Malware Analysis Report

2025-06-15 20:00

Sample ID 240611-wgfarsvgqg
Target 2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk
SHA256 492b8ea0d4b4998b5fe24ca4645502bc24a85d2b6870f1f69ed31b3f536b757a
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

492b8ea0d4b4998b5fe24ca4645502bc24a85d2b6870f1f69ed31b3f536b757a

Threat Level: Shows suspicious behavior

The file 2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 17:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 17:53

Reported

2024-06-11 17:55

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\f40f35e1b4b1389a.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstack.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd5fcb4828bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000981634928bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098b6784928bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022e00c4a28bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003fd0344928bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000683d424928bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000119a1f4928bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626020112232595" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000eb9234928bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009fd19e4828bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1500 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe
PID 1500 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe
PID 1500 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1500 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 1632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 1632 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 444 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 1944 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3984 wrote to memory of 4044 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_52e4353530e50e858c9995f56bca8a63_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2d8,0x2dc,0x2e8,0x2e4,0x2ec,0x1403796b8,0x1403796c4,0x1403796d0

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcce3bab58,0x7ffcce3bab68,0x7ffcce3bab78

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:8

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:1

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:1

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1564 --field-trial-handle=1924,i,15950119622387277657,4681866059924635909,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/1500-0-0x0000000000750000-0x00000000007B0000-memory.dmp

memory/1500-9-0x0000000000750000-0x00000000007B0000-memory.dmp

memory/1500-8-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/916-12-0x0000000000730000-0x0000000000790000-memory.dmp

C:\Windows\System32\alg.exe

MD5 b67371b474038b970b6b448bbcf65e5d
SHA1 01f0e9da55a1f48c475b968437eb1fef2242b0d0
SHA256 2f50201dfcf9c1e3d363e6dcf76fd688732fdabca0b8e2629c1eaa20bcf33a3b
SHA512 30711090b829b8dd180fbd3ab5ab79675cf626c1c40f3b0b458877fe9e704f03f7be3eb8689c1cc66d5ed48d161ee62fa9222e507855ab7d6b5ebb4956f6f41d

memory/916-18-0x0000000000730000-0x0000000000790000-memory.dmp

memory/5112-23-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Users\Admin\AppData\Roaming\f40f35e1b4b1389a.bin

MD5 dcbac783ae89b309c13f011f7c5afb3d
SHA1 752805b6b1226fe4113de96e99ffe503ad327e32
SHA256 0a8f46b8855fa32d1c929557db9fe255dbc93a5885e129992876f9126df2f573
SHA512 b26c0bfbace300c51b9b7834e04f9cd7fa123dde0f42320d1dc7669ed84e29b447ab82e8c39c7530b70ae5bc2cbbff396a9a718faeb5383096a8ebc3dc1658a5

memory/1500-30-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 7e6de9ced184fb696d36096af90c7c15
SHA1 d6b30d958e2e3bbc5565ad9e66e83940bd2ef341
SHA256 a73d68899ad7f6ae671cbc266ec2afb6b2d28ad8c723bdef41f4975e94208e74
SHA512 4d93ce075066c49b8603bf96d3f00f4a32bc133ddbece9493c20f442f81171fa437d66de90043859cae40c98e37f508dac327ac9deb2028a43d0cac8afc09962

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 2cd879c3b1b25f881f4b7ab71b67a095
SHA1 e8c477526bb5bdddd659fdd44606060d83e703ad
SHA256 d15ec0b42a1305238584533da0ddd5ec2959a76896cabc74599185af8af9e92a
SHA512 95c25065ecb23b375e233d554beb9c5fb61d877f6b5586155d5b5931d270cedfd4508a8fde3dfee5073af2215b256d7cffde9f77923d41909d4168d9bc61123a

