hxxps://cyphercall[.]net

Analysis

max time kernel
267s
max time network
268s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11/07/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cyphercall.net

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
6000	CipherCall Sentinel.exe

Loads dropped DLL 5 IoCs

pid	Process
6000	CipherCall Sentinel.exe
6000	CipherCall Sentinel.exe
6000	CipherCall Sentinel.exe
6000	CipherCall Sentinel.exe
6000	CipherCall Sentinel.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	api.ipify.org
28	api.ipify.org

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651946159545904"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ciph..tion_b47f9c7562cb8 = 54007200750065000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4\Applications\ciph..tion_b47f9c7562cb815b_0001.0 = 68747470733a2f2f63697068657263616c6c2e6e65742f617070636861742f43697068657243616c6c25323053656e74696e656c2e6170706c69636174696f6e2343697068657243616c6c2053656e74696e656c2e6170706c69636174696f6e2c2056657273696f6e3d312e302e322e33382c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623437663963373536326362383135622c2070726f636573736f724172636869746563747572653d6d73696c2f43697068657243616c6c2053656e74696e656c2e6578652c2056657273696f6e3d312e302e322e33382c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623437663963373536326362383135622c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr..orms_2a8ab48044d2601e_0001.0000_none_e3edd16662dbdc17\lock!080000007ed2580ecc0a00000c090000000000000000000 = 30303030306163632c30316461643362636431393436366262	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4\lock!0400000027d6580e7017000074170000000000000000000 = 30303030313737302c30316461643362636462653836376438	CipherCall Sentinel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\HasRunBefore = 01	CipherCall Sentinel.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{06AD94C8-D68D-4083-B314-7CC98BFF9FA9} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\ciph..tion_b47f9c7562cb8 = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200680074007400700073003a002f002f00630069007000680065007200630061006c006c002e006e00650074002f0061007000700063006800610074002f00430069007000680065007200430061006c006c00250032003000530065006e00740069006e0065006c002e006100700070006c00690063006100740069006f006e002300430069007000680065007200430061006c006c002000530065006e00740069006e0065006c002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d0031002e0030002e0032002e00330038002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0062003400370066003900630037003500360032006300620038003100350062002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f00430069007000680065007200430061006c006c002000530065006e00740069006e0065006c002e006500780065002c002000560065007200730069006f006e003d0031002e0030002e0032002e00330038002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0062003400370066003900630037003500360032006300620038003100350062002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e005300650074002000760065007200730069006f006e003d002200310022000d000a0063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e004e0061006d00650064005000650072006d0069007300730069006f006e0053006500740022000d000a004e0061006d0065003d00220049006e007400650072006e006500740022000d000a004400650073006300720069007000740069006f006e003d002200440065006600610075006c0074002000720069006700680074007300200067006900760065006e00200074006f00200049006e007400650072006e006500740020006100700070006c00690063006100740069006f006e00730022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e004e00650074002e005700650062005000650072006d0069007300730069006f006e002c002000530079007300740065006d002c002000560065007200730069006f006e003d0032002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022003e000d000a003c0043006f006e006e006500630074004100630063006500730073003e000d000a003c0055005200490020007500720069003d00220028006800740074007000730029003a002f002f00630069007000680065007200630061006c006c005c002e006e00650074002f002e002a0022002f003e000d000a003c002f0043006f006e006e006500630074004100630063006500730073003e000d000a003c002f0049005000650072006d0069007300730069006f006e003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300031003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\newt..json_30ad4fe6b2a6aeed_000d.0000_none_88c266d3a	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows	CipherCall Sentinel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr...wpf_2a8ab48044d2601e_0001.0000_none_7e11ba0814ab3acf\implication!ciph..tion_b47f9c7562cb815b_0001.0000_38 = 68747470733a2f2f63697068657263616c6c2e6e65742f617070636861742f43697068657243616c6c25323053656e74696e656c2e6170706c69636174696f6e2343697068657243616c6c2053656e74696e656c2e6170706c69636174696f6e2c2056657273696f6e3d312e302e322e33382c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623437663963373536326362383135622c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\newt..json_30ad4fe6b2a6aeed_000d.0000_none_88c266d3abb85860\DigestMethod = 02	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families\Gi_ciph..tion_b47f9c7562cb815b_7dacc6167de0569b\LastRunVersion = 68747470733a2f2f63697068657263616c6c2e6e65742f617070636861742f43697068657243616c6c25323053656e74696e656c2e6170706c69636174696f6e2343697068657243616c6c2053656e74696e656c2e6170706c69636174696f6e2c2056657273696f6e3d312e302e322e33382c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623437663963373536326362383135622c2070726f636573736f724172636869746563747572653d6d73696c2f43697068657243616c6c2053656e74696e656c2e6578652c2056657273696f6e3d312e302e322e33382c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623437663963373536326362383135622c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	CipherCall Sentinel.