Malware Analysis Report

2024-11-30 06:32

Sample ID 240612-vzt17sshlf
Target 2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk
SHA256 0411f58409e863ffe1a167f286588129112625689171e4d5e962ec920328a29a
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0411f58409e863ffe1a167f286588129112625689171e4d5e962ec920328a29a

Threat Level: Shows suspicious behavior

The file 2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:26

Reported

2024-06-12 17:28

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\alg.exe N/A
N/A N/A C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe N/A
N/A N/A C:\Windows\system32\fxssvc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe N/A
N/A N/A C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe N/A
N/A N/A C:\Windows\System32\msdtc.exe N/A
N/A N/A \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE N/A
N/A N/A C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe N/A
N/A N/A C:\Windows\SysWow64\perfhost.exe N/A
N/A N/A C:\Windows\system32\locator.exe N/A
N/A N/A C:\Windows\System32\SensorDataService.exe N/A
N/A N/A C:\Windows\System32\snmptrap.exe N/A
N/A N/A C:\Windows\system32\spectrum.exe N/A
N/A N/A C:\Windows\System32\OpenSSH\ssh-agent.exe N/A
N/A N/A C:\Windows\system32\TieringEngineService.exe N/A
N/A N/A C:\Windows\system32\AgentService.exe N/A
N/A N/A C:\Windows\System32\vds.exe N/A
N/A N/A C:\Windows\system32\vssvc.exe N/A
N/A N/A C:\Windows\system32\wbengine.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\SearchIndexer.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\SysWow64\perfhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\locator.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\System32\snmptrap.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\vssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\System32\alg.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\AppVClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbem\WmiApSrv.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\SgrmBroker.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\e540078cc3a5208d.bin C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\System32\msdtc.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\TieringEngineService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\System32\vds.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\spectrum.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\wbengine.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\System32\SensorDataService.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\fxssvc.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\AgentService.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Windows\system32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\system32\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105437\java.exe C:\Windows\System32\alg.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
File opened for modification C:\Windows\DtcInstall.log C:\Windows\System32\msdtc.exe N/A
File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe C:\Windows\System32\alg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\System32\SensorDataService.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\System32\SensorDataService.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\spectrum.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\system32\spectrum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\system32\spectrum.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\TieringEngineService.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\TieringEngineService.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f80055a5edbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f6177a6edbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c20d37a4edbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133626867782673358" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008ee08a3edbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f3acfa5edbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device C:\Windows\system32\SearchFilterHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\SearchFilterHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8e9aaa5edbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound" C:\Windows\system32\SearchProtocolHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" C:\Windows\system32\fxssvc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit C:\Windows\system32\SearchFilterHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" C:\Windows\system32\SearchProtocolHost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9bb41a4edbcda01 C:\Windows\system32\SearchProtocolHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\fxssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\TieringEngineService.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\AgentService.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: 33 N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\SearchIndexer.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4256 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe
PID 4256 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe
PID 4256 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4256 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 1920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 1920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2284 wrote to memory of 5612 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2284 wrote to memory of 5612 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchProtocolHost.exe
PID 2284 wrote to memory of 5636 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 2284 wrote to memory of 5636 N/A C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\SearchFilterHost.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5848 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5936 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5936 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1832 wrote to memory of 5972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-12_ff1b337b4b1b10ef4d374b5d699dcb02_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=124.0.6367.202 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x1403796b8,0x1403796c4,0x1403796d0

C:\Windows\System32\alg.exe

C:\Windows\System32\alg.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0bf1ab58,0x7ffb0bf1ab68,0x7ffb0bf1ab78

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

C:\Windows\system32\fxssvc.exe

C:\Windows\system32\fxssvc.exe

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Windows\System32\msdtc.exe

C:\Windows\System32\msdtc.exe

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\SysWow64\perfhost.exe

C:\Windows\system32\locator.exe

C:\Windows\system32\locator.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\SensorDataService.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\System32\snmptrap.exe

C:\Windows\system32\spectrum.exe

C:\Windows\system32\spectrum.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\System32\OpenSSH\ssh-agent.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\TieringEngineService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\SearchIndexer.exe /Embedding

C:\Windows\system32\SearchProtocolHost.exe

"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"

