Malware Analysis Report

2024-11-30 06:15

Sample ID 240612-rwmaeasbqq
Target 2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk
SHA256 26c2881859ce8f79c0e4d64bb5817f5936004c79fb32bb06d7ada50d6a45b224
Tags
spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

26c2881859ce8f79c0e4d64bb5817f5936004c79fb32bb06d7ada50d6a45b224

Threat Level: Shows suspicious behavior

The file 2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks processor information in registry

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 14:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 14:32

Reported

2024-06-12 14:35

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\alg.exe | N/A
N/A | N/A | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | N/A
N/A | N/A | C:\Windows\system32\fxssvc.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | N/A
N/A | N/A | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | N/A
N/A | N/A | C:\Windows\System32\msdtc.exe | N/A
N/A | N/A | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | N/A
N/A | N/A | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | N/A
N/A | N/A | C:\Windows\SysWow64\perfhost.exe | N/A
N/A | N/A | C:\Windows\system32\locator.exe | N/A
N/A | N/A | C:\Windows\System32\SensorDataService.exe | N/A
N/A | N/A | C:\Windows\System32\snmptrap.exe | N/A
N/A | N/A | C:\Windows\system32\spectrum.exe | N/A
N/A | N/A | C:\Windows\System32\OpenSSH\ssh-agent.exe | N/A
N/A | N/A | C:\Windows\system32\TieringEngineService.exe | N/A
N/A | N/A | C:\Windows\system32\AgentService.exe | N/A
N/A | N/A | C:\Windows\System32\vds.exe | N/A
N/A | N/A | C:\Windows\system32\vssvc.exe | N/A
N/A | N/A | C:\Windows\system32\wbengine.exe | N/A
N/A | N/A | C:\Windows\system32\wbem\WmiApSrv.exe | N/A
N/A | N/A | C:\Windows\system32\SearchIndexer.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | C:\Windows\System32\msdtc.exe | N/A
File opened for modification | C:\Windows\system32\locator.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\System32\snmptrap.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\System32\alg.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\276808ddc8648821.bin | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\System32\vds.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\System32\msdtc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\spectrum.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\wbengine.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\SysWow64\perfhost.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\vssvc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\msiexec.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\AppVClient.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\TieringEngineService.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\SearchIndexer.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\fxssvc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\SgrmBroker.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\System32\SensorDataService.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\system32\AgentService.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\policytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ielowutil.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\servertool.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | C:\Windows\System32\alg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Windows\System32\alg.exe | N/A
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe | N/A
File opened for modification | C:\Windows\DtcInstall.log | C:\Windows\System32\msdtc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\System32\SensorDataService.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\system32\spectrum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\System32\SensorDataService.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\System32\SensorDataService.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\TieringEngineService.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\TieringEngineService.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Windows\system32\SearchFilterHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | C:\Windows\system32\SearchFilterHost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006dcbb169d5bcda01 | C:\Windows\system32\SearchProtocolHost.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087e5ae69d5bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626763740316480" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ecdc369d5bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006974e469d5bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002b2ec69d5bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9a3806cd5bcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (2 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe N/A (35 identical entries)
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (4 identical entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (3 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A (24 identical entries)
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (14 entries, alternating with the SeCreatePagefilePrivilege entries below)
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A (13 entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe (2 identical entries)
PID 2324 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical entries)
PID 3052 wrote to memory of 2664 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical entries)
PID 3052 wrote to memory of 800 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (31 identical entries)
PID 3052 wrote to memory of 4512 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (2 identical entries)
PID 3052 wrote to memory of 972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe (25 identical entries)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_2edc2339c0dc66b32e8c4997762f0657_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=125.0.6422.142 --initial-client-data=0x2cc,0x2d0,0x2dc,0x2d8,0x2e0,0x140382698,0x1403826a4,0x1403826b0

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff952ab58,0x7ffff952ab68,0x7ffff952ab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2248 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4292 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:1

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2508 --field-trial-handle=1956,i,5698041853565401426,18182952449893179463,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 ifsaia.biz udp
US 8.8.8.8:53 clients2.google.com udp

