Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 07:43
Static task: static1
Behavioral task: behavioral1
Sample: 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
Resource: win7-20240221-en
General
Target: 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
Size: 5.5MB
MD5: a6e1eec4372ad80d154d7970915d0210
SHA1: 6bf8a399a6163b967305df9ad755a63a50cb046c
SHA256: e40fce63c8f44326e3cc990a35055c970a1607416da62413c951b7f3b897dfea
SHA512: a9698b79b5c493aaba670b354da9fb6422ebe7490b92101cfa60dd88e12842901d925b358774dca51fe19a0d5e514608c8903d6ec252c15cecc46ae39f04bee4
SSDEEP: 49152:hEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1Ln9tJEUxDG0BYYrLA50IHLGfL:FAI5pAdVJn9tbnR1VgBVmdnlS
Malware Config
Signatures
Executes dropped EXE (22 IoCs)
pid | process
4352 | alg.exe
1988 | DiagnosticsHub.StandardCollector.Service.exe
1112 | fxssvc.exe
844 | elevation_service.exe
3636 | elevation_service.exe
4760 | maintenanceservice.exe
2952 | msdtc.exe
1268 | OSE.EXE
4432 | PerceptionSimulationService.exe
1140 | perfhost.exe
5476 | locator.exe
5564 | SensorDataService.exe
5668 | snmptrap.exe
5768 | spectrum.exe
5912 | ssh-agent.exe
6060 | TieringEngineService.exe
5156 | AgentService.exe
5464 | vds.exe
5620 | vssvc.exe
5344 | wbengine.exe
5756 | WmiApSrv.exe
5156 | SearchIndexer.exe
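Every image in the table above is a Windows or third-party service binary that also appears under "Drops file in System32 directory" or "Drops file in Program Files directory", i.e. the sandbox saw these files executed after the sample wrote to them. Two details matter when this table is correlated with host telemetry: PID 5156 is listed twice (AgentService.exe, then SearchIndexer.exe), so the kernel reused the PID after the first process exited, and elevation_service.exe is started twice under different PIDs (the report shows the sample writing to the Edge copy under Program Files (x86); the second copy's path is not given in this section). The Python below is an added example, not code from the sandbox vendor: it parses the flattened table and surfaces both conditions so that a PID is never used on its own as a correlation key. The table text is copied from the section above; the regular expression and function names are this example's own.

```python
"""Parse the flattened "Executes dropped EXE" table of a sandbox report and
flag identifiers that are unsafe to use on their own for correlation.
Added example; not part of the report."""
import re
from collections import defaultdict

# Copied from the report's "Executes dropped EXE" section: the extractor
# collapsed a two-column (pid, process) table into one run of text.
DROPPED_EXE_TABLE = (
    "pid Process 4352 alg.exe 1988 DiagnosticsHub.StandardCollector.Service.exe "
    "1112 fxssvc.exe 844 elevation_service.exe 3636 elevation_service.exe "
    "4760 maintenanceservice.exe 2952 msdtc.exe 1268 OSE.EXE "
    "4432 PerceptionSimulationService.exe 1140 perfhost.exe 5476 locator.exe "
    "5564 SensorDataService.exe 5668 snmptrap.exe 5768 spectrum.exe "
    "5912 ssh-agent.exe 6060 TieringEngineService.exe 5156 AgentService.exe "
    "5464 vds.exe 5620 vssvc.exe 5344 wbengine.exe 5756 WmiApSrv.exe "
    "5156 SearchIndexer.exe"
)

# A row is a run of digits followed by an image name ending in .exe.
PAIR_RE = re.compile(r"(\d+)\s+(\S+\.exe)", re.IGNORECASE)


def parse_process_table(text):
    """Return [(pid, image), ...] in the order the report lists them."""
    return [(int(pid), image) for pid, image in PAIR_RE.findall(text)]


def pid_reuse(pairs):
    """PIDs seen with more than one image. The earlier process exited and
    the kernel handed its PID to a later one, so events keyed only by PID
    would merge two different processes. Returns {pid: [images...]}."""
    seen = defaultdict(list)
    for pid, image in pairs:
        seen[pid].append(image)
    return {pid: images for pid, images in seen.items() if len(images) > 1}


def duplicate_images(pairs):
    """Image names started more than once under distinct PIDs.
    Returns {image (lower-cased): [pids...]}."""
    seen = defaultdict(list)
    for pid, image in pairs:
        seen[image.lower()].append(pid)
    return {image: pids for image, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    pairs = parse_process_table(DROPPED_EXE_TABLE)
    print(len(pairs), "dropped executables started")
    print("PID reuse:", pid_reuse(pairs))
    print("images started more than once:", duplicate_images(pairs))
```

When joining this table to EDR or Sysmon data, key on (PID, process start time) or on the process GUID the telemetry source provides; the PID alone is ambiguous for 5156 within the 150 seconds this run lasted.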
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory (31 IoCs)
Processes: 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe, alg.exe, 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe, msdtc.exe
description | ioc | process
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\177d0d41b3e2edcd.bin | alg.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
Processes: alg.exe, 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
description | ioc | process
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iediagcmd.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsimport.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\minidump-analyzer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ssvagent.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaws.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javap.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | alg.exe
Drops file in Windows directory (3 IoCs)
Processes: 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe, msdtc.exe, alg.exe
description | ioc | process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
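Read together, the three "Drops file" sections above show the sample opening dozens of system and third-party executables for modification, and alg.exe, once the sample has written to it, doing the same to a further set of executables and to a .bin file under the SYSTEM profile's AppData. The only other writes are MSDTC.LOG and DtcInstall.log from msdtc.exe, which is what that service writes when it starts. The Python below is an added example, not the sandbox's own code: it parses the flattened "File opened for modification <path> <process>" rows, counts writes per process, lists files written by more than one process (the hand-off from the sample to alg.exe), flags any process that rewrites executables under protected directories, and emits the path list to verify on hosts against a clean reference or the file's Authenticode signature. The rows embedded are a subset copied from the report; the installer allow-list is an assumption to tune per environment.

```python
"""Turn the flattened "Drops file in ..." rows of a sandbox report into
per-process counts, cross-written files, a detection over executable
writes, and a hunt list.  Added example; not part of the report."""
import re
from collections import Counter, defaultdict

SAMPLE = "2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe"

# Subset of rows copied from the report's System32 / Program Files /
# Windows directory sections, joined the way the extractor flattened them.
FILE_IOCS = " ".join([
    rf"File opened for modification C:\Windows\system32\vssvc.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\dllhost.exe alg.exe",
    rf"File opened for modification C:\Windows\System32\OpenSSH\ssh-agent.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\AgentService.exe alg.exe",
    rf"File opened for modification C:\Windows\system32\dllhost.exe {SAMPLE}",
    rf"File opened for modification C:\Windows\System32\alg.exe {SAMPLE}",
    r"File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\177d0d41b3e2edcd.bin alg.exe",
    r"File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe",
    r"File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe alg.exe",
    rf"File opened for modification C:\Program Files\Java\jdk-1.8\bin\unpack200.exe {SAMPLE}",
    rf"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe {SAMPLE}",
    rf"File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe {SAMPLE}",
    r"File opened for modification C:\Windows\DtcInstall.log msdtc.exe",
    r"File opened for modification C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe alg.exe",
])

# Paths may contain spaces, so the path is matched lazily and a row ends
# only where the next row (or the end of the text) begins.
ROW_RE = re.compile(
    r"File opened for modification (?P<path>.+?) (?P<proc>\S+)"
    r"(?=\s+File opened for modification|\s*$)"
)

# Directories where a rewrite of an .exe by anything but an installer is
# suspicious. Plain strings because a raw string cannot end in a backslash.
PROTECTED = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumed allow-list; adjust to the environment's patching tooling.
INSTALLERS = frozenset({"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"})


def parse_file_iocs(text):
    """Return [(path, process), ...] in report order."""
    return [(m.group("path"), m.group("proc")) for m in ROW_RE.finditer(text)]


def writes_per_process(records):
    """How many files each process opened for modification."""
    return Counter(proc for _, proc in records)


def cross_written(records):
    """Files touched by more than one process (paths compared case-insensitively).
    Here the sample and alg.exe both write dllhost.exe and
    PresentationFontCache.exe: alg.exe repeats the sample's behaviour."""
    writers = defaultdict(set)
    for path, proc in records:
        writers[path.lower()].add(proc)
    return sorted(p for p, procs in writers.items() if len(procs) > 1)


def flag_exe_writers(records, allow=INSTALLERS):
    """Processes that modify .exe files under PROTECTED and are not known
    installers. msdtc.exe is not flagged because it only writes log files."""
    flagged = set()
    for path, proc in records:
        p = path.lower()
        if p.endswith(".exe") and p.startswith(PROTECTED) and proc.lower() not in allow:
            flagged.add(proc)
    return flagged


def hunt_list(records):
    """(executables, other files) as sorted, de-duplicated lower-case paths.
    Verify each executable on suspect hosts by hash against a clean
    reference or by its Authenticode signature."""
    exes = sorted({p.lower() for p, _ in records if p.lower().endswith(".exe")})
    others = sorted({p.lower() for p, _ in records if not p.lower().endswith(".exe")})
    return exes, others


if __name__ == "__main__":
    recs = parse_file_iocs(FILE_IOCS)
    print("writes per process:", dict(writes_per_process(recs)))
    print("written by more than one process:", cross_written(recs))
    print("processes rewriting protected executables:", flag_exe_writers(recs))
    exes, others = hunt_list(recs)
    print(len(exes), "executables to verify;", len(others), "other files")
```

The flag_exe_writers rule is the generalisation of what this report shows: a non-installer process opening executables under System32 or Program Files for modification, and then a freshly modified system binary doing the same. The same predicate applies unchanged to Sysmon file-create or EDR file-write events, which is where it belongs as a detection.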
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Note: both processes listed here, SensorDataService.exe and spectrum.exe, are Windows service binaries that the sample opened for modification and that were then executed (see Executes dropped EXE and Drops file in System32 directory). The sandbox attributes their registry activity to the sample's process tree, so these reads are consistent with the services enumerating their devices at start-up and are not on their own evidence of sandbox-detection logic in the sample.
Processes: SensorDataService.exe, spectrum.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Note: TieringEngineService.exe is one of the System32 service binaries the sample opened for modification and that was then executed (pid 6060 under Executes dropped EXE), so this read is attributed to the sample's process tree rather than observed in the sample itself.
Processes: TieringEngineService.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies data under HKEY_USERS (64 IoCs)
Note: SearchProtocolHost.exe and SearchFilterHost.exe are the worker processes of the Windows Search indexer (SearchIndexer.exe, which the sample opened for modification and which was then executed, pid 5156 under Executes dropped EXE), and fxssvc.exe is likewise one of the modified System32 binaries. The MuiCache, FileExts and Shell Extensions writes under \REGISTRY\USER\.DEFAULT are what these services produce when they start under the SYSTEM profile; they are attributed to the sample's process tree here, not performed by the sample's own code. The single chrome.exe entry (TPM telemetry under S-1-5-19) is the only write from a process outside that set.
Processes: SearchProtocolHost.exe, SearchFilterHost.exe, fxssvc.exe, chrome.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006666c09bf7b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000311e9099f7b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dac889cf7b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000020cc3898f7b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036598b99f7b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce41d599f7b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea8c7b98f7b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5376599f7b3da01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024aefe98f7b3da01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617014613071310" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001e83799f7b3da01 | SearchProtocolHost.exe
Suspicious behavior: EnumeratesProcesses 39 IoCs
Processes:
pid Process
2720 chrome.exe (2 records)
2152 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe (35 records)
876 chrome.exe (2 records)
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
pid Process
672 (image name not recorded) (2 records)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
pid Process
2720 chrome.exe (4 records)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description pid Process (consecutive identical records collapsed; repeat counts in parentheses)
Token: SeTakeOwnershipPrivilege 3256 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
Token: SeAuditPrivilege 1112 fxssvc.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 2720 chrome.exe (7 pairs)
Token: SeRestorePrivilege 6060 TieringEngineService.exe
Token: SeManageVolumePrivilege 6060 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 5156 AgentService.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 2720 chrome.exe (2 pairs)
Token: SeBackupPrivilege 5620 vssvc.exe
Token: SeRestorePrivilege 5620 vssvc.exe
Token: SeAuditPrivilege 5620 vssvc.exe
Token: SeBackupPrivilege 5344 wbengine.exe
Token: SeRestorePrivilege 5344 wbengine.exe
Token: SeSecurityPrivilege 5344 wbengine.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 2720 chrome.exe (4 pairs)
Token: 33 5156 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 5156 SearchIndexer.exe
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege 2720 chrome.exe (1 pair)
Token: SeTakeOwnershipPrivilege 5156 SearchIndexer.exe (23)
-
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid Process
2720 chrome.exe (3 records)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target (consecutive identical records collapsed; repeat counts in parentheses)
PID 3256 wrote to memory of 2152 3256 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe 92 (2)
PID 3256 wrote to memory of 2720 3256 2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe 94 (2)
PID 2720 wrote to memory of 2432 2720 chrome.exe 95 (2)
PID 2720 wrote to memory of 3688 2720 chrome.exe 102 (38)
PID 2720 wrote to memory of 4344 2720 chrome.exe 103 (2)
PID 2720 wrote to memory of 3484 2720 chrome.exe 104 (18)
-
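Read together, the two sections above say more than the raw runs of records show. The sample (PID 3256) enabled SeTakeOwnershipPrivilege, which lets a process take ownership of a securable object regardless of its DACL and then, as owner, rewrite that DACL; that is the privilege needed to overwrite ACL-protected binaries under System32. Its WriteProcessMemory records, by contrast, target 2152 and 2720, the two processes the tree below shows it spawning, and writes into a freshly created child are part of normal process start-up rather than evidence of injection on their own. Note also that PID 5156 is reported for both AgentService.exe and SearchIndexer.exe, so a PID alone is not a stable key across the run. The parser below is an added example, not part of the report or of the sandbox's tooling: it pulls the records out of the flattened form on a constructed excerpt copied from this page (a subset of the 64 entries each section lists), keys them on (pid, image), and flags holders of high-impact privileges. The HIGH_IMPACT set is my own triage list, not something the report defines.

```python
"""Summarise a sandbox report's 'AdjustPrivilegeToken' and 'WriteProcessMemory' records.

The report flattens each section into one long run of records. This parser pulls the
records back out and keys them on (pid, image) rather than pid alone, because the run
reuses PID 5156 for AgentService.exe and later SearchIndexer.exe.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe"

# Constructed excerpt: records copied from the report in its flattened form, but only a
# subset of the 64 entries each section lists.
TOKEN_RECORDS = (
    f"Token: SeTakeOwnershipPrivilege 3256 {SAMPLE} Token: SeAuditPrivilege 1112 fxssvc.exe "
    "Token: SeShutdownPrivilege 2720 chrome.exe Token: SeCreatePagefilePrivilege 2720 chrome.exe "
    "Token: SeRestorePrivilege 6060 TieringEngineService.exe "
    "Token: SeManageVolumePrivilege 6060 TieringEngineService.exe "
    "Token: SeAssignPrimaryTokenPrivilege 5156 AgentService.exe "
    "Token: SeBackupPrivilege 5620 vssvc.exe Token: SeRestorePrivilege 5620 vssvc.exe "
    "Token: SeAuditPrivilege 5620 vssvc.exe "
    "Token: 33 5156 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5156 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 5156 SearchIndexer.exe "
    "Token: SeTakeOwnershipPrivilege 5156 SearchIndexer.exe"
)
WRITE_RECORDS = (
    f"PID 3256 wrote to memory of 2152 3256 {SAMPLE} 92 PID 3256 wrote to memory of 2152 3256 {SAMPLE} 92 "
    f"PID 3256 wrote to memory of 2720 3256 {SAMPLE} 94 PID 3256 wrote to memory of 2720 3256 {SAMPLE} 94 "
    "PID 2720 wrote to memory of 2432 2720 chrome.exe 95 PID 2720 wrote to memory of 3688 2720 chrome.exe 102 "
    "PID 2720 wrote to memory of 3688 2720 chrome.exe 102 PID 2720 wrote to memory of 4344 2720 chrome.exe 103"
)

# "Token: <privilege> <pid> <image>"; the privilege is sometimes a bare LUID such as "33".
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+\.exe)", re.IGNORECASE)
# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+\.exe) (\d+)", re.IGNORECASE)

# Privileges whose holder can step around object security rather than merely administer
# the machine. This is my own triage list, not one taken from the report.
HIGH_IMPACT = {
    "SeTakeOwnershipPrivilege",      # take ownership of any object regardless of its DACL
    "SeRestorePrivilege",            # write any file or registry key, bypassing the DACL
    "SeBackupPrivilege",             # read any file or registry key, bypassing the DACL
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeLoadDriverPrivilege",
}


def parse_tokens(text):
    """Return {(pid, image): Counter(privilege -> times it was enabled)}."""
    per_proc = defaultdict(Counter)
    for priv, pid, image in TOKEN_RE.findall(text):
        per_proc[(int(pid), image)][priv] += 1
    return per_proc


def parse_writes(text):
    """Return [(src_pid, src_image, dst_pid, procid_target)] in report order."""
    return [(int(s), img, int(d), int(t)) for s, d, img, t in WRITE_RE.findall(text)]


def high_impact_holders(per_proc):
    """Processes that enabled a HIGH_IMPACT privilege, with the ones they enabled."""
    return {
        key: sorted(p for p in privs if p in HIGH_IMPACT)
        for key, privs in sorted(per_proc.items())
        if any(p in HIGH_IMPACT for p in privs)
    }


def write_targets(writes, src_pid):
    """Distinct PIDs that src_pid wrote into, in first-seen order."""
    seen = []
    for src, _img, dst, _target in writes:
        if src == src_pid and dst not in seen:
            seen.append(dst)
    return seen


def pid_reuse(per_proc):
    """PIDs the sandbox recycled, i.e. seen with more than one image name."""
    by_pid = defaultdict(set)
    for pid, image in per_proc:
        by_pid[pid].add(image)
    return {pid: sorted(imgs) for pid, imgs in by_pid.items() if len(imgs) > 1}


if __name__ == "__main__":
    tokens = parse_tokens(TOKEN_RECORDS)
    for (pid, image), privs in high_impact_holders(tokens).items():
        print(f"{pid:>5}  {image}: {', '.join(privs)}")
    print("sample (3256) wrote into:", write_targets(parse_writes(WRITE_RECORDS), 3256))
    print("recycled PIDs:", pid_reuse(tokens))
```

Run against the full sections rather than the excerpt, the same regexes work unchanged, since the page's flattened text is exactly what they expect; the point of keying on (pid, image) shows up immediately in the 5156 entry, which otherwise merges AgentService.exe's SeAssignPrimaryTokenPrivilege with SearchIndexer.exe's SeTakeOwnershipPrivilege into one process that never existed.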
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups/snapshots. Ransomware commonly calls into it to enumerate and delete shadow copies before encrypting, which is why the signature matters, but this report records only that the API was used, not which operations were performed. Note also that vssvc.exe (PID 5620), the service that handles these calls, appears in the process list below tagged "Executes dropped EXE", meaning the sandbox saw its image written to disk during the run before it executed.
Processes
Process tree (children are indented under their parent; the sandbox's depth numbering has been turned into indentation):

C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe"
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3256
    C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe
      command line: C:\Users\Admin\AppData\Local\Temp\2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2ec,0x2f0,0x2fc,0x2f8,0x300,0x140462458,0x140462468,0x140462478
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      PID: 2152
    C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2720
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce9709758,0x7ffce9709768,0x7ffce9709778
          PID: 2432
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:2
          PID: 3688
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 4344
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 3484
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:1
          PID: 4564
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:1
          PID: 5012
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 4624
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 4312
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4876 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:1
          PID: 3952
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 4244
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 5220
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5332 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 5300
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4496 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 5612
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 2196
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
          command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
          PID: 5548
            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff692487688,0x7ff692487698,0x7ff6924876a8
              PID: 5556
            C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
              command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
              PID: 5868
                C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
                  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff692487688,0x7ff692487698,0x7ff6924876a8
                  PID: 5416
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 5956
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 5280
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 5788
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:8
          PID: 5512
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1880 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:1
          PID: 6792
        C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4700 --field-trial-handle=1920,i,16968180085737949422,10480723609641280490,131072 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses
          PID: 876
C:\Windows\System32\alg.exe
  command line: C:\Windows\System32\alg.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID: 4352
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  - Executes dropped EXE
  PID: 1988
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  PID: 1380
C:\Windows\system32\fxssvc.exe
  command line: C:\Windows\system32\fxssvc.exe
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID: 1112
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  - Executes dropped EXE
  PID: 844
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
  - Executes dropped EXE
  PID: 3636
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
  - Executes dropped EXE
  PID: 4760
C:\Windows\System32\msdtc.exe
  command line: C:\Windows\System32\msdtc.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 2952
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
  command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
  - Executes dropped EXE
  PID: 1268
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
  - Executes dropped EXE
  PID: 4432
C:\Windows\SysWow64\perfhost.exe
  command line: C:\Windows\SysWow64\perfhost.exe
  - Executes dropped EXE
  PID: 1140
C:\Windows\system32\locator.exe
  command line: C:\Windows\system32\locator.exe
  - Executes dropped EXE
  PID: 5476
C:\Windows\System32\SensorDataService.exe
  command line: C:\Windows\System32\SensorDataService.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 5564
C:\Windows\System32\snmptrap.exe
  command line: C:\Windows\System32\snmptrap.exe
  - Executes dropped EXE
  PID: 5668
C:\Windows\system32\spectrum.exe
  command line: C:\Windows\system32\spectrum.exe
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  PID: 5768
C:\Windows\System32\OpenSSH\ssh-agent.exe
  command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
  - Executes dropped EXE
  PID: 5912
C:\Windows\system32\TieringEngineService.exe
  command line: C:\Windows\system32\TieringEngineService.exe
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID: 6060
C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
  PID: 1384
C:\Windows\system32\AgentService.exe
  command line: C:\Windows\system32\AgentService.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5156
C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
  - Executes dropped EXE
  PID: 5464
C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5620
C:\Windows\system32\wbengine.exe
  command line: "C:\Windows\system32\wbengine.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5344
C:\Windows\system32\wbem\WmiApSrv.exe
  command line: C:\Windows\system32\wbem\WmiApSrv.exe
  - Executes dropped EXE
  PID: 5756
C:\Windows\system32\SearchIndexer.exe
  command line: C:\Windows\system32\SearchIndexer.exe /Embedding
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5156
    C:\Windows\system32\SearchProtocolHost.exe
      command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
      - Modifies data under HKEY_USERS
      PID: 5788
    C:\Windows\system32\SearchFilterHost.exe
      command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
      - Modifies data under HKEY_USERS
      PID: 5704
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3592 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 3052
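Two things in the tree deserve a closer look. First, the sample's first child is a second copy of itself started with a Chrome crashpad-handler command line that claims --annotation=ver=113.0.5672.93, while the chrome.exe it launches next reports the installed 106.0.5249.119. Second, every System32 and Program Files service binary tagged "Executes dropped EXE" (alg.exe, fxssvc.exe, msdtc.exe, vssvc.exe, wbengine.exe and the rest) sits at the top level of the tree rather than under the sample, so something other than the sample started them after their on-disk images had been written to during the run. The parser below is an added example, not code from the report or its sandbox; it rebuilds parent/child links from the flattened form the page uses (image path glued to command line, a depth digit before the ⤵ glyph, an optional PID:<n>) on a constructed excerpt of the lines above and extracts both observations.

```python
"""Rebuild a sandbox report's process tree from its flattened lines.

Each process line is the image path glued to the command line, then a depth digit and
the ⤵ glyph, optionally followed by "PID:<n>"; behaviour tags follow as "- ..." lines.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = "2024-06-01_a6e1eec4372ad80d154d7970915d0210_ryuk.exe"

# Constructed excerpt of the report's tree: lines copied in the page's own form, but cut
# to a few processes with most Chrome switches trimmed; the real tree has about forty.
TREE_EXCERPT = f"""
C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3256
C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE} --type=crashpad-handler /prefetch:7 --annotation=prod=Chrome --annotation=ver=113.0.5672.932⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2152
C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --force-first-run2⤵
- Suspicious use of WriteProcessMemory
PID:2720
C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --type=crashpad-handler --annotation=prod=Chrome --annotation=ver=106.0.5249.1193⤵PID:2432
C:\\Windows\\System32\\alg.exeC:\\Windows\\System32\\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4352
C:\\Windows\\System32\\svchost.exeC:\\Windows\\System32\\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:1380
\\??\\c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"c:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE"1⤵
- Executes dropped EXE
PID:1268
"""

# body, then the depth digit glued to whatever precedes it, then ⤵ and an optional PID
LINE_RE = re.compile(r"^(?P<body>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
# the image path ends at the first ".exe"; everything after it is the command line
SPLIT_RE = re.compile(r"^(?P<path>.+?\.exe)(?P<cmd>.*)$", re.IGNORECASE | re.DOTALL)
VER_RE = re.compile(r"--annotation=ver=(\S+)")


@dataclass
class Proc:
    path: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent: Optional["Proc"] = None
    tags: list = field(default_factory=list)

    @property
    def image(self):
        return self.path.rsplit("\\", 1)[-1]


def parse_tree(text):
    """Return the processes in report order, with parent links derived from depth."""
    procs, last_at_depth = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- ") and procs:
            procs[-1].tags.append(line[2:])
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:])
        else:
            m = LINE_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised tree line: {line!r}")
            parts = SPLIT_RE.match(m["body"])
            depth = int(m["depth"])
            proc = Proc(parts["path"], parts["cmd"], depth,
                        int(m["pid"]) if m["pid"] else None,
                        last_at_depth.get(depth - 1))
            # forget deeper entries so a later sibling cannot adopt an old grandchild
            for d in [d for d in last_at_depth if d >= depth]:
                del last_at_depth[d]
            last_at_depth[depth] = proc
            procs.append(proc)
    return procs


def children(procs, pid):
    return [p.pid for p in procs if p.parent is not None and p.parent.pid == pid]


def dropped_exe_roots(procs):
    """Top-level processes tagged 'Executes dropped EXE': not spawned by the sample, so
    something else (the Service Control Manager, most plausibly, though the report does
    not say) started them after their on-disk images had been written to."""
    return [p.image for p in procs if p.depth == 1 and "Executes dropped EXE" in p.tags]


def claimed_chrome_versions(procs):
    """image name -> set of versions its crashpad command lines claim to be."""
    out = {}
    for p in procs:
        m = VER_RE.search(p.cmdline)
        if m:
            out.setdefault(p.image, set()).add(m.group(1))
    return out


if __name__ == "__main__":
    tree = parse_tree(TREE_EXCERPT)
    for p in tree:
        print("    " * (p.depth - 1) + f"{p.image} (pid {p.pid})")
    print("sample children:", children(tree, 3256))
    print("dropped EXEs at top level:", dropped_exe_roots(tree))
    print("claimed Chrome versions:", claimed_chrome_versions(tree))
```

The depth digit is ambiguous when a command line ends in a digit (the report glues "…ver=113.0.5672.93" and "2" into "…932⤵"), which is why LINE_RE takes exactly one digit before the glyph; splitting on the first ".exe" works because the report always prints the image path before the command line. Feeding it the full tree rather than the excerpt gives the complete list of top-level "dropped" service binaries, which is the list to check for signature and hash on any host where this sample ran.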
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.2MB
MD5 924a1ad93343e09c7b60b14a10151e8d
SHA1 08abb1f60db26a763adf91ae415be01d09610162
SHA256 b91d6bdeb68502af990d14f08c0689e166621eb994cf4fa3058d7c52d560d997
SHA512 c21920b306540192ae7a81cbeb59ff844da71d8d814520976b5517427d0183ad1fe5ab530fe077eacd873f625b8da0b92785941ca6842844f8db3d717f70dd1b
-
Filesize 781KB
MD5 7a8c72b9b147ad3f2a052c55a10a64c1
SHA1 caad8d4d6b7c6c2f5501d52e095be8c380db154e
SHA256 723109e1c41f89e12666abd0145b39f594e146be5835d23ba0fe8f5d5d12ec28
SHA512 703bfeb11ff523d2a3156665f2cc9a2960a52cfb5bbf61d5aedc60091403f277963737a6fcc4aaac9d8014f85eb6c60c854b9e3c9f14cd84e721db72216d5a04
-
Filesize 1.1MB
MD5 1297a58b37dcff28ba18a10916e9c937
SHA1 3d6f9e42666e82126f09536fe4eab2f2b06b48c9
SHA256 afaae49d426014604293662d95adf7b47ed71143b4c9ea983b3a5d0386f96e80
SHA512 cc46649c230691461c80e4bee77b8037b50ee1748d9f5d9eed34e5ba0e4d63b52b25658c2aeefb927fe4aa33a33dc67f1be43bb8e6445660ceeb2bbfab910e7e
-
Filesize 1.5MB
MD5 6010465a33ae5442020a7148857da6e2
SHA1 c702b859706257b6af343695f191b957ccc01fd8
SHA256 458de595432163cb429bf5381ac17a160e517834887ebc486711015fa14e2132
SHA512 94ac675593543f9ab4937ca142a284f361fcb1a1da51ee4352ecf297a132af9c816d0c7c52587ea593fb4ea8845c87fafa9e5bc4e940b648a28f203402dd3d8d
-
Filesize 1.2MB
MD5 e2c5e6201b4f1de49fdd31d0de3c1a41
SHA1 7cdad8c7e4d93ab201eaf9f19d46dae8ae3c1616
SHA256 d6ee3614f858a19b85777a92118644a84638a77511e29081db094ad7bdb43e97
SHA512 9e1d9fe9efc04a9616759ced7a1b114c94c4898af0b02698b1f114d23cf3f2deec1c603307add9e90254c0c0c4ec49ef640ba3ca011ae4f97d75babedad1d9d4
-
Filesize 582KB
MD5 8ce7ce155a58c0556e6115677f6a2ab2
SHA1 55cacd1dd888c1eba1f86e49e4c2220fcc2857e0
SHA256 68e0b6970d12d3361bf9e4bd9f25686ba4fd5f880b48dcab93dbfb6b42995174
SHA512 18783416666fb9683cc47e2b22d349365c73ac3f1ce7853d4f394c4601e74930034dc418e5214d13c1cb26ecc86a9264834e2498909cb5c4e0e645586d9b1a68
-
Filesize 840KB
MD5 559a8cc9b7c667dcb7c080d8e5ae26ca
SHA1 6452704a17e0d090156dd4b2174f95e03b064e15
SHA256 481b1e915c72cdf98d43a8c90c930d47df97f834ab66a92c889e9ef8c76c789c
SHA512 a58a93a5626a1a8cbcdec0a38240f704f661081498ffeda11f7e56a8d47e9d7852742c7d537eeb36f12caa4101e8df841f4eab8eadfa87edde02e9f7217f3d77
-
Filesize 4.6MB
MD5 1887250118cd5771bf42d0b7ac32c898
SHA1 50ea80bbbb0d41349fa558b0e87185a299e26843
SHA256 a3ef373a40b67a84299416e9d0ce74421f527ab72fb41033a9c73f21fb56e0fd
SHA512 029a752b761cd2fe5211b916e1e5242e8ca672595b99acdbbdce86d61b268bc645ed8b9d06859a0e59b23357ee99611c7ba565dcecb6f4af1580821e650eab25
-
Filesize 2.7MB
MD5 273e7b4067df6ea341d7ce0a2651587f
SHA1 eef3b8b24b49685e7475196835e28c2a09c3fb59
SHA256 eb99d9872ece11f3e4689b33d7860606253e3b93713c544f9d0f0b6f65c5b7c5
SHA512 c9b10f9fe2f37f4c5f77d412ba73bf5d5bb9a0d3af93c7ccbbe7a665252c16c0385bee328c4dcefdcbfd40b492f4c1f60858423950cbc79399a8f9c4c36cf78d
-
Filesize 805KB
MD5 327e16c1389f9cbae2bb1e5daf60d1de
SHA1 3f9e0cc20977c1ec7da714711db6e9ab6821455d
SHA256 08d58d97eccc51a49897b7710889adf42bbf4eaa148d3f764c1fabf8f5e2ca4e
SHA512 8a1faa26c5c3eb22b87c9a8483b25b0c485672481d479b6f487e31b1dca13e2524a02422a072b771927dbe0d0b090b49c7809fba75700786d24477d7d914ecf7
-
Filesize 2.1MB
MD5 77c56d52c2925375721bf3ce9bbed5d5
SHA1 e63e3a2f520b22d68968f5bdf921a944635cb1cd
SHA256 6669886c9f02c3446abccc650ce4aff0cfeb3151e5aaa0fdc07b3cbbd98d35ce
SHA512 7ab05a9d4767661be68a91639c4d98e77ce0f7cd8fc6ad47d7fd0c89364922c194b969b047f8068b927903ac73732c46185a1a6c3f9c8759e9352c83325c4179
-
Filesize 488B
MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
Filesize 1.5MB
MD5 512bcb8e76969074775291ddc33541a8
SHA1 34fe101d6be2981428158213e271c7cc05e838cf
SHA256 ce00a8b096edff08d5d7aaeff056542d17fcc7077930e70343b519679e4b3c65
SHA512 b12fea26d7bc8737df8345fa33ff684895717e3efde5d2cfba0e411000dd2904d687e2de5126213d5ed1752892ff69cc54123e2a41417a98497b86fdd466bc7c
-
Filesize 40B
MD5 85cfc13b6779a099d53221876df3b9e0
SHA1 08becf601c986c2e9f979f9143bbbcb7b48540ed
SHA256 bd34434d117b9572216229cb2ab703b5e98d588f5f6dfe072188bd3d6b3022f3
SHA512 b248162930702450893a112987e96ea70569ac35e14ef5eb6973238e426428272d1c930ce30552f19dd2d8d7754dc1f7f667ecd18f2c857b165b7873f4c03a48
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json
Filesize 851B
MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
193KB
MD5ef36a84ad2bc23f79d171c604b56de29
SHA138d6569cd30d096140e752db5d98d53cf304a8fc
SHA256e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831
SHA512dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\CURRENT
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\1e3dd185-ee5a-4b1a-8427-ea6a7a9f4d19.tmp
Filesize2KB
MD5cc6bf671f74491a137953dbeebc305c3
SHA13a836bd65a4501a317d477809c0f947629cf0bc3
SHA25699a04a9589f361bd76a3c1a1f15608eded41decaa617b1249b08ee7ae3037ff2
SHA512a334d9d274c27505936916e9db4ef027a8d7ba1c5b5139918835439811d7840e5ba2f91ee6175b32ada4cd26c5c0b98fafc02bb3145f264f3071d692eef2aaf3
-
Filesize
1KB
MD597aa78ce7d1df6c9d13511c816061894
SHA104eb4b18e4e2c6f02e46466246b88335164eafc9
SHA2566059d94eb5c3c64e57dbf56691f92fc12bec6365c3ba535f0ab807759c61d471
SHA512d28e652f8778f4f114d863224d69129def010ffa3976c57a83b3df093fad7918a9ae87fd0cebdc21a4409950200a8e879bd4f69ce155eee579e2494f016b14d7
-
Filesize
369B
MD5ebea724c473673d7e864c55bf2f1c5b0
SHA1fab5832618da66d926a7ba52c9bd49c1140dd188
SHA256de2d9c227742d6d35ff58ef11da1d41ab8571aa3763bf8727e9afa4c72a421e7
SHA5124b0bc9208e5364913801e648e52031dc66f89a93e3d91170fb69b716c7b91635a0cd689c89f22fb245b7485ab828868117e2b23a0442fac0d8efa674681b8b33
-
Filesize
5KB
MD5f46c88241b305ed00956189fbd59a091
SHA15874403a7bd9f3dd331c25319c498217a22503d4
SHA2568aca0ee9972ad9da5a2d94330840b7e3728228fd5ed7a2af9ad46683c3725f8d
SHA5121a6e1327227c5c4aed3a75d977838eaaa268812d5abb9aad483c04b8b8e393f7faf34b199e1b3a34d4069085b82646db646ea82a0c468acf65aae84f16b140c2
-
Filesize
4KB
MD52bf157f2b0bb3f22f8489491532c41cf
SHA1008d11d00c73b4d68b22311cf2cec298d36e17fe
SHA25646dcde213849e0d5af51f7beac29e479491fdfc9dfed634efb7efad39b1912d1
SHA51218986c8a1b4b9a253c96391ed29b047f5db051b30981982867cd1bdea0434d3ffa3af9f6755f6a9ba77188a86d96cdcdf56bb6b629700c9c9b79161561954170
-
Filesize
4KB
MD591ab6f7b0a8a1eb5bb96e478724b87f3
SHA1934cfdd896b9cfd33abf1338ab6a0f527e506940
SHA2569b58381eb7e0c23ae01417ff8626888fb3648a1175cce349b40cfd8a993a85e0
SHA512eff2bb4a5763654ca5440ee7316694c8e4ffc00e7ea1439785a3f0ca157d454d594bf6c81b0e8c146cd8aff48ca3f081c7d3c8801f02291ceedf1a94633ba637
-
Filesize
4KB
MD53093d667315ad9380d7efedfcb11c876
SHA1609d7b31f171924afe612d9bd0f4116e8d451211
SHA256b337358fc348829a3580cf66c6ba1458ee5111101d4a69129e79a3b5b9441927
SHA512f7b1aa69c39d4d456ff56678cab9b012fbab93d9186e70638917ba4e3bc6886bc514f72a635b968d4423b9a7e7a21071fea5d7fb3d7b9aff84def2059f3cc53f
-
Filesize
2KB
MD504695aadffdaf28b5be826d27d48721a
SHA1ce79df7c80926a86b0e1a922a05bcab16c7620c4
SHA2560bc76b0a74faa8d4d25cfa28127c42750e86004af7a10d590e07a33a89726b51
SHA512aa3438c4a09ea9c0c52dccb6cba636ac99c11b47a5b78317869823d6c39bfdfa304f40e67867b8ca9c4269efaba12431ae59a1d54c671f38acb9e4fe3d23da54
-
Filesize
10KB
MD527d3bcbfb8e7dc1206f54050bb3a66b8
SHA1a024e440903dd253308bdd33b4f75e60f0747624
SHA2568be2b74204b69bbb6cd4f69954cbba27ac128fea7b8a92875cb9b1c1b5952ee0
SHA51225ba09d3822abf6e4df338aa1e872dd06468a4209d9682345d4827244bfe0188d315b625e42778eae0bea244cd34e3d1a489b4ab3d48faaa85a87542eeb5da74
-
Filesize
13KB
MD538991f5d56a8bfeef3e7f0fead91a9ca
SHA156463220c1df0ecccfe3070986922c66bfb8427d
SHA256d773ba477fa948bac3ecda9d4d4aad87c9daf183bdbf50818d1fdcd85f8932f3
SHA512d65b362a7d1dbb1b704c19e09b0173559b99a69e6ade2a9c7ab62896943ff06014dfcda38123cc27eb02e2d5525c36ae0c6886c6cf7f209bab62a489f08a4748
-
Filesize
270KB
MD5af91a827e5ec91b049d5409d163b0de5
SHA130d1379d689527163379a02924973d01f654aaaa
SHA2562bd6c0a0ce93093c8a207bb66069e83234a9363927f1bbc0eb4e65ef4f201c12
SHA51267a26a640e64fdef8db80ebb56a10186ba9f6df4850852f801bc17356440b771e2de5a9831e6b304e41352a3d37b67e16a736af563877e118682556b0fcfa826
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
4KB
MD5c354fe5c6d6e7901236f22c6e0e16627
SHA16063bdd382c281d3b48e7da4f0cf57f8059e68ce
SHA256f52bb3c63b9e063b12f6de91b75dded93ae13c9de4fc6ed439d513a6555d787b
SHA5128f0ec84942ea3a845d09075c866c0c7db0324e4002f3e3f976dae7cc3ed26fd9ee5c1e1bf8e17c37ec4a652836efeece86fb6326d026f9c42d8fb1c76038760a
-
Filesize
6KB
MD5ae893430c6018c7c4c717179887bac17
SHA1d7f3c6d5827141e487d5e3f485bed182c937b5b5
SHA2565399d2ffa39331902110cae7516cc2f8ab8e9c943edd327d9d84b6b88cf5c8ce
SHA512038a6402560ede612059d0308c13292252f5cb39d3d452b3a83716371b7ce7cdfc356205366df162972b50a7b58734e4247a43a8dc9823690f843a1236130daf
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir2720_1970733013\CRX_INSTALL\_locales\en_CA\messages.json
Filesize711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir2720_1970733013\ac4993be-cd17-4237-84e5-01e55ae7d355.tmp
Filesize88KB
MD52cc86b681f2cd1d9f095584fd3153a61
SHA12a0ac7262fb88908a453bc125c5c3fc72b8d490e
SHA256d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c
SHA51214ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986
-
Filesize
12KB
MD5ff50b226bbbbfe1aad72b65f3d98cd85
SHA1edca1c2a0b437b24f4ea66de4e982f3c60081d7b
SHA256640f8ded763457b89c4794fdaf65c09ed6a1eacaa9e5b60994f9fa6540268aff
SHA51218bfabd5a25863a6f1557e66907088858d8402554bf98810606e0e1bb2e6fb7c05bb8a81f489928ce1735f46bff66f67326b365d76ab93924160e54e0eaf3336
-
Filesize
588KB
MD5333b8155bedaf610e42860925fb4cf28
SHA104ce3cf7641b9070e3d10bea08b62f014426db3b
SHA256fa6b48531147c3129b8d936b6e5fff721d9573b35a829197a034f6ea8a0c0923
SHA5122214ea68885543de0baff4264a9dc79854b9d04733becd949594b384edea2a2e6a82c66cdbc80f9d7256c90d9a23d1db5b0b85d322ed545be55382b9a01384f9
-
Filesize
1.7MB
MD5fe85a878ee774da611e131039db4d397
SHA110dd1d8123d6506dac551b7be1ab850d2d3d35c4
SHA256f1ca52009de6778d882382846ac9e0612080bac3f8ecc24417eeaf9122922edc
SHA512015ee9a86f72ac2b5af3a7e22c7393ed01e790205274e2ff4e5f4dd87983b35ecebbe2d013924d30c24f14d619f9e25300cb12f4dddfa7dcca7e38ed8fc46da2
-
Filesize
659KB
MD5a5a0962141a0b5a1f2d8828159c54f86
SHA17c17991f599d88942e57bd445a83f335d77ed033
SHA25693633b66e6e01689090b165395b798a537673d6007311a12d1109e95bd631683
SHA512ceb5e72a60b79521624820565a2c1ed280390c1da69659482c7b1e7cf4e56ac6c0d4d92d7e68180501ab62a4a0dd59e4b2ab2567fb086ef8410846c2ae738d7d
-
Filesize
1.2MB
MD56c9d6429a9c72eee9eab17753ff66f42
SHA10d85dd6da5fdc89c2014137b7f438b8c41d05cc7
SHA256ab8a35192d0da73138d38c235d622a68b362ffefbd178991b0b9366e4d73bcf9
SHA512ddb6ed581cd715c9131ae10ceab96eafb3528a7fcb7db1b8c1726bf0d55a913dc8d5e6250cb255c33d3a5814f557dd4ac8810005b13b826fe468d13356a71f88
-
Filesize
578KB
MD50be5a6e0db0a77fbb49ce9beb21f427a
SHA150dd9772c499eb8ed984f7cb01efaa6d5c04f626
SHA25650a98c44586a2c34f5f291f3eb01c5e0c9ecbc800cd6f7623bd790fe43f1cf0b
SHA5120820eb97a29f0c49ced95fd1ca18efc2ad465a1f15dc35f47db6c248759b3bd1000952e08f317d531b1d753072de05cc9ac957c6148f67a3b8a2832435b9768e
-
Filesize
940KB
MD5c4618c11ed5fd9f91cc9518e62740194
SHA1847810441fc135ce7442de501a369b4863676192
SHA2564432c4bff7d8a5472276c1f217130efb88f627d951c92ba0be20fa8840218c1d
SHA5125c0af64bcc6d85051e5f998b283f0357ace68e3b2f3400d8fe345b2dac47dce0bdd52da9fb3e98194a0a0ae8c3b3a41771a169c587051e9f6ac56e42be8ddfde
-
Filesize
671KB
MD590928d035fef4cb9923b3504109776bf
SHA119b0b460005ebaafe2e21cb45aa442752af64e1a
SHA256a22f7f4d7b481a64eea64afd3b17468e5d90c60cccf1356e503b33443b80e160
SHA512e081a4925a70769f050a6c827e553f0efaadf940c71252fb5876b7136b373c52927a038614e7ea11461b50fe22769de7628cd8b6af284329df1c06dca3ba8f9d
-
Filesize
1.4MB
MD5f0d64220155fc7057b89a136f9d85045
SHA1421bcfda76f428624b9ac6460bac7277f496432b
SHA2564cb84ee506a471d6f2cb93dff53d10bc2c26c506a244e585a66440d55649321e
SHA512bd6fcf47c28edc208fbda1ff2ef2838ae572d29a555bf2392cc478cf93320b14b245bc00385cca0bb4f1fad4fc8d314c9a463d2e5417a0c52931016760fd5199
-
Filesize
1.8MB
MD56472b077c4361eed994e491c037a8897
SHA132546f17d27e33f11a392dff262d38eaef437372
SHA2569499ea9aaf9dfd9398095ce3ba49f0e6cf06c6a12185e164e4e57447fe51835e
SHA512d6f508ca46c0158e7d49dab307c9f89f37bc231b8023aa3f99f8fce96454f3cf985f7f317eea5698a79e3848e2654159ee80d08e3f2bbe7436806c8e8c77cf33
-
Filesize
1.4MB
MD5bfdaea53462419371128e1d518d79626
SHA16286ede3a63f25a65acd4ffef07bae2d773ad893
SHA2560703736bcf82b657504d805c067ccb307d85711b26ad6505478ba9ed3a996507
SHA512d221883e172fd9223402144caadb5772e83c0e6f4b964cd0c5de652997027226e096fdadbf1a1a69e38daaa65ab48fcb677ea0aa2a7a7dad366823f32ef881c6
-
Filesize
885KB
MD526bfe672bc81ac8fb4356099b13c48ed
SHA1a5d29a47a6d123018712185eb64bc2203cb7282a
SHA256c6950ca997b2792117d5a4dceb84c88db724b2f58e9c0f2ea3b0f78bb2ac76a0
SHA5129a9201e226a2361ce9364a396bd4bc9e87a01395294b61c69245da3231159ac667ac96fe3cafa76e6f5d1aa9b9ce08e1e543e2fa896987248b50b0cd52f67d68
-
Filesize
2.0MB
MD5050b0c41371d479253f6e341c540ce05
SHA1e350570a245c77fbb90c32e5d3263fa702fd1228
SHA25679b81ae944332ce2ed716f2a754c61b6d3754d94ada2412d9f6c08d41f5767da
SHA512609e3d539f4d0352f613dd68bb08f0a16b897ca8d242e23d8566f36b9379147c1933670d5db131456204eb0f6a7c2228f47991e06e646e893428d090a0a3fbfd
-
Filesize
661KB
MD5ef34cf57a62d2a4585bbe2a377dc903f
SHA1f342260ad44fcccad0b9cbc1dc780872cd7a828f
SHA25696b6e5d4d3700b232cf03271a218c409d5746486728c3e40507d3540b127b419
SHA512a91bb4283343a2e68ac0be736537339ab1f7509455ecb1d90803b6e6373ce3b06645aedcd885a2ad7e653d6b8cc1acea32db37d5438e72794f23fcc1c12b264d
-
Filesize
712KB
MD59e5f491f0d65686cdfa815c8a7caf2cd
SHA1ed8478eafdb38425a5acb02b2a4a0f1f275d36de
SHA256f3fe5016fc9d4930310fea0e4a90ba37e67ef50986b5e785e548d2fb2f067660
SHA512f3edc812e8fc2acd974500ce34fdb4575e4a1b2c2029c12821132c5379b46cc5d86c657631ec18d6f23daf276573351654d8806850c73855b63e754e54a43e11
-
Filesize
584KB
MD52c03de2c63d54434b312aa4cad8c3555
SHA1b651057745456a239ddee5a19ab10c9d9310e229
SHA2568e3f60b33425d9e06b893f78d090ac8a116408e63a260cbea0b3691a2aff0b10
SHA51274a4afb7e64f976c6e48754fb49726fa5af206e8e2355dd31fcfac222480fa21237b855e56ab8ec1693efd59fe7abf8751446f7efe3f6d70f391b1db7d18c3aa
-
Filesize
1.3MB
MD5a64fa476947e51c81d65a4e03c9c8016
SHA1c8ca971b660f8ddcf2fcc2a6b4f92e71ed9f82cd
SHA2562d7b4194e077591633c4b28c70337e17679a06a26fbed14c49067934c570cbb6
SHA5123aa4a629c78267b217db48478582d086ea891b7fda43b18edca43572c291cc4a1169ef5aa3f053c8d1c2f127782f1d397d44703d43aed3377cdae8debadc8724
-
Filesize
772KB
MD5c713d6661609478baeecd6346d7ccdc4
SHA15038934ad9238ce2ff6b94182e76335655d60e44
SHA2563f5a7d3fd46a0ee2eb68d43429af5aa45d5559a5a329e686f925995fb0d6ba26
SHA5127ba9b15f869cb4513902faeb715475c43af45b70c6e14b0d77729149b9213f9d74cd393556e4350b9de7160e7badb2b68a2968f336ef440703e6c66a396de610
-
Filesize
2.1MB
MD5ae7a65721af25173069fdfd6f7376504
SHA15017dcc30727862a5bd2e5e09ee8966909835fbc
SHA256181ed3b9e2eb2c2e466e7e4c46b4ecf5fec4b81a9f1df724ce0f99d0de0456fc
SHA5124a587b5ed64ea7851c2acc4a0a7c7d5c3ae81f70a6e4f2a7bf379ee07ff7b78c21213c8f621cdb94ed5ceb1140d5eb615a4ca91353742d9e1fcb4ddde6d57e92
-
Filesize
40B
MD50e1a0df5323f02fa141b11070035f203
SHA14662c48107aebe02429f78dc0ab4328f88ea9e8f
SHA256169bdddd028372b9c8dc1bbc8bc1a48dce9089467cf7c3b5967ebc20713b1bb7
SHA5125ef418e1f48b459f21f15f8462fceebbe5da2e16ff4cd02a614a6a508c1a9e28527c0d0778840600c85ba60d412de91e754b3aa0173ac4db70460367a2abc6e5
-
Filesize
1.3MB
MD569e12db29f4f26814405440fb11a08d5
SHA11d5d424b1a362955aac95fe57272dc3c3e4a2720
SHA256667300e97ebc3b33790aa0f2a7909c0f647a7e2d8a082d96022940e439fc97db
SHA5126951f1186e9ca170c754b7663b4569fde7f801a24afb70c01f0478bbad35fad2ff898f99429953dc7f2ddcdd4a339e1473280a3752567dc9f4584eb3ae7758a6
-
Filesize
877KB
MD5455f232b29c9086f30a7c1361d00c437
SHA1b0d814569e1acf22302c4cfcc477c54ca8b0b945
SHA256fa048da304830633a185839b90bd1503f50b90775f11250115e9c82396950e33
SHA51226c1974ed460ec2c5ce2eb16789e1bb7e20becf998c89b30e5f3934542fb9b61d7d54021d6ef3a629eaeb357583b6ceffabe77cc4292f72dbcff6f9a6c84c40e
-
Filesize
635KB
MD5bf8f25d7b3a0685a476a114f8dae6a03
SHA15934d151807b481969b0e36b70debcbae4adc82f
SHA25660cffc0ffd4cc22d559e27d64fb2e9aadf7ebeff67e79cc7bb31a6b037ab9b9d
SHA512542d79c128e4cd31161ee3c98567136eeda1f4b6fa3c8dbe8d3238890fa179448977048c3da51298280470e689f468ffa9cf14496078a2cd549aa8063fb675ea
-
Filesize
5.6MB
MD59a644aaf8230cddebb85ba0920af19f5
SHA1c9fec793ef51d5e0665d74dec3cf797efbc82f02
SHA2563983410320953a2d065a2594e0a325b114161053200095367fe0d95f0b288729
SHA51222624aa1b368b5e47f7335e15ace1a1e87c3faa0afd9e2385b984b396881fd1049f9d6961a5b36a7416884fdf880a0cbe878c453ed6fa3e0ef82d858d6d69a29
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e