C:\Windows\system32\SearchFilterHost.exe

"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4672 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4224 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4756 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1572 --field-trial-handle=1908,i,1885196826431696138,7289637442266772173,131072 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 pywolwnvd.biz udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 clients2.google.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ssbzmoy.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 cvgrf.biz udp
US 8.8.8.8:53 npukfztj.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 przvgke.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 zlenh.biz udp
US 8.8.8.8:53 knjghuig.biz udp
US 8.8.8.8:53 clients2.google.com udp
US 8.8.8.8:53 uhxqin.biz udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
US 8.8.8.8:53 anpmnmxo.biz udp
US 8.8.8.8:53 lpuegx.biz udp
US 8.8.8.8:53 vjaxhpbji.biz udp
US 8.8.8.8:53 beacons.gvt2.com udp
US 8.8.8.8:53 xlfhhhm.biz udp
US 8.8.8.8:53 ifsaia.biz udp

Files

memory/4256-0-0x0000000002110000-0x0000000002170000-memory.dmp

memory/4256-9-0x0000000002110000-0x0000000002170000-memory.dmp

memory/4256-8-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/4860-18-0x00000000020C0000-0x0000000002120000-memory.dmp

C:\Windows\System32\alg.exe

MD5 43fec045cff168140918aa215622c847
SHA1 2c94bf67d89cbe33004381830dfcfda551003015
SHA256 5617d3423b19a0a547749cb273f09d66ee66e2b7f0e74232ef25e212d3e32075
SHA512 3ab77f7a9b1224f10d834467989c3c2446d23ab5df8850c19ad3ce5e678f7c5192eace4d98598a8b472989cb1e5fa8148d3a72231681e31d7507233b990576f6

memory/4860-21-0x0000000140000000-0x00000001404A3000-memory.dmp

C:\Users\Admin\AppData\Roaming\e540078cc3a5208d.bin

MD5 6ade5233b930e3468e0130400a691f81
SHA1 e0354499851456b67b13b8ffedccbff87b8e0585
SHA256 748d4c466f2ad01162e3afbaba4010b4dc2b847950343a989512e1260cc4d75e
SHA512 a6590dc3939c66bec4f4cce37bb3d1fb4be4c810ed74315c4fafc9b64e44c12ec15c102aaf64085594d4b2cd05aeefa3824c35a9d99498e28811a95d6e1a5732

memory/4256-37-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/3888-48-0x0000000000580000-0x00000000005E0000-memory.dmp

memory/3888-42-0x0000000000580000-0x00000000005E0000-memory.dmp

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

MD5 f9828c243ccd073bfc501b43aecdf8f4
SHA1 39a880bf76622df4c19d49c4d1c259e70eb12648
SHA256 15909f0f8cb5a595d4337433c59112509a3443cd55e1a3b76c603786115b1b87
SHA512 709345a756c45258aa916f0499469ee897db1bc6b396b6d172979e2454fd46dbc3b268fb8720218f67de60ad3117b776a3d0edd35d237960f8a24ffdeea40284

memory/4216-81-0x0000000000890000-0x00000000008F0000-memory.dmp

memory/4516-97-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Windows\System32\msdtc.exe

MD5 0e284c9f2e3c3e30d983f60ab479a8be
SHA1 f4eb8682d612159fe481383815fe3f0bbd4f3ba3
SHA256 c9a1fea324fa1538085eaf26de245ab5f4a679ff3f84ef39328aa338c8fb0adc
SHA512 8bff128185e5dd376b18b935dc0021eb8ba80db0ed1d1bdd745996e3aa0d5138d3064ac4a36d99556a1146f354ecb6855603b0e659331e9c599cee756c5a2e44

C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

MD5 86046050605934dc28c5c08b67efc90c
SHA1 523c9a5872554c54301bbc07358df6676bd76113
SHA256 17e28448832b5b17befcde795f7e334d856bd84bf4d36d7363962cfb4c736a6f
SHA512 ec5833ac0d7dd3193b8a38821a9e0bc75d23b446531ef603789a9e446775f1514a49c3e76778eae2bd92009a128aca053a27f79a5170d364b013ecc3fd2a714d

C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

MD5 43e3f4da3dc7f4f5c8a86e0795ed6337
SHA1 478c6863f461030134f4ee024325d1bc260a7fb4
SHA256 9f5215e6bbd1e228fb00169a917553a2bcae2377b497d61cbe563f66eee93aad
SHA512 59749024dc65e91d64773fa418764a942859b6e95f7eb912996c317296ba918ad3f90853699739463b0ab6bdba3fbeab0f29ae5968396733dc1a80b8b7d12ae0

