Malware Analysis Report

2025-06-15 20:00

Sample ID 240611-wc75zsvfrf
Target 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk
SHA256 9cd0775071f6fbec6d846f0fffca9bc4b9de8044b4d7f4c1850b4ffed345c61f
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9cd0775071f6fbec6d846f0fffca9bc4b9de8044b4d7f4c1850b4ffed345c61f

Threat Level: Shows suspicious behavior

The file 2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:47

Reported

2024-06-11 17:50

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe"

Network

N/A

Files

memory/2968-0-0x0000000140000000-0x0000000140592000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 17:47

Reported

2024-06-11 17:50

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\52259bfb293b476c.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe C:\Windows\System32\alg.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\System32\alg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c5edd7c27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086a4317e27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4ea7f7e27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" C:\Windows\system32\SearchIndexer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4042d7d27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca908e7e27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a6ace7c27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007a4de57c27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fadbd07c27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" C:\Windows\system32\SearchIndexer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000240a2c7f27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626016728539738" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000469cee7c27bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
PID 1736 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe
PID 1736 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1736 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 4468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 4468 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 2584 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 3740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 3740 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1704 wrote to memory of 312 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_2a5cc09797f9a012e13c23ad75169860_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2a4,0x2dc,0x140462458,0x140462468,0x140462478

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb610fab58,0x7ffb610fab68,0x7ffb610fab78

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:1

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x29c,0x294,0x298,0x290,0x2a0,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2396 --field-trial-handle=1924,i,10891759352711051076,5296715924390367985,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/1736-8-0x0000000140000000-0x0000000140592000-memory.dmp

memory/1736-9-0x0000000000510000-0x0000000000570000-memory.dmp

memory/1736-1-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2708-21-0x0000000140000000-0x0000000140592000-memory.dmp

memory/1736-24-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Users\Admin\AppData\Roaming\52259bfb293b476c.bin

MD5 a70ab9ea6c80e5dc0d313ebe6b177fde
SHA1 722b1e28b9c0b5e76e4ab15971268f684ab8af81
SHA256 1dc3226745a47db1a3073f606516661ab9afe58878ab2930fd077f38ad4aa55d
SHA512 8b7fdfce2651f2e603f166dda3f15c43d8c411463434af3821579971a96259daab26eec6d823ac1266981e741026744a29e172ac6c58bee93a204ffcbe1ffb45

memory/2708-18-0x00000000008F0000-0x0000000000950000-memory.dmp

memory/2708-12-0x00000000008F0000-0x0000000000950000-memory.dmp

memory/1736-25-0x0000000140000000-0x0000000140592000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 23e6ef5a90e33c22bae14f76f2684f3a
SHA1 77c72b67f257c2dde499789fd62a0dc0503f3f21
SHA256 62d7beeb501a1dcd8ce49a2f96b3346f4a7823c6f5c47dac0e6dc6e486801790
SHA512 23be0240146ba8d857fc8d37d77eb722066065877d1f698f0d3e185fcdae3daf9e1b2580a1db839c1356a45b599996d5acc83fda2af36840d3a8748684df5122

C:\Windows\System32\alg.exe

MD5 2c5e8f9bcb6f8e1ac8dcbc1b416af496
SHA1 82d51b644b27d1f50e07b8d1acbbeba41040784e
SHA256 7b5cac6e61f684214c8b1ac60173ef32372c4df9dbb70794fd2e7757b1cf3136
SHA512 cf188e2894ac5db00a779ce416772f8928ad61d67e683d6138bcd66adae98b4e013b2a4721a8e20d5aa1f85b2becee8e525010decfff497ee552980851919ea9

memory/4964-40-0x0000000000710000-0x0000000000770000-memory.dmp

memory/4964-31-0x0000000000710000-0x0000000000770000-memory.dmp

memory/2384-53-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/2384-54-0x0000000000670000-0x00000000006D0000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 00e09eab6a0321fd68855b17dfff645e
SHA1 eefb7b251314a6dc35210f273ea71f02db8c7290
SHA256 8cf32bf0c949f6e37d940e5adbe7be9226edfbdd8af69e362ff2d2353f606cb6
SHA512 bf8beee886e86649127f994e58db9a45fb57cc451cc23bc9b7c1b6db1ede5981096ead62dece8e4003164c24a2186296bdb62a6d8068f1a8a1097ec760d14820