Files

memory/2324-6-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2324-0-0x0000000000510000-0x0000000000570000-memory.dmp

memory/2324-9-0x0000000140000000-0x00000001404AC000-memory.dmp

memory/4820-19-0x00000000007D0000-0x0000000000830000-memory.dmp

memory/4204-31-0x0000000000710000-0x0000000000770000-memory.dmp

memory/4204-30-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Windows\system32\AppVClient.exe

MD5 026ea7951c818b80599c34075e32efed
SHA1 33e0a56aa69e495f4e082ae69638cad3341e2e83
SHA256 f511ac543a999c63a7e4111c4c251c9408a67d33f5dff7162369a039c0eaf56c
SHA512 7c1b94ea9911a928e726e5f52c6c8bb38806f06bc7ed2f7bfc49bdab0d6bbce71fce93c087b6d32b50d8465b5417a5b3d915276fc209ba559a8c5d1f3eb062ac

C:\Windows\System32\FXSSVC.exe

MD5 fae831e8bb2d95ab0f629d3e251394ae
SHA1 4d9a44ac1310ccdf56ed6d7169a430338ae3558a
SHA256 ee5e835c5add717922e364d57ea95fc6178c2011c654c8568683957591b16adc
SHA512 ade3c563a52342393f7a87831b52817f49a62734a78ad0f4a81da4916109a4a6e64b76ad505fd177f9f7349d6d0bd29fc3a271ec4e5c42a4f8570774604f0550

memory/2700-58-0x0000000000EA0000-0x0000000000F00000-memory.dmp

memory/2700-73-0x0000000140000000-0x0000000140135000-memory.dmp

memory/3304-81-0x00000000001A0000-0x0000000000200000-memory.dmp

memory/4860-85-0x0000000000D90000-0x0000000000DF0000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 82fcaa8458b03fb58a96b4182bdfaf33
SHA1 a4ac8b2d2056643203af8862bc1bad3884ac783e
SHA256 26bf66d4b59b803c6bde5c4a94592acaf00f084a829a8729551b846409db3aa8
SHA512 3ef4a45c17cf6997efb236dfceab0d72e2ab11114ab655a2bc1909d2f8637bfa172d3f97a48f322555517a70200238820bae58014882a2c001573b1271348b71

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 01e4519e4fb371bc67472050570ca666
SHA1 7422940758421ee039a64c6ea9bc3d0b73c99e3b
SHA256 b01d994a11bfc8126561d779208b85019bdf3fb0c2cd10940291ce5c8fefa780
SHA512 316c78f67703adde881bcc160755eb6eb1f210bdaebc8ecc0d05c04dfe0667d52bd2483d4be2be000d98a9e11d2969c4c5825ac230c397aa6dd3f17d2104127f

C:\Windows\System32\Locator.exe

MD5 d2b88ada893166a0b0f0f5d05913f132
SHA1 1cba3be22b5845341c888f5ba1fe32ddd75dde5b
SHA256 dd2483007b1b97de35ab21d149daf4fb8872f78d3340dfaf326823d6f45413b4
SHA512 775bc720f4ad33b9af1c16312de71c1a78c61c3f31979ef6fb03f97f8e245c2bec80dc3ea7eec2d999535cf2cabdd33083c5d24a37f1c4702864431be9ed9526

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 fc50c9dff58c5758979ce8ef19208cae
SHA1 7ae310d27917f0882719c0ef4fec4f6189fa246e
SHA256 b08e98f10e0612fe0f60102d27956455ed907a3b54160e7fa949638e8136e7ea
SHA512 79d42f19029616279e4eed11c39b94662f641d3590eccfe63c9d2e6ac42cd521a61dc9b2730c4c6bc7534400cbd321457fa98fc2f04314b01d4076d39062b20e

