebe8b84436dd75a7fe29b6d17c8fd91f27a08e4d9deb53e8460a518bd7c09ca297c

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 c2c21cba3d8f0fa1e35108c60501b53a
SHA1 9d07b60f455d771e2c3d441cd9d44b6d1f83bd1d
SHA256 be61d39d4fa36aa0de9b8dd3036c0b39e6e9545d13cdeeb31bb9478f741e68e6
SHA512 5c67c818cd04211fa42ccfa57d9df1c8db1f040e29d64ae69f37ec9c1ab124ea2ac18ce8958c84016f1d84b93e1a269a57dd65f5b019a3fa315ea6d99dd59ac9

memory/5104-53-0x0000000000680000-0x00000000006E0000-memory.dmp

memory/5104-52-0x0000000140000000-0x0000000140189000-memory.dmp

memory/5104-44-0x0000000000680000-0x00000000006E0000-memory.dmp

memory/4524-62-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/4524-56-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/4524-64-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 d85e94b48d46c19178a3d722a5d4a7f1
SHA1 4bd1e8d871b8c458f67f05d69e471337818a5402
SHA256 f0f346342066a7780e62ce5b2eef70ae97af2cea2ad0572baa88b21d030f07e3
SHA512 e60b90b766209d009d5dcc198c37fb19198b669e6e89dcbf4b025e7e6ca60adc5e10703a0d02459df167bbec3ae21bc462f6df43ed0b580277a59a76042b61ea

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 bb4026e5c25dc1fcefff250322d95c62
SHA1 173de59d5ac2a19c4a441a311ce56dba292138c1
SHA256 d465aad56deabe9c0ccc08f8fab4fc863f1fa3daef2a077241a4504a7b78a47f
SHA512 9ebac3059b52bb6b1938a54ac59527b27ce73446904912e7bc4134cb4dde482d80724602de2fd3d47ead4223d69dec2c991cee51a8a0230c8a25f49a195efc5b

memory/1844-74-0x0000000000810000-0x0000000000870000-memory.dmp

memory/4524-79-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3996-87-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 bbf19260339b7fda413af6aaa8ee8d92
SHA1 9504c6d6f23e14f090292c6bc6d7c17f3797398e
SHA256 7a145df14700fb614fc2690217ce80af3b389e213b89a1c7e96a7f295cb18945
SHA512 57c2a52361eaa3548fb16876593ba807e3f3d756c0e1ec420755636697ab8837985cf1063394241878404da0d63bff6d60015711fc1986f6c64b0bce5230e93c

memory/2984-93-0x0000000001A70000-0x0000000001AD0000-memory.dmp

memory/2984-105-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 070c51f755419c87db34085108ebd3c7
SHA1 00dddc5bbea8dfd8a466d7f306baf41613279c71
SHA256 98ff1ce740db253226b3519f871285d2100dcdf72f8d214b6b1309b24cc34fff
SHA512 bf150cca15484b9ecb3e29173550d58da47de59f81dde14401e6e8b721d806c8e4f6cd642e17f31b91eca91f32470ef526c39a8987450a15b174625eb334d00a

memory/2984-92-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 5ac5f6323a0b04dd344aa890ac0be709
SHA1 7613e8bcbf33ff060cb9b3d124813f2f1b4464cc
SHA256 f26b270cd32d5a3f055cb897e6965f53f4a5cde34c962a0771f0ea39b5150ddf
SHA512 b04d782d859b7cb26ba06997b87525a8db5942307256292232e5526e2f753c0a536c022917d858f4ade3974bbc977d7422d19ec1240b38167855b82ae1e86bb1

memory/3996-91-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3996-81-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 0be012e44ede9869b87e556073af2662
SHA1 a4093e32aea4e4428aeb0cf3a474ab0b761c68e5
SHA256 f495a6473eb3e5655db1e75ae341741dd949237838bd00a8236f3c279202086a
SHA512 6f8079219f5f62bf40ca76b57e1b6b7898d65e1cc35ea307e6a0de9b4edf7a07581950c557d20aca2f4bb84ecf7c35dc880a7cf8a62749f0f7db5433aceb603f

