Analysis Overview
SHA256
5e7c7edb35812ca1ce75ebe32d05e7898e47cbe48b6ae4d0b94876dac00378c0
Threat Level: Shows suspicious behavior
The file 2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 18:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 18:53
Reported
2024-06-11 18:55
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in System32 directory
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\7-Zip\7z.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe | N/A |
| File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000240619a930bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000294449a630bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626056086132563" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | C:\Windows\system32\fxssvc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ecc5ca630bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab9a45a630bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0be51a830bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000396225a930bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074483fa830bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000205a49a830bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" | C:\Windows\system32\fxssvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056ea38a930bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e4ba24a830bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | C:\Windows\system32\SearchProtocolHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-11_55ca08678f751fb95cd3353920c58552_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc07d4ab58,0x7ffc07d4ab68,0x7ffc07d4ab78
C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2036 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4296 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3144,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x2a0,0x298,0x29c,0x294,0x2a4,0x14044ae48,0x14044ae58,0x14044ae68
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=736 --field-trial-handle=1884,i,15307216227339004880,8175815000737781994,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pywolwnvd.biz | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ssbzmoy.biz | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | cvgrf.biz | udp |
| US | 8.8.8.8:53 | npukfztj.biz | udp |
| US | 8.8.8.8:53 | przvgke.biz | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | zlenh.biz | udp |
| US | 8.8.8.8:53 | knjghuig.biz | udp |
| US | 8.8.8.8:53 | uhxqin.biz | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | anpmnmxo.biz | udp |
| US | 8.8.8.8:53 | lpuegx.biz | udp |
| US | 8.8.8.8:53 | vjaxhpbji.biz | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| US | 8.8.8.8:53 | ifsaia.biz | udp |
Files
memory/3348-0-0x0000000000820000-0x0000000000880000-memory.dmp
memory/3348-8-0x0000000140000000-0x00000001404A3000-memory.dmp
memory/3348-9-0x0000000000820000-0x0000000000880000-memory.dmp
memory/1112-18-0x00000000008F0000-0x0000000000950000-memory.dmp
C:\Users\Admin\AppData\Roaming\bcd86c0ec3a5208d.bin
| MD5 | 81edc1d8b137d8f3547f9c66e190553c |
| SHA1 | d615b8d424f9e7a1e1b05d952862358b04618953 |
| SHA256 | c1789205f6ac2d09508d6a6bfb3d959494d6b40ad0d7fcad443825ba0cdde9d0 |
| SHA512 | 21e9a8ad39525239ce0b1672688120807c25e481e36bd19a052188b68f489fb7d15fbf4d04f8ad5580a64b5c320fb4281e08d32fcbcbcadf9e03da715148499c |
memory/3348-27-0x0000000140000000-0x00000001404A3000-memory.dmp
C:\Windows\System32\alg.exe
| MD5 | fa8640d90ef9358c50dbce41b5f11bb4 |
| SHA1 | dd95a5a211910563756a804def6c11a4e01b93a5 |