C:\Windows\System32\AgentService.exe

MD5 0dd4740104565315bb19339c9960e8b0
SHA1 3a1f264e261302245b4ea4fbdaea0da548df3611
SHA256 e457433df1f1953acf7bf219e755682b798cb2896691cec9bbde5ca2a7e02641
SHA512 e1bbd8401458db533cd1875543b28218fea2b37fee9553d2ecc2093be242305d6c2d80829e272213bc690074006c2b921da183b59b0cfb6994a5cd156c042bcb

memory/4112-208-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\vds.exe

MD5 0427b5f0e7d13c47de2835736e949a98
SHA1 e7386007031b1a1fd1880f5fd020601febdf9cce
SHA256 71e255e0c4fedd83bdcf1f0471127985c30fd2ba8adde5b60c1f71c08955aa68
SHA512 787300bb5879691f8b77a4a5b341b77bdf58e1b3a42bbbb63dd7c9c6c7b66b5c513e545742b6f222f2db44a3598c5d9b9f13997373f27241b5839a7a2935debd

C:\Windows\System32\VSSVC.exe

MD5 a147a7ecc40c11602257d3ba07eb9c00
SHA1 98cc7da5ba636871da3a5a98e676a624134a63dd
SHA256 87bbd778598a9cfa137bf5ed4c7ce4d6d3ec174303266386f861f207fcff086c
SHA512 aac88bb17fec7eb212d78c9bdd6ab6018b290c8d9c79804aea0e0f7a52f52f8c664f478fff2ef3c1011187f538224c8c5cbeef7c1db87d4ec5bd210ad07ff05a

C:\Windows\System32\wbengine.exe

MD5 f4ad87a164289b114e54a53171c771fa
SHA1 383906f08d54aa53fe97ed64e3932474b5655f99
SHA256 1e9a87a7dac6926eef2b0f8d092baeb3686a13c641d87cf63fb10df998772918
SHA512 7c134af6709308f5a1296d7a6da4dd90cf356842e251adc8767d211006f49f59f9d727f5ad71667a147d79582183be67a473dd7695de886c2abd4e5af2fad4bb

C:\Windows\System32\SearchIndexer.exe

MD5 cdead7a433784dad109c565f456b8be3
SHA1 21cad9f1188ca74512e68c9d054f50a40d16793f
SHA256 a09da4302f882d607c89a0b3065707984c58e93a7643f6453cb68db908372a72
SHA512 347444ed664b0a5d9376f41f3dbc7e2014838f4a9afce3622519fd885d872fd4207ad2781b164142f14dcef57225f96a5f2ddd5805268f2da1e995980e4eeb26

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 1982797aa40accedbc8abd3049989982
SHA1 9380b90c57b058d12cbf36ddc4b6c0c5c78a1315
SHA256 c0bc8c988e1c84d0478fd872f6618a4cc096611b9e4feb2ec3e93497566fc919
SHA512 0960e54fcae0130033281f5ef8311b91f4d917a0b90a827f525c491acadcd2d752421b7f2186a97fc842272eb609dd3fb1072b46436931dca39fb6b6504040f0

C:\Windows\System32\TieringEngineService.exe

MD5 75cf8a4a957a274002dab9241cd4b16c
SHA1 00b3c3de1ea63c50608dc7ea614daf4092128529
SHA256 aa2ba717ae925f862c309f0e62f2e3c38825d4ad78b7a0ad6835377491d450fb
SHA512 7afd2c8905e49d7d9c95ec48cfb752984ca7425c6d830962094bdfb0fb965d423ba34749dc540dd155ff8d4307b8122efe17ca812e2b38dba257379b3ef3a8b1

C:\Windows\System32\Spectrum.exe

MD5 5c36d3f9ba3c359af3ebe70e9495fd0a
SHA1 92d1b6a258e4676ab71ba1f17b50735d99136577
SHA256 55b05a45b9d043eac6f49a7de0b0f2a08a928b872a176d1531a7e07d87a2c0db
SHA512 818def8e85b9317a65a3e097667ac6b961a088add0985546c18c7787eb95a2f3f4af1a1c2f7eda8af85ea7a5de3f2bd17c4ff24460d606edc30c01052d38bef4

C:\Windows\System32\snmptrap.exe

MD5 d3ba3561328a11b23c62b69d4410f1bd
SHA1 ba07a908110cd12ca748bf7f3693a570c3ea2a4d
SHA256 ba3e38b4a3aa3d8f1cacdf3d7866309f0a8a81df4a3214b1cb0b0599b4146c94
SHA512 659bf59cd134583c5fa17ea0bf493672158e262c1e32fcb98a608e26c0965696846ba8b17ac1bd80bb9152645c9325fde0f77d18259380b92a0bf0e310af2034