C:\Windows\System32\Locator.exe

MD5 41b260bcdd414fbb57da85adac3705a8
SHA1 f90253907d789e9be19f36c9a8637db47547c308
SHA256 ff473b5c67d4b3346348be7923e424952115a87e56aefecee27ee07cc1243c7e
SHA512 d59e34d7732c4ed4d779bba6a334b5a926c246be68ec074368ac8dafaa9b16e51dd2b1882eda2c66988b1b7f8b76909a847e6eab8c1d6a1541b374eca76b9bcf

C:\Windows\System32\SensorDataService.exe

MD5 c5a418033fbf11cfcba59883a01a439b
SHA1 81f0ea8b8fd58ac4127bf4d8cffe796562ab474c
SHA256 ccae570da6047d7056a5598ffcd3e1f67f4283615777190f300c06b0621df629
SHA512 f55e0f4e1fe0e6347b4bc24df8c7f92ff3ff535cd5683176e5f3c18308dd6723b88bf08304f6f1954c43410ee9511359613b6fb177e6fe315cb99db52242399d

C:\Windows\System32\snmptrap.exe

MD5 b1ee112636e4c849533d84e1f0b86286
SHA1 951ffc10928627d7a10f2505867855d8f122e353
SHA256 9314246197a3542631ae3b78b925ed8bd05be8d916294510068d618102cf191c
SHA512 11271308898b4131855202dcec2e27a1a5218df719c6b085ab25ce3c58046e7fbf5be2e60afbf43b512ffab25a80c6f3e581e4fe2186a38daed8dc13f4baf753

C:\Windows\System32\OpenSSH\ssh-agent.exe

MD5 56f950623326408f9ff87d6444b92ff1
SHA1 f7946af7d3e779caa7f6c5f16a064a23d61d23ca
SHA256 eca9c9d10c519d44eb2f579ad40289ccd27fe6a486c2e49c4fb7997f2b1858a6
SHA512 1608d18125ee9e4a9b244b40ac8f53a4de7443471906ec425bf29610d75cb5e1be03dc0250cb41577e516f39efca133d4925b27b4b44138fde8ec39b8429e87a

C:\Windows\System32\TieringEngineService.exe

MD5 fe73d4c9a40535082e06761154a469f6
SHA1 7b29ea2d859be82416f87180172cd88c4d8cc1c0
SHA256 5a39d667e987479a0ad6b153fd9c33bfecf6de039f2a0524f71f44d8cc4ce559
SHA512 c130da1ca60417d611c50a9c6973190294f35d49b3efcb37f8a08f544c84b657c072af031cf1680a75642acbaec7b8b20ae595e4fa48bc5ac8b15d795f417df4

C:\Windows\System32\vds.exe

MD5 8254696d789ab72b7bd87b0672b4fc61
SHA1 4192bd3b47706390f2d18f620cbb1e86e5609702
SHA256 95333d497b2cde6ff8a2e11bae56b932d1e95cb5d3d44ea44041c2a418ce3b89
SHA512 493326086fab3cd20710604307b211fc6e9854b4aa48eb4bb641740b88439917b6b43d4b5576de9e1471f0efe2216a976d99826a0f69dc03d88ab0359e0e2956

C:\Windows\System32\wbengine.exe

MD5 b85f6e7908eef7be754a36fc236d83fe
SHA1 be3b0bc221d59490e7a919a51e9cf79ae088ba45
SHA256 e3abc74b157fb056ad1ed264f248157315d9e8632716960518bfa4401597631e
SHA512 096d625ab48c9421a48201f722a69d77aacf2816ade223adc7909c6b09047e1cb450523f68c574fd04c8f1bc994cde9de5337520fab971bdef19f140d1a8011f

C:\Windows\System32\SearchIndexer.exe

MD5 2ec3a296b07b067cd01cf6f192e539df
SHA1 a86119c23ef2df3c57248ae1f8ca4bd680dd66e7
SHA256 5e504b62effd1a40dcb2d3497e3bbef8e76410e28a9ac5701331b5ecbc47d92b
SHA512 0924cf4633e3539f6ecd451048e0f41209be343a78d0373b1a873f34e22aceaddca9b8271a375239bc4caf1b8493db9f39e7c12a13f5c284b5dd4ca8065d3d38

C:\Windows\System32\wbem\WmiApSrv.exe

MD5 900294ea63f0213e08c18fd968f09867
SHA1 730a1279b16370b13fd641114eaa1647c191d93f
SHA256 d1b86aae58e423f9f1d3602dffc183ffa0e8e67b794c402c67b5b4888e33b708
SHA512 59270dbc9e732c2a752f4e16971af5d4dfc8f5fecf618b59f0bd7cd286f0d2f737390dd99dab6c8e610b0709ef1fb2b88fbb9a0777095c33be964e7a05c19ab7