memory/916-22-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/4124-44-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/4124-36-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/4124-43-0x0000000140000000-0x00000001400A9000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 b21de9965818177de0981e812f4dd64b
SHA1 185b706811ea41b52edd538227ccf6c206f26f7e
SHA256 e4ae48111542c8c92f2dbb16a6b45ad4540869285d91f4d70fa1291d8f476224
SHA512 1b816a907e123eaddb1fdb742ba322009fd60f2b6c86141860cceb7f35fdbeb6e484ff217a8d32ffaa000d9b353a89d2b117b8554ca8c32cbd7cf1aee89b9d58

memory/3784-49-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 1fc4d0bfdfe491cd1fb5e5efc1349e43
SHA1 c03652111e99674bdd0064b0e88e5b007a4aa397
SHA256 11c9e8cbd2d65134aee873a10580079788939e3206c5fea27780c59e1927d404
SHA512 dc1fc6d539487c07aab0b066bf8b7d07e6b8d9b21072af2d813504f2c13694e2b45ebd94de697648bca87bcb461974306e635cc11daf36b1d851f1c2f2e02443

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 c8c4c1d54531ee39170f2d7e61838f31
SHA1 4b86f0238523448a87916d3f788160f3b43d9d7e
SHA256 9cd5024455cdd9b07aaedad7968455762c5bf9f98314e8ed6e437766848762e6
SHA512 251b17afe4f00e5028bd461e4db349bcd00c1ee58a70f008e71d9068c030cbd6f7eb28c850080c882b0ff5c13adbc07adad924ba43b917b25efc8953dd6ce4f9

memory/3784-60-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3704-58-0x0000000000C70000-0x0000000000CD0000-memory.dmp

memory/3704-61-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3704-52-0x0000000000C70000-0x0000000000CD0000-memory.dmp

memory/1484-74-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/1484-80-0x0000000140000000-0x000000014022B000-memory.dmp

memory/1484-68-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 6734a17e167825fa165d1a7ebae2336b
SHA1 eb39c8b4e63572bd22fa3f2c7dc354d8877f2aa6
SHA256 31b38a66cd4c00c0331d68f367e3ef648d7f9e5126d8245f987d50134892c423
SHA512 50fa93516ebf51e94123917ac001854bcb6098978f697da3221d4053d0f8ae18e482f8a9af47b49fb36cebba1b0f6407cb1879db8ee7d56793fc808e4aabed34

\??\pipe\crashpad_3984_SSXHZYCWRXTFDQJD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

memory/4320-91-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/4320-97-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/4320-90-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 33668d6d7289f0b958c3ebf98c928664
SHA1 8b02777cc1292e0d582d2fb6d98dc98ea346155c
SHA256 c5e78157b1c2e199865245447a39a24189a94302d538ed1ef922914539f98acc
SHA512 816996a88a85a65bf3571723abeeb4c5f3833baa5dc700a7ecba01215f196df84132005dc46228b5fe7c5fb38cd539a1c53954958b43cb82fb1f75b3d430b2ad

memory/4320-101-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/4320-104-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 48d99a72b1bd9c76d13a11f7851be138
SHA1 d80a522d795dd71347c0c2a86202baf024aa4071
SHA256 702c462407a37967bb245b29c8ba34b18066f8b9e6e4dedfb6794adaf747b0bd
SHA512 5eeb7072b6a06864c8b55caa9a164ac9a511d81252b1a0c8cd1df5533890d6bdddc6f3db2036d43b8ce2ab6b67b6c479403607b06187d40e58cee33d9269ae1b

memory/3704-108-0x0000000140000000-0x000000014024B000-memory.dmp

memory/3704-106-0x0000000000C70000-0x0000000000CD0000-memory.dmp

memory/4932-113-0x0000000140000000-0x00000001400B9000-memory.dmp

memory/1696-120-0x00000000007B0000-0x0000000000810000-memory.dmp

memory/1696-114-0x00000000007B0000-0x0000000000810000-memory.dmp

memory/1696-112-0x0000000140000000-0x00000001400CF000-memory.dmp

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 dd54d4766594c9a48e3d53a3dbd0d5c2
SHA1 268eb7e6cafbed4a296874b9d7010bda4010b6ee
SHA256 2305f75f7f9b52c10367c249285fc3a165b64be8057c768bb70f3530eabc9d44
SHA512 05a6cbd877ecdaa9ce6764c27578ba237390b2d2d59d99d1a1e0098068a05ce80b223eb0ec60c0603e9f580b4ab8fe0b9f78ffe05ed297d0253556ba89216974

