Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/04/2024, 12:37

Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe
Resource: win7-20240221-en

General
Target: 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe
Size: 5.5MB
MD5: 60aa0fdad2e2aa0150825f19b5c30ff4
SHA1: 344606e78a0e7b04370b74a6a79c12efe510d7f7
SHA256: 11073d014e6030f3fd360f5fb86285a84f349f402cf2bea8c55f0da92791abc3
SHA512: 266103b1c12cd4d43f9bf6523d9589f01fc7f0320225754c7fc8a4fc5fe39671eb84199d9683f0453bfde67c01e9aaaabd4b7b211ee98f937607348e87cb6db8
SSDEEP: 98304:9AI5pAdVJn9tbnR1VgBVmmU7dG1yfpVBlH:9AsCh7XY/UoiPBx
Malware Config

Signatures
Executes dropped EXE (22 IoCs)
pid  Process
4640  alg.exe
4828  DiagnosticsHub.StandardCollector.Service.exe
1116  fxssvc.exe
5044  elevation_service.exe
2776  elevation_service.exe
924  maintenanceservice.exe
5156  msdtc.exe
5280  OSE.EXE
5400  PerceptionSimulationService.exe
5560  perfhost.exe
6052  locator.exe
5304  SensorDataService.exe
1888  snmptrap.exe
5464  spectrum.exe
5860  ssh-agent.exe
4648  TieringEngineService.exe
5368  AgentService.exe
5708  vds.exe
3192  vssvc.exe
1812  wbengine.exe
5792  WmiApSrv.exe
5876  SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe)
File opened for modification: C:\Windows\DtcInstall.log (msdtc.exe)
File opened for modification: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe (alg.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (TieringEngineService.exe)
Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (TieringEngineService.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2644 chrome.exe 2644 chrome.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 416 
2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 3328 chrome.exe 3328 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 672 Process not Found 672 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 2644 chrome.exe 2644 chrome.exe 2644 chrome.exe 2644 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 2360 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe Token: SeAuditPrivilege 1116 fxssvc.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeRestorePrivilege 4648 TieringEngineService.exe Token: SeManageVolumePrivilege 4648 TieringEngineService.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeAssignPrimaryTokenPrivilege 5368 AgentService.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: 
SeBackupPrivilege 3192 vssvc.exe Token: SeRestorePrivilege 3192 vssvc.exe Token: SeAuditPrivilege 3192 vssvc.exe Token: SeBackupPrivilege 1812 wbengine.exe Token: SeRestorePrivilege 1812 wbengine.exe Token: SeSecurityPrivilege 1812 wbengine.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: SeShutdownPrivilege 2644 chrome.exe Token: SeCreatePagefilePrivilege 2644 chrome.exe Token: 33 5876 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5876 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5876 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5876 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5876 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5876 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5876 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5876 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5876 SearchIndexer.