hxxps://downloads[.]sourceforge[.]net/winmerge/WinMerge-2[.]16[.]34-x64-Setup[.]exe

Analysis

max time kernel
514s
max time network
516s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://downloads.sourceforge.net/winmerge/WinMerge-2.16.34-x64-Setup.exe

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5536	WinMerge-2.16.34-x64-Setup.exe
1052	WinMerge-2.16.34-x64-Setup.tmp
1396	WinMerge32BitPluginProxy.exe
5852	WinMergeU.exe
5952	WinMergeU.exe

Loads dropped DLL 1 IoCs

pid	Process
5292	regsvr32.exe

Registers COM server for autorun 1 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\InprocServer32\ = "C:\\Program Files\\WinMerge\\ShellExtensionX64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WinMerge\WinWebDiff\is-EIVI2.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\yq\is-EN87O.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\Java\is-UNM2L.tmp	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\WinMergeU.exe	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\WinMergeContextMenu.dll	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-UMFRN.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Filters\is-PCPRG.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\WinWebDiff\is-GHGVI.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-N35GK.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-UBFP1.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-2ECSS.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\msys2\usr\share\doc\Msys\is-BPO6Q.tmp	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\MergePlugins\IgnoreFieldsComma.dll	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-A605G.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\Apache-Tika\is-H0H1E.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\is-J78IN.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-FM0NN.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-GQVD3.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-RIELO.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\ColorSchemes\is-583U8.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\MergePlugins\is-NUTI1.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-75B56.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-LVULB.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\is-L57SE.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-EDBM0.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-S5HBH.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Docs\is-NB033.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\is-4RJ9N.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\MergePlugins\is-6TGHT.tmp	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\Commands\msys2\usr\bin\patch.exe	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\LogoImages\is-R0145.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\is-J90B3.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-S5VC6.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-IAAAA.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-AV1CE.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-5NSQQ.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-RHMQT.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Frhed\Languages\is-KABNF.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-Q7156.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-7K9LF.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\msys2\usr\bin\is-62108.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\q\is-N46F0.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\is-U43C9.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-AEF1V.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-HBTV7.tmp	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\Commands\jq\jq.exe	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-6700E.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-M5REQ.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\PlantUML\is-SHGK9.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\ildasm\is-UK4OJ.tmp	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\vcomp140.dll	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\Commands\msys2\usr\bin\msys-gcc_s-1.dll	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\WinWebDiff\is-I6A2T.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-A4AE1.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-KDHO9.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Filters\is-HOJ3H.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Docs\is-LO7P3.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-DFEG8.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Merge7z\Lang\is-I4I6P.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\MergePlugins\is-M1BOK.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Frhed\Languages\is-8BCQI.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\Commands\q\is-SB4T5.tmp	WinMerge-2.16.34-x64-Setup.tmp
File created	C:\Program Files\WinMerge\ColorSchemes\is-T0DOT.tmp	WinMerge-2.16.34-x64-Setup.tmp