memory/2892-127-0x0000000000B30000-0x0000000000B90000-memory.dmp

C:\Windows\SysWOW64\perfhost.exe

MD5 cecda316e21f5bdc6da50ca356450347
SHA1 53b0c19ac4243119ab4e28884aa7662dc8d3cc93
SHA256 962bdc010824299fb75ce08f169880e56b13469144c0b277769a83709239eca8
SHA512 e1d122b1a042f0bc0a895f0c48ac9115f6e7aeac859803873dd53578d3d97dd4a87428a1cd2fd11d7b222ac1faf7041ee8e2fd4d130d1f85bc4b560c9f12867e

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 d229beff68ff55d562c9a3ec93a1f26e
SHA1 e29b9d4cf433090a060c240fc8454e90b6ca3291
SHA256 5783ffcca977c4ac853b44c2b3503151ba4a679aefd9d0a4e07292278707afc7
SHA512 9e2ef6691320befe89c609ec528e4f77e147640f9772501f05038bf353ecd4f696058519a0e4ab98638b5737f0deaac2c30d98546d3a880a367ed744d2befbc4

C:\Windows\System32\Locator.exe

MD5 ee3a2e3c83fee1d43baf7abb2e555a2e
SHA1 46062ecb9c14e3ad465b591aa4f293ad17875e2d
SHA256 15caa2889ba8f93baef12631b3d709212d4206cada4c7b304c979efc6eb8a9e7
SHA512 9a15eeb5f7a2e081ad78b5c7e144b5dbdcd66e04688f773cf70f49de01f46d56ecc80d1f3de0b5f6c1e9bc7a8e927213be693785c15bd58c3bcbccb556e0ada7

C:\Windows\System32\SensorDataService.exe

MD5 d7a797cec5723f1e13da2cd3c23b6b24
SHA1 76b54ffaee051cdec865f983fb5b8b9e8a4d8c04
SHA256 a8e8b187bba459aee1bda8dfd3bd1cc6246bf775ec09975711769257d09bad75
SHA512 9b8f519ca34d9a81d5f91bafb7f3340698bb9b70c1f754e3c0fb38c60fdfe6a0eba4b5c552dcc7e86913d5efca54e41798f238ee50985b6798f0113ff42e3943

memory/3820-152-0x0000000140000000-0x0000000140095000-memory.dmp

memory/1956-153-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/2752-151-0x0000000000400000-0x0000000000497000-memory.dmp

C:\Windows\System32\snmptrap.exe

MD5 1476fc6d278deae433833a457f491c6e
SHA1 9d9deb5cb0a71f382b3ae1f2594cd04f9c3417ac
SHA256 85f9d38e29eba4164e9cc2c2cbc06690063db8f262c492db0bbf3b720bc20bdc
SHA512 e67e30990823214a5d0fb0b59c3cab081393e9011c3469018d04aa8d94d081e0e4480ad07a026c1a5e4956582d84d60e290bcf6a6902b8680de6ff8b056fde9c

memory/2892-150-0x0000000140000000-0x00000001400AB000-memory.dmp

C:\Windows\System32\Spectrum.exe

MD5 e5d49a03fc20c3c5d0155c360891f43b
SHA1 4ae0a8850dbaafa945be174264b5e545b1399c65
SHA256 2b11fbfc4d72a7649d8f51d436c3c4d11de95f7a644456eb650b4e09567e1cbe
SHA512 d1a2851924c29a2cb02fd2537f69620c3ea830086173c43c32cd0edebc60b6c0f8477b0d98094bbc044c208c475872f6887ad6b470102ba5e4b3d2bef810ea48