C:\Windows\System32\SensorDataService.exe

MD5 c80b95f95f1db12e678e9816e0204e29
SHA1 7e3710a2c4849737a7e7e9b19930dcddfed431c2
SHA256 8eda452a6d659c0b30a0672897f7e28ed02a46763a1d4188a229695c0fc80647
SHA512 063bf849607fbb0da3edcc8b5bca47422f9dc3d34e78ad578b744de8b31b68897d62a37dde7b90c4e917a00144666ebec1bd1252a2954bc3047ee8f6eef5840f

C:\Windows\SysWOW64\perfhost.exe

MD5 c9dd47ea5268ea66cafc1b1dbc090e05
SHA1 c7a0f9de8a39f3f2bb9263b20ae878059c301713
SHA256 0bc33185a4deb5b4df9e4b758a5a53753d3f4b7369774d91a578996d6f47dea3
SHA512 c2909c0487f2a770b9bc2842197682736b7b817ed460c4b2a13f5a00a2cc2dc18f653b421fe99fd77486326b708af84c66d426bcf3fda38a82748c06dc5b49e5

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 bc7b21b87132aa8fc1e4e1452a28ee40
SHA1 275a7e405c7b85ae4293ba9da41eab3f6fb0806e
SHA256 a836156d408f728972b1eac7d3fa4b1d91ca1a74b8b4313f84ed0589214195cf
SHA512 15f5c5dabbc7f0d884cf9278db04b76b39d8d125c6ef1db129b9a754256e40a61f128fd86e16affc263074e56fc44ac5f72eda31ca55a85cc50a90d7819be76f

memory/4860-97-0x0000000140000000-0x000000014020E000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 c965b9293a3903f479cc2a6c483d6dd5
SHA1 103c7b1c0b3eecf15927edb3a022ab5045cb68d2
SHA256 c1fa247d7580ef5649c77f01f5665be1b04adae1e3050eab9cd59524ccebe259
SHA512 5853c101dfdbaa33b374acbb45091a85c00f87b938650aec12f967f78e91ca5436ddf6336a6ab211bdb8c5e7d4c81d72a3ed6c7c8100a7babedad92a80465bbe

memory/3304-75-0x00000000001A0000-0x0000000000200000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

MD5 eed69ddec1961372a7cc153578d58884
SHA1 7525211f1787f35c9014bc98fc99e97ed9b7e825
SHA256 ad890deab94201805e27cb736ffeac4175204972992c7eac768f9d7f0a191dc0
SHA512 5ce870e984396f975ab51bebd47139bc0a527b1e7c222ff59e306b30735ecd763ac742e03e3648c3b21b3b673f0eb30a9892968b702bb2e02031eff2c4f82415

memory/2700-71-0x0000000000EA0000-0x0000000000F00000-memory.dmp

memory/3288-68-0x0000000000510000-0x0000000000570000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 399f2ffdeab08934f8e8e7123265110c
SHA1 1dd5d0ddd9806137368179466735140820fcbdf9
SHA256 902957950925d00b6ce34acb6454cb0fa1aa31a682ba18e5a592d6561c5fedb5
SHA512 9e60eaebbf17b8d2ce69c0431ce895a190884669c2e1c20d46a735e8d17e71e20ca4e9c44c7675c3b64a7167fdff30ed5690f6d243b972a095d2472704076b7f

memory/2700-52-0x0000000000EA0000-0x0000000000F00000-memory.dmp

memory/2656-48-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/2656-42-0x00000000006D0000-0x0000000000730000-memory.dmp