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2644 chrome.exe 2644 chrome.exe 2644 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2360 wrote to memory of 416 2360 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 94 PID 2360 wrote to memory of 416 2360 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 94 PID 2360 wrote to memory of 2644 2360 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 96 PID 2360 wrote to memory of 2644 2360 2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe 96 PID 2644 wrote to memory of 1092 2644 chrome.exe 97 PID 2644 wrote to memory of 1092 2644 chrome.exe 97 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 
PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 2480 2644 chrome.exe 102 PID 2644 wrote to memory of 3468 2644 chrome.exe 103 PID 2644 wrote to memory of 3468 2644 chrome.exe 103 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 PID 2644 wrote to memory of 4928 2644 chrome.exe 105 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-04-03_60aa0fdad2e2aa0150825f19b5c30ff4_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2d4,0x2d8,0x2e4,0x2e0,0x2e8,0x140462458,0x140462468,0x1404624782⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa5179758,0x7fffa5179768,0x7fffa51797783⤵PID:1092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:23⤵PID:2480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:3468
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:4928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2872 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:13⤵PID:788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2896 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:13⤵PID:2648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:1596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4776 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:13⤵PID:3016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:5660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:5804
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵PID:5980
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7dc547688,0x7ff7dc547698,0x7ff7dc5476a84⤵PID:6080
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=04⤵PID:3456
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7dc547688,0x7ff7dc547698,0x7ff7dc5476a85⤵PID:3700
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:4916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5328 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:5220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:5508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:83⤵PID:6064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3160 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:13⤵PID:6188
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2332 --field-trial-handle=1884,i,12612878511373227033,8655718077213397337,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3328
-
-
-
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4640