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 4d87333bea02a64ec0277ff8ee9b0068
SHA1 792e0a8467ee453d3e3b8ba082eecdf7fe715a6b
SHA256 b3dd198fd335a62cc71f454565040310724f15efe9a9f8b9ea9fdc09159d942b
SHA512 b4ea4c00e67b7e9d95009ce12f0b7973517f9712a92bfa719b33902e09d9273810c224362b91159226548e6b90136e67a56d2da634a1edbeef92777bb792b0c5

C:\Windows\System32\TieringEngineService.exe

MD5 3ead74b261c47a4e4fc005deeb6a162e
SHA1 77ddf4d7a2247c913fbb42ec0790b4226b7892b3
SHA256 728dd25377fa02fb9c02a6a3f1f4c8e0cc68c85f2a54c1f4fc232dc546d82002
SHA512 5e2e8258c8e742e77a0531f7d3c6aee8933e53a74385be6c760012bd8e66bdafab8758810e44178e84fa9dab8f347defd0172ec157eb61415e848e95373e35ae

C:\Windows\System32\AgentService.exe

MD5 573af82494bc996d7bd347498377dc5e
SHA1 f06689f7f148181ea4ce71a62360b8c36aa57841
SHA256 bf4a964f48da3ab86ed6f014be17cbcf56f983bc8f7625889f19cc9940e99da1
SHA512 6cfc03dec634aa8e004c7cc859a05ab2ee1f48871fe83fb2eba9ab65848281f0268f1496a5071e451a8a1cfceb7e9c52c8b1c7aee33366345435e4e5646038e6

memory/2396-186-0x0000000140000000-0x00000001401C0000-memory.dmp

memory/5048-190-0x0000000140000000-0x0000000140102000-memory.dmp

memory/4488-191-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/4696-189-0x0000000140000000-0x0000000140169000-memory.dmp

memory/316-188-0x0000000140000000-0x0000000140096000-memory.dmp

memory/916-187-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Windows\System32\vds.exe

MD5 3b679d43a3513496d3455231fd3b4f6d
SHA1 289668faec21ca84ab9fdb4d7f981fdf1bd72a30
SHA256 c675cba1e1f010c3b504fb6adbc06a8d6cf3d7d86b4c39608f30dd32ba46efcd
SHA512 113ba25232eb73449950049ed5e79f56c7fb27b606739682285d95cfe806f46d9f1ff4d4a87c01b27b0b5dfea069ec471954086ac8a06226169320a1cd49599f

memory/3344-203-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 7522df3398b7a5cc1b1cd02c962713f0
SHA1 311b19901a02e0b17bc9d6193000bd1e6ff6917c
SHA256 d263a0e0610c5e0c46e2c7f6fda68ac528e1e75d971a212e90152eeb6d778002
SHA512 e34b452e5d53c616b073cad4488cf766da64efafae94b7e9827e877340163ddf7571def854539cfdd5d7e95a302cbc367e6a0ff95d4819c85349543e5db567f0

memory/3140-207-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/5112-206-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Windows\System32\wbengine.exe

MD5 6ea1da6ebb14748128ebb0044c266966
SHA1 7ab67f84d3b5fe01632662728425a40d68deeacc
SHA256 d4ab770718cd8179ead43ab230ed7c1020ec45e487d427b4e1e30d4ed079a423
SHA512 a5657acd7937c17ca9f61555705000c801f66e97ce75b6a0ea49e07061ec505568a39e29c763b60df00aea0c208ffef6f24841f390c3d12af8b163c1eae54c68