memory/2536-64-0x0000000000D70000-0x0000000000DD0000-memory.dmp

memory/2536-66-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 14f08faddcf14f85f2bf0ccff504291b
SHA1 9c153b80c1e8aa8f050d2ba94ce4944b9fb4b30f
SHA256 c2df660dc9b7d196f6828280765851e42c86af1365e9a480c7576b054e85b6b4
SHA512 4388c15c2cd55ac30a67b25a1222eb15dcc066271992da0d32e509200947e6936869f51f8e56d9864146e1dc41421326a4d32ea7df3225b2316ad5556dfece58

memory/3528-74-0x0000000000C70000-0x0000000000CD0000-memory.dmp

memory/3528-68-0x0000000000C70000-0x0000000000CD0000-memory.dmp

memory/3528-78-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3504-86-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/2536-105-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 ff50851c16b6349271f5911aa6f4d3b7
SHA1 7dd0ec208cb76397bd4ca769a5187107ec0a5b31
SHA256 9369c446074be63e53bb05d823fccbc026c7d2cee48ccfc6d22e2f3bbfb9e64c
SHA512 7523abd6b3a41d328ea9488032ebcc22c1ff1d719b7739c4d68cadcd41c441c210261d77b9770d9a9c5be03e4efd5c7bc42d9d232bfb1f6b34bf85b7db8bac32

memory/2432-104-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/2432-90-0x00000000015E0000-0x0000000001640000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 4fe84edecab7f14831bdef3a0b37310f
SHA1 f7fb3507fc8f6dd5ec5b3c922c1e07afd70d1ac4
SHA256 2bc61df526550f3cfc92daa9ba8189d733a20078d2156c50e96208229d9b4b8f
SHA512 6e987340afbbfb76c7336c917e1b2f66b1e75c4794775369c6661311ba57848c74cf41cde29d54719f3bb77f65b84873b6638a5638a65e9637a843388e9d80c1

C:\Windows\System32\SensorDataService.exe

MD5 534cf97518f13821ed708baece25859f
SHA1 67142e3bf5dd21e91441722f34e47e29682f5ef5
SHA256 0d19c820e2b2e7bdc856244b662be588ee21b81ddfadc44b5d216a37b74afc63
SHA512 c1a90713f9a7fcaa3493ebedd50e19bcbcc1d5117412d5287356011b0ea9c4c50801cdfd9d7cc030fa1d4c332f8a533a02d30534a0270aafb1ac63629f656f39

C:\Windows\System32\Spectrum.exe

MD5 d75206112211e5cc729392f4549513e7
SHA1 2ec1e11e7291ee45357999728e1d7f2906e25143
SHA256 be88983f48632024b38a18f8716a5e03fc4ad0da23bf15c95db1fe576178aa78
SHA512 f1e7ee62e28730cb8b704fa6423ba3826a234a1bc6af71f7551f79bcacc7d0fff357069fb01b1b0f5841c24c867e0ae83bf782e039009ad42b6179e5eb61e0cc

memory/632-216-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 928206e0a963424064f3398ae8237d28
SHA1 9a36b1021c6bae92979ce75678d1b8a18f67f7d2
SHA256 7ddee036893c54c69567aecc8136acef65caba3374b7502dbfaff766db734410
SHA512 9348f97684245328f7234bdf2ab973263256e01f9b88f6f1e4460221ee1956daeb6269fdcf0cd1bf8c4a9d14f58c24610e24638e411a6b38c97f64fcc048593d

C:\Windows\System32\VSSVC.exe

MD5 6d0402ff07cdcc280469bba25d20645e
SHA1 b29050996b49852fc0e9a43375194411e47138ef
SHA256 444788d7bd00d3b675db1d7f7b2e0eeb700aafb3e62d2c15ff6a15e03e5bdfa2
SHA512 63d6e76529ac3ce59d16cf15e9cffe6ee9ad260704063aca4b6ed96a9be3142234fb293620c0597436328c75a27476f312ec57bcc833eabc15fa40e415b0c6dd

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 565faa4c46cf85b848c2e080b9bb9b3b
SHA1 4ce2407fb10c6dd5d7d127a1a83ee70c20e782be
SHA256 bd19f7d1a45712cece8669b2439cbf5701944a0d078a1ccd050d4030066c7491
SHA512 81525937a70cb72c91ea969530d71bfae5e9bbe10ab6d424eb50f642834683d548bd5bcc6d2828bd7bb168c0b13512246c751178f456fa306d1d3a9336cb8261