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..core_2a8ab48044d2601e_0001.0000_none_b64ac22bbf236049\DigestValue = a1e096c6842b9f443679f47e321379d15e1f93c77fd0b6d32b9eb0e93e25ac89	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679a = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\SubstructureCreated = 01	dfsvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "427568869"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\micr...wpf_2a8ab48044d2601e_0001.0000_none_7e11ba0814ab3acf	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\newt..json_30ad4fe6b2a6aeed_000d.0000_none_88c266d3abb85860\SizeOfStronglyNamedComponent = 9af80a0000000000	dfsvc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ciph..tion_b47f9c7562cb8 = 32003000320034002f00300037002f00310031002000310038003a00300035003a00300035000000	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\micr...wpf_2a8ab48044d2601e_0001.0000_none_7e11ba081 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\newt..json_30ad4fe6b2a6aeed_000d.0000_none_88c266d3abb85860\lock!0800000027d6580e7017000074170000000000000000000 = 30303030313737302c30316461643362636462653836376438	CipherCall Sentinel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "OXXTQTGBBAR8H801L7C7OWOR"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4\identity = 43697068657243616c6c2053656e74696e656c2e6578652c2056657273696f6e3d312e302e322e33382c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d623437663963373536326362383135622c2070726f636573736f724172636869746563747572653d6d73696c2c20747970653d77696e3332	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ciph..tion_b47f9c7562cb815b_0001.0000_38437dac6df32c2d	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\micr..core_2a8ab48044d2601e_0001.0000_none_b64ac22bbf236049\identity = 4d6963726f736f66742e5765622e57656256696577322e436f72652c2056657273696f6e3d312e302e323533352e34312c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d324138414234383034344432363031452c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4\DigestValue = 8789161b5df4693f4b95a9c6e216d8b3b0a2420adf6ec0c44ceade9c208b3c92	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\newt..json_30ad4fe6b2a6aeed_000d.0000_none_88c266d3abb85860\lock!1400000066d6580e7017000074170000000000000000000 = 30303030313737302c30316461643362636462653836376438	CipherCall Sentinel.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\micr..orms_2a8ab48044d2601e_0001.0000_none_e3edd1666 = 01	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4\lock!060000007ed2580ecc0a00000c090000000000000000000 = 30303030306163632c30316461643362636431393436366262	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "427548936"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4\lock!0100000093d1580ecc0a00000c090000000000000000000 = 30303030306163632c30316461643362636431393436366262	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{3f471841-eef2-47d6-89c0-d028f03a4ad5}\ciph..tion_b47f9c7562cb8 = 680074007400700073003a002f002f00630069007000680065007200630061006c006c002e006e00650074002f0061007000700063006800610074002f004100700070006c00690063006100740069006f006e00250032003000460069006c00650073002f00430069007000680065007200430061006c006c00250032003000530065006e00740069006e0065006c005f0031005f0030005f0032005f00330038002f00430069007000680065007200430061006c006c00250032003000530065006e00740069006e0065006c002e006500780065002e006d0061006e00690066006500730074000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	CipherCall Sentinel.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\CipherCall Sentinel.exe:Zone.Identifier	dfsvc.exe
File created	C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\CipherCall Sentinel.exe\:Zone.Identifier:$DATA	dfsvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
5252	chrome.exe
5252	chrome.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
4344	MicrosoftEdgeCP.exe
4344	MicrosoftEdgeCP.exe
4344	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5108	MicrosoftEdge.exe
4344	MicrosoftEdgeCP.exe
4364	MicrosoftEdgeCP.exe
4344	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4956	4944	chrome.exe	75
PID 4944 wrote to memory of 4956	4944	chrome.exe	75
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3080	4944	chrome.exe	77
PID 4944 wrote to memory of 3100	4944	chrome.exe	78
PID 4944 wrote to memory of 3100	4944	chrome.exe	78
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79
PID 4944 wrote to memory of 3968	4944	chrome.exe	79