memory/936-211-0x0000000140000000-0x0000000140216000-memory.dmp

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 d0441480cda6d85b302d8a6c668a0778
SHA1 2957cd150e6c2b417b61417cf8fbd604b4387ee6
SHA256 1ec715883cd130a55ff2c3c316980152588f93d37c9b0350f200e0836866811f
SHA512 f4d76109f8cafa22c20e89af6fc026d92edd4a84c537b34edd45e148a0fca5d310f88f811d22115ef5a47305376876c60dfc917af649a51d86080defb42d228c

memory/1392-213-0x0000000140000000-0x00000001400C6000-memory.dmp

C:\Windows\System32\SearchIndexer.exe

MD5 69f71b1b12f31b8d0e196f3eaec16b40
SHA1 87af90a4d52107a6306a6b257e9259e784fb18ff
SHA256 377ecf11799222d9c1a13e2f550a891cc270c3ad9f54a44b17c67e9dbe96cb51
SHA512 2f6f86001e721f8a58ea610ee7c751ae5dae913a12d7ae0d5b386ea096d2637df2265721ab6c598762dac6fbe1084cc13e479c6f419dc6ab0a7f894c6ba2bf19

memory/3284-217-0x0000000140000000-0x0000000140179000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 62daa4c678bf8f5c4a5d774c440cab65
SHA1 2b93445f60eb9424ef116599bc8ae1ccc7c40427
SHA256 d5b20197f5d05740922e650858d700d50e64d6682db6ad38c949a4c20b99bf01
SHA512 b4900f6f8ff00a7bfa5830f089ec2f392f198b81e0d764147dacf760e374977a5a1b8bcd3ce822594f1f84897795bddc522473b89295ee418a21626e176dd818

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 0802dd7e7b1025b89202a2c10c05fdf0
SHA1 4e6ded2f991a27911dd67581e7a9dc3712a031f2
SHA256 856ac18c55dfbd0823d22326f4253b36ca554da339eff81d67fbab48c6425e2c
SHA512 64d05fb931c6208d0f1042b04100002ce53e9eb79b4d1c99b8e2f048eda1d8def29bd72a267fd1b57804dfb25bf4e88b20044c70e3acf429d160478dd0f405ea

memory/1484-392-0x0000000140000000-0x000000014022B000-memory.dmp

memory/5976-410-0x0000000140000000-0x000000014057B000-memory.dmp

memory/1696-414-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/6076-413-0x0000000140000000-0x000000014057B000-memory.dmp

memory/1956-427-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1808-425-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5176-436-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Windows\TEMP\Crashpad\settings.dat

MD5 b2c359ffd4bf582baf62f6e8adf87a6e
SHA1 8e9a26cf9202a00b2f38b9cf92a2cc0fa2e76b79
SHA256 ee8fad0e09119ff89b6f13fc18df351e81b41199adfc10acbfeccbbb88e02a9d
SHA512 1b1cddd7353d0e9300f1c661feda7f8d1a71e6d90279cb72c3adb51a7bce9c64e2fc87777926db50a8d41cc945445821d1b3cc1628f7446a7c03e64bcf8aff92

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 3dff96b360f5c4fe1a2a503bc973ac74
SHA1 9444353c3dd58a6e59b275edae2b753905b8c7fd
SHA256 3584279260141595ddbda2967b56d723055cc9f9d72c28d497f956856118a323
SHA512 342679f4a88089d12b88019ae93d93f755bd542220ce523e2440d3e8fcb8bf5af9ac1f8aa77123e2165864f3c865dc99bd22e7f5d7949a3b823b93a0615f0eaa

memory/1808-468-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\c4cc9da4-67bd-4e55-bbb2-ceb595243820.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/5976-479-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 a44abd1ee75e2a6eda24167a9fe9d1f7
SHA1 d8a342750c8ea47b3f9a6d1cfc2fe42df2eb3e62
SHA256 b9c595f4f4d2c46ce3c51c7c93ca300e356d58e7aa56924bc1800bb224a1db5c
SHA512 b7d445ca468fdffa63dc999e3989c055162244a5b524d8ba30d31d3021a8fa62ae22507fd7e42d49d2d37a51618e9e67bd32ec9f7cc94d79bbd84bf41107cfc9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe5786f3.TMP