C:\Windows\System32\SearchIndexer.exe

MD5 e997b9116a2114988956c8cc90d0dbeb
SHA1 55a36014d8b48cfbe20a399b2b4a473017076ec4
SHA256 8c4b70fbb4708b2989325502990132a1515ed9412f075c6e8a6b9c34b7617182
SHA512 37e279c29e918b5d653d18516f4c3c349d3ddcfd9dc3e37d78c247a4c34e03d96c98c6365e2696a87164dc1d12c4ecb31a6d48c6d529d0716a55a925ee6511da

C:\Windows\System32\wbengine.exe

MD5 7e36cac3234fc5deb208236c77a5a92d
SHA1 423f33c8721b1e8ac3567b901c75f756405a24dd
SHA256 f971bcfec60d8145ee67d1bb19a4a8fa080b5297437f7da32844486f97477e3a
SHA512 2e475010b5ec1aee3e7103ab7ef768d3c77a102104cece14e707a85458ec65910c2597d47a8fe2fb54d0841b9c352c9a50edacfb81eac5e86229aae7be3a447b

C:\Windows\System32\AgentService.exe

MD5 a3e86925bb19f44dce87d05d7ebe2db3
SHA1 74fd3523b5a912888a644b4c922cf624c9df7df5
SHA256 c2138fd7d0f1984518faf5e5dd807314fa9e8fe8b5d11d14b061121a4f97a61a
SHA512 21cea0f96e177906a5e8eca8049f9016136418c7f46fe02397d962c8c6398418ee7143bde4831b2cdcee580e169fcec7a7cc816454f92d1c053b5505bdc93f99

C:\Windows\System32\TieringEngineService.exe

MD5 2010abfe7b41e604de16336864a1d169
SHA1 237cf50cbd50f358dd966b8f2d8043bf43ab4943
SHA256 619913eb7eab02b338e0e51ff5fb28461b31349d48b76fbbe4f66741d3b47d83
SHA512 30382cd3af1d8e6ce5d21b30083a78d11699bf13608ecb5e23f74d4187fe4a816c0d7fdc06945547c86259cec6991a6bc8d2c39c9494a1faf36d127a0cf8810a

memory/804-316-0x0000000140000000-0x0000000140102000-memory.dmp

memory/5056-319-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/1144-324-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2700-323-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3000-322-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1040-318-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4544-317-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/1192-315-0x0000000140000000-0x0000000140169000-memory.dmp

\??\pipe\crashpad_1704_XCFDXODUYRAOGLXP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/676-314-0x0000000140000000-0x0000000140096000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

memory/2684-313-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3296-312-0x0000000140000000-0x0000000140095000-memory.dmp

memory/2968-311-0x0000000000400000-0x0000000000497000-memory.dmp

memory/4168-310-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/2856-309-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/3504-308-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3528-432-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3496-307-0x0000000140000000-0x00000001400B9000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 1b5896bac59cc05a69b1e696471aa95a
SHA1 1a96b2c0a4805c3d994371d7b545c90b315a7802
SHA256 7b5a86cb5bdcbf816cd39160c0888233589bdbc4494b2823e5630e31c74f4323
SHA512 33239c11e5660fb5579caf63b53c820652a0aa514d407c1f66fa14f2f2376e9b37b0466c9951188c7416e0d892ec9739fe6ffc0b6b846e53081a17f879cc020d

C:\Windows\System32\snmptrap.exe

MD5 601b94b1cbdbd8efa4d96274dca5d723
SHA1 cf05b272de950124029653f7f36f479ec0bf7093
SHA256 238fb27fafd4c0af37a19194432e4658acfa5c615a3f3b3cbe71548c4ff7bb2a
SHA512 7128a19140b453f4c114b68a2740be1928ed99d23a6d525f17a3ca5f4f1729ebb75cbe748af933937933490d604ec95251be7453f18297ca81ba8bc3addee7b9

C:\Windows\SysWOW64\perfhost.exe

MD5 6f279d3f0fef3e9b2821f0fbb18c7870
SHA1 08f3cb4c1391306bd372cc51ada359049db75d6c
SHA256 2c02c7b9b547dca79aa52b9f11e940a7758c44f67a599cf90666395c3b66f657
SHA512 5d18175dbb82bc7f477459fe6b29dec24987ba1f5f49c5f6ff7024ff2d09207c32e0219a5d8ff5045919fe91d605ff46f36ff3aceef3e2e00985133eff673646