File opened for modification	C:\Program Files\WinMerge\Commands\tidy-html5\tidy.dll	WinMerge-2.16.34-x64-Setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133452898439993266"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExtension.WinMergeShell\CLSID\ = "{4E716236-AA30-4C65-B225-D68BBA81E9C2}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge32BitPluginProxy.Loader\ = "Loader Class"	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8AA7CCC-2D80-4FCB-BF92-145831C091F6}\1.0\FLAGS	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8AA7CCC-2D80-4FCB-BF92-145831C091F6}\1.0\0	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46C062C2-0497-4004-9FAC-06E4021DA550}\TypeLib\Version = "1.0"	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExtension.WinMergeShell.1\ = "WinMergeShell Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{06029E17-28B5-456A-B866-4E79D98612FD}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge32BitPluginProxy.Loader	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\DragDropHandlers	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{06029E17-28B5-456A-B866-4E79D98612FD}\1.0\HELPDIR\ = "C:\\Program Files\\WinMerge"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge.Project.File\shell\open\command\ = "\"C:\\Program Files\\WinMerge\\WinMergeU.exe\" \"%1\""	WinMerge-2.16.34-x64-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\InprocServer32\ = "C:\\Program Files\\WinMerge\\ShellExtensionX64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64200B75-83AE-464A-88C6-262E175BBA92}\ = "IWinMergeShell"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}\ = "Loader Class"	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}\VersionIndependentProgID\ = "WinMerge32BitPluginProxy.Loader"	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge.Project.File	WinMerge-2.16.34-x64-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\DragDropHandlers\WinMerge	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64200B75-83AE-464A-88C6-262E175BBA92}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge32BitPluginProxy.Loader.1\ = "Loader Class"	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46C062C2-0497-4004-9FAC-06E4021DA550}\TypeLib	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge.Project.File\DefaultIcon	WinMerge-2.16.34-x64-Setup.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\WinMerge	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64200B75-83AE-464A-88C6-262E175BBA92}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\DragDropHandlers\WinMerge\ = "{4E716236-AA30-4C65-B225-D68BBA81E9C2}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\WinMerge	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64200B75-83AE-464A-88C6-262E175BBA92}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinMerge\ = "{4E716236-AA30-4C65-B225-D68BBA81E9C2}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{06029E17-28B5-456A-B866-4E79D98612FD}\1.0\0\win64	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{64200B75-83AE-464A-88C6-262E175BBA92}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.WinMerge	WinMerge-2.16.34-x64-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64200B75-83AE-464A-88C6-262E175BBA92}\TypeLib\ = "{06029E17-28B5-456A-B866-4E79D98612FD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge32BitPluginProxy.Loader.1	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge32BitPluginProxy.Loader\CurVer\ = "WinMerge32BitPluginProxy.Loader.1"	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}\TypeLib\ = "{B8AA7CCC-2D80-4FCB-BF92-145831C091F6}"	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge.Project.File\shell	WinMerge-2.16.34-x64-Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge.Project.File\shell\edit\command\ = "\"NOTEPAD.EXE\" \"%1\""	WinMerge-2.16.34-x64-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\WinMerge	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}\LocalServer32\ServerExecutable = "C:\\Program Files\\WinMerge\\WinMerge32BitPluginProxy.exe"	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8AA7CCC-2D80-4FCB-BF92-145831C091F6}\1.0\HELPDIR\ = "C:\\Program Files\\WinMerge"	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46C062C2-0497-4004-9FAC-06E4021DA550}\ProxyStubClsid32	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge.Project.File\shell\edit\command	WinMerge-2.16.34-x64-Setup.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{06029E17-28B5-456A-B866-4E79D98612FD}\1.0\0\win64\ = "C:\\Program Files\\WinMerge\\ShellExtensionX64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge32BitPluginProxy.Loader.1\CLSID\ = "{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}"	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46C062C2-0497-4004-9FAC-06E4021DA550}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{06029E17-28B5-456A-B866-4E79D98612FD}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}\Programmable	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}\Version	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8AA7CCC-2D80-4FCB-BF92-145831C091F6}\1.0\0\win32\ = "C:\\Program Files\\WinMerge\\WinMerge32BitPluginProxy.exe"	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E716236-AA30-4C65-B225-D68BBA81E9C2}\ProgID\ = "ShellExtension.WinMergeShell.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64200B75-83AE-464A-88C6-262E175BBA92}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge32BitPluginProxy.Loader\CurVer	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46C062C2-0497-4004-9FAC-06E4021DA550}	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinMerge.Project.File\shell\open	WinMerge-2.16.34-x64-Setup.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA6F8426-159F-418E-9FE3-EFB0C46C3DBF}	WinMerge32BitPluginProxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{46C062C2-0497-4004-9FAC-06E4021DA550}\ = "ILoader"	WinMerge32BitPluginProxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShellExtension.WinMergeShell\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{06029E17-28B5-456A-B866-4E79D98612FD}\1.0\ = "ShellExtension 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B8AA7CCC-2D80-4FCB-BF92-145831C091F6}\1.0\HELPDIR	WinMerge32BitPluginProxy.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
3916	chrome.exe
3916	chrome.exe
1052	WinMerge-2.16.34-x64-Setup.tmp
1052	WinMerge-2.16.34-x64-Setup.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe
Token: SeShutdownPrivilege	2940	chrome.exe
Token: SeCreatePagefilePrivilege	2940	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
1052	WinMerge-2.16.34-x64-Setup.tmp