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cyphercall.net
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffefa949758,0x7ffefa949768,0x7ffefa949778
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:2
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2788 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2796 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3896 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:1
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2988 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4400 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3588 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:1
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3084 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2972 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5036 --field-trial-handle=1832,i,12304801891505117953,5594387056198527325,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3184
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication https://ciphercall.net/appChat/CipherCall%20Sentinel.application
  2⤵
  PID:3880
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    - Modifies registry class
    - NTFS ADS
    PID:2764
  - - C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\CipherCall Sentinel.exe
      "C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\CipherCall Sentinel.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:6000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4\CipherCall Sentinel.exe.config

Filesize
187B

MD5
43b6c94c2bb6b358de50705b8dda7f25

SHA1
b4f64ba98faff50c96d3285081723ab387746262

SHA256
89b4898415adea44f58dc837d166c05c26493b3cbaf7dff351d8069d7b3983dc

SHA512
2c07e517cbe69ff7ad7e1c952901ea1049019d61ea647cdbef450467c8e8a4c0000418245924b07e8c62001149f11ce1386628937af3f80327a9381b3326c031

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\ciph..tion_b47f9c7562cb815b_0001.0000_fa2972682fdaabef\CipherCall Sentinel.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\manifests\ciph...exe_b47f9c7562cb815b_0001.0000_none_f5b69679aacf5ea4.cdf-ms

Filesize
33KB

MD5
85dabf6df6b1a356c49e8c23e5d11394

SHA1
e536621cd622c44256e8e0107bc07300beb947f4

SHA256
1e7d2552084b21df87bd8ef3ab67933dc1e73773d48fff78c2b86fdd07479c46

SHA512
88b34a2dd406bc0aeac3d3b6f361260b4906a90931f403d0f1b63535cf177d44f0070e5d28e550a100ba2b50da86960504a53f0772e134220c9c8831a4f7fc93

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\manifests\ciph..tion_b47f9c7562cb815b_0001.0000_none_2f1b5623e4de31d3.cdf-ms

Filesize
23KB

MD5
e7ed15b50c4e5082b39dd6cf68ab7205

SHA1
637c5d3483456650bd23d67b79a9c29974564f2c

SHA256
1df01bd1f65f3ade67845b9f30fc6f56c8242973040e5e9227fe7015eb408291

SHA512
5a8eb0b2e947ea1c8eafe6b53a1a53540f96699e8bb4ffbe344000d7aeaa50c2844ba2555ac4fe057485e0da86534275a3221c672a914b614aae8f343fe06669

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\manifests\micr...wpf_2a8ab48044d2601e_0001.0000_none_7e11ba0814ab3acf.cdf-ms

Filesize
4KB

MD5
2d1cc52bf4172b02efb48ad97190d618

SHA1
6717d13d936bfad060ebb9887d58f551e12714ac

SHA256
5f9c53a0b0964b3a1177d6838a91eccb498abd7a904bd7a9e2d2ceb9fe0e8ba0

SHA512
d01196ea8e4a3c7a971de2d0d6d2f786a7db8ed6d8a80a0a9c7bdc8ee5eafa591c2428d786058120e52dabe68474fb071c5d599fbe19ef4752c78223b83caa9e

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\manifests\micr..core_2a8ab48044d2601e_0001.0000_none_b64ac22bbf236049.cdf-ms

Filesize
3KB

MD5
fbae5cb916f0c8081ffeda5ff4b847e0

SHA1
4644c22c83af35bc40a1241d1c842555a5347b0d

SHA256
29b53d75e2627045e6b37c0d59a8f920294891126049bf3f1417ecdfd5950091

SHA512
53d64500c835fba303f7a32a9c7267fc6ad7cc92788c08b40a678a972ec63a9baaa024109e1733be1df4ada1ff6952b307277d3a9c50549ba817c2e7d8b4fff8

