Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 15:01
Static task: static1
Behavioral task: behavioral1
Sample: 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
Resource: win7-20240729-en
General
Target: 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
Size: 3.2MB
MD5: 259ed8b436e06e9d0a46973979f1c308
SHA1: 8755d1c6fc9cb7eec87175e2f327964e61d85681
SHA256: 44a4a04dea7eca8a5909b42900a0367f3bd9c188e660e705bcdb12345ab4b509
SHA512: 738fe89a19ce52f10156fd0ee3189b9a9e302e735ed4232228b733db0425c9641e216482aff636cf18de9e56a19ef8195d2c103a18e8b883aef88f5d06231931
SSDEEP: 49152:V5k1YCdptya507NUUWn043oHS3fTIYwVq1/xT3DDbw0TUqypkQ/qoLEw:1NhSMYw8yBqo4w
Malware Config
Signatures
Executes dropped EXE 26 IoCs
pid | Process
2160 | alg.exe
4548 | DiagnosticsHub.StandardCollector.Service.exe
4980 | fxssvc.exe
2632 | elevation_service.exe
4472 | elevation_service.exe
396 | maintenanceservice.exe
3584 | msdtc.exe
4068 | OSE.EXE
2136 | PerceptionSimulationService.exe
1360 | perfhost.exe
2052 | locator.exe
3944 | SensorDataService.exe
2256 | snmptrap.exe
2372 | spectrum.exe
3948 | ssh-agent.exe
1020 | TieringEngineService.exe
4928 | AgentService.exe
3112 | vds.exe
3108 | vssvc.exe
3224 | wbengine.exe
5144 | WmiApSrv.exe
5272 | SearchIndexer.exe
5176 | chrmstp.exe
2340 | chrmstp.exe
5524 | chrmstp.exe
5660 | chrmstp.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\fxssvc.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\dllhost.exe | alg.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | alg.exe
File opened for modification | C:\Windows\System32\alg.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\vds.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\8f79d4ec38f5360d.bin | alg.exe
File opened for modification | C:\Windows\system32\AgentService.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | alg.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\locator.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\msiexec.exe | alg.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | alg.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstack.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | alg.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\uninstall.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\java.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | alg.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe | alg.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\unpack200.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\mip.exe | alg.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\idlj.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\java.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | alg.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | alg.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | alg.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaw.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | alg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | SensorDataService.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | spectrum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | SensorDataService.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | SearchFilterHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d8cc122ef31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a43fc23ef31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be9a3123ef31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia | SearchFilterHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document" | SearchProtocolHost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133755517029867480" | chrome.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" | fxssvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec372f23ef31db01 | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b450c622ef31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" | fxssvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie | SearchFilterHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054157124ef31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder" | SearchProtocolHost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c976ec22ef31db01 | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document" | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application" | SearchProtocolHost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | SearchProtocolHost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft
Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023524d24ef31db01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb339d28ef31db01 SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar" SearchProtocolHost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show" SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091c13823ef31db01 SearchProtocolHost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068690324ef31db01 SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList SearchProtocolHost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie SearchFilterHost.exe -
Modifies registry class 1 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid Process 3376 chrome.exe 3376 chrome.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 
2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 5500 chrome.exe 5500 chrome.exe 5500 chrome.exe 5500 chrome.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
660 Process not Found
660 Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid Process
3376 chrome.exe
3376 chrome.exe
3376 chrome.exe
3376 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 5100 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe Token: SeTakeOwnershipPrivilege 4344 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe Token: SeAuditPrivilege 4980 fxssvc.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeRestorePrivilege 1020 TieringEngineService.exe Token: SeManageVolumePrivilege 1020 TieringEngineService.exe Token: SeAssignPrimaryTokenPrivilege 4928 AgentService.exe Token: SeBackupPrivilege 3108 vssvc.exe Token: SeRestorePrivilege 3108 vssvc.exe Token: SeAuditPrivilege 3108 vssvc.exe Token: SeBackupPrivilege 3224 wbengine.exe Token: SeRestorePrivilege 3224 wbengine.exe Token: SeSecurityPrivilege 3224 wbengine.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: 33 5272 SearchIndexer.exe Token: SeIncBasePriorityPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 
5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeTakeOwnershipPrivilege 5272 SearchIndexer.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe Token: SeShutdownPrivilege 3376 chrome.exe Token: SeCreatePagefilePrivilege 3376 chrome.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
3376 chrome.exe
3376 chrome.exe
3376 chrome.exe
5524 chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5100 wrote to memory of 4344 5100 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 83 PID 5100 wrote to memory of 4344 5100 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 83 PID 5100 wrote to memory of 3376 5100 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 84 PID 5100 wrote to memory of 3376 5100 2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe 84 PID 3376 wrote to memory of 2956 3376 chrome.exe 85 PID 3376 wrote to memory of 2956 3376 chrome.exe 85 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 
91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 552 3376 chrome.exe 91 PID 3376 wrote to memory of 1708 3376 chrome.exe 92 PID 3376 wrote to memory of 1708 3376 chrome.exe 92 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 PID 3376 wrote to memory of 3328 3376 chrome.exe 93 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5100

    C:\Users\Admin\AppData\Local\Temp\2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-11-08_259ed8b436e06e9d0a46973979f1c308_cobalt-strike_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=92.0.4515.131 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x140221ee0,0x140221ef0,0x140221f00
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4344

    C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 3376

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffed618cc40,0x7ffed618cc4c,0x7ffed618cc58
        PID: 2956

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
        PID: 552

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
        PID: 1708

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
        PID: 3328

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3016,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
        PID: 5052

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3024,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1
        PID: 228

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4500,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
        PID: 4444

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4656,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:8
        PID: 2464

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4660,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
        PID: 4276

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
        PID: 5380

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5184,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
        PID: 5916

        C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        - Executes dropped EXE
        PID: 5176

            C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2c0,0x2d0,0x140384698,0x1403846a4,0x1403846b0
            - Executes dropped EXE
            PID: 2340

            C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
            Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
            - Executes dropped EXE
            - Modifies registry class
            - Suspicious use of FindShellTrayWindow
            PID: 5524

                C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
                Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140384698,0x1403846a4,0x1403846b0
                - Executes dropped EXE
                PID: 5660

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
        PID: 6100

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5048 /prefetch:8
        PID: 5800

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
        PID: 5548

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
        PID: 5620

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4844,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:2
        PID: 6004

        C:\Program Files\Google\Chrome\Application\chrome.exe
        Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5084,i,8756990815903459157,14784852962158558754,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
        PID: 5500

C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID: 2160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID: 4548

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1460

C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 4980

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID: 2632

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID: 4472

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 396

C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 3584

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 4068

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 2136

C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1360

C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID: 2052

C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 3944

C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID: 2256

C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID: 2372

C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID: 3948

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID: 1784

C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID: 1020

C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4928

C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID: 3112

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3108

C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3224

C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID: 5144

C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 5272

    C:\Windows\system32\SearchProtocolHost.exe
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID: 6032

    C:\Windows\system32\SearchFilterHost.exe
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID: 6112

C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID: 6124
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
4.6MB
MD52e1f5b48b394d47bda8c387e21a078dd
SHA1c72d72d42150e216a5ebea9005a651d007c9aba1
SHA256167efd80c690402dd38bc3a87c08ce766032354fc8438058059f525583616ae0
SHA512b511b03a65800ad55b817948489745d01abdbaf1d35e465ed5cb7a8c093ac9db661282ff3ebb862cd32773d3fdd74f58329e5357874cae286fcf64f158c075be
-
Filesize
1.5MB
MD5d0a18ebdd8c30f6f389565f45612d7b6
SHA1e9b858a79d0d869f3c380b359b8d114522232f08
SHA256a8a8791ed466e70c255112d8b87bd92e5384433013e4c19bf9b07b74f245b0e8
SHA51246b54f9027fff4b32b656cca948c66b4c890d38d0055a85263aa4864499d00bb0ceb22c6f0d9f2200c170589a11fb8b0143c849167d3e60106e755583f1b31ef
-
Filesize
24.0MB
MD5a18325c9e54312ba007447b783c532fd
SHA1e51f5a312af5380951a5e362e7bb517b1a8acd3f
SHA25670b739e7d297bed1057b1fe84ec0829e0065525065bcbdbe02fe25160149f84d
SHA512c9f49ce83404c14a5a3bd41a458e56264c8680d124c6d6171d12e1eefe2ed5daf41b13b1668be11c7ea434d2ee1c152926bcad10cb751782a6a2956a42e541b1
-
Filesize
2.7MB
MD5f569751ccefd6d67bd1dc78ceca9cae8
SHA1c2556f8d8f6652267898badfe98b5b270fcd2c2b
SHA256ad0d2959f2a4ae0326b3c7e3c057bcec0f41cfee7cd7ef8390d12eac713cc74a
SHA5126756cb7d6a6a6de96bbb2496f0e02673ac8f884d4d7e4ff25184b578f085f75888d44d85ec7faf8995ccc57d62f97f5d210d01f684244991578ec6496a046fa5
-
Filesize
1.4MB
MD56e88627271f986e13975f8f04ee3ed87
SHA1241ca8a065bdc12a7f27750d0c08a31879cfc431
SHA25689de72c5b19dfafa4a320d8a426945d5a163947f3f6b075047f52be14a38cda7
SHA5120f1e2012f07696fe2f4d21c17fb30a03a8a91f2c886bb1617612f4e47982a285fd3ae1e93132b741d31c0b7b1607a74c8c976801832ac7903ccc83a8834b6605
-
Filesize
40B
MD5268950ab73d1854104eeb4f6d4793128
SHA1757d3749ea559786c560d5b973561f2f997e50f6
SHA256c9abc4c8dec9b51d2ec8d156bddce7e9c6d71ba3fa70e9fa0dc3beb20d99a8b1
SHA51290884d54c91b90d1d9cea23ecea2cf0e3e78f6303c7106b0d1350132025d7b031a3dfef5445fc0ad71094993ed31f4de4c9194c9573b3fe4e1216294b847fa14
-
Filesize
4.6MB
MD5374644a8fcdd8675abf229551b3966b8
SHA1bf8e9df76c0fe64260545d6ca30b77cd45064d84
SHA256a73a7a545eed9a9da95d7aa5c203fb455fe814620f3e9c4a25c8060262570ef3
SHA512a37169e6e509230f1a3e0e97b16c4b7618c4c6f79cbcaa0e66d77e0ae147b8df3a3c5772279aec79bd9868b833fd9e8a7c6d9c5e75fbc9d94d29ef3f7b2768b0
-
Filesize
2.1MB
MD5e665dfb16cb83d54bbfdf1a4c5db2d6b
SHA127c2793a01a7936ca0c97c906ea0eb7b5cf68273
SHA2560022d6c148d2252b9214e0bc899ce095ead6072c752adad51dc6688b185a0b80
SHA5129e373cba7238aad426e40c37b872180656c457836c0dbc62a607c2caed848000c01a91586ed07e6444ba4b821ae1c6b81597cd6e755ec9a3180c705370d655ee
-
Filesize
1.5MB
MD5bd75f702f5100527e68fcd28eb7daec7
SHA1941621c3a21f549118e4d14ae2985d566e176f70
SHA256f514c0a778383a2738915a01d2d7447fe90cf402a4a6e835ebd98ddd2c3c6264
SHA512592a7efa39e57c9bb72c2f6f2b5f0b13e5bff147475ea252cdccb1e99ec40574c45d5772f87e3d8231e413108e30b4c9c511c0d825369fe81cbdf7fe04fe65a9
-
Filesize
40B
MD5980ebd34ef8cdfa9900dba4fe367d2f7
SHA135955645e6324fce99a971a5a80ecae0fc21d971
SHA256d5384308d29f2f9478f0d1354e9f94053300496f3b7cd2f88f5f8d00dbe1482e
SHA512470cce060f4dcca34b26c8c3b2d3d4024c12fb4631ed8251e942e7e992149a422f30526b27f9f55c13d5d9581f022d3b18439893c6b0455180ae70c0fb24430a
-
Filesize
649B
MD58323d06c2e86154bc1ba8d5f60885469
SHA1e0a677e66503ff0179f52d80195681a9997a938f
SHA256eb35d0e77d65aefb351add8f38e15aba5be238b6d7a14d2312f5f7e43c606520
SHA512e5f2714ae3e5ae11402f368c5fc6dc576068fc4d65c5ecace6365c5797d5656f2870963fdc754738bc7b7e75d41d0b7d7b4a81a899e0d11a760692973448a4b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
192KB
MD5a8cf54419129b874864cf206392ece0f
SHA12d8f78e5d6951faedba3257d5794227f34c50967
SHA256b8a7649c907c010db609d7143f3f0601a385b9cf803f4b0bddb449c41151cc1f
SHA51202a77857be5123636fdc44791f6cf7a4532fa53e34576be7f6ab21da51ef400fc138d7dda6a2880b2b42ddb22a803a1897e4f95ea3479487af61a199c7929a8c
-
Filesize
2KB
MD51618e26b3d922422a66be610f91137ff
SHA16d085f3e357a91280d9501854f8e016558c8ff06
SHA256df3b805c25762286403c3307b6771053c77e03ac285327154d78c3053faf05a2
SHA5120c145adb3a3da1a07628b394eedd08c5b310c4cec115240335937fdbe55662d15d8d92f8aa83b3da2546b5a3bd3f7b86d082ca0a9072fa06040e6ffc1808c54c
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD58bd399bae1542546857469410728ed5f
SHA102fdb45d9b2c0755108a633a8905ef4ba23a4e98
SHA2563c1310f375f8b6d11b2f14533c2c9c436491797df7ee2143b04a442ba4bd1c24
SHA512e7beff7ffc5d44147b6fbc99752e38b46ece50512b75d5e60b8bb40dc9bb66936593d5cbd500920d0e891c5919708359514d026e3893827aa89c5958189734e3
-
Filesize
8KB
MD5c6c88a3401fc91eb75af8c315c3bdb23
SHA19591046a437ff8dfd1cda82b02b28bb5d77ea902
SHA256ba2d2a5cb7e3e6074acb0fba611778945562f493f56034ed875d4e7131787cf7
SHA5122d7e719ce194e3a9e17b3773e17aa5ee7d025cbf8f2eb39735dbc3935ea06b8b038dfe74ba97817a259747d4d6370b390bbc6576d9d018722810229fade79df2
-
Filesize
8KB
MD57a331b74bb76eb6754fd117e33bac4c7
SHA1d547e33c758e9696113ea5a387e6c9b2081c68bf
SHA256490970328f5469222575bd503eedfddf0c26668749ce82af2356ebc46283b952
SHA5124e005094884b35b48c7913fb46e185d5b8cd4f205f32625cb8d155e5123f70f0b8b7b869c38536ef5be54406250f1d6d2d8bdb1f8e732af302124e560ff7f7bb
-
Filesize
8KB
MD5cc93c0083f7b9aa0463f106c0f2b120d
SHA195ca637fe5a7f8842929b83f9e54efdc805406a3
SHA2564214636b833d3681c27de625216d51d68a1f27c570d6615ba4ae2b29f0298ce7
SHA512f65bbf16d533e082086f0f68728a4e5b709c06b61d54b4d45ff72af1dc64386f26ec2403f5c0129a9128ffcc1faed43f94be49a5607a010e0f9f9efdfaeb08de
-
Filesize
8KB
MD5cef23c50401d24bed5db5d2c3009cf88
SHA1cb58b6b4ae2e9b5a34e2e722eb4c298ccfad1e0f
SHA256ce8e61b578ed8c165b935b0095cb741f27d8c5a472066a7f7691e30340c3ccaa
SHA512beb8c0edc231470997a0fa6ed8a792cf95d335ce83342b28946fa87c2d3a27b592e7bf475fdc422eaf08491ff2ebabc52552e397b6adb2bd2483d08f34d7104f
-
Filesize
8KB
MD5140e401b113fadb10f96f0d30b1de06a
SHA1a66b438856963044fe6bc528324fb23ccb3084bd
SHA256c6e6852810bce06c62de31c663901cb8b5e8ffd001ed7a53e5421a1551514e01
SHA512ac3e295f4fa677245f302907d4a12b13be183a07f29efb341aa80ee337438fa5c01acb9aa161e1a6db8aa6deb36de0b70e25e73ff931c0ee435087d7654e327c
-
Filesize
8KB
MD58d5566771e851bae6995db10c41bdf27
SHA17284b0aae4655d732fe23eb161229574c9138d59
SHA256b52d6723c1d29ec40e7b2608ceb0a9bb003dada3dfd9f38e2d9e949d9801570c
SHA5126e9a0243500d02c82e4c03a730a98a96b9f9ce4d8d88ba2fd2934721b66f8df8a93fdb58f955680b4133f0dc93d341401f96c3241030e18d30b5aea33eaff635
-
Filesize
1KB
MD50d4b3eeb6b4343ffcc5a9aa997f52bf4
SHA128c9da82e5539ed572b6fec079b554fa8aec4ea1
SHA2566fdef3a9e405c12f661f27b154905fba6a07360e4637f2a26766121eea57461b
SHA5121067628201faab52f28d364cf83650f2368d9921c4459a8d388a863a15e15e850a9a61ec0d36158b9f4d590ce93bf8619a6ba2dda94786f6d6527fa824775aa2
-
Filesize
15KB
MD54c49d631bd6db2d2fdbf705065783b20
SHA150dca7b6a55be506a3f1f4c92fc29ee627ffa714
SHA256c720c4f2432de55bf663ec6d4a6f5fa9e63d890d86ebf3e8495916f26153ccff
SHA512b592a81bff3827933decc06de8b428b5856714ec9836822f4b7667d222a34a6cdbc71527990ec971c7caa0aa0caf359697f219e83f5313e173c22a39f0a47b2a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5bea5b7dcc0fb1af575395c3b7560c9f8
SHA1c5b909d92cc2315daeafd9468129fcd30729a751
SHA2568e5a6d6554af2c09240fa854087eaecec817e1d2aa3a14f921aaec9fd137ca8f
SHA512012b19c046283590223de8f21f5f181466473747243d621f701907ba68e2657a84e50217686cd44de7b6d38d68d5b84fecf1cdd93e95d40b529f287491d6b22e
-
Filesize
232KB
MD5023b3bdae3f9839c82d27a1ab5f1cbac
SHA16a2c0454478c4f0868248c440c77c6387aa4479b
SHA2564662debcc3f3ae80911cc72c6049dc11873460ca2e5c5d7273168b017313b819
SHA51284842c00d592fea1a8d7f1d85c4b0c669699951f011ba44c950471bed79f5f694898cf092cc1f45819ed4667a20ab7f959c2aaefb5090ef2f79bc102b2ffdd25
-
Filesize
232KB
MD5c129d079d9601013172f99007a9761ef
SHA1360360bb0bdecd07ecd4952b373050bc0cf64fdf
SHA2560db4e815ccb447697e62f63dbaadbbab7d76b1750ed7329c1dc37e9ba0790bad
SHA5126e358aa8854965f57bb883905c89e44f50606cbe41dbd0f2c72790ed9f4c77f4022db4842998e82b93b7fa593b1214df2edbe53cd63017b90fbd8a4941f556c9
-
Filesize
7KB
MD5b74e892c51894bb66b0165993461b4d4
SHA1133b51941935a7da2984d751e299d624a99f113e
SHA256db229fb75722d6036f76252c4696538f052f6bfe7a49ae5237103f5d81322fa1
SHA512b618d628bab354c56a1f0f81d7e04ad4378ebeb1c0e691b851fb764e33be6c8c21cb7d66d5cdb647e5ff949e5e40049da56ce503d219476f9efff3ed9520b1ee
-
Filesize
8KB
MD57dbec1cd541e41dac8eebcf1f5930caf
SHA1c5ec7d64e2a78ff33bb3fec40292d1baa95a0321
SHA25615e0e3d0c92bc26044db77547819ed8a923233e624186724514f9e67010b6f85
SHA512939163cebf8c94d304a7c1c7daca5836a6f27104943eb425b6701b2b7297ed9e8095c4d3fe51f614ce94db61ae7cb4ad400a3032e86af8bc16033335fb2c10b2
-
Filesize
132KB
MD5da75bb05d10acc967eecaac040d3d733
SHA195c08e067df713af8992db113f7e9aec84f17181
SHA25633ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2
SHA51256533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
12KB
MD528b2e03ddbd79646a1256179e82446aa
SHA1cbc29e0ac3595311192e50c651e83b79c793c873
SHA2566471b4768cff0b4df5fbb54dfd99d5424416c43a346bd36c42d25b4ca2e075c1
SHA51205704e5bea3b66f048b8099de18e20cdbf5832e076c397ae7dff4275749b81b4756180c85102cc777ed1ed16131fe64f396146426dfb2fa6ec1bae6c12d1759e
-
Filesize
1.2MB
MD51193ec82006d873889e52ad6176ce0be
SHA149b3cbb9830f5c2cd771d24c5713559cd37b4916
SHA256fdbdaed3227ec7dbf2a9f84260ad06554186aba4d956a01fb3c3d8f6a4de473b
SHA51270bbfc80d6d699e4a0045bac680221e76c69757e951a79f8dbcfb547283810ae24ac7135033f9b4bd6707f3e9100b7e1ea97cd662df14d18835febd0860f668c
-
Filesize
1.7MB
MD5f398fc00fe4cae64dbdfdae25a0dc281
SHA1fbe970d1da7946ea6b4ec4a27f31346a3d0cc582
SHA256853952c90de725bdf0e4d3c09178b1f66a6f205ffe199e5ef517e86002fd6227
SHA512cee5efaf1f4d9fc24e1e26b092cdbe654040e19f1439879802c6c454ba5e00c0c325bd3d4664d0470992dd46ca5b53f92a38d52f64ce8ea570ec438668da3c78
-
Filesize
1.2MB
MD5394aae84807c7bc918aa09860e7f0daf
SHA15ce08eb4c48a6be52a58a8f3a9e9dd799574f55d
SHA256e0d73253b258f25abf2896f0a4eef3b962501f1d1ea4e4a34dd41d838884223b
SHA5127bbded1b4bcef75defec08a9af5f7ce6f718f86652ed2723bfec08aa1f8322bb5bdc229043299c803f13d472850e84a8fc02c007e07482ed31ef7affd2604971
-
Filesize
1.2MB
MD58ec6eba17f292ebf73143e00bfaf9a1d
SHA194c353baa7943375326b93372ec7feff9975f2d0
SHA2569bc001fbfb9030780c296cc8e3fbf8864319d74298ee4b4e1d6a746b16716511
SHA512475514d748964d1baeb33eafc1dd73d64a66f289934697b06a508b416e89a2d4b886b30e5bed80144688c71d6cf25b6b0adbae8387a0f717f75c94a7dd748d91
-
Filesize
1.2MB
MD51d40e02371240c4a9ced80900b640cc6
SHA1b4e8b8efe817374e740f1ea4ae9b8a765f634652
SHA256b22d7c629d7be628a24f360fa4e5e4ae53fd14a51636bf2d84830d146cda936e
SHA512233e8856ce615a97565acf28815d70c6ea3d893c2029a851eccccc9b967cd866c5b278b1bc82699a4576bd9e7111daec9aa680d8bc532256f353dda090f786d0
-
Filesize
1.5MB
MD54ec028bf720b8ca8c421087a613f062a
SHA1798b146d8b804aa0e7cb48fc667f85bb4c94a725
SHA256eff345ff03758bafaf14a6da973e14a2d060478980aeef5fb6856e2ef283403b
SHA5127d6c6d739a8e4010f02e73aa1b62ddd60529aebf6ad39956b5dbca8aa547e6593bbddac84cc26be108848b66f120d30c67b174462fc6a8822dc0058ee9e79341
-
Filesize
1.2MB
MD57b20e8dcac73034e74ffd470062a1fac
SHA1e89ae5ccd5e1d17fd2691927b0dac29faecb40b7
SHA25671fa84f392fe29dd729fde0370a55709c700845c2c33fe1e1b1a7b11e05f4425
SHA512f1cef9e6005ef9810f7fddfe0f512f01abc8c6812a356df8802a77f242c2097fd16891a180762d2f61a15e4f775c25dffaee4d60a3bddc6c66954df436d6b5db
-
Filesize
1.4MB
MD54b1223a7be65b9974890ee9ac9a01913
SHA117fb85d4fc10509659b4b7b9ed0b6f7e8f90240b
SHA2562106bf2695d52a73d2b8f1019906362327914e52c53fe1d1b395e498666e590d
SHA5128c7d064718ad5b20efddd63ae778494aeb7aa5831f16d537b8c8333aee489e94d648e37bbb4433603f946c59f0faa5a9238814faf375f50fb9356a16d2fbe5f5
-
Filesize
1.8MB
MD5b1eba8ffe9fc7efb511d9dae69f22261
SHA1d0ea3b8b27493ddee410c38d43dcb45e9f7145dd
SHA25625ecb3d4ee7611ba40e159cf587833ac1b6dc37b8832f3f77ea6f1662cbfcb01
SHA5120401b63a6b2f90a8255a2cd4e5c85e6c924562c60b1363b35a65311b1621a5f448343c7ae9c7bafb39270e1c1c24ea28ca321ca62f0b59426d8bf5e71a46157a
-
Filesize
1.4MB
MD538d6b330a3a0ad1a694bd503094dd721
SHA173a25f7449745a897afde6b716ab6f03bac248d4
SHA2563c20793d925afc2bed4e9124bd08f2e50e19894a53de0fa22952bf2a681d8c6b
SHA512e15bc213671fb938789e980d9ad21936a57984abe552f0923745c3e1fce4c7aaf4ae0067754ce9669dbd50ff09a96bc812055102d08476ebce3c97df562633c4
-
Filesize
1.5MB
MD520ad8ef951cefbff593b9ce03dd0ee8f
SHA17e953be4f93f0729adee9de49c55df5a0caa8e3b
SHA2560645a457f92939bd9b1cfea2c6983969765a1c9de83da5d4f4158b36a92ccb77
SHA512a2fd04ad7990210b3d3ad8eae709903edf45a0789cb00614f77b2702bb6e9334edfeffa3eba3d376323a247b523be250ae347ea9b63384b68fbf4560a273497e
-
Filesize
2.0MB
MD5dd7822094c7418faa26ee099f089ddb8
SHA148542b445ca2b403a3f7c1b8238ba2b2b3414e6e
SHA256d375ac85fa68d0fa1f13a2b379a54b9c61edc3b7ca28acfffd49af62508f639e
SHA512dd97a4f488cbe4939d9e9d73d80c814bfffec1cf9f658489330649e5942e15760fb7f9d2ccc10982d952f1c2c89b46c02338cad82b2f74b665ce4e70acbd268a
-
Filesize
1.2MB
MD5fb55ee538bf3b4ed6adab8c703ace022
SHA1e3585fcaf08d7e529b334272519bbbba32e283d3
SHA256bc24ee49273ee81b2a21e518aa9e58ddf7cf6fddcfc18be9b10fa725905ef545
SHA512a33bd085446443cf021d9b51525c4006865f24142a97b492bed8ffcc5349c59869a224d49b5926d6972faf755a7a759af46242272e01f4feb096c3c37ecf4250
-
Filesize
1.3MB
MD5b9d127f71d6bcd8311e14642195234b3
SHA16761e0d94d2976b832ad49fa78406e49b2779e0a
SHA2567760d9f572e67fe0d5783881a369dcec668d8ac09ecf067a45564aaacbb0b1a1
SHA512213f43ea45295f4c35f9ddfac2facf6895255becc4dbc3fdc9d86ee25f51d660680dbedb36af915c190566c63b05b99172c5613248226b0ba2787f7921abbaa3
-
Filesize
1.2MB
MD58ff37a1335360a8293cdda43d2fe4967
SHA13aeebf331a24122dc8a406352165a9443798bffc
SHA256fb1acdc9741c03645185216195b3e3e281831d0777828b288df4388eb2521e3f
SHA51232ebdc02484dd93bb781b18f27a791828352784877aa9eb9c5e76e71c92c76eede7cf433687472fde47768881865395f981de607e9eee844f27ae5b2b19b6a5c
-
Filesize
1.3MB
MD5bd3cf574adadfb1e0f498cf661d01609
SHA1ed1f4618a0f7357b01b29be4e26b9aa41ef34a2f
SHA2560563fd5dbc85b43900a61cb69bd174d69050cc7a6bbba3368e323ff25435355a
SHA5128d5bd6972c12015778e68fd07270d98d06990e6f9b06dcd84e37a0437eba0d4ddef80b7b6320ef2bf91c21915c16d0bfb487e198d6d142a34566655e2690e435
-
Filesize
1.3MB
MD50f98300c2ea809d633da709dd564e0bf
SHA1f9eef90095a4c0699feee29d54d89a08b0fb3aa3
SHA256fdfd89410a7638c13abd675efcddd15e065071f832b38edec20f08817cea8fd0
SHA512f3644c0ad98a1e4aadbc6984fcfe5477f2a407f78fa9aaa6995030aecdd47a64340cc1af27935201b0a65ec87e5d0b07f551bbe8c40fbf5b65a55a7bd5a36f93
-
Filesize
2.1MB
MD50a6fe71eea802442568efc61b85a6802
SHA1ac5a37e78fed3d1d7d09dc1bede637ac21ae5fbb
SHA256bed3d7be004cdce8c2ffe8666f78f4f79acb15f2b53457826f879d52bf367fb8
SHA5121046a4d114e8ea652b00543b5322a68ef63dbd85a6b985186703903ed1fde91f005a557b7ae9ec179b2e865b921e3768231cb6c84a0a6159957cedd20b4c01df
-
Filesize
1.3MB
MD57f5e64499c5c225f75701d8a6b4a4ef7
SHA10ffbd76c2e4fc0e3dd5352541a156bec42ffc749
SHA2562f765d1859821b1b18a5f0f4c0d7966c69a827f2316af90d29dc9eafaa987f22
SHA5122c8cbd669f18fd442fa2026135134eeb7354440e45d9f317b019ec66ceade5ee6a9b884b497121af7e2be275aa376bd0a50801e978a6545b034c09268f229d7a
-
Filesize
1.4MB
MD521e276dc8fcebe72b3438c10c4f784e8
SHA129b8ae6ef16768a6a93545b7a1dc0236b7556471
SHA256ebbb931179f7d738b7f2b94e81bdd8115c21938bb8ab98f6103236d87e3b4267
SHA51265a06bb631eba01b60cb11da57be67d335a51167701fdfd48498a5b19feb520d149106e3679a6df1ffccc657964303521a22608a6a7d8a72ebfbd54c24da6092
-
Filesize
1.2MB
MD565d009240e32f0da9095dd78f314d9ba
SHA171b21efec23f5de5ab9ed9dd7f8ed722dc46375c
SHA256790c5c1475e0674d8af6229062998fa91320e0254d9e9f9b64cc7cb00d44d186
SHA512f3176c01fccc79aba68d1fbec714c070229ccac3bae822c9e570bc1ffba6717b63cd827e3d2ea0c0db49bf1b1233b357231aadd105a1f75d7dbccc3466ac4602
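The two parts of this report that an analyst has to carry off the page are the process tree and the Downloads list. In the tree, every binary under C:\Windows\System32 that the sample overwrote (the "Drops file in System32 directory" signature in the summary) is later started by the service control manager and carries "Executes dropped EXE": the replaced service image is the persistence, and each such path has to be re-verified on any host where the sample ran. The Downloads list is the hash set for the dropped files, but it comes out of the page with the label fused to the digest ("MD5..."), the size on a separate line, and a path only for a few entries. The Python below is an added example, not the sandbox's own tooling and not part of the sample; it parses exactly the line shapes visible on this page (any other layout is an assumption), rejects digests of the wrong length so a truncated copy cannot silently become an IOC, and returns the list of Windows images to verify. The sample text embedded in the block is copied from the report above.

```python
"""Added example, not the sandbox's own tooling: parse this report's process tree and
'Downloads' hash list into IOCs. Only line shapes visible on this page are handled."""
import re
from dataclasses import dataclass, field

# Tree header as extracted: "<image><command line><depth>⤵", optionally followed by
# "PID:n"; otherwise "- <signature>" lines follow and then a separate "PID:n" line.
PROC_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?P<rest>.*)$")
PID_RE = re.compile(r"PID:(\d+)")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")   # label fused to digest
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: int = 0                                   # 0: no PID recorded for the entry
    signatures: list = field(default_factory=list)

@dataclass
class Dropped:
    size: str = ""
    path: str = ""                                 # the page names a path only for some files
    hashes: dict = field(default_factory=dict)

def parse_process_tree(text):
    procs = []
    for raw in text.splitlines():
        line = raw.strip()
        m, pm = PROC_RE.match(line), PID_RE.match(line)
        if m:
            tail = PID_RE.search(m["rest"])
            procs.append(Proc(m["image"], m["cmd"], int(m["depth"]), int(tail.group(1)) if tail else 0))
        elif procs and line.startswith("- "):
            procs[-1].signatures.append(line[2:])
        elif procs and pm:
            procs[-1].pid = int(pm.group(1))
    return procs

def dropped_system_binaries(procs):
    # Windows images the sandbox ran and flagged as dropped: re-verify each on the host
    # (Authenticode/catalog signature, or hash against the same build's clean copy).
    return sorted({p.image for p in procs if "Executes dropped EXE" in p.signatures
                   and p.image.lower().startswith("c:\\windows\\")})

def parse_downloads(text):
    records, cur, want_size = [], None, False
    for raw in text.splitlines() + ["-"]:          # trailing "-" flushes the last record
        line = raw.strip()
        if line in ("", "-"):
            if cur and cur.hashes:
                records.append(cur)
            cur, want_size = None, False
            continue
        cur = cur or Dropped()
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:       # a truncated copy must not become an IOC
                raise ValueError(f"{algo} digest has wrong length: {line!r}")
            cur.hashes[algo] = digest
        elif line.startswith("Filesize"):            # "Filesize851B", or the value on the next line
            cur.size = line[len("Filesize"):].strip()
            want_size = not cur.size
        elif want_size:
            cur.size, want_size = line, False
        elif re.match(r"^[A-Za-z]:\\", line):
            cur.path = line
    return records

def find_hash(records, digest):
    # Look a digest of any supported algorithm up in the parsed IOC set.
    digest = digest.lower()
    return [r for r in records if digest in r.hashes.values()]

# Sample text copied from the report above: each tree line shape seen there, and two
# dropped-file records, one of which the page names by path.
SAMPLE_TREE = r"""
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:1784
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5272 -
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 8962⤵
- Modifies data under HKEY_USERS
PID:6112
"""
SAMPLE_DOWNLOADS = r"""
Filesize
2.1MB
MD516673d572494a80f663cdf5616fc844a
SHA17ec91aaa06542765b3b6f8d497d3ff6a9ca41003
SHA2566fbb34f3a5e5d24439f691af6381024a603f3a50d7b7a11fbc5f808c0339f629
SHA512774d39e4051e711494a6ccb6e542f55e191f2489c98b111a319e059acf3bc88a5d532c9224018ffbdae3e06f36c0c014ab2fc82796402578dd94bf96bef8ff0e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
"""
```

Run the two parsers over the full report text rather than this excerpt: the first "Executes dropped EXE" entries (alg.exe, fxssvc.exe, msdtc.exe and the rest of the 26 listed in the summary) sit above this section. The paths from dropped_system_binaries() are what to check on a suspect host with whatever integrity check you trust for System32 (signature or catalog verification, or a hash comparison against the same Windows build); a service image there that fails that check, or whose digest find_hash() locates in this list, is the replaced binary the tree shows being started. Most Downloads records carry no path, so matching has to be by digest, and the length check is deliberate: a digest copied one character short would otherwise match nothing and look like a clean result.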