Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 14:27
Static task: static1
General

Target: 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
Size: 6.2MB
MD5: 45afb8e093b7ab1794807114d9f16653
SHA1: 5cc5e6fe4dc873c4a8e9e4e5611547fc6d1e5380
SHA256: e65364d8dd1047eabfa29eb8b08970d0571c03edc9cd4d0094ad11a548a98f14
SHA512: 06f1bf52592a182644a904def75e4f3b74df73c879bb30242892cd6fda07907872fc2c3135972262538ae00b05d04ca05e13b30560ed68b17ed829b9881025d2
SSDEEP: 98304:naNewOzj/0I/v7lyCsDkV/i+3Kf7SWD527BWG:namRxsDt+3KfBVQBWG
Malware Config
(no extracted configuration shown; the "cobalt-strike" and "ryuk" tokens are part of the submitted filename, and none of the signatures below is a family detection for either)
Signatures

Executes dropped EXE (26 IoCs)
Most of these are Windows or third-party service binaries; the System32 and Program Files lists below record the same files being opened for modification by the sample or by alg.exe before they ran, so their on-disk hashes and Authenticode signatures should be checked against a clean install rather than trusted by name.
pid | Process
4268 | alg.exe
2700 | DiagnosticsHub.StandardCollector.Service.exe
1924 | fxssvc.exe
1364 | elevation_service.exe
2284 | elevation_service.exe
4084 | maintenanceservice.exe
4732 | msdtc.exe
1912 | OSE.EXE
2712 | PerceptionSimulationService.exe
1844 | perfhost.exe
2396 | locator.exe
3116 | SensorDataService.exe
1256 | snmptrap.exe
760 | spectrum.exe
4544 | ssh-agent.exe
1140 | TieringEngineService.exe
2184 | AgentService.exe
4224 | vds.exe
3528 | vssvc.exe
2880 | wbengine.exe
5160 | WmiApSrv.exe
5296 | SearchIndexer.exe
1536 | chrmstp.exe
5124 | chrmstp.exe
944 | chrmstp.exe
5416 | chrmstp.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\ca9961ba99262766.bin | alg.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\default-browser-agent.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Crashpad\metadata | chrmstp.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Crashpad\metadata | chrmstp.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
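A "File opened for modification" event records a file handle requested with write access; it does not by itself show what, if anything, was written, so each listed executable still has to be compared against a known-good copy (hash or Authenticode signature) on a real host. What the three lists above do show is a two-stage pattern: the sample opens Windows service binaries such as alg.exe and msdtc.exe, and those same binaries then appear as the process opening further executables. The following Python is an added example, not part of the sandbox report, that parses rows in the flattened form the page presents them in, groups them by acting process, and pulls out that chain together with a deduplicated verification list. The input is a constructed excerpt of ten rows copied from the report; the function names are the example's own.

```python
"""Triage helper for flattened 'File opened for modification' rows.

Added example, not part of the sandbox report. It parses rows in the
flattened form the report page shows them in, groups them by the process
that opened the file, and pulls out the binaries that were first opened
for modification and then themselves opened other files.
"""
from collections import defaultdict

MARKER = "File opened for modification"
SAMPLE = "2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe"

# Constructed input: ten rows copied from the report's System32 and
# Program Files sections, one per line here; the parser also accepts
# them run together on a single line as the page flattens them.
FLATTENED = r"""
File opened for modification C:\Windows\system32\AppVClient.exe alg.exe
File opened for modification C:\Windows\system32\AppVClient.exe 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\ca9961ba99262766.bin alg.exe
File opened for modification C:\Windows\System32\alg.exe 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification C:\Windows\System32\msdtc.exe 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification C:\Windows\system32\MSDtc\MSDTC.LOG msdtc.exe
File opened for modification C:\Program Files\VideoLAN\VLC\vlc.exe alg.exe
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplore.exe 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe alg.exe
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe 2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe
"""


def parse_rows(text):
    """Return (path, process) pairs. Paths may contain spaces but process
    names do not, so each row is split at its last run of whitespace."""
    rows = []
    for chunk in text.split(MARKER):
        parts = chunk.strip().rsplit(None, 1)
        if len(parts) != 2:
            continue  # empty lead-in before the first marker, or junk
        rows.append((parts[0], parts[1]))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1]


def by_process(rows):
    """Map each acting process to the set of paths it opened for write."""
    groups = defaultdict(set)
    for path, process in rows:
        groups[process].add(path)
    return dict(groups)


def modified_then_acting(rows):
    """Binaries that were opened for modification and later appear as the
    process opening other files: the second stage of the chain."""
    targets = {basename(path).lower() for path, _ in rows}
    actors = {process for _, process in rows}
    return sorted(p for p in actors if p.lower() in targets)


def opened_by_both(rows, first, second):
    """Paths touched by two different processes, e.g. the sample and alg.exe."""
    groups = by_process(rows)
    return sorted(groups.get(first, set()) & groups.get(second, set()))


def verification_list(rows):
    """Unique targets split into executables (compare hash / Authenticode
    against a clean install) and everything else (logs, dropped payload)."""
    exes, others = set(), set()
    for path, _ in rows:
        (exes if path.lower().endswith(".exe") else others).add(path)
    return sorted(exes), sorted(others)


if __name__ == "__main__":
    rows = parse_rows(FLATTENED)
    print("rows parsed:", len(rows))
    print("modified, then acting:", modified_then_acting(rows))
    print("opened by sample and alg.exe:", opened_by_both(rows, SAMPLE, "alg.exe"))
    exes, others = verification_list(rows)
    print("executables to verify:", len(exes), "| other artefacts:", others)
```

Run against the full System32 and Program Files lists, `modified_then_acting` is the set to pull from disk first, and `opened_by_both` shows which third-party executables were reached from the modified alg.exe rather than from the original sample.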
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments. In this run the reads are attributed to SensorDataService.exe and spectrum.exe, both of which the System32 list above shows being opened for modification and then executed; the device IDs themselves expose a Msft Virtual DVD-ROM and a QEMU DVD-ROM.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
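The SCSI, processor and BIOS reads in the three signatures above are attributed to SensorDataService.exe, spectrum.exe, TieringEngineService.exe and chrome.exe. The first three are Windows service binaries that the System32 list shows being opened for modification and then executed, so the reads cannot be written off as clean service start-up; at the same time, hardware enumeration is what those services do when unmodified, so these signatures are weak on their own. What the key names do establish is that the sandbox exposes two virtual optical drives whose hardware IDs carry the vendor/product strings Msft/Virtual_DVD-ROM and QEMU/QEMU_DVD-ROM, which is exactly the kind of string a VM check looks for. The following Python is an added example, not part of the report, that parses the device class, vendor and product out of each Enum SCSI path and flags hypervisor markers; the input rows are copied from the report, while the marker list and the category names are the example's own assumptions.

```python
"""Classify registry reads attributed to sandbox-detection signatures.

Added example, not part of the report. It pulls the device class, vendor
and product out of each Enum SCSI key path and flags vendor/product
strings that name a hypervisor, which is what an evasive sample checks.
"""
import re

# Constructed input: five rows copied from the report's SCSI, processor
# and BIOS signatures as (description, registry path, process).
REGISTRY_READS = [
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName", "spectrum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName", "spectrum.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName", "SensorDataService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz", "TieringEngineService.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "chrome.exe"),
]

# Assumed marker list: substrings commonly found in the hardware IDs of
# virtual devices. Extend it for the hypervisors in your own estate.
VM_MARKERS = ("QEMU", "VBOX", "VMWARE", "VIRTUAL", "XEN")

# Enum\SCSI\<class>&Ven_<vendor>&Prod_<product>\<instance>\...
SCSI_ID = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^\\]+)\\",
    re.IGNORECASE,
)


def parse_scsi_id(path):
    """(class, vendor, product) from an Enum SCSI key path, or None."""
    m = SCSI_ID.search(path)
    return (m["cls"], m["ven"], m["prod"]) if m else None


def vm_markers(*fields):
    """Hypervisor markers present in the given identifier fields."""
    joined = " ".join(fields).upper()
    return [mk for mk in VM_MARKERS if mk in joined]


def classify_read(path):
    """Bucket a registry path into the checks an evasive sample performs."""
    p = path.upper()
    if "\\ENUM\\SCSI\\" in p:
        return "scsi_device"
    if "\\CENTRALPROCESSOR\\" in p:
        return "cpu_info"
    if "\\DESCRIPTION\\SYSTEM\\BIOS" in p:
        return "bios_info"
    return "other"


def assess(reads):
    """One finding per read: category, parsed device and any VM markers."""
    findings = []
    for description, path, process in reads:
        category = classify_read(path)
        device = parse_scsi_id(path) if category == "scsi_device" else None
        markers = vm_markers(device[1], device[2]) if device else []
        findings.append({
            "process": process, "action": description, "category": category,
            "device": device, "vm_markers": markers,
        })
    return findings


def exposed_vm_devices(reads):
    """Distinct SCSI devices whose vendor/product strings give the VM away."""
    return sorted({f["device"] for f in assess(reads) if f["vm_markers"]})


def reads_by_category(reads):
    """Which processes performed which class of check."""
    out = {}
    for f in assess(reads):
        out.setdefault(f["category"], set()).add(f["process"])
    return out


if __name__ == "__main__":
    for f in assess(REGISTRY_READS):
        print(f"{f['process']:25} {f['category']:12} {f['device']} {f['vm_markers']}")
    print("VM-revealing devices:", exposed_vm_devices(REGISTRY_READS))
```

The WDC disk is the one device here whose strings look like real hardware; the two optical drives would fail a naive vendor-string check, which is worth knowing when judging whether a sample that went quiet in this environment was evading or simply broken.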
Modifies data under HKEY_USERS (64 IoCs)
These are MuiCache, FileExts/OpenWithList and Shell Extensions cache entries written under the .DEFAULT hive by the Windows Search components (SearchIndexer.exe, SearchProtocolHost.exe, SearchFilterHost.exe) and by fxssvc.exe after those services were started; they record what the indexer touched and are not a persistence mechanism on their own.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ba8325fea31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755496559889393" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006d87f5eea31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001241065eea31db01 | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a9e655eea31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection" | SearchIndexer.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba8c335eea31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a783f5eea31db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration" SearchIndexer.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006568ee5dea31db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005670d5eea31db01 SearchProtocolHost.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration" SearchIndexer.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE SearchFilterHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File" SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList SearchProtocolHost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 41 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 652 Process not Found 652 Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process 3580 chrome.exe 3580 chrome.exe 3580 chrome.exe 3580 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 3580 chrome.exe 3580 chrome.exe 3580 chrome.exe 944 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
C:\Users\Admin\AppData\Local\Temp\2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exeC:\Users\Admin\AppData\Local\Temp\2024-11-08_45afb8e093b7ab1794807114d9f16653_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=130.0.6723.117 --initial-client-data=0x298,0x29c,0x2e8,0x2e4,0x2ec,0x14050ec28,0x14050ec34,0x14050ec402⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3968
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3580
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff874cacc40,0x7ff874cacc4c,0x7ff874cacc583⤵PID:4120
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:23⤵PID:2036
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2368 /prefetch:33⤵PID:4356
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:83⤵PID:4324
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3092 /prefetch:13⤵PID:2500
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3044,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:13⤵PID:528
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4348 /prefetch:13⤵PID:5564
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:83⤵PID:5628
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4688 /prefetch:83⤵PID:3664
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:83⤵PID:5936
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5188,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:83⤵PID:5960
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings3⤵
- Executes dropped EXE
PID:1536
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b04⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5124
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=04⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:944
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x298,0x2d0,0x140384698,0x1403846a4,0x1403846b05⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5416
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:83⤵PID:5224
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:83⤵PID:5944
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:83⤵PID:4796
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5452,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:83⤵PID:5184
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5332,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:23⤵PID:1200
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5400,i,10015731063615730663,1407726355950287850,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364
C:\Windows\System32\alg.exeC:\Windows\System32\alg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:4268
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exeC:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe1⤵
- Executes dropped EXE
PID:2700
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv1⤵PID:3752
C:\Windows\system32\fxssvc.exeC:\Windows\system32\fxssvc.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1924
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
PID:1364
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
PID:2284
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
PID:4084
C:\Windows\System32\msdtc.exeC:\Windows\System32\msdtc.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4732
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
PID:1912
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exeC:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe1⤵
- Executes dropped EXE
PID:2712
C:\Windows\SysWow64\perfhost.exeC:\Windows\SysWow64\perfhost.exe1⤵
- Executes dropped EXE
PID:1844
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:2396
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3116
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:1256
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:760
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:4544
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:4548
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1140
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2184
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:4224
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3528
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2880
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:5160
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5296
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:5644
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:5792
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:1724
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 2.1MB
MD5 80c66e3cd9ac21024b0b9dd136e5449b
SHA1 77f1f8dcfa976396800c97c8bdf8362f180e96c4
SHA256 370040530fc729aae45114e037edc76a0a0cc246f89fda4a846200818ec8bd8a
SHA512 004f52812275123edd45587b59abc619ea1fe7d461addb05a7763447657fc48a41a2469f54eea9ea6b488abc68adb9dd023f5092d281b5c277c8a71699076028
-
Filesize 1.4MB
MD5 82fc571bce96b0bd81ff6ff90a1bf73c
SHA1 9ad96a675b6a2987383b0113908148f973b443d7
SHA256 a6f401964af5f78e72118418828c10d7784b42beca9c2705a6c1e36ccd0104bb
SHA512 29a0e4825fb5f60e766664822fc75384f4597b65cef1490ca017c5260ad258b166c3eac24ffe89ccc0e65aa525eb1dc0722fea82b79ed0b2a9542d592cea6ab3
-
Filesize 1.7MB
MD5 ee475878eab058ce725b4b60b2ec7cbd
SHA1 08f22d6d86e3f3f2483f027ec4c90c871a064e4a
SHA256 8fbeec6946efe21fdccda032f17b9b8c7fe99a921fb2a6437cf1bde200e74081
SHA512 b55497340eebd665145403fe79618d93884ab840b475cc0e316eb94d8c9419dc6c6cc9df85a6437620065c9a2e0eb2d5c6633bf22c5d64950c1d9a3c205c65d7
-
Filesize 1.5MB
MD5 9199203525197713373dc8562064f3f9
SHA1 987b88a83db31a866dec024826d6edb8b3009d8a
SHA256 bebdd1bbc49ebec99d8ff83eab4faddd3a18c0b66734737bb30c3a5a9e6a90d6
SHA512 dfc6cc91e45c1425e15945318d9057c0103bfb16d9bd387a968527122913328bda82f6d8785b79e0cb1ae9e7b93189fe3e12bc256968f1c106ea8c3fbe5296aa
-
Filesize 1.2MB
MD5 c86499a2b725016540530121c3f5b574
SHA1 85c460f80c0af0e1a0ce4669618bae4a3ac66f13
SHA256 04511d0067093eaac5e57b61edc96751971a4c4fdcda2a795e618e1b6781a5c7
SHA512 5d3abdfd9a0f1f7d2e2d38dbbd744bc5211afaa5252e8795473a69808512264fcffb66b42d721d1105e2253cb463e76457eba9997d857cb0965729c976a09b37
-
Filesize 1.2MB
MD5 0c7266b16a5183d841659349700730b2
SHA1 f42d74982cc23331ec1998267f91efd74f5a494a
SHA256 182bf50f049a53c100079f19b23ae60678fc9f858d5a9189d0761afc12f14bc2
SHA512 d873430336afe0c0aae9a3bb0d943de70db67e34880777fabcb5c8034e99ef2cc68ae7a2b63efe98e99116d3aea3a741a50720e19b08b20e30f30da6b8da74a9
-
Filesize 1.4MB
MD5 c0af5170c4de0af6dc794c9e4ffa38d5
SHA1 fa304524d92eb5727a6ca71b18ca68410db64df0
SHA256 839796bb4f797c7a0f708628a57b584b9487c8fbd58a16540eb8a55459b5ab8e
SHA512 cbeb107fb7f7ffbb9b1f5216cbac27be6fd17eba63d0315ec988b1c57db682ce6e4ac382f1ae2bfd389696106653eb285dfb908488b2caa39e52741cc8bc5dc0
-
Filesize 4.6MB
MD5 4e0363c08b7c31c103f8b33c77eea8fe
SHA1 2917e9b957ac6f239d5837eba30d72136757f3cb
SHA256 0908984a65d67986fb7b016a34bcc8510e3483314efa3e5703c73ca8da57805d
SHA512 72e9de5374210d7bcd5e32fddeb5c79a6396049e8230187c112eefcb1cbc10820c4e3b9b3caface887d44541ce02208d23a57f8260bdb4f88f4b26425598c797
-
Filesize 1.5MB
MD5 7faa4d42aea36f7fe4c870f26bb54a6a
SHA1 e3de72c890413bd0077df67b548843684fea358b
SHA256 fd46cbe4d2c82b4ab59c8ea8373d062d860e14062fb5d6f34537f2f9f3451c45
SHA512 8094a77c069210af6b231f605a28c3de9bfc329877387776f5d4f1f9949652cd02cb87253b6198bd6b1aba867f7e92a8cb005a19d7698ac8d8fda332053d18cf
-
Filesize 24.0MB
MD5 3a988d7774e41d6bc4d0dbdb46929280
SHA1 9b4aedd49ff21333122e30be613a0fb762c8a043
SHA256 f93ec81b7b12e6d2600f0f1610c692fb72eb7a867c76f80f3b2b08717469c5a6
SHA512 4f3b9e9868b7f2ab7c3a205fecc18db683fc3b371715bad7569a1119389ada7bb710c3c8513ba9ddbd8c1be7d9d70d15e2d482613c9f5810135f05482c30f661
-
Filesize 2.7MB
MD5 df6ee0e4fa3ba2a02e5b1e909e7c65d9
SHA1 16541cf78fb3f91d8bb58e744fcfec0b194ad922
SHA256 c768c666e3b82e12e9185f771904433520eefc0bcd6b39bc388e4a352ae7374d
SHA512 1fed2495870180cd28b00d4f8a1e1aa2e9ad4ace32fe2dc37e25ff1cc465a759b64c0744585ed9041a88e9da2fca941b8b37ecf5a2bc9c2ff3b28c6423a1e5e4
-
Filesize 1.4MB
MD5 48069515b200b5f38f463b91ff1d3c43
SHA1 fda5ac4af8d5cd45a867cf133531dfb19cbba602
SHA256 2e3fb61fa981eb2f7a7f4d149292250bf7c0df9b47fb0d92f2a242c1e5e8e07b
SHA512 56af733a6820250131e0ad79c7eb66c2e9beead31fbfbd1f59f3a39254b786caaac9512de20d6fc73249620090635effd02dbfe83fad1036ca3074b509d245ef
-
Filesize 40B
MD5 7852d94c362827c88d3dc1afaddbee6a
SHA1 37485b5394d6175a207b53dacf49b2f6ffd44896
SHA256 a5748f3d1825563a034741ca211d9f5cd8e8aa652d87be233581e12a7d4dd468
SHA512 6399b5d81fdb760a5b134032acec0ae3e3f4a3ba9c1114b9e6edacfd20a7b928f078a73d54b839dc4c3ac784bfe91c14cc16100f1fabff9696516be7ed393ee8
-
Filesize 4.6MB
MD5 251a4e33f7f99a29c6161a2cd618961a
SHA1 ebcce900ea645b0992216e9a53f7d6576a00cc90
SHA256 3781369075b4ddc0c96619c33e87afb53349b69ba1eaa5f618ffc814a4ebebc8
SHA512 c3ea1f2dae15b5bc88988fff08dc574b8ea8a61f85713e48be7410c32e9a3df9a388f3e96fe8e54e4dbdf077900100c0f1b5ee99e9fbebcfdb86000b8397b87d
-
Filesize 2.1MB
MD5 a01743a529c7da7e40ca854a11d4d097
SHA1 2a85186facc42a5c3e32cc343f2db2c3d054fd5e
SHA256 50763fdc456abdd5a6777ab4d3db6dee121e02a76a89ef0f7c6f774944033b7c
SHA512 6d234b30c6200bf6c9d01ec9fc08e0da82c634b74011c6c103e9a05a3be54a2c8d8c7425d82d63eb260f97864261f470fba4a2021ee7ab7d27041d3740ce06cc
-
Filesize 520B
MD5 d7bdecbddac6262e516e22a4d6f24f0b
SHA1 1a633ee43641fa78fbe959d13fa18654fd4a90be
SHA256 db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9
SHA512 1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1
-
Filesize 1.5MB
MD5 54fa7352f3ee7732acd896f590e8b52b
SHA1 71fdf83877eec2d008b2e3d856a345bf36a28d92
SHA256 29d144df1e5a0d4ea9d2e15347b0a0c307f82cef24214d6cef5a2c44e55cb35c
SHA512 044e3b277cd5126b638b39592927650269c27c337986256468b2b9e3fea32c3d64a4890ef6a7264a78967c6d5464e7130cbd6b4287fc75f75276d75967627caf
-
Filesize 40B
MD5 1fd2bcf7be677e004a5421b78e261340
SHA1 4e5abd04329ee1ffaebe9c04b67deef17f89ff84
SHA256 f539c848f584add20b43d5daefd614526b67adbf22b0c89eaa7802a8a653cd31
SHA512 929499946e38281bd808b37b362c4a86f3b6382eb1ecd5fc094410d3688906d14a114ca930a2cf38b6241ab734bc5959e6fe541270d47ca9538e82a68c99cc77
-
Filesize 649B
MD5 3b60570050a6821360351df62d1c2260
SHA1 f1709ad824765349b5d71b471610922e56b7cd1c
SHA256 d0e183b8eddfbb407af733808325a5aa9785abdd24d4ee5d0a0c4ffd79d85bbc
SHA512 62ce810becc070da3c9b1ce4350f2748e09a3599fca0ba70c4664b2e9821b40450f17fa2d5954e70926a66d77572254d520a8951d037a4ed985051c7be82a046
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize 851B
MD5 07ffbe5f24ca348723ff8c6c488abfb8
SHA1 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
Filesize 854B
MD5 4ec1df2da46182103d2ffc3b92d20ca5
SHA1 fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize 192KB
MD5 a8cf54419129b874864cf206392ece0f
SHA1 2d8f78e5d6951faedba3257d5794227f34c50967
SHA256 b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f
SHA512 02a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c
-
Filesize 2KB
MD5 f47776a7bb41c0c589f12fd09473ba1c
SHA1 21fd0c4328c38f8dd5402a828e7a013a83287702
SHA256 e541b518cf5cc716d2b380f3117c88ed26f4cfdf49b7cf292d4d8a3b71d1a63d
SHA512 f8608776336d14c0f93ddcda844cfcfada71117197307e4113767c83f29619fabba1e086c6b83b4e1502cc89c8cf4f9eb243ea8c6230df169ace90da4ac68ea7
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 354B
MD5 788cfd8afb5ad0208546ffd7a85fe657
SHA1 a63818cb3091a69f2ba56c22afd071d6b32c3445
SHA256 60166bb024344f0bcc20cc5327c8661e012fde5e76e4de0a860f25f411e107d5
SHA512 b9625fd5b1e72de3e236c4ece9400cd8df3795cfe51a585d1afc92b48e70628fd3a722d86878ea5dfc55f6eacba101836f2adb65871ae4f81769673d448e07f8
-
Filesize 8KB
MD5 c20a5c9349f1ca399fcba56986425d30
SHA1 d80a12e05aee231d1e3b47e0b22a9894d6dc61ee
SHA256 5569ddcc2882588a8e1286a90ba2cc4ea63f714788ab7d9394d0b516d4d6e1a7
SHA512 581b3ef9376651377754280b878ff08e91a9d48d9ded43c33fd3ef1a33731ab44793f94f98c0e60bd31ddcb77a96eb44b95ae14ad04ab5ea96a847833290fb2e
-
Filesize 8KB
MD5 c6b0b174c35ecbb33d69e9b4cf685ad4
SHA1 600f25d3ba90efea17dd7d74ab38dbb85dd1876e
SHA256 431b6734ad461e9bfcb82dc323384673c17b9c7510b944edc129c81a53c1ca0d
SHA512 cc1ddf745875a1a981ad345df2185479cca587cd4e0edfff252190d9ed1f343e990322a588578eed37dc37022423055034588c057211fe9f81583586160ccb95
-
Filesize 8KB
MD5 c187ed3ed89760939dcb03d15b2409f8
SHA1 5a1359058b8b4f45a3db2585f17b664528728b11
SHA256 c6d5f4a85a7768f51a508c2f49009e52ca01410f6263b7f8a08da0a5323bc5bb
SHA512 cd754f0806b78f248674b902e13c03c7ba270d8263127f21a7c5b39eccb066868a296abf5a6b1f53d028e3e80b11eed6c2f50373fe3011e9a5c48a6788e3e7c1
-
Filesize 8KB
MD5 7da20564101722979cb147431d0105a7
SHA1 cd2902b9be1cd63abaa94b26b40238659cf3b6dc
SHA256 e296edd82c9dad0b76acff6cde04dca94a9054220f858e80f0b08596072df217
SHA512 62b4ef52f91bc71bdd6db5438dacee52e31444d9a00b5751a678ac939d52d1f9e06dd907fcc842c94104bda6eca0dcb8f7d55362632f8eea3ba1bccb419f2449
-
Filesize 8KB
MD5 e82e2ecd1fd6aa08dcabe27508221319
SHA1 30b0d83f9d2c1f121d5fecf29f0b8d8e916c56c1
SHA256 9530cddc3c3689fb81722f2a33a99a7884361256ccb8e7fa944678ae308ab822
SHA512 4605d5af74fd7191fd19ea9b19f60984d7619ba72d9663742ddba7f077d873755ce1edc5dcf592164761a97151793adbb648b9b1d2594f00d94684f36bee5cec
-
Filesize 8KB
MD5 ec3744ccd10a15160fb6cdba248777c0
SHA1 54c33901183d2140e4a4f1c272b76be839f6733d
SHA256 cb7b597c3596d15b0b5eac5028e1bab8e905284e9603e6485c27094b4a16c7f2
SHA512 5b0525f1c34fafe31eefc7b489b1d0dbb540ab4451c13af93c53d2b5525723612d85aa68d39815687d7fad4504901385d72b4835fe6ff7b3351d51c0b7ec9547
-
Filesize 1KB
MD5 b48ed78fa1fb941b515f74b52fb1dca4
SHA1 6833d24d0a079eee124987150f719abb72989744
SHA256 335d3428a522b9cd6fbedc14d9664bba5b6ce573eb5d1d86e2023a22e3d72546
SHA512 845118738800dfd8449863a903f8f94927fb5c6a6cfc45e5d08ef32f62136a2df4ea6a784a2e9f95147189678b5775034234d52f6f38247a9ac371726d531c12
-
Filesize 15KB
MD5 090f0b9f0ee8334e561f74b4e9bd8703
SHA1 866eaac9dae014bcbc5f44a726229675cf343659
SHA256 244758b89b329feeeb0190429b7d1763aef97b2833f24b9e9036c0808b72a11d
SHA512 c3616ebdb10be140c00ca9c31389bcb8b6923af9b2795582eb5365a1de24e5f8fbd0d0f83816ff330731800120593dece7ed9daece926a28b512c66ad3801e24
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize 72B
MD5 22c69e3bd671374523e1d8347dd169d8
SHA1 e71531cfc5c82e72ff3a39a49048a1c1005cce94
SHA256 5aaa506485fee19f173fc31162d51393027f1d9ff4508de17dd908dbe36e155a
SHA512 a809562059d26f9d22a33e422b202e8820aa074d5be643edb2be4c57eb0b39dba5c9547cbb867b998d27e6470cc5d534c6a050c4ae18f0179dbb6dbdeb2bece1
-
Filesize 232KB
MD5 edf8d16da7b4dc89e47bd9465530e92d
SHA1 e43e9dbda9b7eb43de3429339df191af4b9a043f
SHA256 bf1f45dd41760cc7407ad8d5325017d4fa794c41b91e73fdaa4accddfb9ce4f8
SHA512 96feaf9f1bba54706b2c49ee87dd00384774e2f5ddb7b432e46aa24aef6670335ad813a5884ce71c84067271669bc80c83cb3209081335e774fbedf8fa206e4b
-
Filesize 232KB
MD5 e2e86f8a04d0fc61aa2134ada7dc7237
SHA1 5835da7c4da846fb240bf568e69f2bc14d9edb9b
SHA256 9273438776b692c5fcf9f323db844799cc69cee351318a4058b544f86dcce242
SHA512 b52a1f47086ce830e513b42b2ff926795b973a31a935d47530c4cea107298f62ed8ba9e7648e7605a374c942ed8b1b1069aa33b9b4f11d5f040525aac19173ec
-
Filesize 8KB
MD5 786ee2da623825e37ede2004499ec9cf
SHA1 85f050dc5d27cd6734151df453f4d0b41d18a91b
SHA256 e91829aa8ceabca00ef0ec46bacb402d028167cd4f562155089884e2f0a9bb88
SHA512 141a078aec3ed98f4704afe1dcc3dc9192d5f795a0b57517cd2412b235013b9b7b9ad6363a9b147a71f22aeb96cd92848cf717b4e7e8e0013cc6495e3699db29
-
Filesize 711B
MD5 558659936250e03cc14b60ebf648aa09
SHA1 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize 132KB
MD5 da75bb05d10acc967eecaac040d3d733
SHA1 95c08e067df713af8992db113f7e9aec84f17181
SHA256 33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA512 56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize 12KB
MD5 31f4c3221db62fab5636a2e94bfc338b
SHA1 f1111dad52cb7d8887e833fafda2046828a49988
SHA256 dfae48383b60a9ececf3ccf9935bedbabbdd6e26d71c0ef47b7ff4fd1ad55c09
SHA512 ca49f7c7f4edaae5f868480d5646e8068361b382cb06240fa9892d88141590d847ab70f52a0db763d586d06f2d2f46565e834cba37bd1e283b4195490a8d7bb1
-
Filesize 1.2MB
MD5 398905c56250171cbe6091c469ffcb9a
SHA1 76c129a52ac1a8e83b32b51da36b0d984d30f78b
SHA256 432a583ac17850fa78caba048e3f75b2fb76ef80b70d07cadeb2dafdda98ac93
SHA512 661a4c86bf94efe9da0aa454d896915d8ee9616ee5caa52a1500ee7e3cf34e7bed055a67335295c30e131c716e0ac2fd3e6818df8910495dab91cc2a92bdb5f7
-
Filesize 1.7MB
MD5 fea81e0705f8cb5384d303662ba4e48d
SHA1 f2031cb0a16a4089b26ce35ac986d54382be7e94
SHA256 7369f1aefa536b1c9cbdf90ffa341c3e157fa3fde1e66a400fcab38378ac0835
SHA512 0ca3e36e8207674a5451923cec3e4809c55ac077c76faceb97f81908fa77cad4bfbc43fc502adeadb8632238fff88380cdba2170759a8feeb37f6f03fe22349b
-
Filesize 1.3MB
MD5 2b9871c20d9e302a1c680cac163c9158
SHA1 529b3102ed7c9ffff7db61f80950a4ecd57a1fae
SHA256 067b86e038dd392dcab21ad151d23d361f3261470216c0f812b3f98b5fa1bb4b
SHA512 eb3b937012f9080b8777039e3b3e3afcfb70f07fd0517903a1d73c73ab584b086a62eb10a07bc026f66d4c845db6be35acca8d56224bd715f8e3b14abca7a42b
-
Filesize 1.2MB
MD5 0be99f3d82696e8f1c3caf8dc60dd53d
SHA1 3e0295a2fa97fd2bc822550010a59ae3abc48f18
SHA256 6088237e14f2ceb189aed353788b821c3537b76602f274189f0e09ed62c169ac
SHA512 6b00e0e5370718e9720871ad7592e77f2a71e7639b46860a13e69d619afd6df147245a627c29e88c87299749daec4aa0c210960ec24b9c7053a49a2084fb3090
-
Filesize 1.2MB
MD5 27cba5195c325590d0bb77926284d485
SHA1 a4bc84aea3e191179bc8846ffcfdfb17df35aabb
SHA256 6e54dbf256b1360eea25347ea1119be89bc371902096fe9442c209257c1a0ed6
SHA512 95e24ee1f3dbcb67afd2b910b920b767d879b0100f6bc198b9ca7f0102a64d816c842ab526f64e1ca200b64182ffdf131c098c3c32e09209840fc3b1b92f0f50
-
Filesize 1.5MB
MD5 02d9e8ea1baa784c6bb5f0eaa04e70e7
SHA1 37c138ee4d9a54811745930e84999be3ac1a44b0
SHA256 7628e3780fbde76cc37cdbb7fef2bc36188041e73e35d0613d6e4356b271876e
SHA512 98eeced8ef3719b928c1e1cd7b4cd211bfda9dc1022d314fa4625ec50f0148aa5f4d19cd977df6538d4fec326acf67a16b8f38960738bb7b8d18577282264d4c
-
Filesize 1.3MB
MD5 d1b0ea8af7f7d3996535194e93a05b26
SHA1 5cbcddc9600343b10d60ed292efe6a5cb820996f
SHA256 c5c752d6d0af97fe92577de3be4add765c38f894f434c1c8df730d7f1943e013
SHA512 75cc0269cdb09adc2622a2ac9ef2f7a3dd392564598a452a0aa9c1b73930a7ef389a79c5c9a1233b75c0b2930b141fbc1a4a9c04a9c6cc626331864d355e7d15
-
Filesize 1.4MB
MD5 fa26d8603d2a9ab00d662ed99bfab5a2
SHA1 baecb7d74c0233ed0be6c9635f934d0610194ed6
SHA256 73ce9ab0b261dd120266b483824835e854030afb8c8b642736f3dbadaa3b593c
SHA512 4e3427d869aaa0a8df2137a8704e357fff999e5afd6cad01faf6518d29cbb4208823f01f1a4939a44838ad29717d4fa68c7fdaf3ca92c9bc579439e2989460dd
-
Filesize 1.8MB
MD5 e780768b31dcd84b174735f3c5495b0f
SHA1 6c48dee06224055c13f9ea02a21eba1498ef5142
SHA256 6ce063bca04e9f4416d20dc8ac54ea6d1242db95823c298e58a315e289fbc27b
SHA512 ef8d56701e0a9b4aa80382a3565b5a62c27fe80104aca8b5c4ebef5ee0b75e570200a23f3f6709465d321305d957f0b981812b36eb12063969a4813d4f088bd2
-
Filesize 1.4MB
MD5 fbbc7b8bc8f76feaa15283bdb9fc18d0
SHA1 15f31a4585b4eb04e0638482deacc3993d44539f
SHA256 c5009bd6c0b873f3b220789f445b078b3723babe6042fa268ee78da6c3398813
SHA512 227034981bcebb3497f4799e973e0bb569e86f33aa70b036d3a26c51bb3992db6e518a4f93160b50a47c334a20e09639516cdfd84d2141cba10638fb27f40e1a
-
Filesize 1.5MB
MD5 f1790e8845786cac656c23643df5c6cb
SHA1 ecd89cdfa2e04e6d9f141f021e7e65ff8a4ce0cc
SHA256 b1fadcad4ffcb357d38580ad32682cff79d79ae19d8907604269498e0d56440a
SHA512 9b54b3dd3f7423bcabf53a6cdbb7d7494008427803ca731454c02bc83a6c90b12c4dc629c4414286d41860a824b00619a4956adeac939fa4d169966304ef070c
-
Filesize 2.0MB
MD5 f6e56c858e5186bb187394d8a48d4744
SHA1 607d549d167bbe07b8d25af00a1edc5c47c8f7f2
SHA256 326d6ea746c42c67b7bfe65c775c7c7cee9388d9494436122dda256b85cf368d
SHA512 7aacbd5473b24c26368fe1a076b0d40acdbffb88199dd584b422398d1cbb2b5b3c6e923d6484d4886fb7319de4f2b480181b86c79ba764aaf77ca827eee63a53
-
Filesize 1.3MB
MD5 25723d8681471851d41af820455d04a3
SHA1 ac7feefef4dafb273c430a3e06e2e18c907e22b2
SHA256 a05c51a00e4eaa0b44db11cb5b69e2fa5f361ac3dd04558d6c52fc2ca34652e2
SHA512 7081f6308679d413fa9065405bd0829b32e2a46f036aaf9df99dc4b8939e26071f2cc1b0a33707787f95752f9e289f5f60c6f7957110feb9bea1aae7fc77f18a
-
Filesize 1.3MB
MD5 c3508d09eb6b3d058b7c9944562b9361
SHA1 6413514bd7fa307e5af0258598b0b592b4787dfe
SHA256 b4fb47b471af499551be2baf3afb7648772a84cf7fc665d60291c839ac62cd2b
SHA512 e99f34ac40c22d16b5a36b83ee1909fac36dc3d1224a3b52f7e456abf212520dac16ee51dc36530b8a9b446e8aef6524074b10ef5a169902fd4fc6b3908c1e00
-
Filesize 1.2MB
MD5 928b270c631f44b96f61c9aa2e7b1df9
SHA1 2fac6da254d0fb197a9b01432a1d82e54f46edaf
SHA256 f6fcb0b7d5ac0078e3099df401a5804cd40f4bc3d00119b026924a6c74c0d3d5
SHA512 9fdada912aec8b428f7e07387ec77f8987d32952d4514304610aa9524eccd6048e49812997689b4676c1106de37acd470d37f11d6b9ac7c3279f1aaf9503257d
-
Filesize 1.3MB
MD5 0f393427b9fc585b7afe85b043edad5b
SHA1 80545afda13ae6d99c168395374644b6bea6d452
SHA256 6e8b4fda714441747d991564e6c43d34f5fba0d6e4d3943390aa6cde6bc109e6
SHA512 3bde82338a7722034b05674204d80ca983e956f566d4cadc4e26502adbf34dc32f79e3db4a5c9dc1b17058f98512a0bba564ec7c8f895ec9fc1f53f05317cf7a
-
Filesize 1.4MB
MD5 df95d9ebf5cac1945c3beffcee6c00a0
SHA1 70d4528f674891f23bb48d9b58339cb5486fcf85
SHA256 718696d1d813e004e98d6e751e9ce7cfc2a6cffc89a2d407cb08224f056282d2
SHA512 804e2d52133d3242a87da0fc00e5bd0de11bbed384ba68b98207d5d973840ecfa050dc74524d3434a6a749cc1c34756f1d07235d8ff1bb158edccae075ebad2d
-
Filesize 2.1MB
MD5 2fe7705da14ff7bc8cdc1efadeebc42d
SHA1 e080daa2f9558303f8b49c2638f1c80565d3bba0
SHA256 ae78f59cee9041eb0148652d711ba2f6f0f5e281e3cdcdd0eccbba185f498f09
SHA512 f2c52cfcf18887b6206535f7070fea9fe4b2fd9a60b6daae000a7d028742a6af77f63bf105292350cf75d9e2164dde03963bde2b52001531acdadb212ceac05b
-
Filesize 1.3MB
MD5 58573351fe249123920ad7a6ef8ec663
SHA1 f7f3e2ff5e211d15a5e1bf8c28fca4487cfa46d8
SHA256 abd44b9dadced02bcc6d8bf22d018f740c192e0c8661c06e6387b2b3fc60adbf
SHA512 043263397effcb01d3273f779e01e380b19983e7fc204e4ee04068bba106de7c8b2e173151a7216a57ce08709268697d5f3de1997d7388ff2b75eebd47fafcd8
-
Filesize 1.5MB
MD5 ee64fbf81581b06334a6f5a7666013dd
SHA1 61b3bbbd768df2697c9908a73f2deff2614c1816
SHA256 1b3f303b88fcbaec7912b2f3ce30b1b259111c3bb885095699438e02a4a127a6
SHA512 6f2297389900bdc1d7667a06a4165090abdd304c2e908936e0d2511565df61d9c062bda69c4b553cb842615e2f63bedd278a1e17eb6e1bea113de557261d6515
-
Filesize 1.2MB
MD5 f6e89110aa774b0dd71241756c50e038
SHA1 bbeba3de46b3694290c50a32f7cf494cd1d19709
SHA256 5b452ba729a0ec52fc7b7629d13fbf6ce3243065fe140c69a87dae7228592455
SHA512 0e40e559392670efc2c9097dd5f21f313cb572c10f93c777362f9f1bbffd056436e5800afe89413a180ecd108b9c2adc46e5e1c19b32d2ef1ac64c1dcc1d25f1