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 404f5e2ea71a550c5b946b4b1cf83a72
SHA1 ffa27e885efa50a33ed2dad23715fdc5b5e877fe
SHA256 2d7c1bc2e5709b4fdc3f1aa16e28daed8342bf55abccfc13145dfd6cf110987e
SHA512 7fa41d988c7ce5c8f6cead3c216db745285d28ed075a4949ab465c77a4e051edc98fde822747149cd0748c772f39c4e97d57825c9de6b3cc10e4dd2d40da9023

memory/636-135-0x0000000140000000-0x000000014018B000-memory.dmp

memory/876-134-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 6df61ba946cd872d214114bbd0be0176
SHA1 6c0ea939590ecbea65db740a58cfb6b429bc6138
SHA256 030dad1a42183abe476b586378b85b026c2eddd73d7e572a225c4272ca43f4b4
SHA512 85039eb1ec7257f9b2fbff18d37f0185b713fb1c9bffbf90f8e83b8f018621c39a9fdc4dcd6d680e556ed217d400755ff7358898a479c1d00f53f419f7e2a9da

memory/2712-147-0x0000000000400000-0x0000000000577000-memory.dmp

memory/3620-146-0x0000000140000000-0x000000014018A000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 f52c00e389a6ca36404719d8a0fb450f
SHA1 616ae8b6bf9fa06a84438cefa6795616bab81141
SHA256 0b727198b1dc60fb5627d682461701d0c8074656beb8219040c890fcb728ebd4
SHA512 6d29dcc296134e31bd777f3b9e3c45cd3e1a065e6ed1fee7263baff1a2d401d18b71e17c8f094c33c411f8ef01a570575884a7d73ff0013523b90e7af6244f06

C:\Windows\System32\snmptrap.exe

MD5 8434060de8871493426a37f0ce75c1eb
SHA1 8319355189076a1640c289fa17ac844422ee00d2
SHA256 216f1681134eadf0a133b7386f13217f0f17ddb394dfd3bab63a7ffc262a8b85
SHA512 3dbe2ba8bb24cff83baa96d684896a63bd2e213b9edef8923e81510f00867bc5ba50dc11c8657c563f63f814d7c0a0f979387790a1665cc7ca34a471d5854ec7

C:\Windows\System32\Locator.exe

MD5 3f999ce74fcb1bb97e623d28dd7bd910
SHA1 5049f3159634335dd881b7c35fd58dc5b7d75fbd
SHA256 d5d05e31443d0b597b91b9b72cc345fd48171947660823b4fc015c950cf63a6a
SHA512 dd33146157aaaa8aeac8242ae3e508c6fbe1451faaeb841510e2ba3d4eda9eafc35cba6c04691129c80404db2aa0f83ba59895d45c94f685c986c96465de3d2f

\??\pipe\crashpad_2700_ZVZRENHZQGGKDGED

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

memory/3672-207-0x0000000140000000-0x0000000140169000-memory.dmp

memory/836-206-0x0000000140000000-0x0000000140176000-memory.dmp

memory/4196-201-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4892-199-0x0000000140000000-0x0000000140175000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 b16ca6ad3cff55b6c771c2c8c760123c
SHA1 b5e5047bfb688cfcbd0c225bdafedd279a855dd4
SHA256 c4811bb1e52f8e9c9532fe44e90dcf5303a5ee812e2a71c496b97bd9cc406a0c
SHA512 88e42a015b135a8061725cf71ddf61f2737c1386a064b72ebc001fbaf157f5013376c82b377004c952608530626e8b1c2e1098d5182d80f874d803f7d652e3a4

C:\Windows\System32\Spectrum.exe

MD5 cd1ccbdcbf6ec97fb7227eaa0fb07c0a
SHA1 2819fc48540eabbf6cf3042f0d603501d6bd4595
SHA256 6c0979505ff5ca2261e7c2d08c7bfa2c6519cfa1ba1c57e069b4e8e792828350
SHA512 649c9220c8d2712dc9249aeaf9c210176213a7cda9ae6ed2e6f7828528534ff15237d1057f76e7c21ada243e0053329a6538e639f5f8c827626dcb34c8035257

memory/1340-131-0x0000000140000000-0x0000000140199000-memory.dmp

memory/3012-128-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Windows\System32\TieringEngineService.exe