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\manifests\micr..orms_2a8ab48044d2601e_0001.0000_none_e3edd16662dbdc17.cdf-ms

Filesize
3KB

MD5
3b7fcb17cbbccc278c95b7e71d206af8

SHA1
979ca4d907dd9db9898ef4cffd114563002fa11b

SHA256
4b2536debbbda33701b0ffb22f3b9e85dd990361619147d294e7f6a4bded0817

SHA512
1a048327e73c3006f4809c9e0a1cb6425d0f9c0fc0f9f1297c61429955a0d0b2f531ac0bc235428fa85c27ff4396bc4981690a38cb965f4c21a06da149c63a0a

Download Submit
C:\Users\Admin\AppData\Local\Apps\2.0\OXXTQTGB.BAR\8H801L7C.7OW\manifests\newt..json_30ad4fe6b2a6aeed_000d.0000_none_88c266d3abb85860.cdf-ms

Filesize
4KB

MD5
55fed5278c847e61945e7167122eebcf

SHA1
bfd75495c803148d0246a512a4b2d707bab1a621

SHA256
754fac43aab0d0bb5e95fd6826ad20e14aeb86e5e5cb40899f78213d647a3b2e

SHA512
1f427b636044bdeb7918d7154d6488930f80fc1e06bc854aff5d3d1107110c714e517e9e5e95392734d9ef6bcc077e9c70b3308f7a93dc3838851ac8c91ce5ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
49eb90dd2da3837b1f7f75791a858efd

SHA1
76d997fa80e28d6a9cbe44cca70f699cb174cf68

SHA256
7d76b0e47df3a484dac9a8e2c661d08b6fac7470e51ce1ccc591f249e076718a

SHA512
1c8c6382faad9b18276ecea21b23e57dccab3532553b189084702d9fcc8c98da5d6af1f9eade24a7164ddaa4116cb76cec04beea282f56178e28263041aef642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
91d4b26bdbf3aa1648912d1019ea6185

SHA1
3eed722f5569275f133f19c2ab7f5231dc13e689

SHA256
226bfa28443e69c5c911630691e6a3414c7373c67aeadf50d9f027d9c7d9acb6

SHA512
f40208437e0daa6ecd5f9f4f5022abbd4a5d84b67616b157c11cb54d8e5434a0e36b569578d160199e3567ef5c007cc5a6e5de6c3423c98bf0492e6c32d1810f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
2769ca3b30e9071e5c4f08e5d05e8360

SHA1
bff5ddfbaa9c54a690e6a97019ad19e2055ccfb1

SHA256
945c9045956384687042f2c6dc706b5e5f9df44917043190eec603c9d902d17c

SHA512
68fa44bbbb74f4ad36a1ee4dcf11b4ce56a0e31bef6a8ce787e9dfa1e5dd14c65a1f04c1f38f53d8f3175382f1b4b5eb6fa64a62d0a26c828dfb634dc303f640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
da60eafd31d1a1bc2456bd99619e753b

SHA1
789c0c71415f90932fa15cfc04e76258e13d0686

SHA256
4c7df0c45b46f86858e24548216b20498496144137aa8a82807c3f95962164d5

SHA512
48819e7f63b3640a31801245c914a81a4caff248c0c2013e69c0946c32031f7227661d2be456c476b21f08f43434a0d8e9afe2c30e517ba64ab029522192728a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
bcfe2e6283d7f66491ab298677c6dbd9

SHA1
bb2731f5a1e3ecd665804344cd9adbd9b65e2cae

SHA256
0d07e481621100ea1ca339345cedc718bbc4b3c8be7737b38312c92b959b6f4d

SHA512
d340cf18da7c9110b8fca6427091d31b39a537ac3a408a9e4aae0b564307cb4bf3b2228e4d082fcad646a12d983a8c9a7cdd8924994a83613b85327969750c99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7dae9d59440e470e3b387c449e34ce39

SHA1
1445e80b08d4c86c2f0062923d477e50ab39b0f9

SHA256
0a408edce645487bf239304fb8e6be6dc22858e0758ef6f18d598ba602bfebb6

SHA512
1b89a6f84cadcf85e737ba712ff8a427fe79bc1b07dd8694bc6e519797ba956171dc0b685218c0c6275fb4df66896d28b645bf28513e52ae23a2676bcddcf3fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2cdf51708620d33e5c4ee48426c039cd