C:\Windows\System32\VSSVC.exe

MD5 7c9486cd84dd6f928d71c536bfb758b2
SHA1 48ec416531c24031af50695f97accfe15b0e0991
SHA256 ba793abcd14d48120369f42da0feff581a9d3687622a45fc0b6ec1456afcd82b
SHA512 acbfd66ae2ae336e40c2eea6b46617dec5c72d24e83b69b8ad9d5a330cc8ecbfee37784b32bd3ad7260d346f99421472bbb3a6a9f98478695203c1099018f4cb

memory/3484-215-0x0000000140000000-0x00000001401C0000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 e646991f9b7863013f4543e5deea2d49
SHA1 7d3ab1c249b15c5bc5761baef819fa96b043539a
SHA256 0cc277125b5bd55a7c42e32f351b5bce3ca6003f28bc0646db5bc6b9b5135c07
SHA512 8b7b264f086ee2d1c1ec1199307d6511ce964890e84312a1c12c21a0a1fac24d6bf005a2ded820ecae3b51b58229a8ce724e98e40b03e1f93d3914948025a76f

memory/3628-313-0x0000000140000000-0x000000014024B000-memory.dmp

memory/4480-319-0x0000000140000000-0x000000014019C000-memory.dmp

memory/1328-322-0x0000000140000000-0x0000000140186000-memory.dmp

memory/768-325-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3852-334-0x0000000140000000-0x0000000140147000-memory.dmp

memory/628-341-0x0000000140000000-0x0000000140216000-memory.dmp

memory/2284-343-0x0000000140000000-0x0000000140179000-memory.dmp

memory/3024-342-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3740-336-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4796-333-0x0000000140000000-0x00000001401D3000-memory.dmp

memory/1404-331-0x0000000140000000-0x00000001401F3000-memory.dmp

memory/4280-330-0x0000000140000000-0x0000000140169000-memory.dmp

memory/3696-329-0x0000000140000000-0x0000000140187000-memory.dmp

memory/4788-321-0x0000000000400000-0x0000000000588000-memory.dmp

memory/1504-318-0x0000000140000000-0x00000001401C1000-memory.dmp

memory/4620-317-0x0000000140000000-0x00000001401AA000-memory.dmp

memory/4216-312-0x0000000140000000-0x0000000140267000-memory.dmp

memory/3888-311-0x0000000140000000-0x000000014019A000-memory.dmp

C:\Windows\System32\AgentService.exe

MD5 4d73d5948f807a0b3d1c1e995622bd77
SHA1 17368a531b8ff5682164802ad0b8c9e9477db0b5
SHA256 5d1b0de1abcfaa660ff7946f332ff562666c6f6cb906314ad8f0097d7bbba987
SHA512 18f7c6df906e6a2065abb86715dfe919f67d756427f8bd208e1c81e8516cedc8f2c790586937c9890d4c91d658e2de28fd0d585748d2f37abd84e1d5cd405c19

C:\Windows\System32\Spectrum.exe

MD5 bf5d410105426a8bc95fb03d238809f7
SHA1 4f50025e6cba136da0d358301ba33cc869db0eab
SHA256 3d29ce18fb2b950e76170cae81aa8d04c6131bcc0dda122b679efa51f59f44e3
SHA512 69f7bb109e674a1caa9ad216a1855553e33cfd3e293682b39752f065de2d3713dca08fae8d139098820d6775721b6f4f41512552733dc61ae2a24aa036f2e59d

C:\Windows\SysWOW64\perfhost.exe

MD5 3a6b65911194f4f479ac832f79726e27
SHA1 312b68852c2da1d907badf2077f32b056c8efcb7
SHA256 474f5a8f897c9f4d283e15ff3cc62fd9ed5a076999d060adca1a934800c2e436
SHA512 9e2c3d5beb089c98c0ee8e138cbc77970ab5025e94c1ba4d3999b882e2d7a5f4e37f6380077bd9cf35addb7b72667e55a66048d242cc36701fc0a23a9a2c147a

memory/4516-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

MD5 7a4c944ee5b236aa8dec2b0ffc0ba959
SHA1 8f1a25bfb11fd4c3357b2fe35eb81a530fd999f7
SHA256 263a16a650d43051ed56357aa28613b1d950367ef7dd0443eb013a10e68cf14d
SHA512 d7a6bdc6eb5a743729273c569091520e48b5ebeb405267c580129cd624375c3aee35e93932846e1f77ccfb1aeeca30e691881fa6a4a68d4f72cc7af88c417b75