| SHA256 | ddbdce7d77cb0642359743492695b845a3ac59822a20707ff746a2cec62ca8e2 |
| SHA512 | ececb31c6c30cdb2f780de2c32b36d94331dd4a8717c169c9a94bbe4cb66306355552ddcd7ba49ab2cd27ae6b9b7ec3ba2dce7af00caeff75321a060c8accee3 |
memory/2704-35-0x00000000006B0000-0x0000000000710000-memory.dmp
memory/2704-44-0x00000000006B0000-0x0000000000710000-memory.dmp
memory/2704-43-0x0000000140000000-0x00000001400A9000-memory.dmp
memory/1872-31-0x0000000140000000-0x00000001400AA000-memory.dmp
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
| MD5 | 738932ccab16a6011b3d3b42f027de7d |
| SHA1 | 6feb97a5c13e5c3644135e9b7d51ab0b6e22b0b4 |
| SHA256 | 472c057cf5410e8113555629538005edf27202486fd428e38756f3de937d76eb |
| SHA512 | ccb4a61b2cf6214c981fd6e88f80de949ac5bb4a3f83b98360789111a01182b0883b12303d027751640b8a4b3da6697f3d3d28d6a6bdd743913308f885de5467 |
C:\Windows\System32\FXSSVC.exe
| MD5 | 32974bfaab47035d1ad150cb6d12a2d6 |
| SHA1 | 51ffb328c6cc9f9ce8849c15b11c1b5c23e650a7 |
| SHA256 | 1d97dd43ae82db354c967396edd3d6f4466d2a7aa5c85d6094b4142fb0cab9c6 |
| SHA512 | 4019889458a677fbcce12246b51d1754fcaf7f4259191a018063d2719ad563309799c3b02a08aa6ae06beef94a4dcfa6fc15afb2ca04037b083f3dd03c2b6dd6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | e646991f9b7863013f4543e5deea2d49 |
| SHA1 | 7d3ab1c249b15c5bc5761baef819fa96b043539a |
| SHA256 | 0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07 |
| SHA512 | 8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f |
memory/1112-20-0x0000000140000000-0x00000001404A3000-memory.dmp
memory/1112-12-0x00000000008F0000-0x0000000000950000-memory.dmp
memory/1360-48-0x0000000140000000-0x0000000140135000-memory.dmp
memory/1360-50-0x0000000140000000-0x0000000140135000-memory.dmp
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
| MD5 | eb810c054cc107b8f615d3f6c23b9f0d |
| SHA1 | 229238481495998116763f72dea3c7e889723ad9 |
| SHA256 | 1a49bf283e4fffc909d7294081d51d8cf92f7916858e9a2505c16929cb05a8c0 |
| SHA512 | e3995452444909e9c2542733f1d7cc0949e758df7367e2f5b6d9ec2e5cd891349a89a4e937fcbc2ffdfd28cb27e0bcaf694dc77c08ac6c1728a22a2128dba785 |
memory/4992-58-0x0000000000710000-0x0000000000770000-memory.dmp
memory/4992-60-0x0000000140000000-0x000000014024B000-memory.dmp
memory/4992-52-0x0000000000710000-0x0000000000770000-memory.dmp
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
| MD5 | ebc3aafed71590f1e25e2e0517d05702 |
| SHA1 | 78a30a7a627009baeb86cb9cd30ece667904b2c8 |
| SHA256 | 4448892e94c1b296d335481fa7081b41a29f1b0eedc9dfbd63f3a36b71c80ddb |
| SHA512 | 33ec4c9cea25fa7ef28be7627499c657ba2d69a3ff04916a6fa3fd4839129623b416ea5c6da077b65ef2812f26f1644a3bc0bb63dd5d862865f66e918464628d |
memory/4764-63-0x0000000140000000-0x0000000140267000-memory.dmp
memory/4764-65-0x0000000000990000-0x00000000009F0000-memory.dmp
memory/4764-71-0x0000000000990000-0x00000000009F0000-memory.dmp
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
| MD5 | d3b04de90e345fd67fc7be5505c645a9 |
| SHA1 | 78fc8ae2074a773a0a334b74c9d29b9ee3667e3b |
| SHA256 | 533052fc94ded824bdc803e433bfd04293c1af5e77291528df7eb52dc55f45ac |
| SHA512 | 1ab841eea8b225353627dd5ec5692e76985c6cbe5e610e00a1bf8b3f57a7d2ec5880c515490e668b6812d575582bb222ff87ab8d2a1c8bc96702c05e5052ae46 |
memory/1232-81-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/1232-83-0x0000000140000000-0x00000001400CF000-memory.dmp
memory/1232-75-0x0000000000C00000-0x0000000000C60000-memory.dmp
memory/1232-85-0x0000000000C00000-0x0000000000C60000-memory.dmp
C:\Windows\System32\msdtc.exe
| MD5 | 85bde09df5b28370902aa31ec381b519 |