SHA1
6fb07e847ae2bc47d0214e6dd14d47f8f2f2b830

SHA256
9f6eb916449c9bb1e6c21d1b8b244fbf0eb99987c445be6aeeed5394022e5107

SHA512
604f31c4f7ce9d9e9c39dc779aec068f69a2943ab53419d5092d6778a32e6bcf7b7c6ba263d47f1e0ce7a5b433b3219c3113c18ef11daf587f71cc2ae534f921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
64e4e3ed8740c32fd9bab9771a57c1de

SHA1
3874cfbe3ab173d3e84bab273a3759e513285c30

SHA256
c7706d2751265d0baec73afa0329a3a9c40fecff71056f38b4429239d3862c28

SHA512
499fc4e470834fb258eb830f571509917387fe0f00705074281ada42ac813adbc4f77ef522da1ba118ab52a457cd88d3081efa636400e2558b10fbd6db497519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4d66db3dc2b3bac95cf74e4a3e4deda0

SHA1
f7c9fe97b1cd91faa09683f2d3e8ce2bbdddce32

SHA256
a558484923114cfa8cfd4311a9e92715ef143116d8eef700abf3c2996832e0f1

SHA512
0524dbb351dbb180878b233772cb79f61a241bb384fc84677dfaf82ae5e516f80e984dcaa0eb7ad3cd5a95657fdee609fe11a3e4ccf0e102b8dec93d1c16b1a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
25568169392013a0a8bb58d48d5ad055

SHA1
98e235760749ecd71cd6186127a7bf0eba25115f

SHA256
d672dc31ea086bebe4d2b7bce92d231be1235153277281b480148de3d65f6bd2

SHA512
245c03626faa355b9bd9a76b485a214c74cbd8b30fc28715067bdbb8d58615dc19d8f48999d6134731144e1be3eba0b62f2a137118d9738929ce4903a6e83161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e8e7bbc0b484a35b26b1df631d2bd77d

SHA1
32ff300f66c43fa119dd5cca791e63e9a38e4839

SHA256
fb981fcbf71c0fc0ebeb08c77dd6a9934599e2fecc097dacf79208d70692bbfa

SHA512
36b0e1d145809c07960794c9d3231032d5c596c599adaab82d8e24c77f389c2803df930510b04909aa0f507bcc9164422a8de675d34566b9d36a77a0e4ce322e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
a42299baf687806b0eb7869e6456c9bc

SHA1
5f476cf694eca6268b3f161bcc8b9daa16702a6c

SHA256
325205d21fe82804e8f159becfe83c1114e2b13e56bd25e4bb4ad7bb9a61a95a

SHA512
3821b06ef6c6a5c8fc2f5de0599371b8f5f998062735ec2d8a4f6e2c8ff6783dfa54bc6c374a0cd71133045845e831eee6218df02cfcc0a02c8b08110c40fe42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
842c8f28d8fe8897a753251c5a6a609b

SHA1
7d7835ae7de0396ce1847cc807ad80e3524cef29

SHA256
a3d084a6170f83a1f5ce7b490c10bcd02b95ee8ede64208e9e44e8b581dc0d0d

SHA512
f6cbb4581eeca189876522ef07c89539e943f63c089867cac707417bd2b239c595b1e74d298bd669bee862c768190ea903b5cc6da6a50505d032d52fc11584d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
f3422627ce46f79ea9fb020897f3db5a

SHA1
bf46c436d182faa204c61bd0ba7f1d7eaf74afe3

SHA256
f8e572aa0237fb8841469d5db0b7da05a9175d86c923f9de94b4806d3c19f4e4

SHA512
1cc12649ef4b035d36609a91cc0dfa6578c32cb5ac226289f5f82e40a9f3a8cfd6c0cdd1bb1d4f37be8da1f87fa71fc3bfd61bbb17b89d956e29ab3659be2896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
f58d7d5b79ac5e1cb3625438d773b316

