Analysis

max time kernel: 153s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:08

Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
Resource: win7-20240221-en

General

Target: 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
Size: 5.5MB
MD5: 150b4ab35647f50419a97822f8a9d0b8
SHA1: 72172ad996ca71c3639e0aec864d8bb8ca92f267
SHA256: ddaa98f7655b7e79a86c9770f2765be49ebbc732b068aca6b22963a33a7796b1
SHA512: 83e2770cedf47992db4255268370e545b021e7726d32772ef6d429bebc85f5333e0a6716dde4c3307857a19236df7804040fcaaf4d6a4af817efffb90180a731
SSDEEP: 49152:3EFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1cn9tJEUxDG0BYYrLA50IHLGfm:jAI5pAdVen9tbnR1VgBVm8U023W

Malware Config

Signatures
Executes dropped EXE (22 IoCs)
Processes: alg.exe, DiagnosticsHub.StandardCollector.Service.exe, fxssvc.exe, elevation_service.exe, elevation_service.exe, maintenanceservice.exe, msdtc.exe, OSE.EXE, PerceptionSimulationService.exe, perfhost.exe, locator.exe, SensorDataService.exe, snmptrap.exe, spectrum.exe, ssh-agent.exe, TieringEngineService.exe, AgentService.exe, vds.exe, vssvc.exe, wbengine.exe, WmiApSrv.exe, SearchIndexer.exe
pid | Process
3228 | alg.exe
5052 | DiagnosticsHub.StandardCollector.Service.exe
2336 | fxssvc.exe
4696 | elevation_service.exe
3124 | elevation_service.exe
4108 | maintenanceservice.exe
2908 | msdtc.exe
4336 | OSE.EXE
1796 | PerceptionSimulationService.exe
5208 | perfhost.exe
5432 | locator.exe
5532 | SensorDataService.exe
5644 | snmptrap.exe
5812 | spectrum.exe
5924 | ssh-agent.exe
1648 | TieringEngineService.exe
544 | AgentService.exe
5256 | vds.exe
5776 | vssvc.exe
5140 | wbengine.exe
3920 | WmiApSrv.exe
640 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes: alg.exe, msdtc.exe, 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe, 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\924ae3b6b3e2edcd.bin | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
Drops file in Program Files directory (64 IoCs)
Processes: 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe, alg.exe, maintenanceservice.exe
description | ioc | Process
File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\extcheck.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log | maintenanceservice.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\servertool.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
Drops file in Windows directory (3 IoCs)
Processes: msdtc.exe, alg.exe, 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: spectrum.exe, SensorDataService.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: TieringEngineService.exe
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: SearchProtocolHost.exe, fxssvc.exe, SearchFilterHost.exe, SearchIndexer.exe, chrome.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062ee29c6f2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014187abff2b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce1ab5c5f2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000791ba4c0f2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration" | SearchIndexer.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009de8cc2f2b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b3f931c5f2b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft
Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000999fddbdf2b3da01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" SearchProtocolHost.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
pid   Process
1348  chrome.exe (2 entries)
404   2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe (35 entries)
6240  chrome.exe (2 entries)

Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid   Process
656
656

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
pid   Process
1348  chrome.exe (4 entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Token                                             pid   Process
SeTakeOwnershipPrivilege                          1932  2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
SeAuditPrivilege                                  2336  fxssvc.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege   1348  chrome.exe (10 alternating pairs)
SeRestorePrivilege                                1648  TieringEngineService.exe
SeManageVolumePrivilege                           1648  TieringEngineService.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege   1348  chrome.exe (1 pair)
SeAssignPrimaryTokenPrivilege                     544   AgentService.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege   1348  chrome.exe (1 pair)
SeBackupPrivilege                                 5776  vssvc.exe
SeRestorePrivilege                                5776  vssvc.exe
SeAuditPrivilege                                  5776  vssvc.exe
SeBackupPrivilege                                 5140  wbengine.exe
SeRestorePrivilege                                5140  wbengine.exe
SeSecurityPrivilege                               5140  wbengine.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege   1348  chrome.exe (3 alternating pairs)
33                                                640   SearchIndexer.exe
SeIncBasePriorityPrivilege                        640   SearchIndexer.exe
SeTakeOwnershipPrivilege                          640   SearchIndexer.exe (21 entries)

Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid   Process
1348  chrome.exe (3 entries)

Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid   Process                                                 wrote to memory of   procid_target   entries
1932  2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe   404                  93              2
1932  2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe   1348                 94              2
1348  chrome.exe                                              628                  95              2
1348  chrome.exe                                              4296                 101             38
1348  chrome.exe                                              2040                 102             2
1348  chrome.exe                                              1788                 103             18
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1932

  C:\Users\Admin\AppData\Local\Temp\2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-06-01_150b4ab35647f50419a97822f8a9d0b8_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2dc,0x2e0,0x2ec,0x2e8,0x2f0,0x140462458,0x140462468,0x140462478
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 404

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1348

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaee4a9758,0x7ffaee4a9768,0x7ffaee4a9778
      PID: 628

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:2
      PID: 4296

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 2040

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 1788

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:1
      PID: 3208

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:1
      PID: 2512

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4424 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 3416

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4736 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:1
      PID: 4344

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 3128

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 1476

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 5624

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 6012

    C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
      PID: 5100

      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x23c,0x240,0x244,0x238,0x248,0x7ff7c1767688,0x7ff7c1767698,0x7ff7c17676a8
        PID: 5588

      C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        PID: 4088

        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7c1767688,0x7ff7c1767698,0x7ff7c17676a8
          PID: 5072

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 5404

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5664 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 5420

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 5844

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:8
      PID: 5460

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5644 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:1
      PID: 6452

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 --field-trial-handle=1888,i,2717848781026729977,8068954603650443937,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 6240

C:\Windows\System32\alg.exe
  Command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 3228

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 5052

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1972

C:\Windows\system32\fxssvc.exe
  Command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 2336

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 4696

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
  - Executes dropped EXE
  PID: 3124

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 4108

C:\Windows\System32\msdtc.exe
  Command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2908

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 4336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 1796

C:\Windows\SysWow64\perfhost.exe
  Command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 5208

C:\Windows\system32\locator.exe
  Command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 5432

C:\Windows\System32\SensorDataService.exe
  Command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 5532

C:\Windows\System32\snmptrap.exe
  Command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 5644

C:\Windows\system32\spectrum.exe
  Command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 5812

C:\Windows\System32\OpenSSH\ssh-agent.exe
  Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 5924

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 6048

C:\Windows\system32\TieringEngineService.exe
  Command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 1648

C:\Windows\system32\AgentService.exe
  Command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 544

C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5256

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5776

C:\Windows\system32\wbengine.exe
  Command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5140

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 3920

C:\Windows\system32\SearchIndexer.exe
  Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 640

