Analysis Overview
SHA256
df54c8c36328948a77df913e7f1edaa9d36bef9e728f031f6f6b7680faca3027
Threat Level: Shows suspicious behavior
The file 2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 17:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 17:45
Reported
2024-06-11 17:48
Platform
win7-20240508-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe"
Network
Files
memory/1368-0-0x0000000140000000-0x0000000140592000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 17:45
Reported
2024-06-11 17:48
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99718\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f78503127bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035c6153827bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | C:\Windows\system32\SearchIndexer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c734a83127bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-11_14d08d46bd7e324c58a1162b75cfd126_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5a4eab58,0x7fff5a4eab68,0x7fff5a4eab78
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3916 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:1
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x294,0x2a0,0x298,0x288,0x29c,0x14044ae48,0x14044ae58,0x14044ae68
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a4,0x2a8,0x2ac,0x2a0,0x2b0,0x14044ae48,0x14044ae58,0x14044ae68
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1908,i,8386706413199259181,16683728508607092848,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| US | 8.8.8.8:53 | xlfhhhm.biz | udp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
Files
memory/1784-0-0x0000000000510000-0x0000000000570000-memory.dmp
memory/1784-9-0x0000000000510000-0x0000000000570000-memory.dmp
memory/1784-8-0x0000000140000000-0x0000000140592000-memory.dmp
memory/1912-19-0x00000000006F0000-0x0000000000750000-memory.dmp
memory/1912-31-0x00000000006F0000-0x0000000000750000-memory.dmp
memory/1912-34-0x0000000140000000-0x000000014018A000-memory.dmp
C:\Users\Admin\AppData\Roaming\56c08b5eb4b1389a.bin
| MD5 | 55189096f09f854a817f8cf0aaa146b2 |
| SHA1 | 7cc1fc44a92fdcdc66d3c2356e03a31ce87d18a7 |
| SHA256 | dc0b0ca4c6b6b6dda201bc9ff94347b8b52ffe4cab87edc3bc73f1acef128c97 |
| SHA512 | 6a0d37aab97646f0709b09d215c4262bf1639cc6f2f9890ac1a2c07883d4f52486250d26ace5200577dd9a9056490eb074b24273c6676cfb469d0949771f9d9f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 2cd879c3b1b25f881f4b7ab71b67a095 |
| SHA1 | e8c477526bb5bdddd659fdd44606060d83e703ad |
| SHA256 | d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a |
| SHA512 | 95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a |
memory/1784-41-0x0000000140000000-0x0000000140592000-memory.dmp
memory/1056-52-0x00000000006D0000-0x0000000000730000-memory.dmp
memory/1056-46-0x00000000006D0000-0x0000000000730000-memory.dmp
C:\Windows\System32\FXSSVC.exe
| MD5 | 14df5d71b03369a75dec99574008bdc7 |
| SHA1 | d1fe7fbc7ae8b7eb14cd47cde7b8affd31842375 |
| SHA256 | bc14324b51bda2b9b2504306d6f64515bb4ae2f02d3b6f21df57ef37fc00a899 |
| SHA512 | 68d3f1bbd0b9b5f1185275ee9bc98c7ee0451d659308bbbb281783139a3c66d1799b128bb7c5ce8f627c6f20a018193f06034cabbbb37c141200c2233fcae390 |
memory/2400-66-0x0000000140000000-0x0000000140135000-memory.dmp
memory/2400-63-0x0000000000A00000-0x0000000000A60000-memory.dmp
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
| MD5 | eae289476278e8dfbaa4ed84686d4b10 |