memory/4216-75-0x0000000000890000-0x00000000008F0000-memory.dmp

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

MD5 4d2ea83a18a3f438181f3574bd2c476a
SHA1 06b0f8092a342755bcefd5f61461e49858a672e2
SHA256 8602ba168b3a72dd252b4c4d3842bba5a6f35a08da61c5d13714f93b2c9780b4
SHA512 ec234556fd39a407256f9aba57663d482044afccee2f048eda21098752603bd4387d2089b8c545346034afb9db396e45448e2935aea33f05ab20070661c9e1ff

memory/2244-73-0x0000000140000000-0x0000000140135000-memory.dmp

memory/2244-71-0x0000000000A00000-0x0000000000A60000-memory.dmp

memory/3628-68-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/3628-62-0x0000000000440000-0x00000000004A0000-memory.dmp

memory/2244-58-0x0000000000A00000-0x0000000000A60000-memory.dmp

memory/2244-52-0x0000000000A00000-0x0000000000A60000-memory.dmp

C:\Windows\System32\FXSSVC.exe

MD5 d7cbde47f136045a16ec3f0bfacc8b8b
SHA1 f14c3b83909c45e2b5ec8c36881b6fd4baaebca4
SHA256 6c4bb790fce359706a9fcfc957efea0a67ae3f5efba17f3ccb26c76a2c3d6381
SHA512 e335562b4865e557d03a284efeb727d7dd205682334111b83fec4a6ce51667675730efb5e23c70b26baef534274f8703620082a25338dded190aa8eea853c6e3

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

MD5 9080af7e7d744640b90941a9742d1914
SHA1 8bc9cd33a07bd1fc372e4de6d93436ab0d4a55e4
SHA256 c3173ba3d5061841efdda7afb7cde6f265f50c1dfbc4905f8fef0c0135ab482d
SHA512 5f1bde54a7ab1fd748406e4cbe3bdea27fac83d2e73722469d85e0ce947c85cbc3c02d2b1be80b0b762aa38407f70a182e4ffe50872c52db0b047aefd6b2864f

memory/3272-36-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3272-29-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/3272-23-0x00000000006D0000-0x0000000000730000-memory.dmp

memory/4860-12-0x00000000020C0000-0x0000000002120000-memory.dmp

\??\pipe\crashpad_1832_SZHWCQEQYREBSSWF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico

MD5 ef36a84ad2bc23f79d171c604b56de29
SHA1 38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256 e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512 dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

memory/3628-455-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

MD5 133238a7ba2fd8119c2eaba9effbf692
SHA1 f5e6126929e79c6327fca9b5aa942c1ff66e2032
SHA256 0ef4029413894412016291154f3370c193aeb2db296656587242b425664d614b
SHA512 456d849cb49007d425d24ae29fbaf751df9c9e172fdcc36eb0f5f7036d5e9215f16f91897ed806513234025a16859437af3263769619135827b314a6762fa35e

memory/5188-520-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 15acbb66c422f1854c442a57e075afa0
SHA1 e107bb6475a09b7f4a182c96e169f9a73f2de932
SHA256 a826e915db5148e172fb6a3bed1fe4290dcb60cdbabd2cac5f2891f2c9ce5557
SHA512 2bad877dde8c69d0be78eaec4b4652e1ea4fce694b5b5aec0d1c3adfb8ca308da0bb18a24c34a5cac14f37a5c724091064aa98441c07e99214f8bbd004ff6f94

memory/5752-543-0x0000000140000000-0x000000014057B000-memory.dmp

memory/3232-546-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

MD5 861a3b2fdd8d142a8db45c015f872baf
SHA1 80069d60954333835f11b5701193ed8415cee0b6
SHA256 8bb85daa3a23a81636a1f439581d1bbcb34ba21a8632497a131cb20e4f1979fa
SHA512 1287dcdd9003957df3926e1177b30008ea6255ec3c33a69ddffbdc2230ae454eb0d3b2fe8e1d35b8129ae40fec33015a0c33adb1f68b0d5129b546e48df924eb