MD5 55947b636d0304400b178d21f26f0574
SHA1 4d41f9c6979b04e5bd054c888c21f1b15582e77d
SHA256 33e6d2bbae23b6cef64029961a4b582569d5de14046706a96b9aff05bc6f048b
SHA512 fb63b68197a68809a6114bd50f65ec3bf758248a3a40daafc77183782b59807b15f1f2d14a52d75a2ba0739b4dacdd084514a9d1213edc98ad78a0737d6c0c4a

memory/1844-231-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1616-242-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 ff902abbd31425d9c5cf012dc39866fe
SHA1 4b25c71d7a6ab5171d4baf9e352b99276f4bc8a6
SHA256 09ccc2851781543075b361dbd4571b8c172d95f49fe1593777b5c3646369ae68
SHA512 923d1ce9a3b800e762c5a909914fdcde3d88372a99d23428e0e2fcace904492fe351f781c9ddfc13e1fa6de73db9f5d64e7d0b9d4081d2f2c2e0454ab2b28fbd

memory/2984-228-0x0000000140000000-0x00000001401E2000-memory.dmp

memory/4524-77-0x0000000000D80000-0x0000000000DE0000-memory.dmp

memory/2472-255-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/5044-265-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\vds.exe

MD5 2ee7d93db5113be32c11216774b5d9f7
SHA1 6d7fdb2cbe821557a13e05f1d1b76d2e3925d07f
SHA256 9984f388f96581cf70941abec67422b5a335b37a736908d24981274ce215f30d
SHA512 d1eff20cab302844f48fa97ebe882771e5f2cb8eaa8b6c8d3c8a113bbb822e8ff89bce7f9442c86bd68993cd50eca281ad73c88d0eec0bec77c2ef53c3aedf85

memory/1844-68-0x0000000000810000-0x0000000000870000-memory.dmp

memory/1844-67-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 3895b1b60ef050cfcca2537affa7d1f2
SHA1 21279edbf1af2268941932fe36b5f232c1594b67
SHA256 01a63cb3a642a2c19c2aede92a97a8b853b35b959dd01562cd0757bf063ff007
SHA512 3a53636e6765adab6ce7a4161b93ccca7e4e3cf974b6223f320201e157ab6a3a6f7e94c3d1102a4eb458fc1723bd99f95dda93b0ca8d6cb86795125524161c78

memory/4824-276-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 bdf83baa2daa13d9476725ff19cdb3db
SHA1 7fefc02af7076e585c981976dd1417507f285fb0
SHA256 5e1fe7753d262adce4267109d46cec4956486d29bc92409cc2a907d8e8b24067
SHA512 14bf816a3c32a474df574758196802a6443ff5655de85d49c10d5c1f5806767186651121f806a3a3db3c47ab555465965fabc712139864b3afddd8a41346329a

memory/3996-279-0x0000000140000000-0x000000014022B000-memory.dmp

memory/4868-288-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 e1f788a2b8b2efabf370b899730e9c6d
SHA1 1fe2c733956ee2e50df63a22c4f2913fd4276987
SHA256 755615f631102d30cf278e45ca239508fdfe376ba0d0c502c7b7f500efdbf991
SHA512 ab150d1f09960490a5ed3dc2b5a32712b3107c302350c1c7aa082c63127ff1d99ce9595d247cb22872e1ab986a0ece4a9367881144803fe4fe5723ef79263d1b

memory/3232-300-0x0000000140000000-0x00000001401A6000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 4000bf73043206ad70bfc390656330b7
SHA1 dfddbd719f43424ca3d11f85af8fc4a5532f1bb7
SHA256 0a6977f004c8ba758360452bb6a55a3458ead57b16008612c7db31708e392c16
SHA512 499acb5ee24a07b271ca969014e08f510805fce1ccbcba15a0b46a43a7bc23697105122a4b7116195a1bfab583ad6a198e2631fc8e1781b80eb78ce9514adc9c

memory/636-303-0x0000000140000000-0x000000014018B000-memory.dmp

memory/4452-312-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 8b8887883c46c36c0dfa29383b8c5c68
SHA1 2b55caea553d94b4961313e695c0d1d3dbf48be8
SHA256 687b36b1392e5503cde2b38566b7c0598c34fb86044d9940f8879f6c0e6e529c
SHA512 ab635a8ce717ffc0a569b5b2143da1c3743abfd7565b1ad30d9ddf7a306c31fe6475c3b8cdcf30c4e2be856d9f91ab0d65aa665761cc8d8958959ccddde00a1d