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 e92999c70653847373cf62dd9272293a
SHA1 6041b9802ad33413f63ab6c03c03b416b3ff2bca
SHA256 5345a31435b8d2fdce9a40830afbd21ffbf72ad4eab7905ecf91e3df9efdb940
SHA512 8b4cafb467eac4be3f37ebcfe3c05f81e7ea24fea76c3fe35e48d5e82c81883e2790a604ef93e1dbc6c079b37f6d03d1a2667701b1ff08dfafbb3928aca0c2d4

memory/2324-38-0x0000000140000000-0x00000001404AC000-memory.dmp

C:\Users\Admin\AppData\Roaming\276808ddc8648821.bin

MD5 8830e8670e136132ed3bd6b67d5a05e5
SHA1 53704194686108be755d8abf7c737c0063d0ecd4
SHA256 1a655a07289101a280203a1b370049f57738f3c74d57b8ce8f67c3db59a9ebb8
SHA512 c8f68a483943b851e995efd7257b5296bb09ba302cc9aee965324489fd38c8b0124dcec24165b1f8fe78d6236b5985210d5e54256dd1f2fb448b2fd5ff9f8158

memory/4204-21-0x0000000000710000-0x0000000000770000-memory.dmp

memory/4820-13-0x00000000007D0000-0x0000000000830000-memory.dmp

C:\Windows\System32\alg.exe

MD5 0139611c3e4b68648b052f66572e5b38
SHA1 2dda0c66e8636295f0b9c516c3c5b03f7ea6197a
SHA256 fd85817d235cb9c23e92a97402c16060372d6529fb97e64d5bd6dd655d3c804d
SHA512 b64bc02beb54ef9b5d4f0b9ac5726e987ca976e85f00a494c1d54dc29f3f6e504953573075d48eb0b3d71fd2ce2669875ef5050cdf15b9501be0c1f619415f78

memory/4820-11-0x0000000140000000-0x00000001404AC000-memory.dmp

memory/3304-385-0x0000000140000000-0x000000014022B000-memory.dmp

memory/2656-383-0x0000000140000000-0x00000001401E8000-memory.dmp

memory/2572-387-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/3288-386-0x0000000140000000-0x000000014024B000-memory.dmp

memory/4260-389-0x0000000140000000-0x000000014020E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 89f55681cd116518c116754e0407b2c8
SHA1 f5d4aeb85e94ba181091d6a1ebca93915919c9c6
SHA256 f36101d056932eba1217b54d3ee1c54e0c6c4120087bf1e1e0781625d2be6fc9
SHA512 8db0dc249a77703508e63c8314af4bddcf54ac4f887b26409f743b344b94f9afe762d266cbac8b8097ffb28870d40841c7f64ed60acd087dbc1768db15b1c0cf

memory/5064-393-0x0000000140000000-0x00000001401EA000-memory.dmp

memory/2160-398-0x0000000140000000-0x00000001401D4000-memory.dmp

memory/2072-404-0x0000000140000000-0x00000001401D5000-memory.dmp

memory/5088-405-0x0000000140000000-0x0000000140169000-memory.dmp

memory/5104-408-0x0000000140000000-0x0000000140241000-memory.dmp

memory/2456-414-0x0000000140000000-0x0000000140221000-memory.dmp

memory/4868-416-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3032-421-0x0000000140000000-0x0000000140179000-memory.dmp

memory/3148-420-0x0000000140000000-0x0000000140205000-memory.dmp

memory/4316-419-0x0000000140000000-0x0000000140216000-memory.dmp

memory/808-415-0x0000000140000000-0x0000000140147000-memory.dmp

memory/224-399-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/4168-396-0x0000000000400000-0x00000000005D6000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 31f082b9ede984089d495d835d280117
SHA1 1b02043e9a0b930cea98f417777f84fc11c042e7
SHA256 f6fe633d3cbacb0c62479bc8790a1d629d4e1c7cc9c402f5e203ffab07f6acda
SHA512 d6d863963354925e6f3b1a11438f32a8c7eee3f6ff47f7f527c30980b822292d95e03c32614806fd1226c9672be3d9ccc906d71ef874baaf624ffe4cd7781476

\??\pipe\crashpad_3052_ALSDXXFCOYAVSDJB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

memory/3288-491-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 3637496791653df6fc502f3b6a69cd4a
SHA1 396fe76f2bdce9e183366b6fa8ea41cdb1257594
SHA256 a954f476df3f512ab98ea845fac30c2ebc3cb6a639dc85cbbd5c7620a707df7c
SHA512 2259ce0415f55519843077d31b1598418f6122d7eb33b688e75847a6283472cce753cf354601c4f453152e7fefc023410d0a38ad12f93a973bde3cd21f0c633a