C:\Windows\TEMP\Crashpad\settings.dat

MD5 de12892063f81f60b11c0497ec332fa7
SHA1 ccfa0530f55d277c3fe6d75260088ae08d5b7616
SHA256 afd8ccad757251c38eecbb67fc9f41af5aecfec62b521b229c5b17e17ba05eae
SHA512 441e809f431b7d1715efa1a6eeda910ba6945b9529a6330cf964a1d8f7233e97893e6eac6758abbeca4c61d315829371fa2e2fa02a5b838d1fb79e7a43b6d7ca

memory/5788-570-0x0000000140000000-0x000000014057B000-memory.dmp

memory/768-571-0x0000000140000000-0x00000001401D7000-memory.dmp

memory/3232-581-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Program Files\Google\Chrome\Application\SetupMetrics\7e48fa42-562c-47a2-a6e8-c631fa016736.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

memory/5188-592-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 10339b5cd93862b6103e554d39c0e4b6
SHA1 000314d6ff2b82fe76191708dfa7b15cb5749db7
SHA256 229508aaabca463c548f1c39e63d9befa1763234b540267805f435288b6eaab3
SHA512 6757c14d0a87a0701f17a47a4c97b9a3cf254c4b16b8dfc08fa12cc98d188a1b2a28026e6497b8e9004b721c44cab669eb32259f022ca6f98287305ff7b2eab3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 05849bb9881ea482c001da5526337073
SHA1 20d30af52887d96d2e25a4964d3c63d451f191dd
SHA256 b8ea00f7ff1607452c2eaacb738ede911e172f7392e9bb873d479f8df32420a5
SHA512 753f030fd4cbedbfc7ef12264255d1f3160fbf98a1243c5e50d18a819c0f678d8886c1d6cff203b83243839c98ee6e5567834b3d76af79986cda5d42e4c7d25e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe58212f.TMP

MD5 c4d12c24a85b7e1aaf85cad983fe7610
SHA1 00bcb6e962cbc5a3d88689ec2f8c15feda6ff7fb
SHA256 6568b506f3cb4367abf414e66e1e93a4d4e40339dd3a2a1d5ded1f1907484337
SHA512 0d45cd5f36424147b7a67d4f154539d9ddde285cb363a139c5922814e6073cf731d61902a7eb84e9ac6547bcd52e65b023a2f97636072db478ccd04495a59aa6

memory/4860-691-0x0000000140000000-0x00000001404A3000-memory.dmp

memory/3272-696-0x0000000140000000-0x000000014019B000-memory.dmp

memory/4216-697-0x0000000140000000-0x0000000140267000-memory.dmp

memory/2284-699-0x0000000140000000-0x0000000140179000-memory.dmp

memory/3024-698-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/5752-700-0x0000000140000000-0x000000014057B000-memory.dmp

memory/5788-701-0x0000000140000000-0x000000014057B000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0af759c5540b8c7e6bf974d5e1c5f701
SHA1 d2dd7c6f92822ea2434b729f91b30b07694e9b96
SHA256 ec6d09394bd99ff17e5083c82f6de51614160b4dead25ef6ee15b5978667fb4a
SHA512 e7d7095d94f3e6c944cf62cbc7fcbc797c398ee73072958dfc7727f86036b4729683e194a5635d0282bc0398505736d31e37c834f916d3b06c7daa5876319b34

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 0fcb202702fa9704a6e2e2acfb902294
SHA1 a7f04cc40fd00f3bdfc6dcde6442b5bedf12a4f3
SHA256 e1c3350699951492ff211cdb7e49d33b08ab320e077275a571f2ecc7d35db180
SHA512 a6e7907e82b5880fd2d03324f4309fed9c37647c48aceab809f9551bb484a27e8997817e99a170b939058f068743c8c5140dea208aebc2d3e2c7956afc2e5e89

C:\Windows\system32\AppVClient.exe

MD5 295c99398f3586aeab693e9ae5dc7ef6
SHA1 bce92fc86cadebfa7d87480275270a19f2cbb812
SHA256 d4aaea33070ddcce97f29882b69485cb86237846c0868555613e11f8180eacb0
SHA512 b3950e307074e166f15113adb8eeb9a432e3323e1fd9ef7a0aca23b778cf24a7ffc170785d38dfc5ff2e2b560c42fe866156f83500492d0ed19f5769b3046e78

C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

MD5 3a6e4438c3516e2e60eff139a7f3e950
SHA1 93b2c87c3dd26e1368bedf808682fcf2993a3699
SHA256 9c1050260ee2803acc704a72df81e1a9124960b10e93d190230ba364a6af3a42
SHA512 9aaff84f2f0fe78064e28a2d0f30b367edb7394959491cee2d01cdecdb152ec2cd62fe51de6ed144e5796df2d780c3e3a58a1f237004ef4d15e07171dc097b0f