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 e8463160fe60aa93a492f88f0143af69
SHA1 15191ac74561281c0fc7f22d723f8fe4e0314cc1
SHA256 e75914964bcfa051793f6acd03c99ede469ce4523bae7a0916caecd0d29097e6
SHA512 05e786c46efc14720d3feee59e10f9ab77327140d301a415186b1521005fbaf8d3f0b8f42ebb278f85a67eeeeefee8cc2f1f1d65788fd92095f71e33e40a44fe

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 4a25df9aff7b7dfa62078ee451b259fc
SHA1 68ca8136bc6c27d6f48f05cf45ba9657a9e88239
SHA256 8d7d1a44ebb1f890106ef635940cc48b857f1c87d2f76d22a5a2b0bdf573bd03
SHA512 ca8ec75fccdb660c90fecb2dc74b7c2150dded4ee5e13ea113c0dd45ca5248aa3641fa236343695527ebc2233878d06b14848eddd56f21184bbe0fb8ce29d258

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 18fde8ce707cf4b79fb00825fa6dc70b
SHA1 385dd0f2480c3a1c6783fb6d643318f95b4e4658
SHA256 4aafc649f34aaf84eba8ec69625816bf24d48487de1ab3c7fd58a1a4aa182a3c
SHA512 db03061875d70ef7948bd520a266be578b722fd3da24c43b3e64e482e4a29bf1d46270e217477197ece3fdef2142a24d045d647f2464346dd0b7061481e4fe02

memory/3504-80-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 99cb16a41b855728357a3dc78217850e
SHA1 2e963dd741f7bda972d60c4bfe9b5cf9135f2a5d
SHA256 13a8a52cd49fbe0ffb0111ca180b246bc4b410bd246222a0538695d75ded10ce
SHA512 34d9c1b8460ab4bc6419f793ea2e6ac43edaacff5ad61c31687a16ce4b41847606dfe4e07d3d625f786af4168194f605f14e3d2eb3cb5d1123a4f06b0bd5fb3c

memory/2536-57-0x0000000000D70000-0x0000000000DD0000-memory.dmp

memory/2384-45-0x0000000000670000-0x00000000006D0000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 8c678845537656b517d567df1abb2acf
SHA1 c18e733aa0f45202fdea4f417252a306d37eace7
SHA256 a1efc59a712edfd703dee61b163ad8080012ee2d0a87704f773b207c1f2ffc49
SHA512 ddce9c19627db37d5bf1ded1f71c710462f976eec923dd016dc9dd694eb4d84df4736fe3b5b56eb0473cef1d7408d73edfa5477b79a2ea9c419d8546ff6b5012

memory/4964-39-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 0d20031bc284d27a61994c4ab9657bce
SHA1 bb8c9b31be0bfcc39e6f72f9724a9b6d3ce9c269
SHA256 72c8104e8f9c459fe3407bb58ec8ac18f12ca8cee0d213a85d768c91104fe8ec
SHA512 0203d9868ab86c05051484e12ac274a295cf3b2a79dcdae5be2bacb47ae639e413f6dea5555c64ead12748be77833380a530860f523c9a7e00f112083144bad9

memory/2708-521-0x0000000140000000-0x0000000140592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 7c386932bf76a8805dab23fefb4cd330
SHA1 2eedc28e69ab8ae5b9a6ef76c87446585d4ba37f
SHA256 6bc25b13f5ebc01309e30eecafb14f1a1f5f654c5a5a3a3ba1f61f6d90a4c62f
SHA512 1bc17278cc4785903b2567058ee49f7e8187f429d8273643c169f94d7ab8bbde2e8094535605ebb414b6bfaa96097d5188cb15137dee3b690f14a12f896fe8d8

memory/6076-525-0x0000000140000000-0x000000014057B000-memory.dmp

memory/3904-534-0x0000000140000000-0x000000014057B000-memory.dmp

memory/4964-547-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 a0858d1fcaf057a1f21f631fab440888
SHA1 5d458fa4adcbb6e6221f2eef82760c9089bdf6a1
SHA256 9ee9831138cff821d0139ab616056ef2ca0919751a201f0434263a49e683ffd8
SHA512 5bbe531d7ce33d4c203df2da7ab6ee0e762011863b83f3925d4d9b83fdc06a69d474f1fc31073fb711e96b184810deab22f9aa22d49f295ef4b5b23a549ade45

