Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/03/2025, 21:01
Static task: static1

General
Target: 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
Size: 6.8MB
MD5: 840840851d5a9dc8b18b5e35b6378f56
SHA1: aa7483b7cc1d3b56a552c68d52ab5f622b95fbaf
SHA256: 46ddbde117742cd75abca02b7248fe5a32c536e0e28411450168a7be3bdd01c7
SHA512: c7735eb5308ada0735cb857a60a50fbf288830312e11f6ec26626c6081d9dfac20b03b08788be041a936b639995515dbdf035184258a2e6d76d51e1d2b6dd991
SSDEEP: 49152:3fuvW0EOoKwpjRsgsK6dYXC6CroK0Ymajp2Ya323Frovc2PDuXn9qXnDDSNUScjx:2R1rtBLo3or2/PDmy38P2IjzTOSdhvs
Malware Config
Signatures
Executes dropped EXE 26 IoCs
pid | Process
5660 | alg.exe
3664 | DiagnosticsHub.StandardCollector.Service.exe
944 | fxssvc.exe
5760 | elevation_service.exe
2348 | elevation_service.exe
4944 | maintenanceservice.exe
4256 | msdtc.exe
2936 | OSE.EXE
2256 | PerceptionSimulationService.exe
3832 | perfhost.exe
1668 | locator.exe
3640 | SensorDataService.exe
2460 | snmptrap.exe
6136 | spectrum.exe
6056 | ssh-agent.exe
5920 | TieringEngineService.exe
5560 | AgentService.exe
5484 | vds.exe
4640 | vssvc.exe
4976 | wbengine.exe
4504 | WmiApSrv.exe
468 | SearchIndexer.exe
3236 | chrmstp.exe
5956 | chrmstp.exe
3076 | chrmstp.exe
5948 | chrmstp.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 31 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\AgentService.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\vssvc.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\msiexec.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\AgentService.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\alg.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\baab4a2dfc508d3b.bin | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\dllhost.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\msiexec.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\System32\vds.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\System32\msdtc.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\locator.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\spectrum.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\dllhost.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\wbengine.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84468\javaw.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\keytool.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Mozilla Firefox\updater.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Crashpad\settings.dat | chrmstp.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\java-rmi.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jinfo.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jps.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Windows Media Player\wmpnetwk.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84468\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84468\java.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\wsgen.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javapackager.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaws.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\xjc.exe | DiagnosticsHub.StandardCollector.Service.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | DiagnosticsHub.StandardCollector.Service.exe
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | 2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | perfhost.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 spectrum.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe 
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 spectrum.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName SensorDataService.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 spectrum.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A spectrum.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 SensorDataService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A SensorDataService.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | chrome.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 1 IoCs
description: Key created
ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Process: chrmstp.exe
Suspicious behavior: EnumeratesProcesses 48 IoCs
Suspicious behavior: LoadsDriver 2 IoCs
pid  Process
668  Process not Found
668  Process not Found
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
pid  Process
464  chrome.exe
464  chrome.exe
464  chrome.exe
464  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
pid   Process
464   chrome.exe
464   chrome.exe
464   chrome.exe
3076  chrmstp.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe"
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 4660

  C:\Users\Admin\AppData\Local\Temp\2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe
  C:\Users\Admin\AppData\Local\Temp\2025-03-30_840840851d5a9dc8b18b5e35b6378f56_black-basta_cobalt-strike_ryuk_satacom.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=134.0.6998.178 --initial-client-data=0x2c0,0x2c4,0x2c8,0x294,0x2cc,0x140589ed8,0x140589ee4,0x140589ef0
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 5456

  C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 464

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff83435dcf8,0x7ff83435dd04,0x7ff83435dd10
    PID: 2108

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2008,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2004 /prefetch:2
    PID: 4648

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2268 /prefetch:3
    PID: 5696

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2300,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2540 /prefetch:8
    PID: 5804

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3192,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3212 /prefetch:1
    PID: 4952

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3384 /prefetch:1
    PID: 2728

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4248,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4260 /prefetch:2
    PID: 1756

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4668,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4680 /prefetch:8
    PID: 3156

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4704,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4832 /prefetch:8
    PID: 4292

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4844,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4944 /prefetch:1
    PID: 1200

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5636,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5648 /prefetch:8
    PID: 1148

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5256,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5780 /prefetch:8
    PID: 2300

    C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID: 3236

      C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x2c8,0x2cc,0x2c4,0x2c0,0x2d0,0x140561f58,0x140561f64,0x140561f70
      - Executes dropped EXE
      PID: 5956

      C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of FindShellTrayWindow
      PID: 3076

        C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x2bc,0x2c0,0x2c4,0x298,0x2c8,0x140561f58,0x140561f64,0x140561f70
        - Executes dropped EXE
        PID: 5948

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5048,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4680 /prefetch:8
    PID: 5048

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6040,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5992 /prefetch:8
    PID: 4476

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5968,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5784 /prefetch:8
    PID: 1036

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5660,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5688 /prefetch:8
    PID: 3064

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=208,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5876 /prefetch:8
    PID: 3776

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5824,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6100 /prefetch:8
    PID: 6888

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5820,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5816 /prefetch:8
    PID: 6884

    C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6048,i,12180127554521021606,3139048110835371617,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5832 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
- Executes dropped EXE
PID: 5660

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID: 3664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID: 1204

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID: 944

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
- Executes dropped EXE
PID: 5760

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
- Executes dropped EXE
PID: 2348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID: 4944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID: 4256

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID: 2936

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID: 2256

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3832
-
C:\Windows\system32\locator.exeC:\Windows\system32\locator.exe1⤵
- Executes dropped EXE
PID:1668
-
C:\Windows\System32\SensorDataService.exeC:\Windows\System32\SensorDataService.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3640
-
C:\Windows\System32\snmptrap.exeC:\Windows\System32\snmptrap.exe1⤵
- Executes dropped EXE
PID:2460
-
C:\Windows\system32\spectrum.exeC:\Windows\system32\spectrum.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:6136
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
PID:6056
-
C:\Windows\system32\TieringEngineService.exeC:\Windows\system32\TieringEngineService.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5920
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc1⤵PID:2420
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5560
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Executes dropped EXE
PID:5484
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Executes dropped EXE
PID:4504
-
C:\Windows\system32\SearchIndexer.exeC:\Windows\system32\SearchIndexer.exe /Embedding1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:468 -
C:\Windows\system32\SearchProtocolHost.exe"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"2⤵
- Modifies data under HKEY_USERS
PID:4292
-
-
C:\Windows\system32\SearchFilterHost.exe"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 7842⤵
- Modifies data under HKEY_USERS
PID:1500
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2028
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads