Malware Analysis Report

2025-06-15 19:59

Sample ID 240611-xjqd7axemq
Target 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk
SHA256 5e7c7edb35812ca1ce75ebe32d05e7898e47cbe48b6ae4d0b94876dac00378c0
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5e7c7edb35812ca1ce75ebe32d05e7898e47cbe48b6ae4d0b94876dac00378c0

Threat Level: Shows suspicious behavior

The file 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Modifies registry class

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 18:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 18:53

Reported

2024-06-11 18:55

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\bcd86c0ec3a5208d.bin C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javaws.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000240619a930bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000294449a630bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626056086132563" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ecc5ca630bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab9a45a630bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0be51a830bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000396225a930bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074483fa830bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000205a49a830bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056ea38a930bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4ba24a830bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3348 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
PID 3348 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
PID 3348 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3348 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 2652 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 4024 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5172 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5172 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 5020 wrote to memory of 5180 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc07d4ab58,0x7ffc07d4ab68,0x7ffc07d4ab78

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2036 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x298,0x29c,0x294,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/3348-0-0x0000000000820000-0x0000000000880000-memory.dmp

memory/3348-8-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/3348-9-0x0000000000820000-0x0000000000880000-memory.dmp

memory/1112-18-0x00000000008F0000-0x0000000000950000-memory.dmp

C:\Users\Admin\AppData\Roaming\bcd86c0ec3a5208d.bin

MD5 81edc1d8b137d8f3547f9c66e190553c
SHA1 d615b8d424f9e7a1e1b05d952862358b04618953
SHA256 c1789205f6ac2d09508d6a6bfb3d959494d6b40ad0d7fcad443825ba0cdde9d0
SHA512 21e9a8ad39525239ce0b1672688120807c25e481e36bd19a052188b68f489fb7d15fbf4d04f8ad5580a64b5c320fb4281e08d32fcbcbcadf9e03da715148499c

memory/3348-27-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Windows\System32\alg.exe

MD5 fa8640d90ef9358c50dbce41b5f11bb4
SHA1 dd95a5a211910563756a804def6c11a4e01b93a5
SHA256 ddbdce7d77cb0642359743492695b845a3ac59822a20707ff746a2cec62ca8e2
SHA512 ececb31c6c30cdb2f780de2c32b36d94331dd4a8717c169c9a94bbe4cb66306355552ddcd7ba49ab2cd27ae6b9b7ec3ba2dce7af00caeff75321a060c8accee3

memory/2704-35-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/2704-44-0x00000000006B0000-0x0000000000710000-memory.dmp

memory/2704-43-0x0000000140000000-0x00000001400A9000-memory.dmp

memory/1872-31-0x0000000140000000-0x00000001400AA000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 738932ccab16a6011b3d3b42f027de7d
SHA1 6feb97a5c13e5c3644135e9b7d51ab0b6e22b0b4
SHA256 472c057cf5410e8113555629538005edf27202486fd428e38756f3de937d76eb
SHA512 ccb4a61b2cf6214c981fd6e88f80de949ac5bb4a3f83b98360789111a01182b0883b12303d027751640b8a4b3da6697f3d3d28d6a6bdd743913308f885de5467

C:\Windows\System32\FXSSVC.exe

MD5 32974bfaab47035d1ad150cb6d12a2d6
SHA1 51ffb328c6cc9f9ce8849c15b11c1b5c23e650a7
SHA256 1d97dd43ae82db354c967396edd3d6f4466d2a7aa5c85d6094b4142fb0cab9c6
SHA512 4019889458a677fbcce12246b51d1754fcaf7f4259191a018063d2719ad563309799c3b02a08aa6ae06beef94a4dcfa6fc15afb2ca04037b083f3dd03c2b6dd6

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 e646991f9b7863013f4543e5deea2d49
SHA1 7d3ab1c249b15c5bc5761baef819fa96b043539a
SHA256 0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA512 8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

memory/1112-20-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/1112-12-0x00000000008F0000-0x0000000000950000-memory.dmp

memory/1360-48-0x0000000140000000-0x0000000140135000-memory.dmp

memory/1360-50-0x0000000140000000-0x0000000140135000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 eb810c054cc107b8f615d3f6c23b9f0d
SHA1 229238481495998116763f72dea3c7e889723ad9
SHA256 1a49bf283e4fffc909d7294081d51d8cf92f7916858e9a2505c16929cb05a8c0
SHA512 e3995452444909e9c2542733f1d7cc0949e758df7367e2f5b6d9ec2e5cd891349a89a4e937fcbc2ffdfd28cb27e0bcaf694dc77c08ac6c1728a22a2128dba785

memory/4992-58-0x0000000000710000-0x0000000000770000-memory.dmp

memory/4992-60-0x0000000140000000-0x000000014024B000-memory.dmp

memory/4992-52-0x0000000000710000-0x0000000000770000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

MD5 ebc3aafed71590f1e25e2e0517d05702
SHA1 78a30a7a627009baeb86cb9cd30ece667904b2c8
SHA256 4448892e94c1b296d335481fa7081b41a29f1b0eedc9dfbd63f3a36b71c80ddb
SHA512 33ec4c9cea25fa7ef28be7627499c657ba2d69a3ff04916a6fa3fd4839129623b416ea5c6da077b65ef2812f26f1644a3bc0bb63dd5d862865f66e918464628d

memory/4764-63-0x0000000140000000-0x0000000140267000-memory.dmp

memory/4764-65-0x0000000000990000-0x00000000009F0000-memory.dmp

memory/4764-71-0x0000000000990000-0x00000000009F0000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 d3b04de90e345fd67fc7be5505c645a9
SHA1 78fc8ae2074a773a0a334b74c9d29b9ee3667e3b
SHA256 533052fc94ded824bdc803e433bfd04293c1af5e77291528df7eb52dc55f45ac
SHA512 1ab841eea8b225353627dd5ec5692e76985c6cbe5e610e00a1bf8b3f57a7d2ec5880c515490e668b6812d575582bb222ff87ab8d2a1c8bc96702c05e5052ae46

memory/1232-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1232-83-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/1232-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

memory/1232-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 85bde09df5b28370902aa31ec381b519
SHA1 8ca7a492a19cc79fcf61e77cc2c8a3aeb5db0128
SHA256 183fecdb0abc2c45a74d30413b4f42bf314bc850004d99d708c9fe25068facbb
SHA512 6df1cc0e19fdd11adbbf34654c1f72729b34eec1b2e948b97d636dff3aa4baa9be78b199b31cdd392423bf6338109385df187543fb38aa784ddba6c49e049bac

memory/1232-88-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/3444-99-0x00000000007E0000-0x0000000000840000-memory.dmp

memory/3448-105-0x0000000000B30000-0x0000000000B90000-memory.dmp

C:\Windows\System32\Locator.exe

MD5 b59b6dafe2e4f7ee1cb2809a3eeffabd
SHA1 ac36ee715451cdd22db699288ee5e7d764928797
SHA256 ea88645cee7a31a2feee159f57dd0b96cc952f0709da7ef9081023f6cc1382b5
SHA512 21135b0eada592d25a2c924ac82f6b6f896bbf0ee083f11dcbf75370355994af6c55a033a1da96e8e60d7a50ce04c2a1b99cd6c970a94e518234f53a6ba3fcbe

C:\Windows\System32\snmptrap.exe

MD5 a8c234ac032d02a2e1dcd4c4dc5faf5d
SHA1 d209fcc728472c7b956a9c04b2a98a709e414b8a
SHA256 62bcd986530774febdd20bb9276b8e9a8487ac2a46dcbd417c5b47de58217a04
SHA512 7059371b289ede591a4d98586f1b52d6bb09b359d96b7207427117461c091ebf90f2e56f18422d6ac810de72ac7b3ce645bf8533f6877a1dc4df931d192bd902

C:\Windows\System32\Spectrum.exe

MD5 8028be7beddd36d6eb2d4b0107d5dae4
SHA1 adc4079c837e411eba35532abee5306cecd9ebbf
SHA256 2b2b518438874df617109f97a806e8d12a3faa6b8202735aa03dd6b373ac1c3e
SHA512 e28a89b99ce3bd1c32480c5b8dd28819709ce8f12258e468834fca6b289642c166529704526d404ede16f6fdd5fa17d2cb18c6addca6ab134b8c9e5874b0f91a

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 99e20a4a0fd1fcf9912b43ad9b5b873d
SHA1 5a39056bed169987a6bc7bed1b0d689108684396
SHA256 279df47f25ad62ddd9b3efb9ee71b6ad0ab0cbd5fc6670c967619e749a6e4e0f
SHA512 46ab7b9b763921085657ab10a5037a0dc39dc67ce189ef83e2929dcb703c56c9d0da1d88c67c261403c954cacdbed61d23ec45046322e922bfbedd0162094ea4

C:\Windows\System32\TieringEngineService.exe

MD5 5da6519d6894184f2bb8f83ecbe2918a
SHA1 f14aba85a0b6c9f0e82afb68b1d72bda893aa6b0
SHA256 e9d9693bb9251d8e5298dbb600c92c4278ebe9c805f598c3ada0be5868ee72ee
SHA512 57a635debe40231f083f2ae92d0250c5878b966b42c6a70614fea0212932d9dc239e91b73b67c206040a14ccbb7fac8acd05936efaa759b62bcfdd4f4db9c0c3

C:\Windows\System32\AgentService.exe

MD5 98a7d5ed19494f4a49fe13ecc5664769
SHA1 1c637dac4d0d1b405dd864b0c82948982434954f
SHA256 542a2871d8f3dbf3c7a1e3cc112dffbcc70ed9166fd8373a970a86ef846ec575
SHA512 d4cc169d7c453535a7582152379435d07e9e368aa8d40af87802c9095f96e2868cb712bedf58452ec44bcc942ddb8d9a0b5ac65074acfcb3a60c205dcaed3f5e

C:\Windows\System32\vds.exe

MD5 44ac3ce9a4ed9810896ef4a46c1007f8
SHA1 aad81bf783264d81be1c5bdfb4ce922ad24ebd0f
SHA256 1efcfc67f9e0a18d028e46a1abdc7e6eb802b3ebfb9834a6ddce2d940d28ac2a
SHA512 57bc08084d59f41077749e5efbd184dd84125f443041061da51b81c5aeaa2f4af0f73d501e0fc373895d5bf188db92ec66dbfc1a7b4a2c0c024deb0d70038b7b

memory/4336-156-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\VSSVC.exe

MD5 08c997dace168253160979888fb70d83
SHA1 13a8eccc90158ee84e3807fb292a67fd135010d0
SHA256 9cbf1fde19b041215fe1f47e93d079629839ec101691c5eefae2f8b1275d8820
SHA512 2f3900ce63c9a867e607e0ee7c1e0347b05b04f2b266ef36ba8182fc36abf213a88242cbceed993c95b6a07343a70c3c9e53ee6701cbd4ec320e8d18b568de08

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 ab6baf23eb880c0ec5c21d09eb99c95a
SHA1 bd41aebdbb175b6d40e223e45d135c91fb85a85c
SHA256 61c06e6c0e23bd04f897d885c33cf859de964e962f5365ce9c7459c6639b5cd4
SHA512 b0e8d1001e9426ea0b1e50ca49d8d9fcf3c055a78da4cfd1f8cda04e195f29595a6c28871284751f5b9edd6d5c7e98a9a3acbd71d5b15bc53554442806a8f6d4

C:\Windows\System32\SearchIndexer.exe

MD5 d680a5d3ef5c3b083ed9d3b74b627c3e
SHA1 421102a1bc7b61743d742bf5d8cc143828ecc520
SHA256 fb067c0ebe945c547875303928d632cc4eb2d0ac98b18195e35a25d26f8a7558
SHA512 75df06ef2f7c17d21fc041dfaadaf99a623cc31e6b88ece56b7c3922c5389a4bdf562fecb211bcf447a2da5ec3551ce4907957a385d1f72513986eae8f21f9f4

C:\Windows\System32\wbengine.exe

MD5 56e7fa1d7e30c5863b792131d6de2252
SHA1 c5739ab6b25b0cf15426d7525227f4468f476c27
SHA256 a9f186c36a5baf56a681e293a201fc483a3ce01a4e000ab543307e18bfec9ac1
SHA512 c25ec95714c714bb1db68f7789e4068118b3109a2747d38879ff2eb805c798f5c63160c9af42e3cfdeda09b4c8f05ba1237bd5a4da0d0ca4696bb2d0f86bfe78

memory/4500-181-0x0000000140000000-0x0000000140102000-memory.dmp

memory/3644-188-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/1248-189-0x0000000140000000-0x0000000140179000-memory.dmp

memory/5092-187-0x0000000140000000-0x0000000140216000-memory.dmp

memory/3160-186-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/1360-185-0x0000000140000000-0x0000000140147000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