MD5 1f497c78bb1cefe5fae1f2d3e5c467dc
SHA1 12ec3f79d43fc239252d3812f8f0c2edc492bc51
SHA256 e7fedf1f3f9f65c94434b56a0a6b0be4a9773cb80c1fe09b6391adaec9849dbc
SHA512 f7ce6b59abe22c099ba4ded438dae24ad228fad07f742fe053c580f2c052a91d5af99bc7616681f0f377f8b5bbbe7ae2defab99203bd1af816724a1e63b62e92

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e71cbb51-2b73-4abe-94be-2bd68d602990.tmp

MD5 c5d8bab1dfb61e109e5966b5ed46a012
SHA1 c9cc552e388dd6b598bcaf4cf8088f755400f86b
SHA256 4375082e86faf6b143c1d73c607ccc9d5111342d97274c9d7b82492740664ed9
SHA512 23fb1b6f32c9331d5903899f95b4b84180650cbd6c9528e2d766330d8acf1dfbd2fbbac946db9d0e4fd31a85efddc46d459aabf1743d0341420b64992bc18cab

memory/1956-518-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3344-601-0x0000000140000000-0x0000000140147000-memory.dmp

memory/3140-636-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/936-641-0x0000000140000000-0x0000000140216000-memory.dmp

memory/1392-642-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/3284-645-0x0000000140000000-0x0000000140179000-memory.dmp

memory/6076-646-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5176-647-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6e4e0ea2316f8a07d733382ac2fa682d
SHA1 50f6f7be1e3bed57cf02bb54c579a0689aaf1e69
SHA256 b614ff2befc94a2f3445441ffc38c50c0cfda49fc9fefc0f1e0151ebeebb56b7
SHA512 d32d2ed4437f6fe3f28527b2456476cb2a459d527a384d460f00ef4edc7e39b7366a9fff2055d2cb92c41f4b1f03eed70f4471c922af3ce537d0e5636da20e75

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0ed6a1d9d4d4057c93f7d13b0d770c3c
SHA1 dad40c6b03d538ae3ded406427d73ee5e95fc761
SHA256 68bc824b1d7e5ad0bd7b1b7f8785d8a9564d49bcb25c54fd88e29f04c9279976
SHA512 513bfd2b5fcabb4d8eb6e42e9c38678be2b0d1b52d1c8b3920c29ee80699da179f587debd9cfbf859d76faddcda01c3f5b883da1a39ce4d9c4aba7939d268731

C:\Program Files\7-Zip\7z.exe

MD5 a6d434f0019c2252f39452a85be69fa9
SHA1 b8da4f8826b2a2987d05ea8ec9afcc8bcc39cabe
SHA256 55760096ff9002d694d2811c499078cb5e766dac3f4dd100ffd650472ccd19e3
SHA512 7c16d3048c5ac322ffa5d0c34e67bb86a3a42daabea506c78231424e171b3eac0bd214ad80aaa0d6ed5910370c9c98a362751b80955dbc2c564dba7bbc8715bf

C:\Program Files\7-Zip\7zFM.exe

MD5 0e1a0fc13db68c3b5961b46b66b9ff3c
SHA1 55f40eeb7b025983fa9dc4eb7c8dd5336e87c6c0
SHA256 717eff1365d5c1c4d04161ccceb7ef17e1f643775864ae5fd5e81b7549776456
SHA512 93a018ac2347fe46c3aa7e7afaa910f3f93e2e3b37aef2fc530722552174839fd5cc87c2008b0a6e78456e3ef1f0c492bdc81c86505cf97e5107350fed979118