| SHA1 | 8ca7a492a19cc79fcf61e77cc2c8a3aeb5db0128 |
| SHA256 | 183fecdb0abc2c45a74d30413b4f42bf314bc850004d99d708c9fe25068facbb |
| SHA512 | 6df1cc0e19fdd11adbbf34654c1f72729b34eec1b2e948b97d636dff3aa4baa9be78b199b31cdd392423bf6338109385df187543fb38aa784ddba6c49e049bac |
memory/1232-88-0x0000000140000000-0x00000001400CF000-memory.dmp
memory/3444-99-0x00000000007E0000-0x0000000000840000-memory.dmp
memory/3448-105-0x0000000000B30000-0x0000000000B90000-memory.dmp
C:\Windows\System32\Locator.exe
| MD5 | b59b6dafe2e4f7ee1cb2809a3eeffabd |
| SHA1 | ac36ee715451cdd22db699288ee5e7d764928797 |
| SHA256 | ea88645cee7a31a2feee159f57dd0b96cc952f0709da7ef9081023f6cc1382b5 |
| SHA512 | 21135b0eada592d25a2c924ac82f6b6f896bbf0ee083f11dcbf75370355994af6c55a033a1da96e8e60d7a50ce04c2a1b99cd6c970a94e518234f53a6ba3fcbe |
C:\Windows\System32\snmptrap.exe
| MD5 | a8c234ac032d02a2e1dcd4c4dc5faf5d |
| SHA1 | d209fcc728472c7b956a9c04b2a98a709e414b8a |
| SHA256 | 62bcd986530774febdd20bb9276b8e9a8487ac2a46dcbd417c5b47de58217a04 |
| SHA512 | 7059371b289ede591a4d98586f1b52d6bb09b359d96b7207427117461c091ebf90f2e56f18422d6ac810de72ac7b3ce645bf8533f6877a1dc4df931d192bd902 |
C:\Windows\System32\Spectrum.exe
| MD5 | 8028be7beddd36d6eb2d4b0107d5dae4 |
| SHA1 | adc4079c837e411eba35532abee5306cecd9ebbf |
| SHA256 | 2b2b518438874df617109f97a806e8d12a3faa6b8202735aa03dd6b373ac1c3e |
| SHA512 | e28a89b99ce3bd1c32480c5b8dd28819709ce8f12258e468834fca6b289642c166529704526d404ede16f6fdd5fa17d2cb18c6addca6ab134b8c9e5874b0f91a |
C:\Windows\System32\OpenSSH\ssh-agent.exe
| MD5 | 99e20a4a0fd1fcf9912b43ad9b5b873d |
| SHA1 | 5a39056bed169987a6bc7bed1b0d689108684396 |
| SHA256 | 279df47f25ad62ddd9b3efb9ee71b6ad0ab0cbd5fc6670c967619e749a6e4e0f |
| SHA512 | 46ab7b9b763921085657ab10a5037a0dc39dc67ce189ef83e2929dcb703c56c9d0da1d88c67c261403c954cacdbed61d23ec45046322e922bfbedd0162094ea4 |
C:\Windows\System32\TieringEngineService.exe
| MD5 | 5da6519d6894184f2bb8f83ecbe2918a |
| SHA1 | f14aba85a0b6c9f0e82afb68b1d72bda893aa6b0 |
| SHA256 | e9d9693bb9251d8e5298dbb600c92c4278ebe9c805f598c3ada0be5868ee72ee |
| SHA512 | 57a635debe40231f083f2ae92d0250c5878b966b42c6a70614fea0212932d9dc239e91b73b67c206040a14ccbb7fac8acd05936efaa759b62bcfdd4f4db9c0c3 |
C:\Windows\System32\AgentService.exe
| MD5 | 98a7d5ed19494f4a49fe13ecc5664769 |
| SHA1 | 1c637dac4d0d1b405dd864b0c82948982434954f |
| SHA256 | 542a2871d8f3dbf3c7a1e3cc112dffbcc70ed9166fd8373a970a86ef846ec575 |
| SHA512 | d4cc169d7c453535a7582152379435d07e9e368aa8d40af87802c9095f96e2868cb712bedf58452ec44bcc942ddb8d9a0b5ac65074acfcb3a60c205dcaed3f5e |
C:\Windows\System32\vds.exe
| MD5 | 44ac3ce9a4ed9810896ef4a46c1007f8 |
| SHA1 | aad81bf783264d81be1c5bdfb4ce922ad24ebd0f |
| SHA256 | 1efcfc67f9e0a18d028e46a1abdc7e6eb802b3ebfb9834a6ddce2d940d28ac2a |
| SHA512 | 57bc08084d59f41077749e5efbd184dd84125f443041061da51b81c5aeaa2f4af0f73d501e0fc373895d5bf188db92ec66dbfc1a7b4a2c0c024deb0d70038b7b |
memory/4336-156-0x0000000140000000-0x00000001401C0000-memory.dmp
C:\Windows\System32\VSSVC.exe
| MD5 | 08c997dace168253160979888fb70d83 |
| SHA1 | 13a8eccc90158ee84e3807fb292a67fd135010d0 |
| SHA256 | 9cbf1fde19b041215fe1f47e93d079629839ec101691c5eefae2f8b1275d8820 |
| SHA512 | 2f3900ce63c9a867e607e0ee7c1e0347b05b04f2b266ef36ba8182fc36abf213a88242cbceed993c95b6a07343a70c3c9e53ee6701cbd4ec320e8d18b568de08 |
C:\Windows\System32\wbem\WmiApSrv.exe
| MD5 | ab6baf23eb880c0ec5c21d09eb99c95a |
| SHA1 | bd41aebdbb175b6d40e223e45d135c91fb85a85c |
| SHA256 | 61c06e6c0e23bd04f897d885c33cf859de964e962f5365ce9c7459c6639b5cd4 |