  C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 5524

  C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1312 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
  PID: 7136
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.2MB
MD5
4fd91e4a6c47f95b7e36bf22d5cc6f91
SHA1
17dcd2dfb9857c304d701416910c269e9f52a4c7
SHA256
be9bcf07fcbb5a968a95a06c37ae4d6ccda0ff0fc1020f6b1798ec23c1f27a36
SHA512
822590718bceeb16eeccf3f6b9c2d83d6cf24fffa9088d8bc8601f06f10982f82bcdc261a5fba94e2744699fbfb23228f20bb05ddd93b8c118cacd77c6ba21b5
-
Filesize
781KB
MD5
3fcb65a590a28da58c64a1ded92ac1f6
SHA1
70fb132fe4f7d09bc4c8ff9909b325ec2397ac24
SHA256
579bf1e0d6b2e3e2088638e8000144f761f1a601d287d47506553c9e92f92ab6
SHA512
00ec660d53e3c2a9c14cd8c00a9af2eab1ccb75ee9aa2e673c89e48f22c7e42e79f266b8dddcaf5cfda4f8cfa972f2f705023e6c446985aacd5767ef2e0bd1bf
-
Filesize
1.1MB
MD5
18c5fede751a49ab73960599fe7dd13f
SHA1
c63823a8cdd4f98b0476a9d968319b3410b46109
SHA256
80b9b618b479dc7d0e73bee38aede7e72bf984d1ad0e0ea0dc5a14a933869940
SHA512
5797431a6ad78883ff738599c19a182ab6e0f0d13c91ad2cb7ca125ed9a00db25c6a620a0e8f9addaecdb6f4daf84d252a38f38b698aab0cab56265f3238ee02
-
Filesize
1.5MB
MD5
0fc60cb44b81b54d3179d59ca20895e7
SHA1
c40789d0492e9f58d97604654718f2a52d829888
SHA256
e5f6a5e7cbb6dcc5ae3cf0c101be46f76b429a4a11db1cae107f0271b7055b5a
SHA512
2dfa206c8df6979b436ecbd39179803b97b304d2e0c3405b7142aec55372cb7fdd6ecd70091be7296a99d8d778c60fdb74e449ef9cb6f6499ef1f33fe3bca3ff
-
Filesize
1.2MB
MD5
0857edd46b9f24ed234b09ebf39a9b3c
SHA1
1f94b56cf897cd986dfab94bd74bc1170e633b4b
SHA256
35c95b12fa5ccc88fead25caeca90edad484315700b3a302f234af13bdf30403
SHA512
363ed4aa86c0bfad4b44774d076b802726733267f8e8bc9d6d726151f0a9f0d85f983477468db361f48b131d20617b7e95778d395eb2ea1cd13e3317d7a39229
-
Filesize
582KB
MD5
f6459a782a291507ab11c3991bf370e1
SHA1
672a8e045acb7920e4397c54614aee21a7dc86ca
SHA256
c4d8e26fedcc76f5a8b2743d2b0b3b58420782594dfaa1843a0f6ab72dacbdd2
SHA512
0db9891ceb3238e59ba49f958e1965c0a8864743c15815b095cb6a0562b035be2d3ffa2aa53e9a36583e2a71668947569623c02d980423c0a57b10624909b8d7
-
Filesize
840KB
MD5
a2178992e2889d9c1ba938d6ba513321
SHA1
643bea83e444f9ce6ad2eebbf5f6e0525557f3e4
SHA256
04b00e1b2356c54e64e11b1f9323ebe3a26b1a6aac6a6ee399118d6c3a8c40f2
SHA512
5edf036e0106d6d61d317b0edaec87b00b728fa2ef07d6f310146c2ff6681546a842f53fb0ac1571adc5c7c4ee09608485a30e46abd7fd1e38803f36bf85a443
-
Filesize
4.6MB
MD5
912defa5d332a816cf2696007169757c
SHA1
ebf49ba60b90d21b08a7cc5fa8d1a2ee457ac804
SHA256
408a5155a774e3427b8661ce03ea55efadf1ef45dfcd5fee6f7780a0a2a3ada8
SHA512
dbbfcb886e5c2108641d4e7fbbcf7f3828eb84e12cc13746cd725156a1c63ae3f2b442c7aefb3c31312ab16ea8256c428c283e824fb715a3009ef393ac2e4b38
-
Filesize
910KB
MD5
849ddf9181d6953f24171d76310ca87c
SHA1
aa40974ce8d1fddc48a68cc2cc518b0f57f61179
SHA256
799f72fe656f29afb40ff58e2f64454ca96f4fc15d3834cebda4cb2ae77eb525
SHA512