C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

MD5 412733a4da9525b4644a6e2da2b57f0f
SHA1 f076bdbf3d4db7380a62c47f8e0c2f4004368123
SHA256 336eae1f824fa3ea961acd598bd1b884109b47797ccc93c60436e5e33ac07e0e
SHA512 a53d67b1a09ab85472c51fc930b8bddba2ce9ef390b91920eee787f74b565774a85c26452ce2a1294bdb01f5467f1cdb66d2c6c4fd24257d4e4b81bc1b0807d9

C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

MD5 6ed30be76b2a4327d8ab180cc4d66701
SHA1 420bc3bfe01f237c60e21757965b5445767eac3c
SHA256 0e5c994f538e656ca085fc452b8ec6ce7106e32956b19487d9919ec435bcda6e
SHA512 ee4812f76700d197dcd42bea4f3aaf19b8f3de9161729650b8064f334c74345f099d73961dc079c0daf3683b11b539138f4b8d20fc2686693805ee79b0f23cd1

C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

MD5 cfb3dda87530cd400eb1af0aaa10cb94
SHA1 ac8ef671a43628869f339a4772ca9ad79d3d60a9
SHA256 c0b37e71393064eed7e2e5c3a6e13851d2e25361e53bb4939daed57465b8c904
SHA512 6b6f46624f7050075bad7058c941be90d92d5e167834ebeba50622156cf0b467d53bec10b13aa9196bd975ee74f567df907b9e74412b996deeaff5bc04c2ff97

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

MD5 186a4c2b94a8e96b9b2d2b02f6a32ef3
SHA1 bc6c0d4259a07d842882b405c2354539acad3ee1
SHA256 4e24cd6ca53083a9e99803c2ce8450be92b4940db868d2e8ff1a09021be4249c
SHA512 2d7f48778aea9845200e36cf2162d5ab138dfad1e53cea2e32dafda2c55deb9b7f4ef8021e26da191a86211396a802dd1cce5853e8804d453bc99928c9d5e254

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

MD5 e355b6ec01b661837b7660e172c79c13
SHA1 4b21c8071dbc6d0836a5ee06fec3ec5a05cb6bff
SHA256 428fc6b2d23684b48cbc192c23f07354fe6db190d0b2f464ceb84138417c78ac
SHA512 e07e03707c37750f2b48b365f757f369d8d4c3df7fbd320d5c700d84f6884905921efeb235550b5e09cd8670f3653086549640effc6a554a7bf092cc2d0d8869

C:\Program Files\7-Zip\Uninstall.exe

MD5 192f667592817bb065fe10821ed9223b
SHA1 393477add661eb553f500dbb391fa1b2e3264d06
SHA256 e693bf193d88022be876dc85eec039e43d9280edbd828eee2f7fc927a950bdb7
SHA512 2cb44e6f6727db66a484d3c01886d9c7689f18f699f782e3544115e705f33bafd668123f80e99de493ebc9ea2d2cd541e8d293288ce9cd339c9758dad52dfc03

C:\Program Files\7-Zip\7zG.exe

MD5 52b3b4dbff226fbd36ddea542413037e
SHA1 3db04693c36bd424c74a8db4e819b392d8914b3f
SHA256 ea7c635cd975c7a4e3a878c406e31948467f78c69ff65f90ca63e21ff7ea37c4
SHA512 fda4ab0af618726e78235d31130e64bf7396f849b6f8c03609db3321c7837a67d1c236078f46c3b3aaefcd323767735841134485130361405c9426152a09458e

C:\Program Files\7-Zip\7zFM.exe

MD5 066bff1b05c315bb71f872fb37db69a3
SHA1 f93c5a751869bed6a1e92f421633c815618199e2
SHA256 91d7373331d79b16e76bec9fa09d6c30b146143a87cc59d287d27a8e675992e4
SHA512 e9100db93a989e4d0d3d3e162caa15f9057d9ad7ed588dc3989f73230b6eff5c565c0899fa5c8769e69fbee0ea6d43d03bcd7f87b6ab8c4b91ac685f05abba0f