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:4828
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:560
-
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
- Executes dropped EXE
PID:5044
-
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2776
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:924
-
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5156
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:5280
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:5400
-
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:5560
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:6052
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5304
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1888
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5464
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:5860
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:5824
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5368
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5708
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1812
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5792
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5876 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5756
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 9002⤵
- Modifies data under HKEY_USERS
PID:6176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5408 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:81⤵PID:6212
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5c9116c3a79df6281a6e8572f38d6245d
SHA1eef59f266eabb7b81962b8350e43c36276abf9d2
SHA256fc9413b06858ebe284b8b1418096d30d770e836d167968d306a84121ccd1205b
SHA5124e4d43e32f8f58478e303ac58be23722c598d15340df9a3b018a190794053aeb6cc4fb611b5f2008993a38b80749b67e5279e0b1d96dc7308fca4e9c0f490f17
-
Filesize
1.6MB
MD5ae824ae1b7c6fd132248c9a43adb155d
SHA1f516697681e3673822fe1d22bcb39a94c0efbdb8
SHA2564ed5b9f1f21bd1838840c02c579246c11d1f1e5af41ddc57b50723a64604ffcd
SHA5123cf0cf2e8cebde9c5b9975d35c7597bffa59735dc8490b44dead7662c092ab388d8607f3f96149fc7a2f329a62b569fe8913f03d3575a8d2a62b6205abe6e658
-
Filesize
2.0MB
MD59af303f9439def055925ad7cbed32f98
SHA1d3b9a1ffb3dec7b772fe557c606656a3f559701e
SHA256f60a0891d27095cc0f84644b87524a205d0d2963bccbe2147a5f3f77ed750536
SHA5124a7f839773b20577056629780a51969316867cfc48aa849a8d767014cb11c00260c951565ac2b8b9126650e12c8e8ac132078caa4a00b7e37ac79be8730ea3c7
-
Filesize
1.5MB
MD5c948f122d8271e857d7d63ba31b673a7
SHA1e53f08d675bf0b423cef6df177a6763f2d155236
SHA25656c08f18087007c1407d1b3e9e29cbf6e45f5ac534589a45af4e10ab510e552f
SHA512998680e04c55e1a1f5795fae6316d7f88827c60093f5b8ac595210074087d99f18beeeabe498e6ca92cc4304af795ec5d7b1b94391b878aa059d5a0e64fb2cc3
-
Filesize
1.2MB
MD5c52348b422d916119f32df33b6fbc3c6
SHA1c46456a3c4d3d190386364d6d84ff6ab8a2d6db7
SHA256671febebc73f06492a7a162478f398542338278516e49114b76c389795cc957b
SHA512dd187910741ca5bb2bf0e3fbf8868aa428503fabf0403fe160e1d001a87716db93adfefceccfc654c07fe0c8e57bc7de557e09b2ef5c4f70e6924060a18d1354
-
Filesize
1.4MB
MD587aa212191976477b66491be194b6de4
SHA1e1917db90c8319d91750f2d2a8430a454d891d9d