6bba10ac73da57e3ebca43616a0e9ac48bac34650d25c32650c260337c6c25ab3c21963d02e599e5e5983aa42372f28845877f27d268a0232ebecdb896d7b642
-
Filesize
24.0MB
MD5
8e6ca7372874a9be57fe081f1974ecab
SHA1
d2aa1ecd84fdcdb4e37765e594ad613f6252a61d
SHA256
a4c9a1d28d8f4e6bdfeb4fff6c0b6cf85325bc37d68a9ceeb5931a3e5a236d54
SHA512
d15916a980bb1b3b13562681b108a69d337b5285621129dfa92cae4d7e75317ea69b302b802088c51006c42d4a56b69b2a81a060d2e1981a978e3aec1b8057c2
-
Filesize
2.7MB
MD5
5393135c9a47a27e1c0e93e0751623b0
SHA1
a25c657fddaddef5afb8f7c9665434c47cc73a3c
SHA256
cb50ac3faefa943f3f677599678d4790e238cbbfa7521b3931e30253233da73a
SHA512
066d4e236aa61a4ac4e8e5f157d4c331927f632f0caa33b2a32de2cf4834b219ad2cc120900724ad204e7c8c10bade9e0d7ed21d15fc1a0c49f6ecebfd86d95a
-
Filesize
805KB
MD5
70ba2a5b92f4d859db93f172f4c82652
SHA1
39d471b771c955b754fa5bda0f6d6fd7db43c11a
SHA256
316a22ccf53f22e1af3eae375110842d421cc9526d0991cdb0bca47602498349
SHA512
6c2f7b33505a0602b46d2c43c7c680ea675ca1ba775f237365d10b0b3376c145cdad2b5868824150412741a44d2b6342446566d9c745b263d3301b37f3bec789
-
Filesize
2.1MB
MD5
67ebdbb075dae6bf802610dd4d8606f5
SHA1
6e11c921480be5358a27ec74fcdf9fbf202d3946
SHA256
db7b1f1b46b2ef6d06d6e9a64e77da7b7710e3812feec1d52be469eda86a83c3
SHA512
7830c5f092a86ee9c76a56f4f9bdf02d6ef3d9337824694693eabdb998806a18f4252014f2f6a3a1c70df56b48565e0d400565303d27c6c7572f0d7f681214ce
-
Filesize
488B
MD5
6d971ce11af4a6a93a4311841da1a178
SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize
1.5MB
MD5
eb3f5aca0ecbe9d4b276b4ab2b91ee1c
SHA1
2a7d92fbd7b01fd1b3bfac8b78f04b58966b8ec7
SHA256
0cdc298a6aceb4b16aea8d70a7e77b695e1d203d1493b629f5b6d549e0648e32
SHA512
157223aab5177a4f111a23ab64023ab356f2eec9c159a39ae0633b98b10b203e1b52e8ec6f212e2016d678f2b323b1514e9fec6b2fe4886cb65bb2531870d0d7
-
Filesize
40B
MD5
85cfc13b6779a099d53221876df3b9e0
SHA1
08becf601c986c2e9f979f9143bbbcb7b48540ed
SHA256
bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
SHA512
b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize
851B
MD5
07ffbe5f24ca348723ff8c6c488abfb8
SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize
854B
MD5
4ec1df2da46182103d2ffc3b92d20ca5
SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
193KB
MD5
ef36a84ad2bc23f79d171c604b56de29
SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc
SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
1KB
MD5
4c82f46801d9cd83550c3aa0e12befc1
SHA1
e4c15c7f785aac6d31352d66b5ebbf0352caca87
SHA256
f1d7cce79d77bbe67cce7ed1aa5f6d122677cc2aaaa45929d5f7e4d54bf75f14
SHA512
ed615ea67fb6464345c827fa9b2f9c6e573c59621110760fe4a311dcd69bd13eef67d17d1cb6fb13e8154f83b885082f44c990ee25e14d8bbb0b0dc17bd927c9
-
Filesize
1KB
MD5
13484387c7b57959dede8c5cba0ecf00
SHA1
4b868bcad884b1ad52c8b253f7e70a2cb0fb9460
SHA256
efce29ab2e7a18af56ae120eecb4f2b9c9a4ee2bbdf427291c24634186f6fa49
SHA512
1ce90bb0ef3c0fc64670ef134bb639ec58743e6aeb5f5e78049178c2d4d367fb67b5385f201b1f77d46cbcc4a79bee46cd057e8f5590125166456db5a49bc07a