SHA1
47376f3a3e5e5f305887f547b5a6640a471e9b81

SHA256
f70e2341dc20d4c1437af3582127b74f6ae31772258308d8d62ec96e849de9ab

SHA512
197395529a27bc1ea30c656cb57a39af08312115fffe137d8221523d5fa8622b5ea34952040d18cb39a57e95dcbc653ddd4f40ac1fd92a0e56f8ff858195a577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580de6.TMP

Filesize
91KB

MD5
22fa32aa62c34b0bf3c6a84746940811

SHA1
709ad3b71a4d99b2752ba8d63bb8c94dd1718282

SHA256
ba0271fc48cb8de3ab3ca724553df3cb0efcce679354d1c5da459c60f6a221c5

SHA512
862416adf73fb225c7130853c5e930b5d05f67755e774675c1f63c5d3ad08f282d13a81ce3dc9b0a0e5e1a24936d93f423e176e8953af3b37253164c1968728d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PZD0T2PJ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\VZYWJXWY\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF39589D8257B1D516.TMP

Filesize
16KB

MD5
c38e72fd108b2a6804f3b913b82d5401

SHA1
6cd414f59f09a96f2a5fdf459027cad1c59e0280

SHA256
8a4f7f8b1e8a458d821d04361cf3b2d61250e9646c9cf755ac664b3175c87a50

SHA512
183f09e1a6154bb771bb8e35c6b5da77b099bf44572ffa7cdb6af648068f585ceffed3e29599b50e2cdd91f9ba08e30614aa6fc60a012c2f270864de09205d65

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\3MEZIL27\CipherCall%20Sentinel[1].application

Filesize
20KB

MD5
84038e8c2eb416460eeab94667b92281

SHA1
228d91039d6a165f67f68ff72199baf6a8e3cf7d

SHA256
e561520e31e78972e96c7d4d821c0bc2d2bfe970ea2dbc22bbbea84235db64c7

SHA512
21131440d53d50b18ad6b3273ac64f18030e0241e280196e1e9faa615c26e97e901c73d441431cc5d51ef977e9eade79820193ee993032df4fe842a1d0ba77a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\CipherCall Sentinel.exe

Filesize
495KB

MD5
8bd7ef603ea807bb75d2cd3d9aa2e54e

SHA1
5ca83e4377859941190155dfaca1a22ebcead4c7

SHA256
fd5bb027e3cd332b37bd964b58d7809f638ea50a2586c04839c9ec9846b6f847

SHA512
8ca67ef67e5fb7d7dfb04f0cf49c465b8c5a4d71bf56371758f3e15f9d1768ba51fca7ebe5893d548b069072ea9b7d0747391fc7354f858aaefd9dc9b3100542

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\CipherCall Sentinel.exe.manifest

Filesize
27KB

MD5
b3e17b64fc9f6b0660e30934a132c80e

SHA1
40498ffde39ce977029439244ff1636be9cabc47

SHA256
8789161b5df4693f4b95a9c6e216d8b3b0a2420adf6ec0c44ceade9c208b3c92

SHA512
ba684b8c80f9c2c9fdd003a7c989b305f62107c95aa2086234bf3d182fed9ef51ccef2862efe89b08f004859ca07155dfeb634ca779127630b368a2f12945646

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
2ab84dc690059b2bd34d2f00561d6af4

SHA1
49b665b40a5ae995edfec80caf7e409c9795e9dd

SHA256
a1e096c6842b9f443679f47e321379d15e1f93c77fd0b6d32b9eb0e93e25ac89

SHA512
80d1c0fbe937655f1e78549c4bdaaa7d8aa55a74945c16f3663fe270c0a715eb7f89dc66490a0164f33444aece768a41e894bdcaa50ce2f88a6dab77b9809afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Microsoft.Web.WebView2.Core.dll.genman

Filesize
1KB

MD5
aaeaed64d34064584730a94b8c1021d7

SHA1
8ac05e5f3c0127dc5424acf83d06395068e66a53

SHA256
fefa6bebccbc11ee7b3ae5ff92c1f2da3ccbd9e8cde18f5eee36de3f5ec1de73

SHA512
18102c6ce83c35f49b83bb9b18b63aaeed9bcae3e8a7cd14bb807dc86d572b1ea599775b4957c5102022aabb7e9b08243866ba3b4780a6a84b50bb08e93c8d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Microsoft.Web.WebView2.WinForms.dll