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe
2940	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5852	WinMergeU.exe
5852	WinMergeU.exe
5952	WinMergeU.exe
5952	WinMergeU.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1684	2940	chrome.exe	86
PID 2940 wrote to memory of 1684	2940	chrome.exe	86
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 260	2940	chrome.exe	90
PID 2940 wrote to memory of 4848	2940	chrome.exe	89
PID 2940 wrote to memory of 4848	2940	chrome.exe	89
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91
PID 2940 wrote to memory of 4284	2940	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://downloads.sourceforge.net/winmerge/WinMerge-2.16.34-x64-Setup.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd36649758,0x7ffd36649768,0x7ffd36649778
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:2
  2⤵
  PID:260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5064 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4972 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5600 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5828 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5940 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5644 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6384 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6368 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4596 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6744 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6660 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6684 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=7284 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=7384 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=7568 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=7688 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5224 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4552 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=7660 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5252 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6964 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6052 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7640 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7928 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5956 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=8212 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6892 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=8428 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=8552 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8680 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8748 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8732 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=1832 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8680 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8760 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8504 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:5856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8560 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8964 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:3272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1128 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9196 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8560 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:8
  2⤵
  PID:3992
- C:\Users\Admin\Downloads\WinMerge-2.16.34-x64-Setup.exe
  "C:\Users\Admin\Downloads\WinMerge-2.16.34-x64-Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\is-36MEN.tmp\WinMerge-2.16.34-x64-Setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-36MEN.tmp\WinMerge-2.16.34-x64-Setup.tmp" /SL5="$80218,8858560,121344,C:\Users\Admin\Downloads\WinMerge-2.16.34-x64-Setup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1052
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\WinMerge\ShellExtensionX64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:5292
  - - C:\Program Files\WinMerge\WinMerge32BitPluginProxy.exe
      "C:\Program Files\WinMerge\WinMerge32BitPluginProxy.exe" /RegServer
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1396
  - - C:\Program Files\WinMerge\WinMergeU.exe
      "C:\Program Files\WinMerge\WinMergeU.exe" /s- /minimize /noninteractive /set-usertasks-to-jumplist 4097
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5852
  - - C:\Program Files\WinMerge\WinMergeU.exe
      "C:\Program Files\WinMerge\WinMergeU.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=7820 --field-trial-handle=1868,i,2655109674486167124,8175733934608073380,131072 /prefetch:1
  2⤵
  PID:1032

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4256

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:5180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinMerge\ShellExtensionX64.dll

Filesize
264KB

MD5
67df5a575e5b257cd500baca605ea4d1

SHA1
fd9530086765b59e852d57c48193a1d07ca2ce77

SHA256
77d4dc3911803f369b47a8622191b77f77f8fac6c7ed7607a6b58f1cff454aec

SHA512
f8ef332cff398e74ef9247c50ee120d1554c82545c15d617c38aed9d07e35dcc0f84a7b26506ebb09930f1ab80be59c092142b25866a7dd320c02f50c30f201c

Download Submit
C:\Program Files\WinMerge\ShellExtensionX64.dll

Filesize
264KB

MD5
67df5a575e5b257cd500baca605ea4d1

SHA1
fd9530086765b59e852d57c48193a1d07ca2ce77

SHA256
77d4dc3911803f369b47a8622191b77f77f8fac6c7ed7607a6b58f1cff454aec

SHA512
f8ef332cff398e74ef9247c50ee120d1554c82545c15d617c38aed9d07e35dcc0f84a7b26506ebb09930f1ab80be59c092142b25866a7dd320c02f50c30f201c