\??\pipe\crashpad_5020_LUNLOUPOUXKLSJFJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2492-184-0x0000000140000000-0x00000001400E2000-memory.dmp

memory/3752-180-0x0000000140000000-0x0000000140169000-memory.dmp

memory/1544-179-0x0000000140000000-0x0000000140096000-memory.dmp

memory/4896-178-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/5044-177-0x0000000140000000-0x0000000140095000-memory.dmp

memory/4996-176-0x0000000000400000-0x0000000000497000-memory.dmp

memory/3448-175-0x0000000140000000-0x00000001400AB000-memory.dmp

memory/3444-174-0x0000000140000000-0x00000001400CF000-memory.dmp

memory/4908-173-0x0000000140000000-0x00000001400B9000-memory.dmp

C:\Windows\System32\SensorDataService.exe

MD5 9618a44af02b2c6ff4b6e6a3daf0fa1d
SHA1 510136b819e1b2f269e8cfb1f9350773f6bd5bbd
SHA256 631bc48ee2bee0585ae7834c07119598a96cd285fad8924fc0ec18ea3b803d32
SHA512 44299f6297c079844245243da61a9bc5cb4cc0604ad1c73aa7ce4f814ee45b9d5e607e01adf190d84cdaf4cc820ea3d75867e531933fb01ed13815450f15b8dd

C:\Windows\SysWOW64\perfhost.exe

MD5 61c5d8b2441b9326efa807baba80b230
SHA1 d5fedad6d426ae3ccd7b0c0033013bf0dacae930
SHA256 0b07c7f004751134b4b9fcefda1307bddc1ead0a7a36140f7341a200be5c9971
SHA512 af5384307e21df0b3cfd1d59a4c8fcc765de58f245b3ad9801237c2a15fe1e0711df05d806037775ac8a0218a1c0fd76f3e061a7bb70cf057c5d5132232025e4

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 89abd1a3112fe9944c31f04e8255f8e7
SHA1 3bfb4d9a38e31136ef24c8f29989173b051574c3
SHA256 f4c391d876b7643ec878f78b89d855de6211a25f3fbbafae0c6bceee859944ba
SHA512 5d526250c5b3a71ad601a6e89a74cbea32f8abcd8cedba328103a0e1aba150fd0a6c57ef0902c14a21da377f347b63da2da885ac67a77c17d65402b7a6ba1987

memory/3444-93-0x00000000007E0000-0x0000000000840000-memory.dmp

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 b2ea04e00065f94472ab2c272780e15b
SHA1 4898967ddbb34d2a376cf7f84a75252ced51abdc
SHA256 98acbb8df1577958c57331acc8a8c99c809ba1d656566b13e50e3edb82863ade
SHA512 623f8c953986825af5203c88a24ea84b777990f08d0f71c6bc6e073ddadc9b3c0c8efd5b1fbd66fd6fcf38ce16253f51afa83c3c938987b1c0e71b743c59b461

memory/4992-327-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/1112-406-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 fbc5ec9985914979849c6d0dc1e3a317
SHA1 744e6d25729267b8bd3bd4f107ed1ed43224245d
SHA256 3131b26dbbf293ed71cf17781ccb7e13b0cb6beb7853b42eafcb44aa670a3c3b
SHA512 fc457c615b8dfc6621a98b08dec7adecdc0a00f08a97ffe3b80fb695a51111fed22693f6a3e3b22f69af9185300eeb9652f8e0d88a2802c3054e83e12e0b3ae7

memory/1236-418-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 59b03b2dd7f024e92ed5a40cd3993c9a
SHA1 4584315731a4fdfdb5d586853f811f1a8f6ab385
SHA256 3083766bfc4b8554860030eebdd044db3d7269bd9d18f8df78da35084b53b96a
SHA512 825bc0783c92c4d0769bb74b98d6c1234e3bce30a4ac51fc7eef8ce541a218692e121683db6b6ca60ed12cc6dad265c5d2edab297a9a9ec3e79f29a7c5cb8924

memory/2604-429-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 ee48e93e3f7ac857ad26631958ebe793
SHA1 79ac896a38e5b1c2627ec6171b6a36cf5f8d3ca2
SHA256 ec37912fd1a4b995a152d40f8c3ef7934c8a4a203b070316f0809753ca4f4c0d
SHA512 2e0f739c1c2d9f9c6ed39c6de6c0d76b95cce930ead609c4c58ff3cf0c70f0abc3e312df076a6512b421e42a7288a823c9e774b6f81c0b4b2b9ce288c97b2daa

memory/5208-445-0x0000000140000000-0x000000014057B000-memory.dmp

memory/1872-433-0x0000000140000000-0x00000001400AA000-memory.dmp

memory/5356-454-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Windows\TEMP\Crashpad\settings.dat