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 a62ede29659243f5cc33b22ac7dccdee
SHA1 b805424779fa1412ccbefe36a29beca5098efd34
SHA256 52cadaba2688e0c8a4414dff268f6451a116ac06b907dcc15c7b9ee2beaa6b88
SHA512 d50ed74db7a5328f4d4c9a3d784c4438aedd25feee23856e0e0b16cdb51dbb8dc2a25dcf12af182dc0d551d327eec37bbe18954617f5f02fbe8b57934b8f689c

memory/1712-531-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5256-543-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 f16392737c199d3ba97bcc2f8e4dd555
SHA1 10324a832e2bc1b959253c6c3d725b62fe10a177
SHA256 03378ed2f1124d3cb3c5b0973d5bc8fd2dd03dae3cc807131f6188b7ae7f210e
SHA512 cb1c77dc8cfbb1aa0e229280f10b3ce64ad9f92462eaab244d65c4c96ab6b95090e439703edfaed847adb1ef0905c0ca7f4465fc907982d6a5c1a6b068eb5099

memory/5384-555-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5456-565-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Windows\TEMP\Crashpad\settings.dat

MD5 63c24fafa38c1b0109d7b33c1be0d22e
SHA1 9b3ae6d17378fa094069f9aef62df034089e3083
SHA256 5928caa89b1d2b710b06e2032deeeb129c5844abc95bb506a96a2181663fdb20
SHA512 1387ef7a3e1e729ec2d22463f44463c5645c772a8336127bbbc7532923abb04b62bbfadf10c12c2f6b50d1ffb567ae4059efe192f3fc0ffdd90ff0cafaacb6b0

memory/5384-611-0x0000000140000000-0x000000014057B000-memory.dmp

memory/224-616-0x0000000140000000-0x00000001401D7000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\98ed642f-deef-41c7-a8af-c4878d384534.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/1712-625-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9c00a952026383750c00fa11de99d331
SHA1 3136f3e8a89f486ad84017ba78c06e9c295673da
SHA256 991932d32e27f2240adcc1c91ff7a7c9437ccce3a4b6bfae6c22f23ecf931d5f
SHA512 120b8391b18b096e164e173074e1d431c4ef356e50b85db5f1d8734c325f4fd897d98eca48a1eb50fd98abf02ea0a49cdef390fa250449ed1dc630b685befe07

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c1a45b22f11e666965cfa4187eed40b6
SHA1 7f0fcdfbb014c44645a1fe6de1a6f8573a058733
SHA256 0ca56f5b93ac614497f1a42b42075d83c7e067c4aadf0ea17914c130af1270db
SHA512 faeff371b1b6f2c98c16077037d10d2dd80605b60a2864810d9f30cea4d7df12cf69014469bda383992da8865ce1b4ddf695933f19c23a243dabe799c0409e56

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe578443.TMP

MD5 8e5632bb5baca5f24f88c9e2a8eb2b6d
SHA1 71f7dee86640b602595b40c6a65d7ed4498cf00d
SHA256 88575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad
SHA512 def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc

memory/4820-710-0x0000000140000000-0x00000001404AC000-memory.dmp

memory/4204-717-0x0000000140000000-0x00000001401E9000-memory.dmp

memory/3304-718-0x0000000140000000-0x000000014022B000-memory.dmp

memory/3032-719-0x0000000140000000-0x0000000140179000-memory.dmp

memory/5256-720-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5456-725-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 07dd4cb08d7912fb285a37cc98f6a1fb
SHA1 3b23577dd7548ad39992bc82f79f63b3ab741a56
SHA256 c87bc3b9a0317174932691a5e54ab77398fa7f509243888d6acc8a0119ef6c6d
SHA512 44cc96dc3c1837ebb42241537b1f3a66e812b95cf291be7ac57b32876d2208b82b76e2dfebb10737caa82840a1d95143095304091d251ba63fe7875f8d5adeb9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 4671717dd03318e66d27de63011a43b4
SHA1 f02a17a66ee99b8f47d0d0e5fd3819b9b35f115a
SHA256 4191f9c5c7539740102f5b681bbdb75f7274d9b96626e09826623136f5057cf2
SHA512 2a53c2e872f8faa5879227bc1c6add544565b2f4ceb8c3b075172fa796ed8eeeea7349aead346f037e0e572f1ffcc6dcf5f1ccd53dadd0a5321596b60d71656e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f9a2.TMP

