Malware Analysis Report

2025-06-15 20:01

Sample ID 240611-wnfj4swcqm
Target 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk
SHA256 ac77632f9e93467bf8889972b03378f11ae85e42ce9613dcef1ae81e509f4a6b
Tags spyware, stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-11 18:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 18:03
Reported 2024-06-11 18:06
Platform win10v2004-20240508-en
Max time kernel 149s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\2a4bf77dc3a5208d.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bac5c5c029bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc12b3be29bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cd105c029bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e615a8be29bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000427602c029bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075e21ec129bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c409dbe29bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626026419408783" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
PID 2988 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2988 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4512 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 4512 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4476 wrote to memory of 3864 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 4476 wrote to memory of 3864 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 4476 wrote to memory of 1544 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 4476 wrote to memory of 1544 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5308 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5328 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5328 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 116 wrote to memory of 5432 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_ad600fc7ddca5a6fb49ede5b76dd533b_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2bc,0x2c0,0x2c4,0x290,0x2c8,0x1403796b8,0x1403796c4,0x1403796d0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff269cab58,0x7fff269cab68,0x7fff269cab78

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3080 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4164 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x290,0x294,0x298,0x268,0x29c,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1876 --field-trial-handle=1912,i,7325083813853303863,15650312182383035393,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/2988-0-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2988-9-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2988-8-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/4756-21-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 e646991f9b7863013f4543e5deea2d49
SHA1 7d3ab1c249b15c5bc5761baef819fa96b043539a
SHA256 0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA512 8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

C:\Users\Admin\AppData\Roaming\2a4bf77dc3a5208d.bin

MD5 622b2418d9be35b2156bf0cf8c4bf67d
SHA1 8f89b99df4abc1c93149a8c8737cc7b13edc306c
SHA256 f447564f1bb7871f6918c55615c87d16384224e96a518b6d9cf6bff2f7e3d65a
SHA512 ae66ae0f16c45102cb9f2b62d3a3cb011c01326596ab6e07b417ceddd1659c19111b1579e7c4504130208580e2a35b5f6e96ce5bbd1ec9afde4c23f00b1a6aaf

memory/4756-17-0x0000000002090000-0x00000000020F0000-memory.dmp

memory/4756-11-0x0000000002090000-0x00000000020F0000-memory.dmp

memory/2988-27-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Windows\System32\alg.exe

MD5 ef71107effdec6908f0c88851a383b5b
SHA1 0b33f08d54204eb7c8784c94c6b6c4c5e4d1e5ca
SHA256 575dbe7cdf35d96641ece33ef22eec0701313372cb38b014ac92b341eed048ff
SHA512 14bf626acb4ac4547f832f7f15fad346a92c203ef35ee58c101e8ecec7448f7c86052004cea6dc38cc024862bac96f5d54382f8afad8d88af1b971234cf2c97d

memory/3036-30-0x0000000140000000-0x000000014021B000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 27f03cd446335e6343c01d1f8ef4261a
SHA1 374316fe315f374cae8db2245166dc10f7342f66
SHA256 2b57c8b20c22be312b5f784810ca40d6d892d398ab58f0a8eec08253055211d2
SHA512 f94de214897da7a39faae397d4c394b46d6a2faeef44e606121b3e5c0e9afed27fcc51b4c29c326607e8ea56b85572572c7a6aab63930eae03e084615a6476cb

memory/4516-35-0x00000000006A0000-0x0000000000700000-memory.dmp

memory/4516-44-0x00000000006A0000-0x0000000000700000-memory.dmp

memory/4516-43-0x0000000140000000-0x000000014021A000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 b6e521a653c82b1b867127977074346b
SHA1 7538625d4b32f34c7a61baa819fb91adfe6d4f29
SHA256 ffdd98d69a7dea3c4a71a0b372aca354fd7ccc5e2e8caf7d62aa6abbdab18ca3
SHA512 6f4ab7d5677d100cee8d5f9f0b7522e0eac46397a9e9b6462b4ae0b2f0982e447d8e413fc3064ea67ab969cd751e109b2f473a9b3924f86dce5925272834506c

memory/1768-56-0x0000000000C80000-0x0000000000CE0000-memory.dmp

memory/840-58-0x0000000140000000-0x0000000140135000-memory.dmp

memory/840-61-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3148-69-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 8b62c892732ac947339b1d18ec54b1d1
SHA1 76c801cd05acd18bd250de4f534afb7d9febef13
SHA256 d838b0436db542b0eabe9ae4454f35422a082d7021c4a7eceb1483c0c193a763
SHA512 e939a0d7000a41a1067406cf340b0e3ca71617da8985c4e93f20d84c188e6ce63ebf80affe9f99661393610802d3694252143558d5287588a59fe38f8e55bd15

memory/2500-102-0x0000000000B80000-0x0000000000BE0000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 167f00a6d02f00061ee502142d59c67d
SHA1 63e77a627199866a6ca5952bfe09227fcad60243
SHA256 83e05e735b791af8433d1b3baff9358b32cb92024cc3a95df5dfaadc65e96a93
SHA512 3824bb01992e745e73ea270f6f24c5bfc0615af02ed3b2f99755459076e4f506dc8548e3bfeefe9ee6ff4f39726e1f930d8b7b2061eb2454a94966557d7f8b2c

C:\Windows\System32\snmptrap.exe

MD5 bf5dfd9d7e5d8e36224be5f5f5cc61c9
SHA1 3bafcb852730f9ccdbbf776c3a3c0215a36e6a36
SHA256 b7b1ddcd98033c8a191e697db32f20e180fe034c6d73eef17321a3e71832b7d7
SHA512 1e18ec1799312eb2814ad2f6fc7780b75876bc49c9e1856e6a38772add2104f8256e11d164599a533064ef920edb90a8dc338b5f19e90cf1a1c64af8fe0bd884

C:\Windows\System32\TieringEngineService.exe

MD5 68880d808e17e1e17845c0e07019575a
SHA1 f8b134ca0694fc3832c067a3b93b0703433ce46d
SHA256 192ab18b2ab81847f372fa4ef79e622b2a8fa53062c359dcd310b9df26525a1e
SHA512 fe4eaf1ebf21bcc895c99b4e7d44914fe51ecf3a370ba25ed9365615205dd8b89c207cc418b65617bf57cc7db804ca28fcf9a17d1aa4ad80e04f111ba897abc8

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 3a8506513c9cabcfd92bd801c762757f
SHA1 a102d1ec38ce2b252afa8e8c099413996df84e6b
SHA256 d4c84cac8cc7d754497a2c3dabb006766dbc326f6c3cf2e592d28154352e35e5
SHA512 656fd0e7c3216ff99c3906a11db229cfaa2833e243bf8b6d68fe1fcda1ab3e76c3bf3d94af819a939db3bcc3a57880e01c552b8b4b2ab93ba416badafea2861c

C:\Windows\System32\SearchIndexer.exe

MD5 88cf5f7f85a63dc8d3ad8b5265a296ee
SHA1 ef227b7e07258e80399032e39a828fa3faf87845
SHA256 936432fef765844bb32beb944bfcf5238ca7b066b4752e58e63fc275f08ea2c5
SHA512 047bc7a7fb8ef91c32b7d9633283600f5a6de4341f2dc4dcd3d7ff4df9e8d8151b72ce24d865148be1be921f87ac338138b2622b087ccd4b0a790d77ba8d1688

C:\Windows\System32\wbengine.exe

MD5 4c8bb8790db2ff1ea93b037b2950f78a
SHA1 a4f674f1bfa2d3f655299f8ad045cd2379481280
SHA256 1a99cf346f4f8386d334962f4570eb5e6ec0b048df35bcd8e50fb99753e64cce
SHA512 45b4d7959d3619f52fb92be055340d81da84180ed9621c35b427015e93ff2c5efbf45c0bcea268a1b8869066cf1d1315e58faa4aacd510db10dbc3355fd26a1d

C:\Windows\System32\VSSVC.exe

MD5 34fd4125965c601adce3c9627c04457d
SHA1 babc7cf40d68a4e21ac02c3b494184314cac3e25
SHA256 8be7d412ef1faa2ace2cf86966068a1d1544ed365691b124cc0777d354f7f38e
SHA512 3d77863b0a928f4855d39db0b197e7e589508847414c985ae80bb54b5f71cc62399f1eee2fec46cd02a974cfac8b8071e6a776c508b5acf2f22877f423db2f7b

C:\Windows\System32\vds.exe

MD5 9d024ba7a5fffd2765c9803ba43eb305
SHA1 e4df3f6233ad97cf0e7a2b2056e5895d753551ad
SHA256 04424ef7de3e1ab76b6cb50a340065dfd3378fae0c156828c958f24525f967d1
SHA512 7233d5256a089b0e5c491050b9a56c50327dbe4f74160507b66d3681abaac4082436d94c8075eba7ce6da08e392c54262048f1cb31113938f419c39d85cd15c8

memory/3296-153-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 939a6f7ebac0eb8abab41415a816f155
SHA1 3f9b5cc2ea3258474c3a19c763194cef502fd18c
SHA256 47dcb62338f924f767157716ec8b0de8f291804f53c4fd253e077b6ff7a08078
SHA512 ac16afa2617f1f5a9744e945c1bd0bfb99c850878ba3aa76dd4645d0dddad2c72b390cc7ce64e943dae692554e94fd373b44c84b6d31a2ea3c8ddcd2c28bc5bb

memory/1456-247-0x0000000140000000-0x000000014022A000-memory.dmp

memory/2500-250-0x0000000140000000-0x000000014021C000-memory.dmp

memory/4608-255-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/1796-261-0x0000000140000000-0x0000000140273000-memory.dmp

memory/4576-259-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3720-258-0x0000000140000000-0x0000000140207000-memory.dmp

memory/3648-254-0x0000000140000000-0x0000000140206000-memory.dmp

memory/3684-253-0x0000000000400000-0x0000000000608000-memory.dmp

memory/2884-248-0x0000000140000000-0x0000000140240000-memory.dmp

memory/3148-246-0x0000000140000000-0x0000000140267000-memory.dmp

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 c021fcfd00b78a3fba66dd9efbd4a90c
SHA1 089280badc5d90cf99ebf3b1659eb5b5b985d44e
SHA256 88a20994f0c45e1cab758e0b6df00524b90b09cbbfbec9428485b0be551cf056
SHA512 fcdc55fbfa8a119a280eea682477f1894570a027f25750b56d4d7e5e2234d6bdce110efcf254f591b27d7834516ac126dcdd7f6518dcc0ef998db19cdfe95962

C:\Windows\System32\Spectrum.exe

MD5 b936b5f66097442b1af4996a651a13f3
SHA1 e778935154e588ea106b8a45f132cc2b6c35dbdd
SHA256 a0f1ace40afb519ff0fdd01f8ec8e09ffbc511d48dd8fe15b0be15cdda9de3fc
SHA512 70f176bca88ccdaf5b88ead32a3da086a7394005f59206c53573b304da1b9c8f266a162b7ca4da303a0e80213f07649147a331492f4f60234c0158ff1f13f7ec

C:\Windows\System32\Locator.exe

MD5 1edc1a87afb88b9dd41cf78141c63dba
SHA1 1da61f7de126abd31488e5c2097ffbf355503d23
SHA256 06382e5edd2a5abc8676bc285e468a84615700fe77b0bd02859e0c17d06d0409
SHA512 40a943592b268ed3ffe3b7099be1acd544f18c480ab801c34e2228d58d735c7f96a34fba2c995ab28362818c0813d9ad48e0755c8acd83bf075924b33ab6e3ee

C:\Windows\SysWOW64\perfhost.exe

MD5 0f459838ffb7e45f1b2e32bc9eb6b886
SHA1 8b1e657f190771e4678563a16457b00eef3ed93e
SHA256 cedff35842d4f27598a12b4b9d987da393980770bedacc855a6a1d3ac0e52c5e
SHA512 42f91f5bf6f90eb40b4f548db3141a2a62177802ec94bf81d69750c3e9454d19bf9a8238cdc9201589549b3f8b56c2ee42dca08043f6713b49e6e1c0dba4494a

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 69b1a8b19119ea1d7c6faedfa849427d
SHA1 32276e5103e89d76f37e11f8a334255ae5cf7d77
SHA256 45aeb52d2a27256bebc31cf23f80c42f931eee0418cabcc4d963ccbc025ab1e7
SHA512 f8baf2e195c9c04be5ad2ac31d1d3cc9525f2bfc47a8f51433627a8bc226892a46de7a2c154e15a42b5bec1fb916485722d550ad8eadce1db675f70fe0360db0

memory/2884-96-0x0000000000840000-0x00000000008A0000-memory.dmp

memory/2884-90-0x0000000000840000-0x00000000008A0000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 b97b60e2dabbd5954a0bf7e2eb007d7a
SHA1 2621fa81a742c57f0ef1ec55835cc06bd6ecb82c
SHA256 832cf8aa74ac0e51303481e9be7a6d7510f2e8e6cef86805477be093e677d5f5
SHA512 b058f6ffd122900a4697f9020ab7c09f551c0bda3d6623adc81cb0ebd3aab8c95071cb84b3d3212540a7bd26ea4df015c16941b0210f47ab37631f6fc2ce542c

memory/1724-85-0x0000000140000000-0x0000000140240000-memory.dmp

memory/1724-83-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/1724-79-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/1724-73-0x0000000001A60000-0x0000000001AC0000-memory.dmp

memory/3624-277-0x0000000140000000-0x0000000140147000-memory.dmp

memory/4308-276-0x0000000140000000-0x0000000140253000-memory.dmp

memory/636-299-0x0000000140000000-0x0000000140216000-memory.dmp

memory/4476-302-0x0000000140000000-0x0000000140179000-memory.dmp

memory/1724-301-0x0000000140000000-0x0000000140237000-memory.dmp

memory/3100-297-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 de51b5f42efeafc1929d9d06ecd2a3de
SHA1 20546fc6e203be7856358414f1e63246edb041b3
SHA256 137db3944ad78686822d6c84f3d0d1a0f57e8c99f2a1061517efab78187821b0
SHA512 03f84a97b8941732baf2e577f8dbbf6cf980df2a0d1891e07396210a7b5a897fde77cf76a686e864fb7e399c69eef9b92b35293e430d9e3b51d3ec11e512f9df

memory/3148-63-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

MD5 f45c11eb6246638b29c02ebeecd67df3
SHA1 5c0484fd81fe7ac7843e6b8c158c2a8f8b23c4f7
SHA256 685e55bd144e41266404d1cceba7592c02fabb138cde42b8669d45e128391b71
SHA512 fcc1d48b629c9b45f68ad840b8f0eb6f864823a56d27f84bfc4c1f7df0c32b6e37885eff4933581e0f8a2bd8c68082c373c9fce805e2e2fe4fe2a22246b7ee1a

memory/1768-59-0x0000000140000000-0x000000014024B000-memory.dmp

memory/1768-50-0x0000000000C80000-0x0000000000CE0000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 2beefa08e574859be44dc9d48308cd62
SHA1 51f90d7003678819ca73831f078108f84105f857
SHA256 e77b23843bda7238848e9fed52526f4bdb637315695d799a9bc5e5a8b436740b
SHA512 02ee2b4c86c36cf73e76f24dbe1eef5c206dcbcca88204c683b86b4dfee872564524af4d6ccb9467b9bf1cf4e8c23fedc46387327c3f59901646a2e7769264e2

\??\pipe\crashpad_116_WJHOSPYCLTAEVVZU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

memory/1768-354-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 55af799172f8131cb47ac40567b382ca
SHA1 dd4873af6867a8cd4e6db83a707d4089066ff203
SHA256 8506d383df590ac0fa8870afcf277c72ba6b87f4c98103c5f5fde7139322543c
SHA512 7389f7e7d2ca8bbe7598189dacec983eb0d1b64dc2e831a3cf2854906e6f2769e2ddf8a141c855ee720deffb638027eaec522aeb5e138e420000f086b0178692

memory/644-412-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 0c192d9326e76cc1935234b56bac4e53
SHA1 8f25cf0989eabd192f0b7a89f56a6299112333e4
SHA256 fa350df47a5e1e78ec90153b0656bd06f871da3765da298bb8b321535bd898e7
SHA512 30c574f7fe9468e287106fa06326d238dedd5ff7230d61fad7c85c42d9edc257d889511a41a75263479f34e3ce81a59456572fc7c7eadeaf5c920bc4d7c2d28f

memory/4348-432-0x0000000140000000-0x000000014057B000-memory.dmp

memory/4756-444-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/3408-447-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 5a0afaa6d8bcfa23c349640d5c51e4ff
SHA1 eb481ba20b7aa4eb61fadb067449888dcc5ba458
SHA256 61c69e4d9188737f8e0533e535b1967fca5e876ce516a7376612f607d4acf910
SHA512 b3929eaa5ded219f9225839646b57ebc1485a846bbda40d70ea0da89c7d6b1f64b91b4c43f37b5caf2ba002391ce5e96b4eba84fceee768133849b8e1fd19617

memory/6092-459-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Windows\TEMP\Crashpad\settings.dat

MD5 de12892063f81f60b11c0497ec332fa7
SHA1 ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256 afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512 441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

memory/3408-469-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\d19af095-f5a8-46cd-a8ab-7027b2d6a7dc.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/644-480-0x0000000140000000-0x000000014057B000-memory.dmp

memory/4608-501-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 6f5a389c25fa94ca8c16de690f79aa90
SHA1 1cdcb1bbddacd5f4eabafa20f3451fa88dd8e642
SHA256 db5a19c6b96285b5de81091f18ce85ea6dbbd79a5f48baf9071ff7b2404d495c
SHA512 6d8d724dfdb519b003095e74df3d1a60fd1189cb6f96716e1670864fbe19b5ecc49b8256a6d55ebb1eb5cc2239263238175792ffae7137c27914f7ceca58d7e1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c13740799d0caa933b421619655eef43
SHA1 0922bf64d722e6924730ce8fa7dbadc4053f8e9d
SHA256 eda06343b6fddbd4df468f2b768e6d1999f662ad59b584643810615fb0bd24a8
SHA512 fe7a28453f6fe32a7443f94cfe585827c44567dbb73cec6f8d2574d9011aefbf4c9514c43adf24020d448e1d3774b4f495d17419f4188aa26edf189abed41947

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe582e4e.TMP

MD5 c4d12c24a85b7e1aaf85cad983fe7610
SHA1 00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA256 6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA512 0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

memory/3036-614-0x0000000140000000-0x000000014021B000-memory.dmp

memory/3148-621-0x0000000140000000-0x0000000140267000-memory.dmp

memory/4476-622-0x0000000140000000-0x0000000140179000-memory.dmp

memory/4348-623-0x0000000140000000-0x000000014057B000-memory.dmp

memory/6092-624-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d358ef6327ca3317cda73d856fb6233c
SHA1 2fa7981029d4341d3bc97bfc33d10a3e941c1eaa
SHA256 fd10197dd8986a31a1d8cf921b9b769f5cc0a6084a861fb43f7850f6687e71d4
SHA512 3d964b0482f0c68a7b61c24f5d8ea827b82fbd2f3ec6df4d4a17b316bf7dcca46521ddb90cee0c94ddec35542649a437ef167aaa027be67ea9069ce05704bff2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 93cce0bc8af4dc3358be9aec1b109b71
SHA1 1772bf883b9c9de1e77dcb0ea5e41c9763e705a1
SHA256 4242bf85fe60a130728246d1bbc1ddbb0409524b153b5f32ed1f027d4712848e
SHA512 b195697c5a574539684ee0830b3bbd2f70fd62be7329804e97ec18c4ee5d55498f7244024f2a797d34c55b5a925422bec1705fcafeff640d07fd172dff684560

C:\Windows\system32\AppVClient.exe

MD5 ae5908882d4ca644be8d99d9d8807c6e
SHA1 df97804cca228d79e941a751194cacd5f699630a
SHA256 c564f4baf58bd03863f8c91fa29de5d8de348b863a5a69e40869298e50996311
SHA512 7d43657313d52b617a5eb79a25fa71b28b0f9652ee0d343f356679a4d357502b56b491e4c55a77dcb00681a2a6c5e6e1bfda33c4a78babf35b2a37261fe21df2

C:\Windows\system32\msiexec.exe

MD5 b4cfb54cdb237ff5dded56655fc076a3
SHA1 e5e27f43eb1db516e8e9ee5b215d5961798fe7eb
SHA256 db69680603d8e4962de7c8587f42710480e3a5224498e1043dc9729d3921ce9f
SHA512 0747a11e283c3ebc061acc87d786adf881849afe941cf3578e3bc98c9d370cc85c03c43a0a232ba9e28b4a01ed29702b00b8a99233036733305ad6c0d4697f37

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 83d7550d1726afb45866fe521b28ba27
SHA1 1dc3804261a6abc3fa234518bf2e85c3a1223779
SHA256 079768ba66947de35cef06c8404f296e704e00b48962e761326751bf0e0eda99
SHA512 b01c6e2a2f250ab74fff637ab675991b14e5c08ef66492281e99cb7572026c1a3d7f14ecb8576071d7676d6badb992d0d6488eee857914aec5a6f1a2ed0db1b0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 e299c26ef263d99c9ba2fbc9a606da9a
SHA1 6009546d60baf6adf43cfee017d4e182822aee90
SHA256 a98e7ee7428e530e457352bfc69b785cef86a0f944661e5ace1089e2fed69298
SHA512 0579cbc36ed9645d650dcdbf4e90e5facc342e0036feed566d52cb6fe356100ead08120be5a59cc83eeb4d638d37075c7485a703cb1bb1200d6da392ec8749f4

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 e57ce620a4dc664dfaf6858260442d74
SHA1 161f3fd6b5d0b1090e9349b7c9ae1f66c0c50924
SHA256 54f3378e67a78d398b5cbb6d28d549c3a255a64f7472b0742f16ca36e34b6b2c
SHA512 03276ce5737fbf1e25a9c01da60a36fc9323d18952b3c64259fb4461e8dbadf6b1f00b4dadfd9c55210b204083c733794b8d508f73fbbaac3c99daa50ca2e891

C:\Program Files\dotnet\dotnet.exe

MD5 26140d8282aa9824d427d5bbccb0b73f
SHA1 c6b0d30b159105a5cbd219039842a179ca34c74b
SHA256 dee5ff1e5f8568e774aa94fcd318d077490f63f6b32f4ddd96ec839da144913b
SHA512 5e31d3ed43fd831c6011cdbad705837e6204c919fa1b058c784e60a632e3514e7f97aaf1f752d31e816e67f88658a977a915d4ac2d6d5d9c5fe4108b98e39d06

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 7ca7674bcfa7a3c9c81adb20b1ee05db
SHA1 b9485f9ef58ce951dea44940022f0ac970883b16
SHA256 1df250cabfd2d7f3af7331dfcc3e06859b4d7802a07266a9b3335ad4e0b9fa0c
SHA512 7462efd25247b2f5c4664fcf4d3bdb0890a7f28baf6ba0dc70e8a09c30e67b4126761a9f907ee2674066986971b43b3f1f93296d495612daadd3a3fc29bc117a

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 7f73ac053ce36f9add78d572204792b5
SHA1 2027183c157a9d41ea3662dcbb9afca0d98db241
SHA256 cf897cfe2e5579cb27f34e962470885a9a5a2a49a303ebf9503e803c2d6c45fb
SHA512 ea48be3c9c803169b46e9e1b2d367d750135342a1a574e88c537bbe98fba93395c6ec470a32efe7690aeaae24da18d7f31e644a44f55d36496448c60b8585647

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 47f7a9b40c3e3ed9d6762153823a5556
SHA1 ea9d612b587e8885a72888259ddf6e31a64a886c
SHA256 52b5e4c0a8a0cfe9408d0ac94fc5bd93bc5a7df3e5a05177f7b479869bf2d9f3
SHA512 024cbe6eb0645c705a87a2565aae2aee95622532f93e29db74af5fae381269c28196c9bfdc456e868e05dfb0311401c236b32bf74472229e75c737bc1d81c1aa

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 05b999cabd175f42e7d385f23d3a654e
SHA1 bc82e2853d219104e9cd5f19752041179ec9bd46
SHA256 1615ae3d584c98b1f81a93b210156786e77b46639b348a0c496ea88a89890630
SHA512 101ce9875d4f21cc7a3f99d00ea49300625db9ee3b97c4f4caa91fa4f907933d974703bdf6ed1ad4a3419fbe64e1a0733e56f5ac1951eaa979835df27242ec48

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 de9247f79c1234689663582fcee5f5ae
SHA1 6ad62f264c351e481ec86e1c077ee0c9a4d92af7
SHA256 f6630fddf91525d51ddf2dd4f41bbd840f1e79ebf8037bd761f412fff74a1848
SHA512 c97701617e68fe407a4bff8fbc9a36feb4a6870851ffd3e3a059d2efa0b77b83f1a79ff1770143885e2558d1c4248a1d7a54f1c29ff1c6a309ba3783aac0843e

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 54668b83c1ace0f863ed2d943baa9e8a
SHA1 eefde00aac4306d121ea3cb6b76bb0fea0738c55
SHA256 3c7983676841f1be2441f78fa7d1136dd1e40b909cc78be589b0d18a1b6af775
SHA512 9b83f784b4e00ec424c055a5a04ef154dbbd89f20691edc63905fd3acab44855eccaaa90209104454b6c59b1d140d913cdc6978731eaa7b250aadd4c1bd240f0

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 28f911787e89a001b6779fa80bf02372
SHA1 3a06e4fe445d8d396d79abacbbcfe72df26b187e
SHA256 b1edd034f7ddd3c80ac29a1dbaa476c99af2d10ff19dc844e22e72c47c27601e
SHA512 c73c97a1c2f05fd3780064a3518d53a2ec79f243813c018506debc23ee62d49a7b0473a9437716db4b5d89881c468be5fb794625dbeb837bff7f71e37b7e1a21

C:\Program Files\7-Zip\Uninstall.exe

MD5 967a000a027c682e8fafb6bf7409eb2e
SHA1 579f92f831c000d2b67fb2c777d7a1f1e87f77e0
SHA256 97ff91e697c5d046a23393af90a9579ae0f45f06c6ee534fa83348afc3d93db7
SHA512 eb28e883ac023eac1a056db98b6be4cdd141824980f9d7f3752cc67ec845bce9689a51fe2a646abe9281aeb6fdd5a3db8629523999065e19343952c098571cee

C:\Program Files\7-Zip\7zG.exe

MD5 164e39866e16dd78b8527f26029a4ce3
SHA1 e4f5f207b4ad498443ab7bfecfcb2f441891c5c7
SHA256 93af94fc50c133bb925fc2997f79aeb620f648a4b31cccb3f03415d45464689f
SHA512 0089eb483b75d2f1a40ca5212d0e971d0bc4fd10a0bab023f7adf45862bdf110f75df3ae4d77f93cda539c4cad8a36eac390f01542f0a5efcf7a756b62fef031

C:\Program Files\7-Zip\7zFM.exe

MD5 4da11d1a04e95c99aabb81384e6a2440
SHA1 5e9427f61de9e576124768ffad53b10a840fc47d
SHA256 ca9b8bcb166768d3ea40de67483c8eb90f10f89780c529ddd0e850be1ad20cb0
SHA512 3f939c55561fd244757a37b2f5b6e8804d1636d6657d661b95e405d5eda6f0fb9ecc5bbf98988e3bfeb44dfedfe2bc7a086d3bc35092cb6ae5363fd164425a5f

C:\Program Files\7-Zip\7z.exe

MD5 f8745c90556dac2b77a269a55c613e1f
SHA1 8600988ee5ecbd05cbdb7dbda3e4994d05812256
SHA256 ba730c93a7387906e249746f82930736aef81c9c5e4fcf5426aeeff6d583b46f
SHA512 3d4280e104de656b469abbce238ff4b8e4e79524d37c967ad1cad4c429c26c74fc7e68efc82bb52acae4a378071d599203a0abc3b8c7f485358cf1a9095b98d3

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 c0511fac8ab1df2738d2ca4513ccb8c1
SHA1 16ad2c6a8dac0d4078b5f589127373a33bee5189
SHA256 d520dcc414566fac095f7afd31c171d10c67abbc77eaf9daada8aab9800ab7a0
SHA512 2e7f30a78ec2b88bbecb69b2dfa48d3cf02a7045bdfa0e5195f0137777c279ac5ea802028f75123504d693e8694b16e390873f2c305d3a59c143bf5fca3ab189

C:\Windows\system32\SgrmBroker.exe

MD5 dc3a426c0699705de9c524cf36ea91d5
SHA1 35951951a97b7963bed82491508217624ae39b8f
SHA256 c7f933983b287a111a8fa6c38363b6057a172f737db24108585277c2351c8b0a
SHA512 fc1ae3a156f7239153929f78b802f7d2485eb01ffa8ec0887401e125a6303ff16e7f8e99d668c9a57b66a1c0da6db2fc5b1545c5425ac3879d7fb95a94030c56
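The file listing above is the part of a sandbox report most often copied into a hunting job, so here is an added parser and scanner for it (example code written for this page, not part of the original report or of the sandbox's own tooling). It reads entries in the exact shape the report uses (a path line followed by MD5/SHA1/SHA256/SHA512 lines), rejects digests of the wrong length so a mis-copied hash cannot silently never match, and hashes every file under a directory to find content matches regardless of filename. `REPORT_EXCERPT` is a constructed input copying two entries from the listing; `demo_scan` writes a constructed file into a temporary directory so the scan can be exercised offline. Function and class names are this example's own.

```python
"""Parse a sandbox 'Files' listing into IOC records and scan a directory for
files whose content hash appears in that list.

Added example for this page, not the report's or the sandbox's own code.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Hex digest length the report prints for each algorithm.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed input: two entries copied verbatim from the report's file list.
REPORT_EXCERPT = r"""
C:\Program Files\7-Zip\7z.exe

MD5 f8745c90556dac2b77a269a55c613e1f
SHA1 8600988ee5ecbd05cbdb7dbda3e4994d05812256
SHA256 ba730c93a7387906e249746f82930736aef81c9c5e4fcf5426aeeff6d583b46f
SHA512 3d4280e104de656b469abbce238ff4b8e4e79524d37c967ad1cad4c429c26c74fc7e68efc82bb52acae4a378071d599203a0abc3b8c7f485358cf1a9095b98d3

C:\Windows\system32\SgrmBroker.exe

MD5 dc3a426c0699705de9c524cf36ea91d5
SHA1 35951951a97b7963bed82491508217624ae39b8f
SHA256 c7f933983b287a111a8fa6c38363b6057a172f737db24108585277c2351c8b0a
SHA512 fc1ae3a156f7239153929f78b802f7d2485eb01ffa8ec0887401e125a6303ff16e7f8e99d668c9a57b66a1c0da6db2fc5b1545c5425ac3879d7fb95a94030c56
"""


@dataclass
class FileIOC:
    """One report entry: the path the sandbox recorded plus its digests."""
    path: str
    hashes: dict[str, str] = field(default_factory=dict)


def parse_file_listing(text: str) -> list[FileIOC]:
    """A line of the form 'ALGO hex' attaches to the current entry; any other
    non-blank line starts a new entry. Digests are lower-cased and checked
    against the expected length and hex alphabet."""
    iocs: list[FileIOC] = []
    current: FileIOC | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].upper() in HASH_LENGTHS:
            if current is None:
                raise ValueError(f"hash line before any path: {line!r}")
            algo, digest = parts[0].upper(), parts[1].strip().lower()
            if len(digest) != HASH_LENGTHS[algo] or not HEX_RE.match(digest):
                raise ValueError(f"malformed {algo} for {current.path}: {digest!r}")
            current.hashes[algo] = digest
        else:
            current = FileIOC(path=line)
            iocs.append(current)
    return iocs


def digest_file(path: str, algo: str = "SHA256") -> str:
    """Stream the file through hashlib so large binaries are not read whole."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, iocs: list[FileIOC], algo: str = "SHA256") -> list[tuple[str, str]]:
    """Return (local_path, report_path) for every file under root whose digest
    is in the IOC set. Matching is by content only, so renamed copies are found."""
    wanted = {ioc.hashes[algo]: ioc.path for ioc in iocs if algo in ioc.hashes}
    hits: list[tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            local = os.path.join(dirpath, name)
            try:
                d = digest_file(local, algo)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if d in wanted:
                hits.append((local, wanted[d]))
    return hits


def demo_scan() -> list[str]:
    """Constructed demonstration: write one file, add its real SHA256 to the
    report-derived IOC list under a hypothetical path, and scan. Returns the
    report paths that matched (expected: only the hypothetical one)."""
    iocs = parse_file_listing(REPORT_EXCERPT)
    content = b"constructed sample content, not a real dropped file"
    planted = FileIOC(path=r"C:\hypothetical\planted.exe",
                      hashes={"SHA256": hashlib.sha256(content).hexdigest()})
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "renamed.bin"), "wb") as fh:
            fh.write(content)
        hits = scan_directory(root, iocs + [planted])
    return [report_path for _local, report_path in hits]


if __name__ == "__main__":
    for ioc in parse_file_listing(REPORT_EXCERPT):
        print(ioc.path, ioc.hashes["SHA256"])
    print("demo matches:", demo_scan())
```

A content match tells you a host holds a file identical to the sandbox artifact; it does not by itself say whether that file is clean or modified. Several of the listed paths belong to ordinary software installs, so before acting on a hit compare the digest against a known-good copy or the vendor's signed build rather than treating presence alone as an infection.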