MD5 de12892063f81f60b11c0497ec332fa7
SHA1 ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256 afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512 441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

memory/5208-468-0x0000000140000000-0x000000014057B000-memory.dmp

memory/1236-479-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\704efe7a-779c-48bb-8cb3-1cd4dfa07efc.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/4896-489-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 80caab93b92cb9a6e99928b495731968
SHA1 e66a46d1d124893c6cf4f2b70293433ca0feb17a
SHA256 add6c41f7df980a99ff1e1be979c4c1bc238d9ae8fa37f6bb700481fa6990137
SHA512 2356dabeee87ca99e53b078915a9b6f3bf0bc285273640f306ff59e8be9db27d467dd4d08aefa9d95535e8d974c5a54ce1c4abdd8d72ce78271eac84765b0a10

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 d5aad58861ea27d452be4adb99f5f90a
SHA1 46d63932e0d4d36ecfe25bfc4103218d14ab0564
SHA256 813f0dd9e27caefdaf5c874ef0740767caa99d6e7300bcb8215b38bb04c83514
SHA512 8e7e91cd75b0615dc1de3d71cc5aaaafa8a6c62b1e6f7b64ec2de3af98497e0649b7f0ce2604f0235eef959d9f4ad015de585c3639c07e7da307603fb4930cdc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe581db4.TMP

MD5 c4d12c24a85b7e1aaf85cad983fe7610
SHA1 00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA256 6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA512 0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

memory/4764-568-0x0000000140000000-0x0000000140267000-memory.dmp

memory/3160-575-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/1248-577-0x0000000140000000-0x0000000140179000-memory.dmp

memory/3644-576-0x0000000140000000-0x00000001400C6000-memory.dmp

memory/2604-578-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5356-580-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e9c051e119da401f867ab348cafd541f
SHA1 bfa342f06d90231e3939ba4a31eb490dfd30dacc
SHA256 d016c945f92840fcd41c1a2b95efb7948df660e6ab7ffa4a37396f3de0832b96
SHA512 e25a0ce5a9dc94e9ca1fc115b64d6e505ab06b4ae2a09193350b1258fa76c9948d57924852a43da482f40b9734791e909271336b50dd8275627f948a8017b66a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5b8863726ac1d2cc99bbea48607a3b4a
SHA1 8a8cb48c0ea1bc61a949d564034f6f281feeefc3
SHA256 49ad474e109f70e9854efcedd75508253271b0c4b5f4ffc039dd2b8fdf994c10
SHA512 098df0186f24983141233710b52d43c617abd6eb481d18714c3bbb355babee441d18b83484d1139aa772443e2b97dd02a08a8b73bc975816ffc0105b32519cdc

C:\Windows\system32\AppVClient.exe

MD5 f3ae634eb93f807db0034fc8a3ffe8dc
SHA1 afa4c577949b36c9a57ee3e54a3587a62d22eac6
SHA256 66735e66af495955f381c8f57649e8c1801974e69ad9ac5eac86a6dbe38baa8c
SHA512 7acf7e4a78d2b411d2c3f66228d2ef9122c5df94e40dbce35285038e37a7225f4f72d61022532a9e02d386f402287a28dfddfc69d4b18f4e3ef681f43fda5c94

C:\Windows\system32\msiexec.exe

MD5 d24f4f673750ce678fc7f82fe38c5a5e
SHA1 ea9b302a14346f8973242ab5b430662aff0f162e
SHA256 f0328702232ca913493aa035d96e270802db12c9c6d6c0e0736b58d8142c6e56
SHA512 ab83efb70f7d8d7b0a2324e3067c32cbfb829cf49e72cd800d7e37a7bee9faa6fc43e373452ad6521dfe0a7b7d45b7b053cc3bb53c57de23c23c58fbb8a353d0