Download Submit
C:\Program Files\WinMerge\WinMerge32BitPluginProxy.exe

Filesize
119KB

MD5
0bf44140b929d5b80cf5f3a8fba33767

SHA1
c8b1d80346c5b1dd9bb76a5bee624e790bc9c5d9

SHA256
5a520b3de6c24fbd81a0281f7b3d3fdb97455f1d5e14880bde423dd765a2c8b6

SHA512
3b6d236f48e0ba55d0835e83e940c54e9b81986669c1ca1dd0d1bcc1d11f32c9df4a2df657b83edf9da09b724e0761d1245f79717571150aaebe1bc94d3330cf

Download Submit
C:\Program Files\WinMerge\WinMerge32BitPluginProxy.exe

Filesize
119KB

MD5
0bf44140b929d5b80cf5f3a8fba33767

SHA1
c8b1d80346c5b1dd9bb76a5bee624e790bc9c5d9

SHA256
5a520b3de6c24fbd81a0281f7b3d3fdb97455f1d5e14880bde423dd765a2c8b6

SHA512
3b6d236f48e0ba55d0835e83e940c54e9b81986669c1ca1dd0d1bcc1d11f32c9df4a2df657b83edf9da09b724e0761d1245f79717571150aaebe1bc94d3330cf

Download Submit
C:\Program Files\WinMerge\WinMergeU.exe

Filesize
5.5MB

MD5
46870c9579938e999f77133ec35d97ae

SHA1
5336702b42e8702a633a1201b0d3b3de4fc63424

SHA256
a761439f2d9764ce0da8e909c0f3ca49b728abf121f1a3d9c7c6346ad0a41173

SHA512
52041cf35b97d81f17c539fa50e77549faefd327206d93cc908d0760e823c7963855dcd92fbfc65f27beef56bd9bf1cdf316dbd0bf93ade03097c394e92d5abb

Download Submit
C:\Program Files\WinMerge\WinMergeU.exe

Filesize
5.5MB

MD5
46870c9579938e999f77133ec35d97ae

SHA1
5336702b42e8702a633a1201b0d3b3de4fc63424

SHA256
a761439f2d9764ce0da8e909c0f3ca49b728abf121f1a3d9c7c6346ad0a41173

SHA512
52041cf35b97d81f17c539fa50e77549faefd327206d93cc908d0760e823c7963855dcd92fbfc65f27beef56bd9bf1cdf316dbd0bf93ade03097c394e92d5abb

Download Submit
C:\Program Files\WinMerge\WinMergeU.exe

Filesize
5.5MB

MD5
46870c9579938e999f77133ec35d97ae

SHA1
5336702b42e8702a633a1201b0d3b3de4fc63424

SHA256
a761439f2d9764ce0da8e909c0f3ca49b728abf121f1a3d9c7c6346ad0a41173

SHA512
52041cf35b97d81f17c539fa50e77549faefd327206d93cc908d0760e823c7963855dcd92fbfc65f27beef56bd9bf1cdf316dbd0bf93ade03097c394e92d5abb

Download Submit
C:\Program Files\WinMerge\WinMergeU.exe

Filesize
5.5MB

MD5
46870c9579938e999f77133ec35d97ae

SHA1
5336702b42e8702a633a1201b0d3b3de4fc63424

SHA256
a761439f2d9764ce0da8e909c0f3ca49b728abf121f1a3d9c7c6346ad0a41173

SHA512
52041cf35b97d81f17c539fa50e77549faefd327206d93cc908d0760e823c7963855dcd92fbfc65f27beef56bd9bf1cdf316dbd0bf93ade03097c394e92d5abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
38KB

MD5
2b7ec9fe5044c75348bc52964bf50b78

SHA1
039e784c53ba423877c5c845ffb044abbf4c110e

SHA256
71c9403962b1f930169325d2c812125a0088d2a695609486bb6f31185e84ff97

SHA512
92cb64599e198177093bda32e1c962fdccaa049d9875292b97c6b014d0d0afde750dcef27151751dda3f8639df41bed611bce7816c04d4e581b17b132d169016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
101KB