SHA256823e4784be5be6a2b5628638991b3a553af6c8514edf6e19b87c60b6974853cd
SHA512dfc025483157c1aea8654d515debbc3877aa09628f3617de52f2a22ed8ad4908581b79269bf30a7b0d0706a8583d5e9bd2d7405a75db68a1c50a476365d3cd28
-
Filesize
1.7MB
MD564b7dd0875e7c90f201cbaab80e9d154
SHA1cbe210fe72b4d383c7a9a7dfbe789a722daaadeb
SHA256d5510092c64a68cbd88e9bd3f08d69caf390fd9a46607b2087518ce7b5e1a02c
SHA512ca5bde527160f5fc0fc8fb29f15f4499d282a66199c7a14fc707f9b9a2d6814817e5059fae7fad1604ba1a5d6c406fee5eee3ec3a3df29b2839ae3db83f8bf7e
-
Filesize
4.6MB
MD556a2bf37e93746c049765a83fb945cf0
SHA1f88a330d885ef85c517b5cab581a51d7c9de4828
SHA25658890a1f198d33d3a1d58d2242f572e3e28e2a34f229400f7a52194d0899431a
SHA51293f93e4f18d44d5400e50e79dc9676a5182ffebe5520f2dc0d67e61ecf628ae44254bcb36e7f1422c81565ad35d702e50c3cf0cd656253dbca5aec5c57b12eac
-
Filesize
1.8MB
MD535814c602d6311cc964b2d252052c55e
SHA18ab45f7978fb197c2f17e1d8081aa0f34dc4d035
SHA2563c0895fc9465c015b3a96ddcfb4d8ed3ef9264639a9b24ffe58f96bf7e30b949
SHA5127702c5afca77da607697a658ead54e2a2026603722666af7a275aded983359cea7bb32787ceb6132a8d6b0578ebc688177c846a5102ec7ad4db0f3eadc04b549
-
Filesize
24.0MB
MD567080f631e4d2a392e505b2ada768a81
SHA19a8ecf51c069828b91141194447430cd24ecda05
SHA256083336c56bc502cab22f0f74a333efa004b0a545a0e7f9d11153d558e3e45ca5
SHA512eb11fc7bfeffda1f51b88f510dfd0b4d427236037d409a00b4cf2bfb0ea0e3fff566197f15a67955dbc6698f952da373f1283bd7727f72dc9887be801f394585
-
Filesize
2.7MB
MD55ecd843af5d94930b9530c2f0ce7da36
SHA1b8187477c41cb6f97629a3aa3afafc4455dee629
SHA2561cd1df2b026572f52895af6d6fc06ddada7e5e659c513b50a7588128a5dd7895
SHA512c14581cc34f78e2e80462b9de1d6ee320b2a5edc998d1c7f1169b1643677628ec892f8cdccb3fcd49856e3cc43099adaf5cefdc0f9abf6b9e486846e9b89706d
-
Filesize
1.1MB
MD5a0954507924ba0f79b2f2de0277ac150
SHA10869e94aa9a59913a0624b846b3d32ec16f963a6
SHA256a2418edac5e6bc874fa804c6869ddfa7ed56abfac33757b64a1e20150bdde2c6
SHA512356a253d07ad43c65dd220aca4590a6c589dec7ef9d83d2a413559f934f4136bc0d7458ff7c012b4ba79bb59db5e04c2e5e43364c56e82d0b44dd7da276b04ab
-
Filesize
1.7MB
MD5ca4d8a85bbbb3b92b5d6ec4761f3bd5d
SHA188f11c5636fa1e071af5ca216f04132b13b2e22b
SHA256c534bd87388366abb9b576313f738711066ef588e0961b5087689876134b341e
SHA512c58f7fb2931af26cdb7864a764db3b539b1949fe185e617aa39a64c9e4420fa7130217560f137076598f7aed6657fc527e8710d9fd195722122c13e1c603c5a3
-
Filesize
1.5MB
MD5411a49623aca8f42801f0ad706966abd
SHA1d695162bacc7f97cd02c36fc057b93d71cc7d88d
SHA2565f7065df621912baf316eadbdd9d2754e4430decb72a00802d332429fe535778
SHA512d0e4dc9b447fc8688eca0660eed9e73d34b563399f3ae26c2732630f1dbae11d8430aebb1608194a6807ed11294d2c4d37f81fe232e395363de04826e07ebbe9
-
Filesize
2.1MB
MD56f82c9476215e4aeb85450d59b3630ba
SHA15bb46f5f4db57786226826dfca800836b2b6d102
SHA2569cd500daba158198d8279d73fee4ffe01032b2a1e82e17bcfdde769535fb04dd
SHA51237692aa7ccd64e3f189af83157d900b32f24a1f97dd7385d13811866633f815f03898e06efc9cfcf42a9658f8594d29f92b1c157da5788fdf0802463dfb67c62
-
Filesize
488B
MD5
6d971ce11af4a6a93a4311841da1a178
SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
87f63a451d3de30841b164f801d19d68
SHA1
a6804604aded8eb9325f0167dc863a28fab8d7aa
SHA256