Filesize
37KB

MD5
ca1529f9891c243b11934d156dc35bce

SHA1
fa82bd19c2835443bc9ea55644017b5d68ff7a4b

SHA256
b12d2c15e93a0fc29a731bec998e7ddf073b3ae2454f3afdd9934bbe6a223d4a

SHA512
95deee9fbca5bcff0d534f187e003780ff4358a24b5407701a46d5c8109f6d31e7a637b204a30ae5ed6d63caa42a5628a9aab693cbbf892cea60dae05a45c5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Microsoft.Web.WebView2.WinForms.dll.genman

Filesize
1KB

MD5
256b2a690f8c87b4d8f1f799643d83de

SHA1
a466df20353ff18f77a3133aae3c660edf83b4e8

SHA256
7c7f41c599f11a310db43ca7e850dbdefa4d65bb6f802889baa24106c5869812

SHA512
3072b8e49a18118f97ae7b9c756f928cb7da4dba5101fb274f17d2adb736b8026906545ef741d1fca0b2e64b6f2b8b9f106fbd061fd6d3b2661b5a8fc7cfa5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
e65623626760be48a2ac3b508f11ba68

SHA1
7d1ae39683fbf4d72ef3c3434ed17e90f7e51484

SHA256
33d0c7ae01120d49569041af217cbdf8ad7e54a3f9013ba6b61e7eafe9a69aee

SHA512
47a472b35c763d282022eff8fa0a8ec5c32cfd5c01dd4914e9f979af16068ae2f8ff4884c638f9307c8ec647350298aa9cb5c7cc9a5f7164b6653f460008e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Microsoft.Web.WebView2.Wpf.dll.genman

Filesize
1KB

MD5
8003243f480074e1eb0277d3f57a9a18

SHA1
997da6e177de0b736452b668816de015bcc3f282

SHA256
642364489ae824930d537ed322bba72b9b7dea835cc2e6a0692ca148d4db9ceb

SHA512
2607f8d1e0005d1ab2182cdecc044b7e44da2f50d7323f542efa0962060b9bc6a4f2e5df73066115cda8257f48a7b5ec7eb350a119703a0c3a7b171596feaee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\Newtonsoft.Json.dll.genman

Filesize
1KB

MD5
b1dca46549b0fe81d73a4a262219fe19

SHA1
c3ed598b7f90c88fd8b03590dc6fe95f4b81cf95

SHA256
6e10ea9db6a797f9a78cc0303829953d680657c056db31665d7b2fc5c69d1c35

SHA512
e2e9e3a7e3c2d382da57fbc1e010b4d686fabf66893c608a5cf521ec90a71a7e0ce48ebaf40b7f9767f38cf575875ca6db3d02e0d71dd0fafb8211194f67067c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\icon.ico

Filesize
155KB

MD5
3441d9556208cb8e4ecd71f4a11fea2f

SHA1
b09bb28c755084235c2a8b8f3b75345588ecda5e

SHA256
92448ebdcc16858d0e79b8150d55c516607f8c485f4c1c6f258112024e7de5de

SHA512
dcd8aae6b82979725e20467b495db17aed616bed636266cdf065c65bfb501da1801343054ec275f78b5e18c771d6233702ab5b62b499740501a08ff038e7f347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\runtimes\win-arm64\native\WebView2Loader.dll

Filesize
137KB

MD5
45e5009b2972d41acfc7f6959584f004

SHA1
67d7fe4c2561cf9be093e2e37da6047d11ea3f27

SHA256
40a7d2f125b30211a5fef4f0e440ec6d71fdda299e2aeb34ff32f943c232182f

SHA512
a92cbe8fb1afac6defa08a1b43d1bb83ea96f9e882ce5a996da9e5df55708e100635056c5974536c395047f973f19fa90f3e5d72c3a3a81c78208670dbb5ea7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\runtimes\win-x64\native\WebView2Loader.dll

Filesize
161KB

MD5
d2033aa3200206b0d44255a36686124e

SHA1
e34b92f052afc26412298dde95088fd1bdf20c09

SHA256
e2004ecd9ddebd1bb7edfff5fa62781fe037eca4282c2be3483dc6f78779899c

SHA512
e266b16a265262447a7f4e3d2fea99b273976102206a4287e635164f9de7e40a8f9b3548da7a9a412530ca8f65a1a27e4a2c7ad55c05b9b58b78ae3f93703773