| SHA1 | 4236d400c86b729263ab73807bd09b51bf7b793e |
| SHA256 | 436e72421f8d8d0910f964e1995d60b60d078e958f63db31e31c207ab52aee8d |
| SHA512 | b3648cb39b82b3569abdfc3b447b458da9609d3a1551600986b2983efb70321e978489065d8a2b6454f9f014a464b1a6ff394df0562f8bf75a8d52ed0707a323 |
memory/716-75-0x0000000000800000-0x0000000000860000-memory.dmp
memory/716-69-0x0000000000800000-0x0000000000860000-memory.dmp
memory/716-68-0x0000000140000000-0x000000014024B000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
| MD5 | 948655463bd5e46e4f53f16f404ff713 |
| SHA1 | dfa89f899c0f6a6a36655a38e23bf345e98cf4f2 |
| SHA256 | 814bb446eea4ad33d5dc891cbade0fe58e8c795beeea21419434077b61454971 |
| SHA512 | 01cf5628d504e69c12875f9634dc9c561e19c8ea7c55f7a350c4bfacf478fe90782c3974cdd76927d085dca7b9a0eaaa1dcc4e85d42c48d8c381a1a88bf443fd |
memory/4848-88-0x00000000001A0000-0x0000000000200000-memory.dmp
memory/4848-90-0x0000000140000000-0x000000014022B000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 86988a50829a6395696d1a217fffaac4 |
| SHA1 | b393d15e1a023f87371735daff95e21bc39bd350 |
| SHA256 | 96eb22116ad693f3f3b9f3d869ffae23cb524f2415292f1af0178cfd28598efc |
| SHA512 | e91be88ab3c5b7ca462ed55acb7a70f01b8897a9e172b2a75d4b319ed7297a518921f1e43eadbca1d99ab8e2dcb9541ab4a473c3fd2149d64a9707d70e956123 |
memory/4568-105-0x0000000140000000-0x00000001401AF000-memory.dmp
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
| MD5 | fe28f8a05d14c113b7c29321db661382 |
| SHA1 | 37013a18297303314b9342dd579f13910a852841 |
| SHA256 | c9aa8a7db489e8366e990a93e8d5aef07c7d0f0f331440ef824c18865e28bad9 |
| SHA512 | 3aa0511173fb1b56e6ea9e057a4ff6446708b828954229d12bb842990923f16809234b29e7631042c38b3e3ac8260cc1d91065cb771d2816a8a636ff40eacf46 |
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
| MD5 | ba9ed45e6a32567bd41b9aa71efa2989 |
| SHA1 | 0c1ba0ed0cdd5bab4f874950869feb9f6afbf656 |
| SHA256 | 91e282a6f61ef7e1263922401dda2fa05817351970d88ac7ce440e53c5cd3b5c |
| SHA512 | 2c7f1f92af840fc0b34cac2ebb9ca8cc788f85b1000ce3b47b691982cf1b6dfb57b1b36182a5b56d40db88f3b096872782bcb2788dd36effeef4a323dd4ded3c |
C:\Windows\SysWOW64\perfhost.exe
| MD5 | 5ff1fb764509f6f04ed23cdb41bc0fe2 |
| SHA1 | 2eb3229c2a4d3129cda60e4418fd1f82415e3ebb |
| SHA256 | b3cc45e519f378559658843607e62ffc7e6ab376c9f8f91f25fdc2172744bea5 |
| SHA512 | dc707e557d006bf1cea835169a08f75f925d663754f15b73abf52f23255a2b8dae3ba4ae4dcba86cef428a755c3ec56f7d7880e67114d7ee580ed3003baec601 |
C:\Windows\System32\Locator.exe
| MD5 | e0270c292758ca1ab7a5e3afa9b63deb |
| SHA1 | efeb9ff668be67932ded67297f6a651923a264dd |
| SHA256 | 38de34b68bfa25107b08839774dea30d8bdf5f1f5b757b78ee172f1cfda3a830 |
| SHA512 | 2d851bd9df486eeadb578bb749a1f8c3f7d264927f35b600c358bdc790451da3f863fb9924bf3041957cc8ccbf31f5a93b97929520ee6c007f5ecf73f241c0ef |
C:\Windows\System32\SensorDataService.exe
| MD5 | fc5e816f1c56874792401c12b0afc2a4 |
| SHA1 | 7c00238750a4234a60ed3b8162a8cbe25c0f1cfe |
| SHA256 | e518e98fe573e0a28e1c5f6a405ba2c48d3e2fc77a8f474d28083042df14408b |
| SHA512 | 71a90247b1693413b853ff973e1c455778b4f609ad3d3a97a54921bbc3b7868cbf5bf4351ab1de6d863659950b21cd6475e9266f405cfbc529ed2a05d6e3583c |
C:\Windows\System32\snmptrap.exe
| MD5 | 3e34698ea63eec7d8b3b18a73a9caca7 |
| SHA1 | 029a096e8082fb82dd97eb9148c60cda223a852b |
| SHA256 | eb97dceb25e63629bec71868de33c6047b9a4b4e13196564bcf79fae35146651 |