4a8ebe356fedf18fa26772a523e6ac2ad3105b326eb58d59022e54e17baffadc
SHA512
1345eb102aae7642f8cecdd46467a77d2d92b1e4c79192c52545e05a59c555d2012bf9d5f506aac8a67d9969ebf2716ab9c58a2b24eec894768389f2fb5e1008
-
Filesize
1.6MB
MD5
33dee2ebeed77826c1eeceb89b452424
SHA1
0e6e1dc3cb4922062e025ac1d5ab52c87992653c
SHA256
fe4e0bd8faf70a19e58e276b208f367fb09b18bd684567aacd69212407958486
SHA512
36bb932bc70cc0527c52fc631e4a72f69b1222639939cd11f2ff7ce2af529d290ea9229b4180082b0bb3ca9c9b874ddf1143f6757d072e9b268cea1b61acabe7
-
Filesize
40B
MD5
85cfc13b6779a099d53221876df3b9e0
SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed
SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en\messages.json
Filesize
851B
MD5
07ffbe5f24ca348723ff8c6c488abfb8
SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B
MD5
4ec1df2da46182103d2ffc3b92d20ca5
SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
1KB
MD5
333ddfaad13eaeb501f760ec075c1d83
SHA1
340805b541c46568737fcf7c78bc39b87a431a01
SHA256
88bcf14c3cb826a5722b25e7f34cf71e5b19944af36fad6287280a19d1d7ecac
SHA512
0cf461308fbc60ad2f7a8cd679b2ea1c4ab989a9c1b27781da201f82102f626706f98d6363f38d6d6407451dcde0789ac43d6d7f5dbd77b06969741184048d6c
-
Filesize
1KB
MD5
368260c6fce84badcb88fba00cbc5f11
SHA1
176094cf25327ce9f1b6c1b8cec85a0126aca1e0
SHA256
0c54caf08eaeb3d89283c6fa4bbc6ebbd5d3ba7083bb9e6175da91a6b074f854
SHA512
96af7ec29cd651f65342f39dce21fdd231ab9bf16b017f1a39beb702aaea2ad804a60396b9b267b7fe1ef6a4d2e57029ed294e4a8105034e8d584289bf850227
-
Filesize
369B
MD5
b19622686f2a057780b7caa136d7eb9a
SHA1
dc989ccc0a612c6d414db583ccfff3145559644c
SHA256
f57e798c1e6657e6013d94c74fe2c6269f8346710c5588dbe5368ac24df0dc50
SHA512
d8e766b0ba27bb936878818bb6fb28e90a3ab26a44009d36867664302b229e69b5d03a0f338220aaf6ccac23b9b1bc9efc49922934a0afcdaae46ee07057f4eb
-
Filesize
5KB
MD5
5f3edff58b2a093ef86e04e27c021bb3
SHA1
9655e3c6d811915133598a1e47d37d7585d35959
SHA256
23429cc9bcbfc71fa99737236b1be870254bc38f1a4a0251623d77ebfc9f6001
SHA512
bb5a920331189eade3c51ee4e9965e9832885e2180492d6ba08dd1584ede2b265f0ce0af3619d2920c9591a3d4d3f830071c4adef9d98ddc8d0767236bf13de1
-
Filesize
4KB
MD5
fc1886e68b9d9abb1d630026d64b3f26
SHA1
7cf40ba35ff9f6b5d9104d92cc80d401d3edff38
SHA256
0c148a6c46f58564e0ade7654e2df2cd647e059a58e78a82bdc4624b8c7c2e1b
SHA512
df019ef23dcfa5eba3ddf1262f027b19ea9a9d3395ce168b082388b143f64b675664e017f0ca2c4749ed9e13424527c9211da952415cb0b8c8bf2a2c428a85fd
-
Filesize
4KB
MD5
bd87672cb6547c76e21909f4b72ba4c5
SHA1
49a6ef2860af24c004a008939b35cff39a9cc3d4
SHA256
65b6cd8ba0beab137d94a9c4691ab210eb41096dff2f87b8fe7738ed8b0d0d34
SHA512
fa59f16dc67668446403bbf80ec196d82495c4a623735e663819b692d25adc93a3abbb29a5bb45c7f8a6de04959d99aeafa94b197c38814660103ca1b80f624d
-
Filesize
3KB
MD5
8572434b540e6d904e5bef40577ae0b0
SHA1
dd06378f83c962de01e67391b9b6d886ff7a039a
SHA256
55d846cbb27bd54b2e2ad01245deddd0926bf97440e0a0aa4738d1028f924c9e
SHA512
e980de6d664b7406a5f3a9d9fe6dc5910c28c34c98530eb42d813f36829759204a44beb8aa8552322079f9b77371e5d1a7573ea2a6fa675bd9d20ba30d25c38c
-
Filesize
2KB
MD5
04695aadffdaf28b5be826d27d48721a
SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4
SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51
SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54
-
Filesize
10KB
MD5
d87f2d1c8c702d49878b32cb8e8af2bc
SHA1
84a4146ecab48b7be73a16fbbfd55385ac41a2e3
SHA256
116e4d05652538d695364ee611c7932dca3633b6087f8207f0b15e7fadce417c
SHA512
96c30c5b759ffa32e57ee1729c4ccb925fb6d5b00e61aaa2628b5c78812536791807050c0c4e4fdef1dcdd79cffd325a4435cd44196c9b1c23b1e463f5262150
-
Filesize
13KB
MD5
1cf28c8427d67b7f9abfed6faf79240a
SHA1
03d13ab35b1c8f647320c20ac0e32dfd49aa5139
SHA256
11c320bcb4ef48b15bb50b45f1ff8e4bd57e53f90d14c9699883612449fa7203
SHA512
cbb607e031137a01ce304d1c53d4034081cb818c6bcd13b50875f69b26411d1aa5a20f8ced09e281fde00fa7017491fc209a8c64bbf33e98bdd6be1f72549357
-
Filesize
260KB
MD5
7e49e7925c3076178d9a169c97921afa
SHA1
63aa3c51a37d87c83f284eae3d81329ada45a131
SHA256
a759b9c70e06ebe2e5945bddbd02fa6c92a01b5cc646a0584ecc95bb4190583f
SHA512
0d8c9b91984b8a7965c0113e6365160c19283de6008f5dbbd389c5816501652c02c35ace49dc2d4707574a2184d0ca3ca28cc61a73e8882f916c06992b6380a5
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
4KB
MD5
7fdece46ce5aca750a7de643c1779718
SHA1
9e65a89258a39243f1a019a489239c4caad48c43
SHA256
8e146dd1b2c67f406ed4005d42e074af34fbc8db6aff32c0ac7926e4dfa8bb24
SHA512
c1143d272578d24b2786eb8b4cbedf0f76758efb9e3590db6b803bad0a8d06226c3a2c3e1f4ffc6a1b9b30df9346bf5ca39cf96573806581a36ee280c248ca3e
-
Filesize
6KB
MD5
5c8f6512bced49242dfdeb87e927db82
SHA1
5a256157c9bb0b03b923f5d33bc88abb95cbdbfb
SHA256
3ed7bf4a112509765aaf6d782cc92c4e821d1c5d0d9610e23600ed96342ebd26
SHA512
95b702c371ee3b51d4d6b51eb18945affc12503e1cc4e2a2b7e20d6dee2f2da276eb797fad0d58f893f94ae50e27a021ba8555208bfb4d963a34bac58bf87ea2
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir2644_1374066822\78980930-79e9-4e6d-871b-b2b591059468.tmp
Filesize
88KB
MD5
2cc86b681f2cd1d9f095584fd3153a61
SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e
SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c
SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir2644_1374066822\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B
MD5
558659936250e03cc14b60ebf648aa09
SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
12KB
MD5
e723496210060ff0b08e9e3afa126552
SHA1
e659ac4b9e50d19446b79b25788fb40303be2b48
SHA256
96a5ebfc6f7d41fcbd618754004bce9324962bc3a9432fd08cad127b8a101d11
SHA512
0109523a4b0dacaac1c3a033d61d9cf2c0cdbf0ad5dcf100674be4018784934a43c15ed6a0242e4eee2079daaf676739ad872aca0ec0cd8216b340c6e9c9bdf4
-
Filesize
1.4MB
MD5
eca8f30709ba107bb19862ddd3ed844d
SHA1
80b9d069ec12de12d1d57dee99d26c48344769c0
SHA256
f7a128622d494a6777cd6111e41a548deef8ebf44a227a030c46955242672c7a
SHA512
1a5394dff6a163950b29ba6cd08a213baa2e9508c6c0c8af56f2cbb319cfec70565ddc7ee9955165a187890e17f6d71a2dc02151c8e67d021b6251362c9cc641
-
Filesize
1.7MB
MD5
3891712cdb186bbfa1511a214d3a5a62
SHA1
d1a6a5619c2b53079b89a0a66e526b3e72858ba0
SHA256
aa219c64e77963a4d50e470aad88d325b8d0c714346404656a733d22476a03c9
SHA512
838da1264459f290d28450b1a0649eb99073baa76e31f5736e9ef488e41ebc8ff69e8bd5f47fd2eca8fa633a1852a85a3b8e7a5e18cd81f4cacdce4471997076
-
Filesize
1.5MB
MD5
1eff1cac58fcad06bdb617346a5e0ebe
SHA1
6780be0fe29321e6090ce5a997da8a0de05f085d