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 23514bc794b1d5fda6282d6d997339ad
SHA1 bf4270f89e79cbd87a19952b6def6be6000eb5c7
SHA256 f824e0ae5c54bc0845b75d9a9046fcbb159f295c35a1d9de5b1d4c90836456e8
SHA512 34aab06857c3bae38761e068e68a663a543dbf7913861b5569d2725a47ab7cbf3ba27eda0b75ccc7ef1cdc31480945c368478c5a43d1b0ffa160d2b25774fcb1

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 663f4827d0696d06ac6d0ca190d0fb28
SHA1 60d26b5e40bb5f81342750c8ee212fe653d3c789
SHA256 9787e06f0ddbc37e0bd974b66550a7007c017eb67e9f3d882edd8b05bc998f9e
SHA512 ef1d1565b9a2cdaee4f1167a0d1d1197270b5e10f020404ac539db18d760a0064ba174468e194f1c91a35361da7572554151de8e562ba73469d136254c1b9b0c

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 0d7c5261a1d06739ae5d577328464d0a
SHA1 66b73529de91d792e63f16966330e8779ed27896
SHA256 05541f7ce0878b174934f485f691bacac34b9379ff36c1fa696acd7eee93d9d4
SHA512 b2cf21bb0c52c4223abfbdc0c60717dc1a945c336b1806099c3448060c07a762f710bdddaad9747662caaa6e438c3779e50f3f7c6bb82be2e0480939ab6e5987

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 afe049b844ba148eaa0177d58afff889
SHA1 79d92e467a8dd2b0578be870dc78ab0005d9b92a
SHA256 a7fc1944f04abf5bbb3af19de4afb9076b50f232985cc69a174490da62fecd45
SHA512 7c41df98077491d0e885eb338e5f1f081fd1b8730649f336823ad6419be08a35a409697480aef2abeb3ad2913597a2c65914ec709144a73921f74be9f6ae4e28

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 4344bf399dade09fde17cd83787be7ba
SHA1 639007e802f70faaeb29487c39a5dfb73166249c
SHA256 f0ec52a468b9e530c7742b3c9f8e4fbf4240193e5e1727269c0fe8eb1ad293f7
SHA512 945503aeeb6b5e7c9751c7a5f188e28fe0326362df23d315e5489866d44d8ab91974e788522119bbd70a9b60eae49a58f5758ce261a6a218384c46f83f4dfa4a

C:\Program Files\dotnet\dotnet.exe

MD5 b4fb88bef3051440364465bcd687bf8f
SHA1 7d505571d6158ba43925ea9d7d767f408a993b7c
SHA256 cdbfbca9c99539f91d292b1c8a43257c74850dc2852dd7ea3cb1775c5b8c85ef
SHA512 9cd7284e931e843cfa07a649d9466ec7e86ca899c072e8bee5ea403eb29d43ab768a0ed794816d1804e5e8493d24664a437cc219ffba8d0547715cc7002712fd

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 b16b49426ba2cf1845762291d94e05e9
SHA1 7e57eebdcace3207371fc1ed0567ee8dd878210f
SHA256 f77513efdf5844a5e932b9f2840af149491f7bf425ba7970bc3471a4d7868aee
SHA512 488333f2214126608a685aae5e9e143c3bb3690e3bac612d3b7fd47d9d5862e476f44649fdebac57d0b86a7b9e46037c14e61d00e791993ae3654694d03d4ec3

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 cccff4de52ecd4906c036f17af118d19
SHA1 0d9ad92451d5e7700df21901954cf030c38a7a2d
SHA256 3c350ab029f7183cbf3cdedcf556bc7f0d3a8609a2917247d3db73d8eea2ac40
SHA512 fb84b2291755788c4edfabe9188112d4af5b73f661acbc15220935ce785dcc5338e9dd826058c3fe2ff39e7d062f3a0da47c21f2d7ecd70f2d6a26d6bc79376c