MD5
5dde26f4cab21fd974a2f3d5bef8ab04

SHA1
583fa34b69e49f9a1be36db0cedf4c72ffb8b575

SHA256
6973e96d0973694a8f016f06defd6b961752de79b685fab7acef15bbac17665d

SHA512
f981cf1f2fa82650d91848aaf9f13093fa3925279d023a3cd1d49788fbd675a17d8b828d19ab628907aa70eb2a2190d19c2ec929f9621fd425aff5f552cbd2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
21KB

MD5
80451dfe04fdda188665b955c8fb8008

SHA1
96a2eb36bb4d25b5ed14eae42d9b8cfcbc066b13

SHA256
bc508daf8e07b9d83475b952fd1c68598109465c4828e70368fdf6aa7d115ea6

SHA512
1603a7728a4314ae46678fb2f2d0d1dfb2fd3b977d979322069e87ff80c27c67a2b80bc6b83617ad439342fefee8e3e5840944d99674aa08ed4eb5eb34db76df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
18KB

MD5
0ceb759015a6df090ad355231fdb39f1

SHA1
b947749baab5bfa0bee35d31e5a5050d4beefe9b

SHA256
db71f8a28ad8501544fb4e7668e3c6d0b731760b6f20de3525ebaeba597f1922

SHA512
48a93841b147af84f9419154fb43e23adf7c0afb9328a4427450d82c07220a4f55b08991361bd8cd12a1372de8333ed21a8911bfe372e90973d3a8c166b1e4d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
28KB

MD5
f190348cc251e3175a9c917194ed1cd4

SHA1
4affcf6d8c3bce9e96d4e692aa28a9b6e6184512

SHA256
512bf10cd2a7e5389839e2d18dd845d8a1a25b09bb0c60f7b59afd4787a871c5

SHA512
7cd94996b2345db0aa4db587ca47d012070aa67da4d1cf4100936392942c20e447fa993f36ed96a9d389fe94045ccc656e7279921b03203f788dff7d1d8c1638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\6b00c0d7575931d1_0

Filesize
264B

MD5
0b729bbb9265cd02c306ce63f8ad8b76

SHA1
261ec7ff499ee402efc1431a92c215ce768f3945

SHA256
6a1713066f52b9cdb8045e8e6c0b9626c3108bc7d36b3f06a7003216b43257f7

SHA512
b4ec9a4b683c73576157bdf85ed6a351280d472a70eed7078337c8651ba9adfe535b3833d7a5c1a5629b6306782017a30ff94b4f6cf2e8f6f26e5fdf1d6a7f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\d82ca7771e83cd9b_0

Filesize
40KB

MD5
df6ff29a54182deeaa64014fa3ebc8ff

SHA1
b6f46b44686c65a07a1ea6f31f2896547a3c0867

SHA256
9fd7d9ef2ca74d594282d0914d045c24fd9748cebf7f39fe73d15459574a5764

SHA512
9cff8e1cf4cd1836eb4fb983dd212f54e83333c1a8296ac18a5bd4c10751ac6f9cbf7403b65d34443916ea79150315a3ef65ae914b56f1d9446138e553ddb403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ee098ba2d4bfbcdb_0

Filesize
303B

MD5
fe790ea5f0c8fd21b6ab1a3c70aecd45

SHA1
e3cb39b8e510bdd816d0a02103938fe59b69807e

SHA256
e0d3933ecc60675b42752c5085bd95c8584da48511fb4c67a000378737e1de3a

SHA512
896a4903825fd431c77a36a63222293d19a0fb0a99c2233209b647bfd25be904663bd29e48ca38fe4e2b2f181ec8c21660f310fed6afd4dd16e8bb1ee752bd42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fdd9a74370b43d7bf1e3a972d99ec909

SHA1
5f260c3d2a5286ef9debef2330ff924522981fdf

SHA256
49cdbf9eb2e86bc367627ff3929a537f2b39f13a62bd35438c8f2810d357bc59

SHA512
76fc665d1d4d0082ce8fb7715e4e9fc37fec2261e3529dd0e3f688b65fafb22cd54733e8c5865fa6c698d340db70c156066d4f7d5aef26e6ae5495d142f8758f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
932ea0d76d48f2e10399f5b0fc4a4b54