-
Filesize
369B
MD5
56ac7d294fa328a5cae7d81c26d7b7a9
SHA1
f403dbdbe4c57cbf0c44983e6dac233e62f08efb
SHA256
75a0cd43af4f7458f33db24a684b8d765eabdfd5e46cf9e2a7c6de2176105c03
SHA512
f923ac7cadd7517b8ae20863b4460f58d4aba567fe8809ee50e69280f6cbd7fe782296d5fbccd89df9186790cd39aeb212a0a33a019dfca1aa07ae2e55799bd0
-
Filesize
5KB
MD5
8b3f52b8d520d7e560b648d305359c36
SHA1
a02bf6fe6874bbb17801a162868cda374c765a5f
SHA256
54e54604457ce8c7d17a68b7e3c6686d73a2ced92aaebb0fdf8d2674d3b07cc8
SHA512
404460f9da4d151af8cde307a0a35fbf8da7e27db4392c160b0a3bd843c894bd92f4444168f7a390170c89dfc3ff7a11df5559c20e882ce575fe7638a369770e
-
Filesize
4KB
MD5
590509026de9a150853561507561c097
SHA1
9bd43229f037b858580ce5b7cf367c96906610e7
SHA256
8243295f6ba3e262a3d6fa192c88f2be6c59456a1ff01c04cb7ab0d76f61144b
SHA512
f4cd125a3aea6deb725b5215b438de4c8c1310af300325e62a6bfe32e2717200e7bfe3721b741b3c2c286ae56987d1cc8063cb404b6e7133e0bba323ceee5561
-
Filesize
4KB
MD5
0ab8d1cc1e8d45e04992ff1e265defec
SHA1
c8d86b53f425c7f92df9b41e799f87638c67542e
SHA256
4274081e3cbb0eb3c3d1f227b8f359db4cf05dde82124dd055924980f3bee10d
SHA512
fcc8b231f337a2e239cf3ff00eb40708a215987c6469167ef8fccb360034477df47ba21f23fc6d0ff154b0b82bc2fea7144bbb54c95f6a6bca68b9c6b23ff1f1
-
Filesize
4KB
MD5
f77596879cf4dbb9c0a432d812631202
SHA1
4d8461c9a2fedeaed9b1269fd84a56996815f64f
SHA256
2e364156eaf526f6930b1a8d9846141796b6b4f2f16248c1156e8d82a44901e4
SHA512
89e9c4c9bef8047e0840fdd45b6c48b939a2cb66cb8dd8dddb06fb0601d9e7cc64c187a48d69583caf40a6b4fafbd04506064cd55668cdf4c36760e375983f4d
-
Filesize
4KB
MD5
e5196ce03116babafb04fa5b0e3d849b
SHA1
5cc2eba685764ae5c3b7e0d9cde5f005fc838fa5
SHA256
ec500fb984acb9ded2b2a3dff64d7a88698db3551e840f4eb7f4106566fb4b56
SHA512
2d9ac4ff68bdf485a1c453f6ef1619a038c6455cc09eb7fe763ebe9c0bd5cfeda995b2be6c4fb11c822ea2d312962bb170634b818620865804da7f7724ceca95
-
Filesize
2KB
MD5
04695aadffdaf28b5be826d27d48721a
SHA1
ce79df7c80926a86b0e1a922a05bcab16c7620c4
SHA256
0bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51
SHA512
aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54
-
Filesize
10KB
MD5
6937e0668541fecd3a1be37038688ffb
SHA1
d91bf1ad823678290faa3c7ae861a42428adc064
SHA256
8c156366a47914b7b37e946b591a3a0a522ce961358b3669736b40b5f810b117
SHA512
fcb9129c18736c2724d64aa0207b4b51b612ecf8134604f48f98d1164358153048109badbb593875430267406ea7bf294714a2ab2d32f314b855a3bd3943122f
-
Filesize
13KB
MD5
2d6acbed123af7aa06d278ef9128ae95
SHA1
949aa743a059280d925006cb7a10d60a255dc4fc
SHA256
df4aa8684b8c7f5b3e5988b4ccb4f045aa050da73759d43bde160db274ddc3ba
SHA512
253eff82f76ba368eaf6db3e5f24c3b30b91962e4532c75a79356ba199c5d136103b77e289bb59f2ca33821201c9d1d3d745e15758d964a3b1df8ec62e5ff507
-
Filesize
270KB
MD5
4c3ca00afad6e7f4c98bbf38d2fc610e
SHA1
740e3cb33f23e16b75578d6fe91581a8f0fa5ddb
SHA256
4a7f67a1a7dbf53b690a1a5a57e5a73476c84220d1487d24e8193cdd8bb3583e
SHA512