SHA256
ffac0b40546a2a00bb21ac7b4fec0dc253900d736eae440066885d792b74539e
SHA512
0ff096d200f3ba1ffe8139ac84647541b5878ee71a4483e7a09fabfa5b449fbc27cc4396d840c040ce8aaf16e960ac3e836f396590fa5cf0022e28e880b0feca
-
Filesize
1.2MB
MD5
d773b6630e4eba15be00df01abc078de
SHA1
f6f0d8d868ec84a7fb5f115b4edc24d98f67d090
SHA256
570c215a79bf07888ccc8b57eacec08285b2b381edf3a13c9f7c206f4c05ceeb
SHA512
10abcf992893bdc00ee074ee0b32bd0fa56b22bef3587af7ed5b32b59d4d35fd50a67da6d5a07677d08243f50eb08e51d9aa7ece0eafafcb2c4158b3e584bae5
-
Filesize
1.4MB
MD5
f3423ba4e6c3f509be72ec42dc374507
SHA1
7ea3348c87675ce09ba098cb68f6a4a8c315c920
SHA256
769a0b5bf09dbf5e76e438d1b187a18f12d5c54e56eb4a3ae5758d5376bc496e
SHA512
315011e88800c887d90d9cf98d9a6e1e2b6e6aed6a9a53a7f07ae06378ed225149bd7ac831bc7fe40905699d0f96349e0da4cb7ddba03f2aa2a87cbb218a90e5
-
Filesize
1.8MB
MD5
aa75a793b45a1f2ab955c9ba653f31f5
SHA1
e0e70bcdf914c6f0f807e778d7bee1b64f290fd9
SHA256
950f54159b1ee0a2b97dc2000ae1dffdbfe1cbf2bf6bac3200e3cdd266a66673
SHA512
76762bbae396f9780e0a631c29e44da063f81ba85405525d13a718c562ef7547f36800b852a719087bfa834ac6950e97fb0353e6888f249560ce500f28d790eb
-
Filesize
1.5MB
MD5
5f04235c408aa8fd692527ee31c1a8f6
SHA1
499fa04f05304256aac26a9762609b05e8975992
SHA256
cc06c6ae41cf1db1f7e518e7a047dccfd1c83ca519eace0063b932a365f1f956
SHA512
9929057de688d91952a8eb4abcaaf2e686aad3da444f2ff215cbc3067d680bce1da5178b1599322f1be06ff7ded398b68a7c0e71900ef7227ba24f8838018551
-
Filesize
1.4MB
MD5
bebbbfe23df01f5273827aac8dc31176
SHA1
628af151ad006bc4464d5565926ad9105556cfc9
SHA256
edfc0601642ca66b4414ec419e4961dc8edef34e9b84022b069eae58b6637bc1
SHA512
73c202ab834b519e5a2404e972913f916be8945901007f04466830bb287f73bc41132faf7bb9fff3633ba90155b0680b44af510f79dc6e8eac526605f53b8058
-
Filesize
1.8MB
MD5
7222ee61b97ca656bf983505bebaa4ea
SHA1
82326d91115067083c48761e3b9581fdfb872a89
SHA256
6f3d83e90c95ba26f55252311a19d553ebf5e95ad59d6776f506b7350aa57217
SHA512
b0777f6f2215443103a60417e22ade5d044ad51b11e91b358cd3413bf50bb291274eb42c7716bd5b1be588da3aed4dc98e3e4e9b78cc353060f60d8a01906fb6
-
Filesize
1.4MB
MD5
4c63e1c2ce83169d2430dcef498c3997
SHA1
f65d29c3a182daccd4faaf5954fe36971df6f02c
SHA256
a29c2e891b705fb6f5ce0469b157cccf6f1d78bd4fe28975ac25936305a20e81
SHA512
6ec8ded34a7d75d14386c8571a9c400d7204c857310b636f72f9b1d0aaa17a7bc005ed24c4ac3a7c9b813e0d6ad486648e4e32ae958a1bb86eafadbc5dfa4b02
-
Filesize
1.7MB
MD5
d483bd3b73767f4203b0020d2406ca64
SHA1
802d7d3a2ab31c8274b1da5438fdfa9c14c1b2c3
SHA256
ef31cd7eed269058d43b97871a03502822bcce63d212683431a0f4bbef4af378
SHA512
f7239afbc992b29d5081f767a28d27c9afe99efa750790905025b785ffc9fa6b38bd39b55ebf9a9bdc06a226f68bd6b41dec6d66d3ae7968c503ffcb84666bed
-
Filesize
2.0MB
MD5
cc44ecc67c754fab40e47028d9679492
SHA1
619ae59ac42dd874e4eed693724340ea8c9eb6e1
SHA256
c8a32f9c8a8f4d303e9a7e8ebae95bc8f98a7716a893080e2833cf309d254c50
SHA512
2adaef049cdc50c065c12d17d5386dccf589c21d3f1a2c1d46db9575f60a5a404d0bd5335c2f5d0dad51d77a41e58fed9a5d0bd9fa9f7bf8173135ef82b9597a
-
Filesize
1.5MB
MD5
25106ceff92da07d52c60ca6259ae34c
SHA1
01c824fcca8e995c3fea9620c964d368d6c513a4
SHA256
0cd7d44cc25706393113096a8ce39ddd935e30a1409a0970fe74e71eeae2ccef