C:\Windows\TEMP\Crashpad\settings.dat

MD5 440112092893b01f78caecd30d754c2c
SHA1 f91512acaa9b371b541b1d6cd789dff5f6501dd3
SHA256 fdf37f8111f0fabb5be766202a1a0b5a294818c4c448af0fec9003242123e3e6
SHA512 194c7b90414a57eb8f5ba0fc504e585ab26b2830ed0aae29cf126d5a6c4888d508c22984aeedec651c8644fb1f874fa558b2090488516b33165fe7985d2815ea

memory/2272-559-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5352-562-0x0000000140000000-0x000000014057B000-memory.dmp

memory/2272-574-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\5f7ea9c6-269e-4a83-b371-d7449f5b9874.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/6076-585-0x0000000140000000-0x000000014057B000-memory.dmp

memory/2684-590-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 ce7832f88abb8904d69bd8c28b44daf7
SHA1 21e17488466b0c28dbde0df2ecd7ea0c75f77182
SHA256 ce1fa25a7278f8b37b44fe99591a8988e4bc314d6f4be2d33d5dbd9e18632e01
SHA512 f8f7363957cb180d276f604f3fb82653bb226ccef1e3aad55503dc0a02fb46b9d8893468011f58c0661ad2768789a39da7be88ca6cbcf118fe0941bb4a45fc0f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7651ccb0efe36b5bbdb43f74a2f10df9
SHA1 54adcd06803c8705b82ee44834c07b8879621fe2
SHA256 4596f4c632ef7c396c0583bbe4220ba02b73ca9925897ce15eefac45833290a5
SHA512 2cda9bcc41ffe7e01c1225c45bcb230a0df6dad25dae968aef63e238d176c6acdcf736377d416f56f3cd83448c143680dabaac3becd4469b08146920e3a5ca8d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe57bd83.TMP

MD5 8441fa327ce1f6c12f371a1535e655be
SHA1 7ccca62179f1eb9a2d47c3886ad8ad4bf5b15071
SHA256 975c8308bab1dce91143c9ad18effdd216bc367fccb3195ec2d4fd50177d2158
SHA512 986088d4595dc5a9e166ecc0b439a878a24d512f236b2756e377050c0cc7423143d3aaa3033ba5163b28fe8551313ff985d6df2ab109117186e878ca4a98d0a4

memory/3504-677-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1144-679-0x0000000140000000-0x0000000140179000-memory.dmp

memory/2700-678-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3904-680-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5352-681-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 bf7b4dd1534e9b2888fadbbe91ea50a0
SHA1 4cc9d8872c53a77ee4d242a56c02420c4eb3fedf
SHA256 68f0b6f7b8789c81f267b3528b1ca9ba9ca89746387c2c04a6810a27e2331b1a
SHA512 075a6e5ca1b26d2cb3b6cff5f4755bc6905f4cda59fa2d6a8a65724e7ec8303933f965af5f8df76a4aa8d806eecaaa8b26a56c1a836112ddaf40b85760a8458a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 91c902d3231cfc26efd84a0645999c11
SHA1 0eb9c426760704825edac2ef7bc8a2f7deff5e7c
SHA256 e4a2f7e291666f996a6800617149f5b1b807c8574ab2de33240395e94da16e8a
SHA512 c41f1dfa0568cbb9838e0503a58a89cbe0e2ab33178e406dc693201becd0b6767b8081662c8d0bd41c5b086e1179a4b55a0679de541a864d0ccb8cce4db975c0

C:\Windows\system32\AppVClient.exe

MD5 da2c59a3398b7ff2f4cc50c0ddc1af09
SHA1 1f20bcb8ba8f0ced92659e891055891ee9b8a093
SHA256 ff1d26424110861060485fa6454bc6b296a3f0b37e8c21d35820ecf7d40dfe00
SHA512 bc86834ceb7729c0243b44eff3e024607933cc13914cf8028c4a1633873b9621c00b09b7f14abac414b22464aa48734393841b12415d5ebee301db6f5d229e8b

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 8f3958962e5f342ea1d64b21cd371252
SHA1 daa04bf21a5495f38b4c31c890ce3784ee7202cb
SHA256 ecde3599c09ccfc4d83efffc2d4b58bf5a4fa4859b804ecf2754b82c9059e605
SHA512 3bfd38fa31f08fd600dd5d18f515e1b538c703a84fca35d386f6527009a2a29bd3007d057a6d58ef69d12b8c53524d25c082238ef61ba5009d244a681a277d80