f471e34406cd40e49f9786b42ab6be8185baa703153b7e9a91da7d3e72d888e0bf60d1409f102f74b025826b90c1a96751edc0945d008a1841dd4534e231cf0a
-
Filesize
2B
MD5
99914b932bd37a50b983c5e7c90ae93b
SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
4KB
MD5
047e7e5c0e326a216f6a346298bdfe47
SHA1
1c41f0f0197d8a93580cae2ebb0d843188ad5244
SHA256
39dfe9e2d1554461bd04a11a77bd6e0fb17de9db34ec8c28d63b6e14677e004a
SHA512
35b2adb5bbde3769fa55ea75fe21841339cd9d4fda63851d03e2135eef367e2f405db761304831805ca0e40111fe3457d8a5e7330388da820b4cdbf5e098e99e
-
Filesize
6KB
MD5
2a0c3644d35067e0d8cb79c3eaffd959
SHA1
6ddf44359316c80622b6ec97c2f42138b2e07345
SHA256
ad500842b4a712982670a7eefc3cb861868c9e4e083a28fb04812f133386e762
SHA512
c9137f3f468c843100423cad7d3e2ca5afee7c67f6caab3bb8df4fcaa1052838aced9b8cefe343e838e1c78b441788a09467ae328b7becc89c1d4bd4f2233e16
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir1348_1006138871\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B
MD5
558659936250e03cc14b60ebf648aa09
SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir1348_1006138871\a7612265-8257-401f-beb5-de475ca653f5.tmp
Filesize
88KB
MD5
2cc86b681f2cd1d9f095584fd3153a61
SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e
SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c
SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986
-
Filesize
12KB
MD5
2f164131aebe38513399660eafd5f529
SHA1
758190b71f4d29ae4c51b74f90a02ef477052283
SHA256
19d708886a5d1844cc75f09fc83fd73f0065df1478a62a6232a3e45e8422847e
SHA512
8bca088ed4a817bd977fbe2c0501c7d3691fb57fdc7a29de47bbe400fae9e8a84b07e0460d8829ab6e041bb2650cc1f7b4cc59b12b0ad5cfa942cab03da08e98
-
Filesize
588KB
MD5
1c0b72eae39148428bdcbd4d8d4aef92
SHA1
0f633744ffea9d81eb94fa06b7d79d0bf96a3616
SHA256
077e76a52174b00de18c6a86947d27ace8bae6ca2d6faf33c06dfa61d90a2e00
SHA512
26ba089fbaf62c79a5bb6956edd81883946537ac30bcf6a9d7e9e20274099d5a3352eb80d9dafc4b1e51d5c3385f7a8b53eff0f0834c6b8058959aa00e50466b
-
Filesize
1.7MB
MD5
4b476410c2bc0d47b81ea41bc4f7f9ac
SHA1
0d26984f3a649a716b27c98cf6206db3b8f098bc
SHA256
8092f6185e8513b9f54a68f894c539ea21eb34051adb22923ec5847f76165ff2
SHA512
3f91f85c12c64f83fce8cbcdaa5525b94dfcda47a26406f4b9416d155239f1cecc764c27e6e1eaf04050428357bccc750a27a1ef319751a88d2ff42399bd5b79
-
Filesize
659KB
MD5
1cd7fbc83c13112edf7a9e36b4dd7ff6
SHA1
88b7676987bc07a7531925400dea825b26cbb99e
SHA256
ee2075ba6886cfa12e886749b8174f90aa0f8b7c547387b44d3648aa19753449
SHA512
f042b0d3cd421047695255ca179e48871ede7d3e5a4b6f7f83d3a9b243b607ac1866749081b6c74b3d7b0dca67280dc9bcda952a2d60f7f8ab5b6ce7ce738d6a
-
Filesize
1.2MB
MD5
7f7a94e30c34251998147c7dd3b6c54c
SHA1
4c15d3c9f1f2550776eae21871d9daf36203ed28
SHA256
97b4ea3d2beff606e4811843e7a64901022c4ae1b59ac730d1831b02d890eae3
SHA512
a7a1f4aef03c189b424ebf3328cc988254871e8c2e6c4b1d5a141d08767c8df08cd4bc99c6895ace82f2742391f4d93bd28cbd4a4afb9fdec5a108a01585bbbc
-
Filesize
578KB
MD5
