Analysis
max time kernel: 125s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2024 01:06
Behavioral task: behavioral1
Sample: Sigma1231231.exe
Resource: win10v2004-20241007-en
General
Target: Sigma1231231.exe
Size: 78KB
MD5: 8883fa8d238242e1aa27ffa53978f471
SHA1: e1b7cf625a7efeaef1267d7526ce0d8934cbd1d5
SHA256: 79b60dc0e09c34c25572e03fd159abc274611b764a114225b56ffd7493f3d194
SHA512: 767dc16b9f9815e39cf50b897e76ead19036c02ac56a874331c75e39ac0c6396bc749a876a155462dd9919521aac069a29f55fa8a0b4f61ac926b62fc481802a
SSDEEP: 1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+sPIC:5Zv5PDwbjNrmAE+AIC
Malware Config
Extracted family: discordrat
discord_token: MTMyMTgzMTIwOTA5MjkwNzAzMA.GSuLMP.Q2rECgIO-z6aoG3zAks69t5l-n64ffenYfOjCM
server_id: 1160586840504545422
Signatures

Discord RAT
A RAT written in C# using Discord as a C2.

Discordrat family

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
description | pid | Process | procid_target
PID 5068 created 608 | 5068 | Sigma1231231.exe | 5
Downloads MZ/PE file

Abuse Elevation Control Mechanism: Bypass User Account Control (1 TTP, 1 IoC)
UAC Bypass Attempt via SilentCleanup Task.
pid | Process
3620 | SCHTASKS.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 11 IoCs)
flow | ioc
30 | discord.com
53 | discord.com
62 | discord.com
10 | discord.com
29 | discord.com
50 | raw.githubusercontent.com
51 | raw.githubusercontent.com
61 | discord.com
86 | discord.com
12 | discord.com
17 | discord.com
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 5068 set thread context of 4984 | 5068 | Sigma1231231.exe | 103
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Modifies data under HKEY_USERS (17 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 27 Dec 2024 01:07:45 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1735261664" | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={D750C836-6DA6-467B-A44A-33C88B5171B5}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall | svchost.exe
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | consecutive identical rows (collapsed, in the order reported)
2492 | taskmgr.exe | 22
5068 | Sigma1231231.exe | 1
4984 | dllhost.exe | 4
5068 | Sigma1231231.exe | 1
4984 | dllhost.exe | 8
2492 | taskmgr.exe | 2
4984 | dllhost.exe | 2
5068 | Sigma1231231.exe | 1
4984 | dllhost.exe | 8
5068 | Sigma1231231.exe | 1
4984 | dllhost.exe | 8
2492 | taskmgr.exe | 1
4984 | dllhost.exe | 2
5068 | Sigma1231231.exe | 1
4984 | dllhost.exe | 2
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2492 | taskmgr.exe
3448 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (27 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5068 | Sigma1231231.exe
Token: SeDebugPrivilege | 2492 | taskmgr.exe
Token: SeSystemProfilePrivilege | 2492 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 2492 | taskmgr.exe
Token: SeDebugPrivilege | 5068 | Sigma1231231.exe
Token: SeDebugPrivilege | 4984 | dllhost.exe
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: 33 | 2492 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 2492 | taskmgr.exe
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: SeShutdownPrivilege | 60 | dwm.exe
Token: SeCreatePagefilePrivilege | 60 | dwm.exe
Token: SeShutdownPrivilege | 3448 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3448 | Explorer.EXE
Token: SeDebugPrivilege | 5068 | Sigma1231231.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process | consecutive identical rows (collapsed, in the order reported)
2492 | taskmgr.exe | 59
3448 | Explorer.EXE | 5
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process | consecutive identical rows (collapsed, in the order reported)
2492 | taskmgr.exe | 58
3448 | Explorer.EXE | 6
Suspicious use of UnmapMainImage (1 IoC)
pid | Process
3872 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 5068 wrote to memory of 4984 | 5068 | Sigma1231231.exe | 103 (reported 11 times consecutively)
PID 4984 wrote to memory of 608 | 4984 | dllhost.exe | 5
PID 4984 wrote to memory of 672 | 4984 | dllhost.exe | 7
PID 4984 wrote to memory of 956 | 4984 | dllhost.exe | 12
PID 4984 wrote to memory of 60 | 4984 | dllhost.exe | 13
PID 4984 wrote to memory of 744 | 4984 | dllhost.exe | 14
PID 4984 wrote to memory of 924 | 4984 | dllhost.exe | 15
PID 4984 wrote to memory of 1108 | 4984 | dllhost.exe | 17
PID 4984 wrote to memory of 1116 | 4984 | dllhost.exe | 18
PID 4984 wrote to memory of 1144 | 4984 | dllhost.exe | 19
PID 4984 wrote to memory of 1228 | 4984 | dllhost.exe | 20
PID 4984 wrote to memory of 1284 | 4984 | dllhost.exe | 21
PID 4984 wrote to memory of 1292 | 4984 | dllhost.exe | 22
PID 4984 wrote to memory of 1360 | 4984 | dllhost.exe | 23
PID 4984 wrote to memory of 1368 | 4984 | dllhost.exe | 24
PID 4984 wrote to memory of 1448 | 4984 | dllhost.exe | 25
PID 4984 wrote to memory of 1604 | 4984 | dllhost.exe | 26
PID 4984 wrote to memory of 1612 | 4984 | dllhost.exe | 27
PID 4984 wrote to memory of 1640 | 4984 | dllhost.exe | 28
PID 4984 wrote to memory of 1724 | 4984 | dllhost.exe | 29
PID 4984 wrote to memory of 1776 | 4984 | dllhost.exe | 30
PID 4984 wrote to memory of 1784 | 4984 | dllhost.exe | 31
PID 4984 wrote to memory of 1880 | 4984 | dllhost.exe | 32
PID 4984 wrote to memory of 2024 | 4984 | dllhost.exe | 33
PID 4984 wrote to memory of 2032 | 4984 | dllhost.exe | 34
PID 4984 wrote to memory of 2044 | 4984 | dllhost.exe | 35
PID 4984 wrote to memory of 1772 | 4984 | dllhost.exe | 36
PID 4984 wrote to memory of 1820 | 4984 | dllhost.exe | 37
PID 4984 wrote to memory of 2116 | 4984 | dllhost.exe | 38
PID 4984 wrote to memory of 2224 | 4984 | dllhost.exe | 40
PID 4984 wrote to memory of 2408 | 4984 | dllhost.exe | 41
PID 4984 wrote to memory of 2532 | 4984 | dllhost.exe | 42
PID 4984 wrote to memory of 2544 | 4984 | dllhost.exe | 43
PID 4984 wrote to memory of 2644 | 4984 | dllhost.exe | 44
PID 4984 wrote to memory of 2704 | 4984 | dllhost.exe | 45
PID 4984 wrote to memory of 2712 | 4984 | dllhost.exe | 46
PID 4984 wrote to memory of 2752 | 4984 | dllhost.exe | 47
PID 4984 wrote to memory of 2760 | 4984 | dllhost.exe | 48
PID 4984 wrote to memory of 3016 | 4984 | dllhost.exe | 50
PID 4984 wrote to memory of 2160 | 4984 | dllhost.exe | 51
PID 4984 wrote to memory of 2924 | 4984 | dllhost.exe | 52
PID 4984 wrote to memory of 816 | 4984 | dllhost.exe | 53
PID 4984 wrote to memory of 3220 | 4984 | dllhost.exe | 54
PID 4984 wrote to memory of 3368 | 4984 | dllhost.exe | 55
PID 4984 wrote to memory of 3448 | 4984 | dllhost.exe | 56
PID 4984 wrote to memory of 3580 | 4984 | dllhost.exe | 57
PID 4984 wrote to memory of 3756 | 4984 | dllhost.exe | 58
PID 4984 wrote to memory of 3960 | 4984 | dllhost.exe | 60
PID 4984 wrote to memory of 3872 | 4984 | dllhost.exe | 62
PID 4984 wrote to memory of 1892 | 4984 | dllhost.exe | 65
PID 4984 wrote to memory of 3824 | 4984 | dllhost.exe | 67
PID 4984 wrote to memory of 4708 | 4984 | dllhost.exe | 68
PID 4984 wrote to memory of 5108 | 4984 | dllhost.exe | 69
PID 4984 wrote to memory of 1916 | 4984 | dllhost.exe | 70
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
image | command line | PID (indentation shows parent/child nesting; the signatures a process triggered are listed beneath it)

C:\Windows\system32\winlogon.exe | winlogon.exe | PID:608
    C:\Windows\system32\dwm.exe | "dwm.exe" | PID:60
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{5584d5c8-28d2-4b9f-a6d6-1684b12651d1} | PID:4984
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:672
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:956
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:744
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:924
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1108
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1116
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1144
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1228
    C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:816
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1284
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1292
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1360
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1368
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1448
    C:\Windows\system32\sihost.exe | sihost.exe | PID:3016
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1604
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1612
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1640
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1724
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1776
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1784
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1880
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:2024
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:2032
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:2044
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:1772
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:1820
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:2116
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2224
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2408
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2532
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2544
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2644
    - Drops file in System32 directory
C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2704
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2712
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2752
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2760
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2160
C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:2924
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID:3220
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3368
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3448
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\Sigma1231231.exe | "C:\Users\Admin\AppData\Local\Temp\Sigma1231231.exe" | PID:5068
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SYSTEM32\SCHTASKS.exe | "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I | PID:3620
            - Abuse Elevation Control Mechanism: Bypass User Account Control
    C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 | PID:2492
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" | PID:2512
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbd4c1cc40,0x7ffbd4c1cc4c,0x7ffbd4c1cc58 | PID:4928
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2 | PID:4136
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3 | PID:1068
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:8 | PID:4816
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1 | PID:4956
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:1 | PID:968
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1 | PID:3696
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8 | PID:3324
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8 | PID:2848
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5156,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8 | PID:2012
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4488,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8 | PID:228
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8 | PID:4820
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8 | PID:3592
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5180,i,17521789892794430762,11181645921835811650,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:2 | PID:452
    C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" | PID:1620
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbd4c1cc40,0x7ffbd4c1cc4c,0x7ffbd4c1cc58 | PID:2300
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1756,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=1752 /prefetch:2 | PID:4824
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1712,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2088 /prefetch:3 | PID:912
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2192 /prefetch:8 | PID:2088
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3176 /prefetch:1 | PID:4272
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3332 /prefetch:1 | PID:2676
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4504,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4472 /prefetch:1 | PID:3644
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4764 /prefetch:8 | PID:1984
        C:\Program Files\Google\Chrome\Application\chrome.exe | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4488,i,14804013960624471298,13709545727441097278,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4236 /prefetch:8 | PID:212
    C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 | PID:4900
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3580
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3756
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3960
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3872
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1892
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3824
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:5108
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:1916
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:1184
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4496
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:1172
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:1468
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵PID:2776
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:2832
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:1484
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵PID:424
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵PID:4244
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵PID:5008
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
- Modifies data under HKEY_USERS
PID:1796
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2188
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4840
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:3352
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:652
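Sandbox process-tree exports like the one above arrive as flat text in which the image path, the command line, a single nesting digit, the "⤵" marker and the PID run together on each line, with behaviour flags ("- Suspicious use of ...") and a trailing "PID:" line interleaved for some entries. The parser below is an added example for this page, not part of the sandbox's own tooling: it splits each line back into its fields, resolves the parent PID from the nesting depth, and collects the entries the sandbox flagged. The sample input embeds a few lines from this report (the Chrome command line shortened) plus two hypothetical lines, parent.exe and child.exe, that exist only to show parent resolution; an excerpt that starts mid-tree, as this section does, yields entries whose parent is None rather than a guessed one.

```python
"""Parse a sandbox process-tree export whose fields run together per line.

Added example for this report page; not the sandbox's own code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The image path ends at the first ".exe"; the command line runs up to the
# single nesting digit glued in front of "⤵"; the PID is either on the same
# line ("PID:4272") or on a later "PID:" line after the flag lines.
ENTRY_RE = re.compile(
    r"^(?P<image>.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass
class ProcEntry:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int]
    flags: List[str] = field(default_factory=list)
    parent_pid: Optional[int] = None


def parse_process_tree(text: str) -> List[ProcEntry]:
    """Return entries in report order; parent_pid is the most recent entry one
    level up, or None when that entry is outside the text (truncated excerpt)."""
    entries: List[ProcEntry] = []
    current: Optional[ProcEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":          # blank lines and "-" separators
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = ProcEntry(
                image=m["image"],
                cmdline=m["cmd"].strip(),
                depth=int(m["depth"]),
                pid=int(m["pid"]) if m["pid"] else None,
            )
            entries.append(current)
        elif current is not None and line.startswith("PID:"):
            current.pid = int(line[len("PID:"):])
        elif current is not None and line.startswith("- "):
            current.flags.append(line[2:].strip())
        # anything else (section headings and the like) is ignored

    last_at_depth: Dict[int, ProcEntry] = {}
    for e in entries:
        parent = last_at_depth.get(e.depth - 1)
        e.parent_pid = parent.pid if parent else None
        for d in [d for d in last_at_depth if d >= e.depth]:
            del last_at_depth[d]             # deeper entries are no longer live
        last_at_depth[e.depth] = e
    return entries


def find_flagged(entries: List[ProcEntry]) -> List[ProcEntry]:
    """Entries the sandbox annotated with at least one behaviour flag."""
    return [e for e in entries if e.flags]


# Constructed sample: lines taken from this report (report order kept, so the
# depth-2 and depth-3 entries have their parent above the excerpt) plus two
# hypothetical lines, parent.exe and child.exe, that demonstrate parent linking.
SAMPLE_REPORT = r"""
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --renderer-client-id=6 --mojo-platform-channel-handle=3176 /prefetch:13⤵PID:4272
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵PID:4900
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3580
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
PID:3872
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4496
-
C:\hypothetical\parent.exeC:\hypothetical\parent.exe1⤵PID:100
C:\hypothetical\child.exeC:\hypothetical\child.exe --child2⤵PID:101
"""

if __name__ == "__main__":
    for e in parse_process_tree(SAMPLE_REPORT):
        indent = "  " * (e.depth - 1)
        print(f"{indent}{e.image}  pid={e.pid} parent={e.parent_pid} flags={e.flags}")
```

On a full export the two questions worth asking first are which entries descend from the sample's PID and which entries carry flags; with parent_pid resolved, both are a filter over the returned list. The nesting digit is read as a single character on purpose: "/prefetch:13⤵" is "/prefetch:1" at depth 3, and a greedy match would swallow the command line's trailing digit into the depth.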
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 40B
MD5: 1fd21a5228803360e7498b21377bd349
SHA1: c028d9a423b995bb2f9d9b56ef09e5a4f9535b38
SHA256: 920270c469d0fdd572881597d30bae6f24faec32c8a1e7e689186947ac7958d3
SHA512: c2324e1b0a32c3d4abdac5ee1c2e663d1e49c24c17f0b5a5dac56cc867f67d2665f29148de2773f2e048292b189d136876b557ae9837517f612155633cbb09b2
-
Filesize: 649B
MD5: ed1657d348f83d46de48b544f30a6d90
SHA1: 192c7d45f61602905e7f983f8f94049b6201f785
SHA256: 9fd2afdb04a176fa4c9d3a04925090ef18b7d3132c3756552eec39b92c168007
SHA512: 248c30e934a4cb89e272ae6e15ed7abbb9850f8d9a15ace7e9989aa8677ce5cab9385fd8f161fab2a6496fe8749ce6bc0b1ccac740e280b0588fcccc19b097df
-
Filesize: 44KB
MD5: c9fef0a3cd3f84bea787939c14d06f55
SHA1: 9c747c3a07c63968cf453637b996d18c1307da8a
SHA256: 6d42e9cda72c49ec780aa9229fb728b124b67c7629919b74b8f42c5fe460a39d
SHA512: 46e9fa4dd918d12cbb9002a3a0962a1188442894a0686d7f59ddce5c2e99ebc1af48ef062000f8bb176f452cb4afa165bcdf961903611ff0b8d9773c5c2b03c3
-
Filesize: 264KB
MD5: 3f64f95821b2c9441525c60a2873c7db
SHA1: fa7cf6ba11f366a1a2da3253757b67412a9421dc
SHA256: 13142d56deb2035fe49e3a719f1defbd6499edccb64a9274d53813dba6d1c13b
SHA512: 2a2439bba5857bedccd5fc515adf7185519d5ad45a5e95a14d131b815b568723906e831c5062a5c4dc068815fc6ac854ec3d322195ecc4101cbcb7c9a9151d7c
-
Filesize: 4.0MB
MD5: b09ae16dfccda3fde39ddec550ac179d
SHA1: cccb08691c229fc6b6acf7be3231a43995d0ef7b
SHA256: 0ccdac175e8aab0d1c128815b85ca064bd7cd4329451ccc7d32fd1fcb944b715
SHA512: 65cbe0a00857b3e006a47980f5d38730994c98d9c2cfa2635e1a6551fb3acee8fe3e3165970d56f5315706dc7022827048aba8568d37a1e5fa10689407740577
-
Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize: 399B
MD5: a15ac2782bb6b4407d11979316f678fd
SHA1: b64eaf0810e180d99b83bba8e366b2e3416c5881
SHA256: 55f8fa21c3f0d42c973aedf538f1ade32563ae4a1e7107c939ab82b4a4d7859a
SHA512: 370b43c7e434c6cc9328d266c1c9db327621e2c95ad13d953c4d63457a141fbf2be0b35072de96becc29048224d3646535a149229fc2ba367c7903d3e3e79bdb
-
Filesize: 320B
MD5: 292f3c3ea789025aeba2c06a1b79ac28
SHA1: 4736aecb8662a260011687589ca14738ca103b21
SHA256: 3a861d7afdad2363e3a2db605982fdd0a6cc192053909b8e1003e03793403317
SHA512: 0b5c51e28a2780a0eed86f333a41666fbd08b28bb8f36547bac3dc316a8bb197c5b2920480cadabc720498f71cdd1e2c68fe02ed8f3005855e83d910b1437214
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
Filesize: 851B
MD5: 07ffbe5f24ca348723ff8c6c488abfb8
SHA1: 6dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA256: 6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA512: 7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_metadata\computed_hashes.json
Filesize: 5KB
MD5: b60565bcc498024ac6b314bbde5fc51f
SHA1: 5a56ef1f2db4075458d28a8cbfa8c2016e132d12
SHA256: 2789f5c2c30836bcd23b16b56bd75e1adb34464d81a0985c7f4333d851d5d0b4
SHA512: 5089f9447e4f942109fa4f6d178269ac112bd404376561b13360e4fc2dff852b592e8880fe4e239f2cad83d718ce5aa079eba5c5bbc620fcb23c3217a048a847
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_metadata\verified_contents.json
Filesize: 11KB
MD5: 0a68c9539a188b8bb4f9573f2f2321d6
SHA1: e0f814fa4dcc04edc6a5d39cbc1038979e88f0e5
SHA256: 39e6c25d096afd156644f07586d85e37f1f7b3da9b636471e8d15ceb14db184f
SHA512: 13f133c173c6622b8e1b6f86a551cbc5b0b2446b3cf96e4ae8ca2646009b99e4a360c2db3168cb94a488faebd215003dfa60d10150b7a85b5f8919900bd01ccc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
Filesize: 854B
MD5: 4ec1df2da46182103d2ffc3b92d20ca5
SHA1: fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA256: 6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512: 939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize: 44KB
MD5: 8899337b034b22a895cd794ea2d646ae
SHA1: bf159a69e5ce329a16aba1e35c42a9fa35945263
SHA256: 848c7db154ecb36c0a7d77b1f56b3151b500b9d38954ad1ded5f1de94498a6a4
SHA512: c21da10ae66bca1a2a2c29f5544887de0b8997692eac1ee8d43aa3710568162ccbb21d60e2c7fcb931f669de281d562e00cdee343d58ea298e6778b6b1da545b
-
Filesize: 264KB
MD5: 0d7d5aeb98f592e30c011ce82d5ad131
SHA1: ae45e38d3eeab2b47b1cbe095ee967bfaef1cb04
SHA256: 0add9c4d6c17aa785ab2af405c6db642be6f0d3ab89e9a8a00867d9e7d8cbd0b
SHA512: 6c18e480ba5a7808a76dd980722bf7a2dcc3d7e42957db0e4d15075e4154f9f5c2891b8aa7f4a43e59d00cc7fa8b1c99b3c83e01059280560eeed62b6c530831
-
Filesize: 1.0MB
MD5: e1b16abf4fe264f7c3311e57952aa058
SHA1: aee707f40614b80889939de7c3e4b663956b21b8
SHA256: 67ae8c2d2821a070ba4fca6a29c72b4d913bbcd752cc8cd2e623c743b6e132df
SHA512: a8997f262d3075165d8784e23b0170a6ffcd630c83a45a9995272ebf769ae3d9ff0d401dbce57e51ca2ab52b2d4457307923687587f987586ee85bbfa4c93f75
-
Filesize: 4.0MB
MD5: d6b0609c4b6edb45553ff9afbfc95e33
SHA1: 2697657b75906d3653f48080ec1f3993c07bd8bf
SHA256: eb5cc165f4f69f7a3e72851b1b63e67efa9afb3c96bf8aefc962a5fdbdd6cc2e
SHA512: db4c837c9a8a30e65f0f634bcceecff3354d6b72b34536e584fafd02eb103cb4a6b01522d4463d8c54e6852d28a71d9ec8997e2f353e59ea8724aadbbc2a80ca
-
Filesize: 329B
MD5: 754bee08f551f040b71cf4568549e877
SHA1: 86173217807c0d869270128d5b955d79552194cd
SHA256: 02feae18ae954b479873a24e17a55941c65ba209dbfab6b30cfe0aa03420501c
SHA512: 3251b861940b0cbf8b1cbc1427d2033c9fa1bfd020cef1e5cfcb5a4557730b067914e994aa03ad56ab867f11290ae3f4437dbcd66ee3368973535a36a6138a3a
-
Filesize: 20KB
MD5: 692ccf8f57e0cf152184fa7d7e3629f3
SHA1: 9329069b77450ad6debdc49b1ebb4e8e60aa4793
SHA256: 9e8cb80e6e3a4e21c3ce875f3f61ed6adca26033c72f24c12b6573323616c022
SHA512: 98ea6a75db9274fb496d17da8a45cdc2ba02280af4c7102d19d5af3a2aeb6a886f725eb9520569d1a01316d6e68a5be3e2c273588a7f243fe420974aebafdbcd
-
Filesize: 1KB
MD5: 508d94d438f8b090e40e525d156df2f7
SHA1: 7235e6ce7db72f23a734f8b6d8b6c749e0964939
SHA256: 8a90522e084dc1bc51aff6d1e7a4ba02b8015024904b0efbef30f25fe9b3a23a
SHA512: cb7d30c3d917258910c39d1be164d407dfa9c422838af82924a27f29b5e5656cd4121d97585c7abcfabc01b6604d2c0fc6268db6264b2472d5a6a3ff8719755a
-
Filesize: 36KB
MD5: 79cbb3bc8182b167716db7607608d274
SHA1: b6cd66c616b55e6a15b9e238cf9290fcad6b1c59
SHA256: c4f00225fef5d59e542cccf24343e10805e8b1da9d39a99e8e92743d92a9252c
SHA512: 591a71bf130bcdb0af2ea5cc5dec1213778eb8796912a18ccd18ffc166fef5d3e6a5744847d490494e48c9c60cafac9ce0a3ee027e0321447e32df5c8ac52f34
-
Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize: 356B
MD5: 6c3060ee18c51c04e3f0fe35ffb78a7a
SHA1: d7a1132c2048ac71046f4d047f5a438e332874d6
SHA256: 52c33de7d464e06ae18809aaca1e5b41587c0a588e2c339f5ebd18bc87e3826e
SHA512: fb8b5df9a08669ebd07417bd3886dfe46a80987248119b1b839c1a521d14fb59c5f288549ffa20d199b7547f2015c77430cc8d88b24f964283e4321af5056930
-
Filesize: 356B
MD5: 6e28cee319f9e0505cf8f5efdb2bdad3
SHA1: 4c37af92363efc27cf0be20f073b2fec78ba0ae9
SHA256: 1fea4512c20a0dd27f6e2651bb045d8c6538ed432231d60b575cd31319fdbe8b
SHA512: 08e36e5cc87a06164c11033a50e219ca72eb029352b96846d18f18953aacda20eaa3c900a5f0d0b27bc931fdf1f50b1de563eedb6f1f49cbafbe07af0fd2afb6
-
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize: 291B
MD5: 129d029ef239cac57e7a13c0e5764c0d
SHA1: 7e6c75863694fa2f043a3bf8a646bdb17056ccfb
SHA256: 2b9694cb7a17856e6497fcee5bd33482498f9c338712f869ab096c8168c450d1
SHA512: 3f5064051425dda12bdeaeeaa4383662dd0c219afbc0d30a3b39cbb0ea23dac3a587f94aefd118c5be859bbd9b154d75b8f8b8037865d1d44a8b22b657afe7d7
-
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize: 9KB
MD5: d6390ae275818fa42187f4dd14e25851
SHA1: bec35151a0dcc8c4ef3ae0e833a7226302221fd2
SHA256: ff283bfb7a55003b0aafb5fc283aa195d10e7d172c455b1342012823e803122d
SHA512: 2df68de8700151223cc8c110163f7546bfdf798c79ff0b7c9b49afb15d29e773476f83df260a64172a96a172b40e5e4c44e6bd89e2a8dbb088b780a7134f70a0
-
Filesize: 9KB
MD5: 83209ff66b821e26397802e8a80e449c
SHA1: 568bebbc2e46a7300e2fa88f264370bda37d8586
SHA256: d346f0acf60ea753d09c83ff5024cedbd0bbe0dc1123ef75b479c3dc474d24c2
SHA512: 7a7ac03b763f7b7d5bed1c986a69935741c4c05e5c8930fcca1224b5542a0db34633a371f839b3c5fd3f0c7bafffca708f501455ff568eb17b0b763c34f1ac91
-
Filesize: 15KB
MD5: 55b06b4957ec4107397a1074bbf62b8f
SHA1: a6e5c4e5a659bc4c291452180c84b2d5934dce60
SHA256: 51382658af064dd01e4cb9a92656777e404f56a8605f57cf4d1d7b3710080f82
SHA512: 091e4cad7b4d0e3ccea3439ec3a3b571631a7c08dcdb4e327bc1ea49a9a0187d946ccbc54ada96a7765e035bfcd1f492faab9764f261c2b7474b945e50736373
-
Filesize: 3KB
MD5: de0cec180b3e4fb689dc6e51ed9f0acd
SHA1: d80a38c130f9a2d50554f55860a6439fe8cfe917
SHA256: 5b802d08beac870c7dcfec63eac611c051a4461550f087ad0ba845baea0ef83b
SHA512: 00962197ab80aa14384be106566343b6fa5aa3567eddc53eb289470f113975397dc1c3946c2ab742d1bbb72fbfcfba4825cf0385d0dba70839d4fa385040cea3
-
Filesize: 336B
MD5: 6686e32b8fc10aac7b3d7250418e3218
SHA1: c0dc86ddbbabe083b1d95bd1a607ee2d43f76a51
SHA256: 87f7b595817bc59323f5f1753139c828901b0250335a14133eee4cc19e49bfd5
SHA512: b92655a23cc6859e70c75cabfd5296295ac5b6f1f26952bb0ea6b01f84892d2bf4e9d4f6510269f3e41ca50666eded2b62333b5e503aa27b74e04a1130c48f31
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: fb3c5ad07aee64fb348cf393a2c38170
SHA1: 9382f00b49d11ed79d5b4346835579d29c733bf1
SHA256: 31ce629d30bcbf1ca446b3b70752a27d271fa820a0ab04bfcce085e5a2c12a70
SHA512: cc34ea30d00687a5e544cce0f83444464533f1d7ab4cc15ab5b2b9166c33d3cffa61750667165194ad73e1ab9f869e37775c67761b245936cbe67f758b027700
-
Filesize: 308B
MD5: 4e7982b86b3d7d916b7722aa3b3f0669
SHA1: ce4e874903cb71d9012cc7654ca7a6ba5e4f7efd
SHA256: cbee1100a2c9add47776b7e416b58a809f6feb9fe458bef8185b0c176b5db340
SHA512: c4dda8b36e90a327061dab901730f47fc23cca129b02a157f1ed0c566a1d6dddf272a4e74d3acbf14eb3a7fac0820387a584db9e19ca299724ed7f3030f891bb
-
Filesize: 317B
MD5: 1fc7c26940a727b17f51d3b7bebf6667
SHA1: 08a32da8f27bd4e193014800ecdaf80adfcb8f2f
SHA256: 34527a18b6899e9fe82ba6f1871958d234f07aba004d047703dcf3430993a5ef
SHA512: 2f1832f256f2d244e50638dafc161bfe70075e8c9e5409dbf2b34bab27e2c36887baa3eac60990bb69db929f3a566a33dce36de47f25353c4a34b28fe77d70c7
-
Filesize: 345B
MD5: 1830bd3a3e3e24dad5d8336b143dda17
SHA1: 4f9b5873ccb9f55d2e16ebc7f20b7ab1cf8c3b47
SHA256: 329399e1a23fe1e50e190c2278e3d2891c6a145329afa962c7f2490f4e370cc3
SHA512: 35269b63e8808fc8caa6421b4be2183fd899ee3eb6ce72542c714982c1c00d17ebc9d4b8980d508ebfbaaee211ae62035a64dcf81583aa005f9792c7d9f46e76
-
Filesize: 321B
MD5: e696004488aabbde7372c3c119e25b07
SHA1: e45c3e9e85173bf43227ac57b196c69542fbd751
SHA256: 63a8655a332821540e48cc7c6b5c305dcf79c208e5767e4d6f9cf9a517a68eb2
SHA512: 3bc95c694958e9d0676c5fe673f7b410d40ce4abb92330fb76f67c08f92607d867c17429965bd295217236cf68b4e9d6a3a606f1a2d7c8153845b5cce6a39244
-
Filesize: 40KB
MD5: 02c99950de0832f4974e75644c6736cb
SHA1: 41f8d938339003aef16c9d0b6bca05b16efa3bff
SHA256: 08cbd39b1ddd3aa42187be0f28d96be30c1504f0647f3f39e906cefa7903b75d
SHA512: 6b64c879c6a4adfa0e56a024f6c75f5850a1674ee76f4e9425c4b77f420251436f458a49b75f0996953b6486403863654f0843b1e911c765c2ab6ab82217e90d
-
Filesize: 8KB
MD5: 3889bb8a94272de73db7434b1df3fb09
SHA1: 240393c1fc95f0a3392f9edb44eacee6588e36be
SHA256: e88dcf33335eac1031fee13b82dcb56011e55dced32e0b645595bfb40a986b5b
SHA512: 3fd1b122d95220d044fc9ceab910a5c0dda391deead17fbd9f33977069803179a4f082bb76d4465b30e2310d742631a7e0f46c10ecb2c46c135eb65971663c7c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e3833b87-939a-4ce2-93e8-4eeb568ded02.tmp
Filesize: 1B
MD5: 5058f1af8388633f609cadb75a75dc9d
SHA1: 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256: cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512: 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize: 18KB
MD5: 93f7bff68a339c89cf40200bc0640990
SHA1: e2340fa8f134eb06c1537b5f0ecbe6e390234d89
SHA256: 98816298d7326d3fd1cb117d9eb43cd25ba509cb61f48dd74ef8e01a36d8961f
SHA512: 418c5bc7d8d1c875f5a303c09de78dea8b67d09c413093a83ef736046c6148223de58ac12cebb5324a484599f0720a42e8a4f20a46bd18dfec721408ecd5ea96
-
Filesize: 320B
MD5: 60e8b73b66f9fb1b01a865b23fc5abb2
SHA1: 6d3cf02b7aaed79cc985e10e3b47bd81c7539a51
SHA256: f97fc5678a85c149b102dcf6a8d571da6c1e8c8f5afc65db9df4dd9974f0777f
SHA512: 41a3fa41bd1ed428d6a68ea5555c26793be1d64e2451ec80c0edc9be8495892cc2f58b182d1c94d150126f8bee07b70d78dcf5a55e2c99246d5ca1fee6f4182f
-
Filesize: 1KB
MD5: b929e77800ac39e2df35dc2812b851e3
SHA1: c54cff1159b9137cc081c82a26ec7169f191cb63
SHA256: 9c592ee5b8a897b4fd0932a84b4bd0cf0336eaf3a83abfd541ca306051a32ac4
SHA512: 04d9d9afab3b928fc095e1ef9465e6245474e80cd2639130e53f895d4f7eb4dcd42e8001a589bd97bd5f2146aed36fe36fbf0e45af28c76df736d9f46ac31d02
-
Filesize: 338B
MD5: badb5aeb8ac05b791078a5aaf92138cb
SHA1: ea63e63fc00daf567f03bb7602acbd2e2b36f8f4
SHA256: 098df076ae422473a6532edeae43da89f033bfb28ceb7e73a3a55a6eb6f171f3
SHA512: 7af376f002aa2a0dd1cd1e011962ffcc544df1689de4c15fdaaa1d40eb228dc5359a6220a9a6a3e61b4f9e275f4b7a68e317bc166a101c60036b384a201fad1c
-
Filesize: 14B
MD5: ef48733031b712ca7027624fff3ab208
SHA1: da4f3812e6afc4b90d2185f4709dfbb6b47714fa
SHA256: c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99
SHA512: ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029
-
Filesize: 231KB
MD5: da085f0b85320e7a86cfef03105d7626
SHA1: aa8282e16852ba33732581dcc3a606df44fc8150
SHA256: d0f6ed8f81957729875b66599bc5c6446ec3a59f2252ed0fd7ce99a49e043586
SHA512: 8135e48d2e71d451adf1ce158fc1213774782c2566101d2356294d70a0a8e9633355d859c3f7871e21be30fd5be7f8a73af5bf89d1c56f87024cd9e4b33a1eb8
-
Filesize: 119KB
MD5: a1c5ba44f8e5e7701377357f2e215338
SHA1: e0bc3ac6b59fd7a45f6a00956c42c9cd31f0b6f7
SHA256: 3cd42c2521b8f42de971b27c0b0dc568b021699be977d9b79cd089960195a51f
SHA512: 245f061a7795a1cb901129f5852fd2eaa1aa02fcff5acb62346ad57c5c02d41da833c045131b98ef456fbe33d8ce4773fca75d954a0c9abc79d45a811a66a383
-
Filesize: 86B
MD5: 961e3604f228b0d10541ebf921500c86
SHA1: 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256: f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512: 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472
-
Filesize: 150KB
MD5: 14937b985303ecce4196154a24fc369a
SHA1: ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA256: 71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA512: 1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize: 711B
MD5: 558659936250e03cc14b60ebf648aa09
SHA1: 32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA256: 2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA512: 1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
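The file list above is the set of files the sandbox saw written during the run, most of them ordinary Chrome profile artifacts (extension metadata, service-worker cache indexes, temp files) rather than payloads, so a hash hit against it means "same bytes as something the sandbox saw", not "malicious". With that caveat, turning the list into a lookup table and sweeping a directory against it is a routine triage step. The code below is an added example for this page, not the sandbox's own export tooling: it parses entries in both layouts the export uses (a label alone on its line with the value on the next, or label and value glued as in "MD5d751..."), validates each hash for length and hex, indexes every hash under any of the four algorithms, and hashes local files once per algorithm while streaming in chunks. The sample input embeds three entries from this list; the demo writes a constructed 2-byte file "[]" whose MD5, SHA1 and SHA256 are the ones the report gives for its 2B entry, and an unrelated constructed file, into a temporary directory.

```python
"""Index a sandbox dropped-file list by hash and scan a directory against it.

Added example for this report page; not the sandbox's own code.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A label either stands alone ("Filesize", value on the next line) or is glued
# to its value ("MD51fd21a..."). SHA1 precedes SHA256/SHA512 in the alternation
# so a SHA1 value that happens to start with "256" is not read as a SHA256 label.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S.*)?$")


@dataclass
class FileRecord:
    path: Optional[str]            # only some entries carry a path in the export
    size: str                      # as printed ("2B", "4.0MB"); informational only
    hashes: Dict[str, str] = field(default_factory=dict)


def _tokens(text: str) -> Iterator[Tuple[str, str]]:
    """Yield ("path", p) or (label, value), re-joining a label split from its
    value across two lines. Lines that are neither are section headings."""
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if pending is not None:
            yield pending, line
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m is None:
            if "\\" in line or "/" in line:   # a bare path line opens an entry
                yield "path", line
            continue
        if m.group(2) is None:
            pending = m.group(1)
        else:
            yield m.group(1), m.group(2).strip()


def parse_file_records(text: str) -> List[FileRecord]:
    """One record per Filesize line; every hash is checked for length and hex."""
    records: List[FileRecord] = []
    path: Optional[str] = None
    current: Optional[FileRecord] = None
    for label, value in _tokens(text):
        if label == "path":
            path = value
        elif label == "Filesize":
            current = FileRecord(path=path, size=value)
            records.append(current)
            path = None
        elif current is not None:
            value = value.lower()
            if len(value) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {label} in record {len(records)}: {value!r}")
            current.hashes[label] = value
    return records


def build_index(records: List[FileRecord]) -> Dict[str, FileRecord]:
    """Map every hash value, whichever algorithm, to its record."""
    return {h: r for r in records for h in r.hashes.values()}


def scan_directory(root: str, index: Dict[str, FileRecord]) -> List[Tuple[str, FileRecord]]:
    """Hash every file under root with all four algorithms in one streaming pass
    and return (path, record) for files whose bytes the sandbox also saw."""
    matches: List[Tuple[str, FileRecord]] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests = {alg: hashlib.new(alg.lower()) for alg in HASH_LEN}
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    for d in digests.values():
                        d.update(chunk)
            for d in digests.values():
                rec = index.get(d.hexdigest())
                if rec is not None:
                    matches.append((full, rec))
                    break                     # one hit per file is enough
    return matches


def demo_scan(index: Dict[str, FileRecord]) -> List[Tuple[str, str]]:
    """Constructed demo: the 2-byte "[]" (hashes present in the sample) and an
    unrelated file go into a temp dir; returns (file name, reported size)."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "empty_array.json"), "wb") as fh:
            fh.write(b"[]")
        with open(os.path.join(tmp, "unrelated.txt"), "wb") as fh:
            fh.write(b"constructed, not in the report\n")
        return [(os.path.basename(p), r.size) for p, r in scan_directory(tmp, index)]


# Constructed sample: three entries copied from this report's file list, one
# with a path and a glued "Filesize851B", two in the split-label layout.
SAMPLE_REPORT = r"""
-
Filesize
40B
MD51fd21a5228803360e7498b21377bd349
SHA1c028d9a423b995bb2f9d9b56ef09e5a4f9535b38
SHA256920270c469d0fdd572881597d30bae6f24faec32c8a1e7e689186947ac7958d3
SHA512c2324e1b0a32c3d4abdac5ee1c2e663d1e49c24c17f0b5a5dac56cc867f67d2665f29148de2773f2e048292b189d136876b557ae9837517f612155633cbb09b2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
"""

if __name__ == "__main__":
    idx = build_index(parse_file_records(SAMPLE_REPORT))
    print(f"{len(idx)} hash values indexed; demo matches: {demo_scan(idx)}")
```

Indexing all four digests of every record, rather than SHA256 alone, lets the same table serve whichever hash a log source happens to emit; the cost is one extra dict entry per algorithm. The validation raises on the first malformed hash instead of skipping it, because a silently dropped IOC is the failure mode you will not notice.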