| SHA512 | b92be5fcdf3a2e28934fe49c709c33f011ed467c9886168663d018f68179986c8e515584baaedc6f08ac4a60ac2ed6572ce574fa76087ef54d7e11bb65230f9a |
C:\Windows\System32\Spectrum.exe
| MD5 | 119331fa89fc1a8ae984a8c26fd58116 |
| SHA1 | ad1c8858d315260041d12b366f0ce6e5bcef848f |
| SHA256 | aa5358ddd9edf4f5c962385f9b76b7eff448ce2c9125d8d2702127ba4db0aed0 |
| SHA512 | 118a10723ebb091051453143f255b69121b6266d2292c9482990107aeb7ae7c3990fd858c905cd4b847697a1b713f5d59d2a08e61b3eed6bffa7d7921164db4d |
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | e767248af8af5e2457ce72d05f46cd22 |
| SHA1 | c3d9296747ede9e56018d2058a2f90bb33bd1e9e |
| SHA256 | 71a53bc7c71401b589eeace74f92985788faa9058ef80358704632e8b677efc1 |
| SHA512 | 71df2faee29c3495bbc548b89330dc4c37ddc9ab8f850fa3e8cf4d87d28442b6cbb477f78a054e2b54b81741a992d0351e5a7432817a958615d9d9e3d8bdd45d |
C:\Windows\System32\TieringEngineService.exe
| MD5 | 27a2b3524a0bd63deb99cbfcb1f7f053 |
| SHA1 | 36fcc2b6cf7ff4d7141856feaec819ec637d1929 |
| SHA256 | 14067f83c19e46ec5386205aeab2d727b60657263f1122d8be36ea19efdf658e |
| SHA512 | 72d535d5d59e57e1ff0960cd7f226cf783768372f8a284efe5805e55a7d07725acdefdab4fcef056c61862f93cc1fc854d4677821f3765444ca689aceac94f91 |
C:\Windows\System32\VSSVC.exe
| MD5 | bb941e6e641ecd97f7e9197479c5d1f9 |
| SHA1 | 1ca8bb4bd39ab6fd32feb4c4ba187b9e12fc4446 |
| SHA256 | 8c16a3d7b86fc78dcd9ee09dc33c73e690b8baa222fe36f2f9c7c59343141030 |
| SHA512 | 0857420c089dd7bad66f378c190c295d54be6cbc4fa62778915d9c62b5c8174e1c0691995bf21434240a8bae6a21b27d72bf1400b1d014d749b88b4527ad2ddc |
C:\Windows\System32\SearchIndexer.exe
| MD5 | 18fbe8440fe2067413eacb8608a70cf2 |
| SHA1 | 43b9930b66edc36b31847a75a77212c7af76defa |
| SHA256 | 4f1a09a52d5d91f6a96ffb092a5dcd44845f0da42aa4983562a8cbbeb8711d94 |
| SHA512 | eba871449722b16442219864fdc3a1e8275b29c44e359ec69cd6bf579f2dcadd27805299878b6139bd401d44633bee261096d33546711c4aa99c1a78f5e39fad |
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | 45550e002e40b689fed3119d006d1180 |
| SHA1 | 8eb04d3e55e9ae24ffc68e90544e31ab0abb557b |
| SHA256 | 46f2962c90b24ee96fddd32182ae14719fc3075759752554ede4edadb8c74b56 |
| SHA512 | 2d8813c00ee26a6648119e2046418e2688c5849c8cbc3ae2656c1ecd6ff4e6c059154a656d3666e701a939eb67aa7cb18efe09cdd3d1e0ffcb30b8c210756142 |
C:\Windows\System32\wbengine.exe
| MD5 | b2faf9a0475f9ad73802ad890c95fef7 |
| SHA1 | 2cd3ef0b82c7c1300e2518f268221fe7e5ab09d7 |
| SHA256 | a1c5ec9ab2a177b4d2d717d25597a82c24a1d7e758ec953f40ec34eb1f896a96 |
| SHA512 | df7364580a988cfe0dc08240496b84b7d1cace3d52c9437a75fe525bc62d81baa4cb26b5fdb833ba2eaf21eb3ba23c9e1d1fb2469af7926b441f9cf65af7a49e |
C:\Windows\System32\vds.exe
| MD5 | 8f85b3d1f79bd9fb76f509bfc48bfc53 |
| SHA1 | ac675ef6ee2696cb0a06b01874aade53513b4055 |
| SHA256 | caabf3e7806ccf56f5f143747ed265dfa306acb4b4d0cf956cb6092c84592a54 |
| SHA512 | cc07f17d337fb8f804240d97103b7e29b6a851efa046beb77ee577c6c26d3c4a3309e0ce1275373e060065da9eefde518945ea97549a195dac88296d0af2c519 |
memory/3620-223-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\AgentService.exe
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\AppVClient.exe
C:\Windows\System32\alg.exe
\??\pipe\crashpad_1488_SIJPHKKHKPYHTNAL
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
C:\Windows\TEMP\Crashpad\settings.dat
C:\Program Files\Google\Chrome\Application\SetupMetrics\dceb0439-af8e-42a5-ad81-109410d85902.tmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57808a.TMP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0