C:\Windows\system32\SgrmBroker.exe

MD5 249cde7a34a6233194481b00107da656
SHA1 ce1089091e65e0cfa8faaae9d6b491ca536ec850
SHA256 515915e05717ca1b89807f1a0531267a08d6362cc0d6a91c2b22bdd37f5d45f1
SHA512 d87f326e8e4e02c1f125bbe17564b8e6adcf331b6063c87b960795d4adb44238e1d0c5ceb3e987d61bc0205dda117b420a54cb75b626d732f900d8726270043c

C:\Windows\system32\msiexec.exe

MD5 fafc0ee87d73043d03eb626f4850c042
SHA1 6d0a2c20c7c09df9047d840ea6404e7ef249fea3
SHA256 917807be67d9bd8fe00ba614e00d13fb8415066f8e9489b6ad119dc11ca5bf16
SHA512 69ecd77e03abd33dad84d4059c12e97c8e4a389de5c5cedae05fe64c4255349a9ac8c32786fd9bcef9207731b1df1af282fad8d7201cc80dfa1db787f3b03616

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 447548fe0df99795d906e09012d32bd4
SHA1 ea77dac1428b234f540dedb7baf3f5ed2175e699
SHA256 6b2f05b40449caec6286ec8d6a6a9d3c80edd63e60badacaa2207fe8572f7f36
SHA512 9612fab765605aa59a6beaabd32a2cb384aa846fd22e5d315388d6f19f1b1fdfdc16aa44d9684ad3db0d90958ebed28b7520bc5cea8c7149441de9a179508b3c

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 20506dce7fa6b072e98a36df7f659c89
SHA1 8be435f14266a2b6311c71ed84779fdb5555865c
SHA256 617e4ab13057747f9fba2f6b6ac7e6dc46d20f9943c036490e325fc6d03e3f01
SHA512 3d255a47ec4307c1675db66c324e52fea54e41150d340f727ab349ac7732f73548ca1a46c0fb7056d792138da4ce5e7e1932f17740138c5fe76e0755bb4e5cd0

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 9664e61ad18f725e565cb60e392511a2
SHA1 9459e4233f015af7c1844f0c54252a994ab2e3dc
SHA256 a9bc5eef7bda34d6e88f830e59ce915270f58c085e5bcf073bee165b2d94a1c4
SHA512 2f584c5896bc140704268b17cc9c3e99cd1113d95ba9a61b206da196e4eb2b0412630276d3facbab5bacd1881c9c94826d1d00ec7ef2523509281c1105edc8da

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 8d61ec4576eb38ed7f4a70b0dbd75ecf
SHA1 d631a10572d198ef6c7256048998550761ab8cc6
SHA256 896dae6a06306f6f97c10025e8ced9db06a19c1ec0cb452d876790e1a8e7e114
SHA512 3dbc03685b085c2774f6aa771f2e86079d684b8e5eb89a9971649d3332a8b9b4886f7a557f19af307fc763581f971a146810e571fd4f0ab4bac6ffc9aa04234a

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 e212554ab3a4f6b4bf7028c67f36901c
SHA1 adb251ea01ab49dcc36ed3616041e83a5edaeaba
SHA256 15279adb52dcab86f774f25df72bccbb902457d7a7da91975128a40e5619419d
SHA512 d0d745a3f227c91152c2718d071b6505dd0d73f6ace0efbab1c209d5dba5a052bd201911f7fe65a8d75a0f94b9e1ad351e9c1b4d70fce3bf54ff01488ce05c4c

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 77662d782095e95c4c5a5bc8e17837f6
SHA1 6032446cbb2503b62858caf249a3095bb5b2114f
SHA256 4553cb06d0fb4c688c65a86ade8272354621bdf61c4bf8a349bd08af8989367f
SHA512 18cb84a7c95437727241ead18b3f3c2ee624a472e151f861c57e961328035a55526472091ab062a00cee43ac8ec85fc752c91f1732e806d6f217b088b7a6e4f1

C:\Program Files\dotnet\dotnet.exe

MD5 451dcc16c5ca65353f3887458a956ede
SHA1 c178f493a52843ed3cfe83837756d31bfac036fa
SHA256 5b4c4213253655c117689e6a2f4d0d473a1ab0402a8d6fc0a2479cfbe371e05a
SHA512 7a9aeaf269f662aa9334080a444434c1de94f0731f9b335a535e9b47f72e3cc3286c88658ef19c736a75cd1e0fa6ce49105e4ab338b12abf968835a351170169