MD5 85292590d1cdcb11161519fc609fb9ae
SHA1 378ffd79cb5029be14d726728e3951955754ddb5
SHA256 8849ec6ce347197086e4e434023ceefacbba2cd17ecc8db6d5f18f5c35b6872f
SHA512 193327d623748502a9191d79688ab09e434fefbe0e1bea848409f515527ccb06707952392f75152ee2278f4ceb899ceb3fdcb0ae97a5e21746f3059a4b5bfaa5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 27d879637ff92b84d8f1e8fac756cbdd
SHA1 90000730d0f5551fb75bcd138fd62805e3e195e5
SHA256 f7e416c89239a8f9fac4e668e4b10097acca890cc77706f760ac76a9f359b0d9
SHA512 7b2c733c57d9ee0c8b3cb809d2d0d47d871465cbd38a0d897e4473f112d357d3285142e3fc2636f6e9f40f8dd1512df88feecee82c10670427cb808bdf5e7155

C:\Program Files\7-Zip\7zG.exe

MD5 f319aba23c00d8c6b91f06a7b64b5fd5
SHA1 1b912d0f6bbe80c4515620d7bd59fde540c0173f
SHA256 78f04ba7e2173f588be4c112ecd9d1989d93a7216303ed04c66380757958b024
SHA512 bde0d6e984af65cd0e389037d997475b4db957add6a3cc323e6e0188190ec3b9b448d297924722789e354f34fd1d9db918885c71fb8435410f4212170b10b527

C:\Program Files\7-Zip\7zFM.exe

MD5 4579825f8300a278a72d82a27631c62d
SHA1 cfb6a76c9c28477ec0a2d95c06f67f9afc748693
SHA256 9126fc5c633ff0e0deba33f75fb829f452eb7b35af948fd9a79ccc1b1d9e1af6
SHA512 35fd1f203c36bf11196002731fffd051807e54a6bebc9f84aaa5505f2afc95feb2b0c9c26ed187b66c08bd5d600b957c7cdac2f13e28e35c42730222bb577c69

C:\Program Files\7-Zip\7z.exe

MD5 5dd9d281bc36ff8eafb717260dcbbca3
SHA1 0e0f798d4e9a1262cab5cc877f2c1941592e7ff1
SHA256 7663ec70f95242d331af959d43df4829527743d51232b5009091ead612986346
SHA512 ba0e7d0aa8ef9cfe620a79d045899e3a9ccb4f46ddcafa534793f874686232dc9b0b6f0af66126695a65bf4dc7e1c9a04bdaa95fa8d25ada84c8c83e8e2d7896

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 cb30d5bdb3cf79d5eea1f87cbeff8244
SHA1 e913c3f505b7b453522c47e1a23289ec97d11f82
SHA256 b71a4f1461906204e4ccc0d010dc280319ffb6e13136e13b0de5b03bb45552fb
SHA512 5f9502695cdd2a69f17f0cd0ebd1df0fd339592c552e0b63b7a7126cbf2fe229cf61a791c6433d6fbc29b747de99f2872ec97a6fb3b10354056024653aa178b5

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 fd2dede9b6073c3b187d56c9c7f0f0db
SHA1 327f9df3bf76957a289435ad6b0bc4c7253f6a82
SHA256 3c933600451f8110c282330549ca1ecc634dce835ef31948c7b544e39ff7627d
SHA512 33cdaeea1a4b0b078004670bc091f74b5536d0d3e52d7a1ff76da8a05709547e3b8066710389cd25c23931c1384969c7285b51515e202eb9a5581f71ebb74f36

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 d1afad0096b958a577ec3511fc002117
SHA1 94c52ed93438a8ab2656795e60ffc1bf09a18810
SHA256 63c8313d323a318fd19c035a34c0707b4ff835af1f616e773bd3e7223ca1a035
SHA512 3817f033bdf1c74e0ac2a7b02ddefcfde9b094934a1f71624e8bee20e57a5ff294b8e74f3a35bbd77287f654f1cbfb12377c03e5e6be01d77e3a65d3425e1e5e