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 47f4e38d44167c380601cd43da2f4f58
SHA1 f7ca56131ebb5e8ac2790c1dba88ad05c06c5ea4
SHA256 a54e82b340ae6b6f4147e41acc4d979f5d612ffa5ce2b8ae572560ee8601285c
SHA512 1e1192513e8a10c64c70cda16f8c31e7219464fba2da1f42ea7a69805a54dd6c90abdbc1e8529a546ce478b21796326338a3bd5643b89360c37c71b89ecf780a

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 d0cc64fa7b9f9130100afacef518dfd2
SHA1 3f5fdbf3a395a5614530a6600aad975ce0de271f
SHA256 d3691abe55a68ea377de784c2354853a3a3b9db1583c5142aaa3cd031e3a6d20
SHA512 65b40c19c2d898ef6b5a03b5f3c3bd63439ae050f5943d8ff34952c9ee93703257cbe28f9e4227b8dbfbadf51149078555f9506cb2111a95751e42ca89d4160e

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 470c7a6a3ac4d6678456c47901be971b
SHA1 7bf00697ef05c15af51f155b5d7a617660714fb4
SHA256 f946aa39abc35b7b92cfadf0acf855132e97ddb7737de9d6e87c9e4ab2f151f9
SHA512 56880d34e87f16b6c4d96813d7c57cd02943aeef0a93a1b9b058f9142889d59f05eb68680542809145819efd48655cb4b381aac48497b29c535ec751cbd03398

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 d6a0ced2164061738b44b2d278eb4d01
SHA1 9819dedf37bda9a1bc32510cde0bdddabcb21446
SHA256 b54fa531e4eed5237bdafe6b0468c307ebad17b813cd777d69a0d4cb1c530aa5
SHA512 23dd889d0d96fbbd628dc8245cfc96c2dd34a405729a9d46e1bd4330256af6572ca6bd32b37c9a1b14cddac56641c8cf4f02e6e82a18655d474c1a4e6781fbbb

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 bfb352d5e47ff88e3937a139cc9b1070
SHA1 cf190c083761a2de489ce3a47ff8daae45b05866
SHA256 70a5e465fc950d6ff41739854499c9249aa52f77682557b58f16ce36cfe5042d
SHA512 1a89d2489732144fd3a969e1138d999ad1312fa301ade498fc8fcbef9742b6120aa8383dc4016415925ec6aaeaa5c34e04ac0e7c20a769a9567c32549bdbde98

C:\Program Files\dotnet\dotnet.exe

MD5 37472a5bdd984821bced761264a204c6
SHA1 8c18d95d000bbc23f050efa591869bcf182f1a51
SHA256 00be8f5b0e313e550e2872adb6ac662118209aff59dc8cbcda555e993d199e69
SHA512 ce3521a1f1b8110b68b09dda3931d3dcdb96c177410bab1d7dfbf5daf730d21014c675a2035ae1f89b293b10fe8ec5d6fc77e1aafbdb4266a27e486d5a3f1d3d

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 67c9aed0dd3b5240a36ceacd43babcd4
SHA1 a40b81d50ae077d2473cdd693fa2177bd6158e05
SHA256 7ac8ebde99881aaedc192089948c6aaddddaa06e07132cd8e207464a18995d75
SHA512 fd064ec0d9a763b252fc2bcdfbd2a2389c5037105d9b51369fc072696d6150b2d0fc8ef195f9eb1df0f6a4c39fb47c1591cf1470a1153148a48f69ca390b4586

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 5b86a2810dba3b1375228512ee3077d3
SHA1 b393e037f6b0381bc9045e71eddf0cf96fc4094a
SHA256 da70481b7583eaa1069fe36c31a7a83ad05667f23d5856b7cabb2bbeb4fdaf1c
SHA512 08b71df78f050c1f59f74833766a9948bcc00422c0f962911a396a7f0f9d25fea306f018c2dcc754503262fac0f21a1b4d35149ff6464ea08337283da7719829

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 f83fb25f0304c859f9adf4b9aa5a24d1
SHA1 3a27c471fd6e37cf0b17bf745242075a2aec9cb9
SHA256 f1473c39c8791a2b8c4237b7d5102876fb78bcef37ef736d14ed842366fb2cff
SHA512 8ac9b7ba91c166519e72ba1830a4cc31ef580cac0e1dfc8bd14bde0476cec7975e770c5dc8b97b777b488e91bdac778ecff62a2eb89fb1a9a2fdb613bf291922