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 08042fb1717279394e8a68b78ef70c19
SHA1 a777dcf1d008fdc0cebbb337dde5ebbac3e64f7c
SHA256 aa6b88de488e9768f6ba11ec7d6b6c8b667817e6f92a84aa139da9550c0a231f
SHA512 8e4b4111e34fc0531a91cab71247cffa1759f8fd5d6ffa56033a574d61bd6cff1266499ddd427e5213d2835576414b14705bd55c1a629d7a49811987d4b823aa

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 d1027e1d48c6d6abbce78547708e3f75
SHA1 77be12b7df23b7af2d9fb6b44a22db4d890cd06d
SHA256 962a113d92311d7b75488eecaf90ea506a8ff6ee210feca295e92859502d15a0
SHA512 98a718c76e7935b64a00aae6edc2faa01cd22e579b56c62500a4d15453507efb49c08496a4e79217faec2855c67ab5d918b5395869683a839bcc5ec6c831cf45

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 fadddc517f3eebe38bcbe2fa6abbe3be
SHA1 3db5455d67f750589535d8be770f88f8cb18475f
SHA256 d9bc907765decb9ce88cf625dc748d8109322acedaf6d646960f97803b6f9e95
SHA512 1fa160fd39de002a21b2399021bc5884839bf3deb215e7defa88b34a4bfa43e689b2d1be519d657c6bebe12be248c09a75e289eb2db9c16def7ffd1166a7ed29

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 ae02c79c04e66c386b6d4025b1b18360
SHA1 27cf69a08ab06dd0c6c83237cd27c908069fab2b
SHA256 399a3b30ff0c206bf51946fb9f0c20bee745dc60afcc27fa667328fc3b738f46
SHA512 6547399fe4bf0a065b74c658eb72456f0a9eb07a6067c95f9e306800a05c9401d3f7c16ec4a2d466d0720aa60afd9a62d2d174f42e822baf7d94ec2006e697dc

C:\Program Files\7-Zip\Uninstall.exe

MD5 db56340256ef9d9bc9f4b62d92a77b70
SHA1 978fb46e8f5fb971db365d439c938f3bc1061a11
SHA256 f88d948a640dade5ddbf285ecc7316a98053dc5f2bebc94b70134bd067045fca
SHA512 bd1c559a073369676dfdea9a749ff1f509e5fe8cf3efd3bdbf3d152c7e6fdffb0436b744158b9f4b6038aa66af09528bce782941c1ac85e3d11e12f76962eed1

C:\Program Files\7-Zip\7zG.exe

MD5 0f4897a1446f1399f8e2625fa48cc8b6
SHA1 3c0794d1ed42adf7d5087718bc315648f2d4648a
SHA256 6e0524ffce465ab6abc41df2f0a4c8fd46492f9e597559a9344e5e27a5f92ce1
SHA512 9e96ff6fee31daf48bc1beb2a9a36026433483e0ae03cc9b97f2e0735aa8ba2ef600fe3aa137023cf4d255f8d727ccffbaee47dd8c3d6eb74db9b1ff8f5519ff

C:\Windows\system32\SgrmBroker.exe

MD5 79b84a38e74a95a927b53ddf93e44eaf
SHA1 06871d0f91b41240f730087e59297ae386ff87d9
SHA256 c38dd4e518bfcefc947ace35ab3491b1140725cf587837c3f43f43fc0076e48b
SHA512 2e54e06eb7b0670607b7fd1ebf03ab69ea42a63039e967f6a64bae8a49f06743e32b10dd321d51df63eb1bcc2610639eab1a19177535fb496fc142cbcdda05d0

C:\Windows\system32\msiexec.exe

MD5 62c80873fb89bf998faa19a7487a0ed9
SHA1 b65cfc76412c8cf2f48db82ca7769cd3a624a0c3
SHA256 1f6a50fcf23cc1b91b39df4ffd3e33f86e664faeb791ae07f9ea34be5a8c3352
SHA512 46bf4b311913c8f867bfe1adc520b5f41ef039f04d895633b1929868572ef264859c37f76c1706435d2aa96db44980b96e926bd3f656ef6679c4f60058c68bc4