238294a463e0e6ac28342132fd788356
SHA1
f3879d26cbbff3ec00f06a086f40dac65e56f69a
SHA256
059b6192636c7a46603dda600669594e5ca12b8adcdbbed5a62b93f1df8462e6
SHA512
ac88a2b01e726152827027848fc1a6d48998cb65be9a32f683c5d3c4094d7b9841393fa18ab2ba3bf5f923f0849567a75229b2000c5d3b4975acfda35f1b6758
-
Filesize
940KB
MD5
d5a2a68a57e83442d5e49780dd094175
SHA1
7899213193f45d5de121bbe7d2d23e5d0a19786f
SHA256
f137c1486df46ee369723aa32319a8ec0758b9363d83a59592f499aadc155d65
SHA512
88fe2c9a06d54f1092c87691a4c03d0f6dfc89d1a17143c234a4e1bec317e108818bdb694193523c587b61b60243fc2ea450c3a8a894e8839ddf72a6f4ecbb2e
-
Filesize
671KB
MD5
5eff12a806082e9c7ec676d66613e824
SHA1
feb16e36b2456435128d8fe307b6aefe6c768255
SHA256
240bc0c594b8eb0469b0c31ce00d26350d503da51b8abd031ffaabe1b61b8e56
SHA512
40070a54176ef331688a45b8995ab840fbe4e1c1da7790bb19a3645eb193456165290cd4f151af5e5df49efccb8f91ad84eb929ae052292307e5dec17cbd5b2e
-
Filesize
1.4MB
MD5
4f607239d42f7d3729b2e4a4b5007dd6
SHA1
b2b0b1b39529e568a369cf22ca1c2cf357fc07d9
SHA256
d9aa7b5daa381f19ed293a6130bfffd5203ec97182dcad2ce8582f7d478915b7
SHA512
b452b8d5d9a125a28e820b9442fa32663e110c080c75be095403d8065449a8c940a359a6b4b3b33a656b5156e231b814ea220c3af839d11189355b82d3078e3b
-
Filesize
1.8MB
MD5
1369731e0d1e2e0a73f764d12d315f5f
SHA1
c534ec870c70f0f0c8c56d52f4084f9d7c55c10d
SHA256
54b71c5e7bdf80cd05a697526cb4e83c9e1b133db4dfcb1e8574747f41bffa89
SHA512
20348f7b34d068e486ed69a79b0f6bde0735fed4731c5c1eab6c10e69addded8f628ea1ffffe04bea3dff6dc11245c026133d828d8ab4c935e768df5c5e0d049
-
Filesize
1.4MB
MD5
76e6caa6db461751e1f90746bf7e4818
SHA1
84446294e9f5f131d51644a48d4a0b1d756de452
SHA256
1ad7788e8a32e25547a007c73f470f3f64e871e6bd8747a1c6c89c924aaa4be4
SHA512
81b91f1b537094f8f95d701a3110f9f84aea6c2b498904420b3403746f6c6fef532013165aa9c269ab70df5e4e135a8f83ebf0cafd1106fba24c82f0a5135f45
-
Filesize
885KB
MD5
fc1cd25f63b8965430c1da950db9e269
SHA1
a0bb2fd56ffc305c5f240bf7c4d5fae5e450680b
SHA256
82854e1df282676589d6ef7bf72e5e02aa8cdf06bea2935c24429fa39cb3c464
SHA512
65501ac61232e411eb612ae3ad10b9d3571ff7b1fc6bbbca9e5494947031bcc911e6126f23b16951eae02898e4cd722632e0725f5f84d5f71dd7b4a69b2176b2
-
Filesize
2.0MB
MD5
e6bdc3feb7a33aafce8fdd6a77f301a0
SHA1
40ba0a522013e502fd8ad30e2ca6e0520870b504
SHA256
e932310d8bbda4aa7b9db4b68230b8836e910cf07bc86e656a35a0aecd903a97
SHA512
f0fe9af3b61126cb7742cb90084d4d682e90fb751fa011a5918b74001d426b9277d3edb1f71332011702864ba994c4acd4e49c43c728351f78398eafbc3266f8
-
Filesize
661KB
MD5
1a3e978a76d2fce3b0603c2d9aa47255
SHA1
5eeadd4e7868e269eecddab372ccdb8d15fa5aa0
SHA256
d3bdaa87fa12ee9526bdaadef8ecf9902075784fc5508dc3c61d0cd240c74a25
SHA512
2dd5bf3d9e98232ee9f96da1afe7cc0e95f7654d53328eae89a841a8cce05b83887f0774a6c7c879df1cf1344015e4ea48c4b866d6ffaf5224f490d3b5cb50bd
-
Filesize
712KB
MD5
3dfb46d645605596bf615e76d038f682
SHA1
bb9e20679fc615bdb954795c31f182cde7eb3326
SHA256
b3e5470f391afcb78cd58d8851c172d1dd5fcaea3e6d37b27851ccacc2fdc45f