SHA512
740b29fadc02cf38fe7638830909a60860407ccde19be2e123a68aea44001d95d2c1cef1fde134d2cdf36a350f62b3e06c9a45ddefcb2ee7171ce1b6298c9b4d
-
Filesize
1.6MB
MD5
71dbc3a71781ff8437ec92dae93e6f75
SHA1
0acf49aedb8f1bc8f8e0c50765397537dddae7c4
SHA256
1b0b827ef2fc842383227150369e4b6966d3906903505b820d19029649c880d2
SHA512
b914d448bbc0dc75e8a43b19cebe3da14faca546bd0a149d4a3ea9e487cb0558d15225847a5e37aeacb8b5fbd5ecaf2f7619cf498fcb96cb7e7adcd3e754ca39
-
Filesize
1.4MB
MD5
b85179d4ffff32dba0ce91aa153a6ca1
SHA1
f2cda5d5b701235b4849bc47cb02d6cbff7d6b6b
SHA256
c75acade629d1d67148d549dddad4a8972a95d157d6ceed257252f602d7e9689
SHA512
7f88c09814398a5ebedcd33edfc6876377fb6b86c715362dd2f02c8c1a0e38f75d6bce22c2fa94582371d08722a6e3f5aae8a69228093d4476f457e34db19e67
-
Filesize
1.3MB
MD5
4dce5b6ba7cc58aefbb132592b567c47
SHA1
544684813ce201f5782c8ddbc7161b4cdda5cc22
SHA256
5ce45e9ec1cb3aba8331eda64388c05b8baa386810c3c96995336f44232a6f92
SHA512
3beeab5b5d0470dc9219213007e7ecad039a34095e86f6e896d7dcae3e9bcc5a91280f80231957158c5f6be90755faa3018aeefc564dd2e8ca597fac6f8babec
-
Filesize
1.6MB
MD5
5b89d34f4f7da6303c33d2a6b155ff4a
SHA1
6c64fbfd6454e669685712e897a54608009f3351
SHA256
1ca721f1eb01714bdc90359e3370af161a9864b3908f0109777fef941e14ff54
SHA512
1fb46a70f878418d90896168802eb37cd6535e38992db7cec224310626b18c0a5ef92ec41132f10ea1825401c26d631be34d160460d935d0dcba57647d1a4250
-
Filesize
2.1MB
MD5
8b5bcc540a044c50ed1beefb718f5dd8
SHA1
d96e58a8746e9aaa421b8960d6dd8f65315dc91c
SHA256
93e6605e695501e3ce0a5880435d00327f69acc37d9dd0f2a8ac1fea78dbd7e9
SHA512
7a5d1f264febf8eb418746cb2b77cedabcea7d7564f907254ff831b7b80a3707c2037695d7e1f7a645790c1d05e2181b708c57e574ab031c6317d9a4b927893e
-
Filesize
40B
MD5
0e1a0df5323f02fa141b11070035f203
SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f
SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7
SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5
-
Filesize
1.3MB
MD5
f4f3343faf4a77e6b5d3ceabc6689de8
SHA1
e392bf99ef55505ce6c1b0f8a5d2d6a6b0ca4996
SHA256
b928429149fcc630f6a28af98e752b3ad09d48e5fd51bc27784e5e0b4f67b117
SHA512
9985443d3afd4e7da03807883447524bb4c4164331cb2d60526c85caf9371a408e5badf74759356109bbf05063421eccfcd88f08d34a62b403d6f8c1f9bffe93
-
Filesize
1.7MB
MD5
d3ca9cb8803a75a820f9324da3cd94aa
SHA1
935729f98a66e6ce8ba06c3adff3fc5a40810393
SHA256
cfb871970d2c7e8cfcfb21d5dd073f01feca32f2f2bf6efa2422e828cbe59679
SHA512
65f92da40fe5c198f633194be6982768c2864bda54313a7401dadac3452ad3728b84a42b5cf0aa8f58c71dac4f82dc7bd063c5930991308797a404505ef220b7
-
Filesize
1.5MB
MD5
b7633b32af3ddd696c23cddf6efaa818
SHA1
a8f6fec011989b864f9ecd119c91d28f79649023
SHA256
9382ed84c591d27c29782d9162632a1a140a752c90546d4ef946c0a25934361e
SHA512
eeb2807d00a48b7151a0a4f4de904cd7bf5187f366d8f96cf129b231709af1583429353edc9c2995769064e4f04965b7688055fd83f68225418c2574db65c459
-
Filesize
5.6MB
MD5
eddd991e454c08aa670d80d2994a8c4b
SHA1
7ee6b92429057410d56f988663c06808d5af0ccd
SHA256
3f23fb642bcdf46ffa13068b43c385df36264f1ee8514d6c795ea31c47bc06bf
SHA512
07f3be88de14cc8af0a15a6637bdf20dc8dfbd3169d7198d0f430f7ae34176df3ec899a5f03b0d8bc704e5d2ff5d0ffb326c6f3b0448864ae2438cf02c9c4469