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 b2bf7d28b1dd3f833bf3c64113ae1002
SHA1 f34e7956790b3fc79ffd6bab0418fa9a7066ca55
SHA256 0b3ef63decc81d2189a608b6f6f75e02b0dd0f4d5bf553cd373aced9c4cb5b61
SHA512 98fbfbe1430e473e586981fbd7e45c381a4756a7d5ba425d281c2aa0a2887eb749ce3268bae7132b9aa0ba487937e86298d3e95620b49392663c255bd3cec2fa

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 c90c5336a667f8e9f47dbb26f770c11c
SHA1 6658c72557624b66cd24cfda2800296b3650616a
SHA256 2cbb37b2b4356286bd78af38afdcad97ea942370838110caf426038c35dfba78
SHA512 350e729df28ad40b1505afeb22126b2c10f4e90abe13fc540a04f78f39ba3300220ca1f7a85bcaf0366aba571c534589ea55768a71888e5a779ae08252c96867

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 278ceb0aad38bce03b6fd7260b686806
SHA1 6129472e1e3006ffb657457175d1f5604bf5d974
SHA256 0037f8dded091b2e9cb26668d14a35e2fc3815ee13bae0ccc81046e07ac07e49
SHA512 ac685b7d8b1d539f9981ff51d7ae7c703bb27dbf3936227cf001892baef3731d26707bacc8147445db518bb5d27e99d4b2908abc0f95cd1bf465b5edc6eaf36b

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 55e2b03c191cd83bf015892640a1807a
SHA1 6c790df2dac1d602849b1eb59ed2504327b314bc
SHA256 aed890925cb2f1312b4b421cfab525c9f19131ae58a7883dc263e414fdac459a
SHA512 cbacd4aa604ea7fa176e4f836f792f4ff2095bbdc9a25ee870e71b676d0a796a1fc7794c335e51fdc2345abf57148694c10900ba5f781416c057bc35fb99a90d

C:\Program Files\7-Zip\Uninstall.exe

MD5 3132a81ed1708677d61d0f26050ea9b5
SHA1 80cb01e33bed9db3b0d13e93b1f642e4451e4fb9
SHA256 363f419697f1d86bc26adbc8e6081d5e4eb9c9c062657345825e7bad105a3f98
SHA512 c138057563f7e69cd559ab05fd609dd3938ae6ef669328d6f91eeae771c386d5eefdfe5fec102cc1dd4f74e0e4576220a10ac7818702db4998569b030375ad8b

C:\Program Files\7-Zip\7zG.exe

MD5 43db0a62b7fc5903794ac41173e0deba
SHA1 4a925e73ccf0ab713fbdee2b43fc9e98d92b0938
SHA256 4d656e059c35f7d1b78563f6671efb207dc41c49f8d4f487d0f3f3a153952e4a
SHA512 a95d6d26a1cfaf83fa2ef51f45dc35e83cee1bf39b6fac5881c4b1093bc4f769374be40fdcc615746650863b4afefdc8df0d18982448306c378d16dacbb82e4b

C:\Program Files\7-Zip\7zFM.exe

MD5 33a58acec54d4f35f3d8adb70f31fb96
SHA1 e58511c22ecba04316a024d6c4e054357814718e
SHA256 ad8c9051d0260e493340b20b9692224ab0787b34cb0cb50f6dafdd9f6782afc7
SHA512 a0ae8bae82e753106b962820104c92e16a7777ed4d69224ba293deab7c74c2468865387d4374ec530d3f8e16f91b6b36d4881fafcc66c4cf4d64e0c342c7c740

C:\Program Files\7-Zip\7z.exe

MD5 9b1bb3fb0e7211ce44e9d2e53b9c9bef
SHA1 8643becb837b13ff84a3e0e3dbae66e1984b3656
SHA256 36ec926b2043ca0202218c1dc7a0369a5ff737ed888dffb421f7dbdcecb15eaf
SHA512 653d5cd9def47bca6e0458dcc728ac8aa2b2854f4377f339788dbfe18e6326e0c5ee0c002e8cc86073e2be931da5eeb4a1eebf77097daa6e4eb914ad8ffb62f5