C:\Program Files\7-Zip\7z.exe

MD5 b38a11cbb499de282341d3b61680b5a0
SHA1 cc2b1dc695161058c51c8ff4e6387fccac4e6dd2
SHA256 dade153870b76d94d303321477d02e5e4c5907009fc6b7a39954bbe8f526ee74
SHA512 ca4eb1c6d8b5c760312191a38617a9fdf63b835fd6f084ecf7009d7cefcc36e4b5187b02b7640c8fd5e674bb28614a21b40acc3bd698d77761b9358ba456f2b4

C:\Program Files\Windows Media Player\wmpnetwk.exe

MD5 17feb0eed485d896f60ec7a6cbf77a4a
SHA1 4799f92c8375f20237a6f91a7d2b46ec6fab81aa
SHA256 a5df8837c82290b1ac93dad02b6cd65921bd8d8236fd7ccb089b1c93d1a374db
SHA512 c7390029a9f174214c113d32cd231bc2e5ec71a56d5500acaca81d866417e1d013ee85c58b08918e341610ca628d5a45209e8eefb776a39a696bd0a0c363fdb3

C:\Windows\system32\SgrmBroker.exe

MD5 7931f76713b5733d7ec8fc63903742fc
SHA1 ec50d22ebdafbb7c6142570febcce6c8dcca35d5
SHA256 07e15840aac92d354305aa7bffaf54ac0dbe92e4a9354e0a25eeac1172596e84
SHA512 1aeaf0ccffd514b5264e9d87f3ae233ed6659f88f71b9a7869b36b995ace071fcf71bbc917cd1fecf45f769eff8bfcd392e611a93d5ccbe18763c5a34cbf2b34

C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

MD5 0cf03b49429bcf84a05f345491efbdf7
SHA1 aada30460155d253f635b972a2d2a226c2fea943
SHA256 fcbca42a45ed50e9c4de1245dd3b39a85aa68d0d9986d1842361a71166634d64
SHA512 1b4fa944500fbe7811416059857f85cb8e1eaec3b0c01c1c962d0a6ad0583de7f8fb45cd4015f3f1c3ce9bb5521700d21d2ef34d60cad10d3d9e48a2c8d8ac82

C:\Windows\system32\msiexec.exe

MD5 01e54d98be66dfc742313033f5f43e6d
SHA1 c3d4a5abbe8f577615488b5d591549954390701b
SHA256 8422ca7f025e87c50142e85c8c080650117cee93398a93cbd947ad3128d846c4
SHA512 6912673824b6eeafb7bfa9bdbd83f9c389a60253cfeeb957db7a892d5ee0a4665196f7acd38feb1ea5d05a831dbeeb31eef570ac8750af991c8ec79f6e3af457

C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

MD5 b23ba8195615df175870acd2946f820e
SHA1 745a62464649a52c87aba877fb03ee62f078b21f
SHA256 e83d7aae7e0e10121da5b3ada0b3abaa6838fabae0fa81680590749f44e51e48
SHA512 fd360caaf89f6ba2fc0460ef6d959ae7d337abf26560a487c9b0bedd14a6e0c51adedced64ab6ad094840e5daf0eab31aca10297d3fe9b0aae33e0d4895da505

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

MD5 8b3beade41618bbabfa3623a67adbcc3
SHA1 d633a2cf9c8fc4c8fc969887dc2bb311b5e400e7
SHA256 e029a08b6e0559c1380cbf895a2537312fb2f50c888f141903241d0cbd4af36e
SHA512 850fcdfcbd92a29210705d659aea2820eaa2091567246a571cdc6830c8cda1dcc3f79a315d4f854f71d4a17009f5d47267c6c196778667d258cadbe02425f9eb

C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

MD5 de050460df779cd29b46417169e01686
SHA1 e7d0a7ac6729a943879ceaf44f2b68795a3e6bd0
SHA256 5c4523ce4c1bcc04a1934ff6900e2d0e6785b3ba5f6c7b8639fb2d6244f16f48
SHA512 3f13a0857d400cf42491f7c0127c23a7cea756cb4b7b8484a13f908b15eb54df6254e37e5b006afe9a857948372e7abf100117630cccb4c8c30739a86b371174

C:\Program Files\dotnet\dotnet.exe

MD5 ab328da198d5d2fd3a458587f4a3385e
SHA1 9a42952707a131f708270fb04d5b770e6e1de28c
SHA256 3b030929ce0507a29bf2ba8fcaecc2d829688a14ee4fed21f80448086c8cc116
SHA512 5c59c0811353f5b8a49584619e9295391418a057f11e4b319a5a284eef429e3049ac95144bf64b8c564e5aa54e6730da88369c817782c1291d7ad8f02c647fa3