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 3b44dd3e9a654417758e5339b4c4780e
SHA1 2f034c2757c493df3c8ac24b299a251977ec78dd
SHA256 10593a56f3ec8253c5ad8a49b84fb00d1642eca15d6ff4bc4d0d252d7cf9c858
SHA512 96e6d11b88242d4f9d6356a2dc90c548b5e7bb79266c2ed45e076eafde6c62e198e9f745bbd4f0000c1211fc6feeb18797ff624e8bf029b5eaa8f6ac88ef92d9

C:\Program Files\7-Zip\Uninstall.exe

MD5 a9b9734f0877146c9b003b7de4bc309e
SHA1 681cd6aff3528128feefbccd01eb5fb085d6babb
SHA256 477df83dc37b97f311253eb0eebfe1be0126e58bc625589dc4905d8eeb466e9e
SHA512 318c2d3c41448bd82eae984e1692870c1df03ddf110615002ddfdcd9a0592fbaa2f0ff1638019e3deedf537c2a35cefa4190aa123219f669fbcf40e508715b34

C:\Windows\system32\SgrmBroker.exe

MD5 fc82750001c3a65b8324fa30089029f4
SHA1 0e20cf368668108887330a65e9c81c8d7874ddd1
SHA256 e7f172831af7604df66cfe516fa4821175cd6d234b7ce6d4a3e15e14d3612374
SHA512 b8991aae03e04cb8210e80e2e8043aa47fba0e4a6568aacf3af000f7abd3d06c0daa4b7a14d2a847cbee51041c5c44e1f30e83f6f6fc00295240b1d5e027b277

C:\Windows\system32\msiexec.exe

MD5 385f33f6f62e14e97b3191a5b4a17c15
SHA1 bb817115c071001b26a668f695e0eafb140c342d
SHA256 4872c8cfcb863f0c910528fdea01d8bb45a55d2d484e6742a550d0669bf75358
SHA512 7fef48755a3c31215edfd38c3b35d7a2f1dac4877b4e0f888325a747ba162c6d21f0ea89613fad8088b1ccec4dcc021ee97d4481a2d68db5cfccac3c9099de50

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 34ab5cfd5c555c97bc8b3676a4145aaf
SHA1 5267e3c766dd88f9b6821139773ab5dbad004a26
SHA256 a8016f686451ee10961fb660c83be6de5051fde0ca16c3d0202745fadcd2d34e
SHA512 64813012c1bc0fc44970c269ef7f4597f7b6f97d36a052bb052174bd27931f065a261964dcb0de6bfd1e476708f4d1283d60b94521a09bd9be6dc32fe1287225

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 067a0a0653dd0165378bb6369a227622
SHA1 57fd2cab287b111a001f2b25b1c923cf84d91762
SHA256 953052801f0e2d3585c1c05ae71f1b0fa0136dfdae6a984a6fdb61ee4bd96ce5
SHA512 6a22c2b21a804df41dcdd31b8b0eeb4fd3d759c6424bb82edf19d676b2252de79dc1348e68a69b57830257651436595e4a13d8a67d63cf066afd3f5371f0364d

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 61af84a120f06e00341308b03ea40a62
SHA1 a2f70b27a232050155da6a3608bdc6f26fbf7977
SHA256 38274771fde2e968e7979870025240d6264dd2ca489d1a9d2b271241029d4e96
SHA512 ab178aad1c80d5afb119c8b14b89a11f1b2f7d6c20a5eaa7f3164d20f27346d99e36cc905a48a60b1dceb349e0f70e936c838a80d055a22fcc2f779e78bcaa0b

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 b014d5b6246dc9fc9cc9f0b7e794c946
SHA1 ee535755f0ea8047d205c9912a895f61135fb2d2
SHA256 6d2e6c6763f958a55d1e826845d9164b666a0e6542f61a15f5e579925eacfe04
SHA512 addf0315bda0c4efb55c270700561f95cef54fb646dc6c976299298d9a458a21c09cfde8bc5eaeaacaccc8a4c746c465ee432642023c9853c876fe7a792da765