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deployment\C1DWP3HV.ECD\6TRL2M04.X09\runtimes\win-x86\native\WebView2Loader.dll

Filesize
113KB

MD5
df6b6e71cb65552cd9fb283b91ef9908

SHA1
e10f9cccaa4666f070db8209fb99f6fcaf9d9075

SHA256
256510c2872a3a96a8e0a7db0db6c6e7b31ebed34cd6b7c430712ca640c73842

SHA512
80561a65c7dc7dee4517240718d85ffa59782fb8c5be744862d041759db8fd818fefcdeff87a98f904ded0674b873e7f39b1e53d549aab96ff15a88cc85c93a0

Download Submit
memory/1588-263-0x000001C1F07C0000-0x000001C1F07C2000-memory.dmp

Filesize
8KB

Download
memory/1588-255-0x000001C1F0400000-0x000001C1F0500000-memory.dmp

Filesize
1024KB

Download
memory/1588-258-0x000001C1F05D0000-0x000001C1F05D2000-memory.dmp

Filesize
8KB

Download
memory/1588-261-0x000001C1F0700000-0x000001C1F0702000-memory.dmp

Filesize
8KB

Download
memory/2764-331-0x0000020877270000-0x0000020877322000-memory.dmp

Filesize
712KB

Download
memory/2764-326-0x0000020876960000-0x0000020876970000-memory.dmp

Filesize
64KB

Download
memory/2764-344-0x0000020876960000-0x000002087696E000-memory.dmp

Filesize
56KB

Download
memory/2764-319-0x0000020877200000-0x000002087727E000-memory.dmp

Filesize
504KB

Download
memory/2764-285-0x0000020876BA0000-0x0000020876BF0000-memory.dmp

Filesize
320KB

Download
memory/2764-273-0x0000020873BA0000-0x0000020873C76000-memory.dmp

Filesize
856KB

Download
memory/2764-272-0x0000020871670000-0x0000020871678000-memory.dmp

Filesize
32KB

Download
memory/2764-337-0x0000020877220000-0x00000208772B0000-memory.dmp

Filesize
576KB

Download
memory/4364-227-0x0000023322700000-0x0000023322800000-memory.dmp

Filesize
1024KB

Download
memory/5108-671-0x000002189A6E0000-0x000002189A6E2000-memory.dmp

Filesize
8KB

Download
memory/5108-674-0x0000021898A80000-0x0000021898A81000-memory.dmp

Filesize
4KB

Download
memory/5108-198-0x000002189B620000-0x000002189B630000-memory.dmp

Filesize
64KB

Download
memory/5108-182-0x000002189B520000-0x000002189B530000-memory.dmp

Filesize
64KB

Download
memory/5108-217-0x0000021898980000-0x0000021898982000-memory.dmp

Filesize
8KB

Download
memory/5108-269-0x00000218A1960000-0x00000218A1961000-memory.dmp

Filesize
4KB

Download
memory/5108-268-0x00000218A1950000-0x00000218A1951000-memory.dmp

Filesize
4KB

Download
memory/5108-678-0x0000021898970000-0x0000021898971000-memory.dmp

Filesize
4KB

Download
memory/6000-606-0x0000000005DE0000-0x0000000005E70000-memory.dmp

Filesize
576KB

Download
memory/6000-593-0x00000000007A0000-0x000000000081E000-memory.dmp

Filesize
504KB

Download
memory/6000-594-0x0000000005690000-0x0000000005B8E000-memory.dmp

Filesize
5.0MB

Download
memory/6000-595-0x0000000005190000-0x0000000005266000-memory.dmp

Filesize
856KB

Download
memory/6000-596-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/6000-597-0x00000000060C0000-0x00000000065EC000-memory.dmp

Filesize
5.2MB

Download
memory/6000-602-0x0000000005670000-0x000000000567E000-memory.dmp

Filesize
56KB

Download
memory/6000-598-0x0000000005660000-0x000000000566A000-memory.dmp

Filesize
40KB

Download