SHA512
7a15f0fd2501b41e6df284e444d3ae13ea97a83d04822d0d3bec1530a0d864fc2d2853362205f56e32f0634adad5dae93417dd64bcabe87de48f12dff00f9ca7
-
Filesize
584KB
MD5
a53cff86c702b70beda880c1877b4cda
SHA1
a36fe1d6b2e647e268b49f95423ce50a2411e4f8
SHA256
0ce49888288a6b002025d32608d544d105d2244b1348383a91fb34484a7dc15a
SHA512
96c3466a97e403ad8eb78205e35c972039e9e79000284d799f87f8aa1c1f26f0a54d37434ccb51d6b94fbfebc785bd11de1bbe5e20823cde59b42173892d2662
-
Filesize
1.3MB
MD5
554fe3f4f3b4ec3eee0fc65b699ed414
SHA1
3c740b77cb61b4f356916a751ce42bdcc3006d38
SHA256
6a80356d794993173cdaa85382984b9376563674e3ac2936a570f1a75cc1241f
SHA512
69b32129127986206bd827730432604cd5d91b1e64a17a80d5233c0213863361d5d99b03b2c9b650fe93890d4bd59a058c2389eba68439d5b9378999bc0eceb4
-
Filesize
772KB
MD5
c592a9e20e7cf62ef4a1a37c370b89ae
SHA1
2ad6df235bdcdd8a578efcd3f087f32a7081c7e3
SHA256
7bb744e0f2c823d7e954a497e32c86d1a6cf2193afdc6955145cc2460a85ee91
SHA512
9d30212732c4fce87d76dbab28f7dbd61acd5d8ef2f5f148d029dec4471e87ae5561b815a9364d4f0cd2d58e2027651d8141db1fd493ec5375d7d6b04e212fea
-
Filesize
2.1MB
MD5
43330464525721f3a1f48ec74911f346
SHA1
43db7abccf7987ecded656106d08d6e60e3be20d
SHA256
69a073a76e45a72fe446b7fd9878ed27e7ce3272c2114618c78525a6faa8480a
SHA512
11f17d69d7559c5b23fe4e6f248eda8ca24e4499276c1af06f40ea96f403d3aae3c268c44dabdb404506b364d4d227ff4f0296bef72cea27a19c3c00c1ea4d96
-
Filesize
40B
MD5
0e1a0df5323f02fa141b11070035f203
SHA1
4662c48107aebe02429f78dc0ab4328f88ea9e8f
SHA256
169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7
SHA512
5ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5
-
Filesize
1.3MB
MD5
9d0fab084b3bc0cba887bd74a77aeb9f
SHA1
1885d9432849c7804c38a26ef41b62ac30e7ad77
SHA256
16b83e50ddd3f1b44963e05503a6dfb4b80ae81eb41b09e941e2fe1b09508992
SHA512
c1df899146b7e939bf94a52d1215ac6b056ff99ebb6e85834267a44aa9985f31729d8a5d46e402da8aa6cd10052f8add2eaa7b8037fe3c63faebccb7a887f990
-
Filesize
877KB
MD5
6ab5093f5c0df7818ba6abca98ec29d7
SHA1
d34c172ee22ec747aef371a3d4aa3262124b0ee0
SHA256
37855ebc7f06cc88d177062e7d815726634d3d95d1ebe19fe8d9271585a1ab23
SHA512
2c79ae6dd55b55eeec16ce309134651593d495fb65686b9a55940b3533d58502d2046df0176d9bb94d7dd502a958ae00b9b11ab3237bbd66f27c85f6cf4e769a
-
Filesize
635KB
MD5
96eb93622d53cb6ed3a50f6e331ed27a
SHA1
e97744e200bba73e00dcc878426eccac832218ae
SHA256
cac23211ebe746cfaa8743a0051ace9b1b16ad5c353a5f99fe00691e5460aa3e
SHA512
6d93fc0407933e96706f8adb56694d596b4bb708df98f8c1d0166debedf1b3bef529b1a6c50e2b69dd5c0d929ad27399a6c78db065fa6f336aaf857a0becf561
-
Filesize
5.6MB
MD5
1429c97149b256c13b422134daa0e29a
SHA1
64e5ddee49853e16b40b2019ec5f435e3a185e93
SHA256
ddc92397a1ed1c0199af58ca8eeff21385b0741d87da30f9734ac89489eb7c37
SHA512
8d101ac7a0c7e92917722e04fb8b51359f4cff34fed31e03efc18506fc60cedf92eec104b0e0241f6d065d305496cb74965fdc7225f5ad266419c359ced481e6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e