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 f0163ab46f449cd7fef4864b1e4680c0
SHA1 f3aae1c1fef6f4711349eb9b7f3acebd030aefe2
SHA256 9f7e5e812dde33f6607c9022433e9d076563c60528e6e137a6bea81bf60f4b94
SHA512 b3e1fd42039f22321d6b98eb106ca58ee29fedf78b7475c9e7631ce36600c8329db27cdd2474c43c4c299670c148e05ac0b2e4ea551704495280a73df1fb7937

memory/5576-511-0x0000000140000000-0x000000014057B000-memory.dmp

memory/2712-501-0x0000000000400000-0x0000000000577000-memory.dmp

memory/3672-513-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5652-516-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5732-528-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Windows\TEMP\Crashpad\settings.dat

MD5 95c33cc1969930fefbdb95f99b2a9882
SHA1 cd2cd226b2c6f6de0bb090f9ffadb8e643a23970
SHA256 53b715becb7434a9ec7cebf218a7397d5c30fb50f6d3ac578728024f00ba194e
SHA512 c5992c3d6c1d20ed54d7e8cee2d3ac42d929812b770ae770881b4d09475b23cdd5afb323f401ca81bee5566f09638581f8e86b717bfdaf11596e7398978070d6

memory/1616-529-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 9978d7a7a29b2060f380b02438476538
SHA1 64748f47047481880e73e79d8a7ee2949936bdf0
SHA256 c6a38fafd28d7a2624802b13e682bf12ad48f0a8689312275664b6f376582590
SHA512 ce67e436e1dd24ee0542498fe1fd8900051f878b1cd1d82ff1b814ea1f6d839e1f2bb9832b3a146ad29a29fcb4356f9372d85abb0fea214b9bc4bc2d7730a011

memory/5772-552-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\a43bde27-42de-4e92-9347-36f9adc75389.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/5576-581-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5732-570-0x0000000140000000-0x000000014057B000-memory.dmp

memory/4196-593-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 526a6f25af4a53698308aa21aa358790
SHA1 4f55b2d279f898a933b98680b618e4e3268d01d9
SHA256 c04980bc74c3ba581a80234836ad0ee891b36d3ab84c388fcc30762402cd8c58
SHA512 f2b232bb61a017273b2898e6d23ae94b314084a769245bf7b8281dda94151c1e9e8af9b2f7612ad046a1e32dfe36c49e5e78856e29ec2099e965014693dbf5b4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 8e04f33675a07b4a0d91ba93082ee8c2
SHA1 3c21c769ffc9f84249b90c9ae38668cd6c060a18
SHA256 a1edf65f0bfd33edaff310b1cbba1817bc446240bf38f6ecf689ffa94da9c815
SHA512 20307aaae7e9ee1c61c5de671ed72358f5a9b987b4903acc7f548ea978a604a84096e54be2f15b8ba274b41d3fbaea7ec857cef006b75bf963e777473127e0e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe576225.TMP

MD5 17452b252e572ce0e1d15bd52b3d96dd
SHA1 76e11b2ee8ae5cfbac60be4c4f1609879da3586f
SHA256 078b9af3cc02d4ce24f484c105def6fa6ab3b239269d39b503bd592cd8721ca2
SHA512 23c427290207f4496388e375917532a84121cd606cf36e804d2c30439167068e4eb43930ed32d406fa86cca6cd7f38d3c4f2f3f0bfaa9e157c6cec6e1e8546cd

memory/5044-608-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4824-609-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 5727f75d977424dfc0d502b93db16120
SHA1 a1ce74c8371835a770eda0e3ede7631a6d08fa70
SHA256 11b42ed60da38472f20fba9a151d59f47285f1e429fd1790097e5de8482b26b5
SHA512 0ce0755ec7cc33db422cfc49dd9f9a83998f36f0fc76205de6593af503b6dbc013a24fe165a75b0e02d73ec79862ac8d9d312ba231dd3be53a864073e01dedcc

memory/4868-619-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3232-620-0x0000000140000000-0x00000001401A6000-memory.dmp

memory/4452-705-0x0000000140000000-0x0000000140179000-memory.dmp

memory/5652-706-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5772-707-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 c4cb9bfc070aac791cf8b47e6efa391c
SHA1 dcf1a2c33126eebe290eb011875d4cc517680443
SHA256 0c76b00ae824b81f4881fd0f68c301103d32b608f23cce689380875aab286364
SHA512 b0387619071fe11ff3c7bdd62e894e2e00ce4e16791f04e45170af2e8a18f682fd8c41e2f9589d3b288e231c21a52bb65b100905e3fa70b803550133b4e92d35