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 208b34d29d1f00ffc9e38c77d4828e7e
SHA1 6c1f6ccfafadf7aac4b2d58c0333447f6edd0901
SHA256 1b2e7c8abfd25f80f70abdabd0458fa1541fa4150d6dffe6fd5c941c408a33ba
SHA512 de2780e21caa8f355fb5d603a045386bfbedf5e67d5ed461aa86b6e8f3b36894d5a9aa89a4af6f6504c74591244a0bfe3d151949cb6c20ae286a91f43f724c92

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 ecb9e73df46d4bb13da66d2c9b0b0bea
SHA1 5d7f1b0bb4fa47e62362d5c1a11fddf834bd5bac
SHA256 a15de249377a3d958767a5753ecec5efab4ebd833aa438f27d38729c90db10f7
SHA512 9afe8d000de48cfc4d9372951bd12e0d6fb46369a587bb54a0f294660769c605c8f136769d1275d1210896e8d373381063711d5800240766af3b030326b7bd1e

C:\Program Files\7-Zip\Uninstall.exe

MD5 21dd792f3568cd8068bfefe7ec684e90
SHA1 e5aab05ff51b896ad54acc35ac33b3f9a840c187
SHA256 a58ac8e2accfaf92ac8d3ac602270136990b54e3a4ff390e45e867843a5a05a4
SHA512 9134a5fc3d5393896ac4c07943bcccca1c0323fa31044f9c5acf57959e74c39e5c5a9eaa9e4c9dc3c613467477b15f9707b54410c639877d0af1b2d678fe99b8

C:\Program Files\7-Zip\7zG.exe

MD5 3d0c720cd892351cf62d18e45b6445c6
SHA1 7fe9b244de1eef3d7054f915bc3cec024249015c
SHA256 92b2dce928a77c652d1ee82d03935694f7e7511c5e4a6e2058dca0c8ec9432ce
SHA512 f925a067681048760ccd36ed897e200c082379e5e4cf6b4ebd9cc00654c43b0690944dea4dd08c97452b95ac4ce43352f3f561ab0121349b086684fabf51c8e5

C:\Program Files\7-Zip\7zFM.exe

MD5 a74a4559e5ee131ff7b781cc17ac820a
SHA1 35b209d98a177c9db00e8beb6d905f8ab3190958
SHA256 943a19775674fbcd53bfdb7132e18c591206ae203cb469186a65e3aca9a913af
SHA512 aa875c01833e3e9b7cb3db8de3db41de325d93fc29a2ceda3d1d3e82ebbb02957e5040bc3a2336d9f6ab26e18e393d1800564b272d2b3c9f78a0371e8d42dc79

C:\Program Files\7-Zip\7z.exe

MD5 6e8d21e05dcbe8aea860b994047fec0a
SHA1 2ddaa5a9c26ed7403ae51ea94bd1a26ac9a1bd81
SHA256 f84aeb8d6c0379e682ee37912dd6bc1f3e4f97afa962a882fd85ce8155220a0d
SHA512 b1a13dc1d4cdead1651ecbd3ca6aa71a69b9489a43aa305c4162b3af48c5f5f5ef0765a6187cf5bedb4b2b915172acc6514b17db5c9ed8bd68838629c9962245

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 48fc7a66a38de137032b6a21beae4954
SHA1 3fba192b5a8f2f282cc51abe1ced4aa5fa38d7ec
SHA256 d253c9ff6a908cea980cdef04a5674bf8b99ba8fea3f4b546cf8319a47fa9186
SHA512 019fb77c2a37bfd5c72aaceef6fc5d1aaa6c5d086c2c0d364ae32c89d7122c4eaea802daeabb6b9bb150d45d45c78ca021855ef811a7d72631a160da3022757c

C:\Windows\system32\SgrmBroker.exe

MD5 8ecf99ce2efe610ea9b0812fbf215418
SHA1 1029431e4d6e6922e21a0da1da8bc475749634dd
SHA256 a842017153ee713bfee24c04254b37dbabc98b3455e9df898fa9b1a4d0539701
SHA512 ad4fc09c76ce765060d1de020f2970469b5ce3ee3818ca09105323b8569a9828c7579667c5b7d6f27c9979941e65f631008f22eb047b858f0ae35a2617f12415