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 f9f4a4a39e43ca5e8c4e08fdec2df215
SHA1 f857b05254818f4efa9eff9013ad47f9788132fe
SHA256 ca9c92a9769404cd2735d3de6af2b30c912fe6a0f04d61543a035026ec00861b
SHA512 f2acdb818ce054fdc811fd09491783ad71e72f2b4aec79abfff0337031867bc470f63f94c6b5f893232f0cfff8d52c25034b38f595d97db059f38efb777df1c6

C:\Windows\system32\SgrmBroker.exe

MD5 f2be0ff7582889db666849f73ab64196
SHA1 17232663ced08cdd737c7103d1eac7934f037a1d
SHA256 a15dadcc20adadeedc3d58ff2f2d06d818c611178f7d1dbaf6b7581daa9c4337
SHA512 73630d106f5c9f6628e2a3b4b3364bd2fd71b33a51b21e917acbef7871d73332be7c3c45a529f81716377439dacc684cc7f8875cfa4d0580ea7e9a2a1c1a88dd

C:\Windows\system32\msiexec.exe

MD5 98ca8e6313106c86a496ffeb952618fa
SHA1 563f4b6137f7818b64204df492769922fb99a5e2
SHA256 b3f2bca9b23190e313239031a29c0c69c6871f82d9940dfab552fdb17803ad9d
SHA512 2f4908275dc6c44543ea2edbcdd8850f0e8c06d08f7a104a004ea8febea01ad74791aec7584240360a45dc272a5a2b375824652663fda9332e69730587822815

C:\Program Files\7-Zip\7zG.exe

MD5 e30d8d3df6c9ab338f1f85de374c18a0
SHA1 d3885aef9ffc7121961c7231068a7c59a2e91bab
SHA256 ff0aa1f8c9526075e78b0600a43334102e923fadaef3d9f3f51b31f04a5c7e73
SHA512 f4949ba2490cf91a3b653c74b89cce673cba5f7b23b91ff7b02b430ce97f43bb5e5dd128d0db802d17cced20ac6734a27216b6ec76a7ab2479f9662fb90d5125

C:\Program Files\7-Zip\7zFM.exe

MD5 9fb0139ac95f38ab51f3073e50e0bc4f
SHA1 d1c2b67cf5c8f2e1be30cc0ab4d06c73fdded0b8
SHA256 7bca3dd3d887f0d19af80338e65c07842e63f27636ac4a40bcd5a61109e4d6ed
SHA512 20ccb3bbe2ee7bee454646ae29597c34ef957aef7b013883b101f19926684667dfe3cdeb7b23f4fedcb78423ce4f0c75c199acdd79e40b850a296e67d5df2646

C:\Program Files\7-Zip\7z.exe

MD5 009396ef0e7bc54de6864aafcb9bd897
SHA1 57d5f96ca3e78ccf8f0f77cfba761201154f886a
SHA256 ce23d6cfd72dd9b2e50f0017aa2a7e436f6fbbb567d6e84d5042f4549888fbeb
SHA512 e6a941db7120ca9ec44ef49ab0c2068510462b9e38e3e76f82bbdb62e87fe70347f5a812da7b817b047faccd1cb40bea3c99a16fef91223a17b6b449f4adddc3

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 fbdf33296858eba50f6fcc1529141b2d
SHA1 02891572a70873aed64420e78077d6d579afc259
SHA256 143304d41c53edc65eb56bdba42e98a393c7947ef5d56490e4f5712a59f670cc
SHA512 a0e19b5e3f1fe12844f64bf0bcd3af1385c330e40f6a280677f9c3b5cb9c1fd0bc39f5332a96f0018010fdc723fd364981324e3418dd88a90696b78d9cecd0d7

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 5a38d80af4ab95e03d8bbd0d32eb210f
SHA1 3a322c07ba9aa2582159dfdbbd6c43b07b5a648e
SHA256 8ed41dd7613a9899be45c5f8ad00abd68a46bb8fb42233f379651c1fb6d22470
SHA512 961be87f014712432905c48d45286e920b83a2c4e93c5a7b461daadc4168cd2aeec1d9f3159ef96e717418d40464f3df92f9e711f2744022122a43a8712dd3c4

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 ce6ce24343bce9bf6bddd458872f94c2
SHA1 d71c04c8592175d3b207ade98314b518bba4bf36
SHA256 ad3b9a5c1a8c3942a1bb5d720234a3115b7de175ab89a0b9b535260fd2578a93
SHA512 a5e9946082927dd7817aeab33b9fa2abd15cf4046e2c62882f8f69fc0ffea8b4c674d3ad4dee6c20ab033bf281e581a781921aae7553e2212bc806b523e7b293

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 432634f01658519894f5aa8bc1025162
SHA1 ee8dab6b3fa345b75eed43bb2afee74659eac117
SHA256 3753cd248b583db8a663c9da5bec92868852f7520e593b7b9f720252f961992b
SHA512 392cd978b6c67769768abbd3a4a75fffe7817a4705468e9963ececaad2bc645c8464f308ff86be65f0616722e7b26d9ac1f73046f47481a069cf9116ab3740ca

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 4579036d5b0282e2e6b734838ef97271
SHA1 d0b6b48d67e557446b48b19787980fee79a8e9ab
SHA256 d8352271fa870c9a5c6d048a46e5ccb23540e26345cc6c720d22e024e2df0bec
SHA512 fbefe58425843c7a0d482e4ef5091af2d7a071dca1c83b5cfbbd4e05348c24ae41ee592e7b0043f496661a0a7a8486c1db1bf93a9af3b45aa0f6a5e0a58fde3f

C:\Program Files\7-Zip\Uninstall.exe

MD5 9857df57af4ae15222d59ea98c72e12b
SHA1 c3a8f7d8b07b8b066a68a63aaf6f826f11f2978a
SHA256 14767dfef1852716860c644943c8997beb0b21848c3a77ce41f587a6ce138cb9
SHA512 f40ff10263431154ff75c092f2c9be09f702e954b01c6845bb9496c1b7be61ebf9a9be340f6158ca38c69740b6fa1868308f67c99777943a75505648df27c07f

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 710f83a0603f5a750e5a8f252819c9c4
SHA1 20c4face11a1cd08971e06ea39ebd045afd95d8b
SHA256 c34562c69efbe3bb1a1365b140c19d4132d1f96807fe05422e1ff24732e5ab80
SHA512 62f9fd9a3e326de40974285366df2c8af12b3fa04c946371c2873856ef889c061bd16d84a3e0db231820b9b430cb339badda3ccbdeb180b144a34f8c2d950755

C:\Program Files\dotnet\dotnet.exe

MD5 a9e27ad734aa5a2e2eb2561a03a6b10a
SHA1 01f963f23ebb71417d223df989c373e3915593be
SHA256 945f063cb384e55823fb83f8ea634c3406b8d861dbacf650e14a8869194a5ea9
SHA512 07473ad957c850b8082dec318ced808ede58aa2bb365e3c2a24f21fffe8365c5da5af67519a3211cfbd3cd501c8f99c561074d7a3728618dfe79f453d9093476

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 b5dd83d5f1c2efdaa757b955d8d4fa03
SHA1 cc7dfe801ce75926383a75d3e4f3b4a994214a46
SHA256 71469cc652b5576677292e2d3b1d7e7275693ea8f8401bdbfb63ba3c962d1714
SHA512 9209b3ce0385c89cabbe99d0ac61c3fe9ee1eccfa192cb87b1c7cdbaee755b133586bedbae880afffa72b91c9bda6defcff09d60e1ac0c1cab1f0b4a1c5b717d

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 3d64a8499148a15dc557562d4682836e
SHA1 1fa98e528609d0b9fe77604ff2437c75f2c7bea3
SHA256 6bd8ab419673d1cdfb237168f8f9ad21d7b256724171ba7f1b6328be06c249c9
SHA512 1fbfad1fb0a01be29a63a2f797ceda04a33ffe86837dd294fa5cc00bdd43c1c3ac7528660e395eb22d56223eb4e821c18193e55f0a07b5afffe58774e7736c6a