SHA1
83e5e4e0e45dd722c8b74caef89419dc65c0a16f

SHA256
3317eaf7d0c0739b83cde9fe0a8a9410b76e36e066bd4bbf5b4cb263695ce0fb

SHA512
c928953df30cfc6c8074b7b05f239bb5bd873d4b9882e1f717c3c3b0cbc60a69832cb7603f5663590053ebae4a099f32573efc069926314541f71d2ff482818b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e2595a5b4cb88951af975b947d08742d

SHA1
724c2aca46669a25f699462ad00c2a8f931a5f80

SHA256
fb06a57acaf924727dd96c5466f77ba145f88ac80eb0f415016f2b86b0a9dcd1

SHA512
cad9ac4979a910d07d4ef4cf987c466d92f230610a317f99b141086791b300a572737d3777ce0d63b5727acac26eeeb7e12a7dbf75cd25477d43a68c2fd992ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
3fe4e1889d38434a12e9ded7cf6bc383

SHA1
aae4c873c6347abfbbcbc6033b1e94b96b27a5f7

SHA256
13296105391ff2d00ad952bd8204d363e7a91c301cc83e737d0d21c49b29a49f

SHA512
091c03b6893e013c59f3d1a5dde6597831123ac74ef7ca05d049870b423530d19c9b0435e0620dad82e272d9ebead08105863fa4764ec2e2dc4070c4ad0fdfdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
6b565c13f7edb7c04c5224dbc5f7e34f

SHA1
e5c8e849537e858bfb5521fbdc9d3699bc4c3918

SHA256
495944b5d4daf6ae185211a3b97cd987e3959eb82634cacb47a07cff17b81a68

SHA512
349981bd85d8b1a80f7b01be4f6c55c4455fb9d490ba855a53418569dcb9bfe9c05eb553d6b97840f8255ed95816f856c681dbc1df252e1fe82fc8b9dc31e4c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
ef1fdcdca4b13453f54f04b66ef1f14f

SHA1
d4dc5079377289e56b1bc9a2bef41993888964cf

SHA256
b4a44e891f4e8421e24dce130e11df12cfe77875441a28f5a43e30d709f71e04

SHA512
acbd247730722253a43dc5cc2c93d2f575df66c14372fd7fe611fe2766160501b81cdab94064e82b96519571aafea74cd7fd574a6b626bfd2043572384ec1cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
efc0b788a3d665dbabeb1d2772038820

SHA1
277f7c8a4f09bd55d54ea9c275c0467bb8f1653b

SHA256
0c244e3d1085721ef4fa9771947244159859e6af1651d642a3108ca2e340b99b

SHA512
674abeab0e2413e2b9cdd08fc4f9403bcc8d1cb8d68829b00448ce02846be71db0b916a6505acf052b2124a20ac410e21fad02bb40b135658b9599087240c6e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
061ff22416f07929ce516a08b1b3419b

SHA1
a7dca22b5171fda88a1de575215068962c73df22

SHA256
ce984b94873600f556d04a56085f48cad89c2032ce8c6ee8a41b0dac5ffc6228

SHA512
b54b02ed295f58ef3297c44323739d62fa6cd04bffb58029f454254957f8f7162268450a30f018e0e517a1433a20cabcdcc74170b41a941e5b4ac93cc52a57a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
791fad402216e8e129124ce02fce7ed0

SHA1
5e09e2517060d3c2a0e12994dc3565236882455c

SHA256
a44c15464e40c737e4e64181a704a9afdd912e1ca7820bd3caa90346e3af3861

SHA512
7e4385d2de98e6cfe374751f65a455cf747b58dc590ca7d5b5fe94295d1dd6766641afa8602d7a8906234e85d5b1e2584c5cc6f3d52123620e74187ab84a81ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
90472d8e8618765883644672c8d002f5

SHA1
d4e1650cec0e503901092ef92b57c5717de58f6f

SHA256
4aa27be206ec1f417c9afca6ba0c37a6390503d8208b1e1d0df67f3d87936c73

SHA512
897de6d84481475274c70fd876d649908ec75e62ed3cdea9a90f75eef969a2745a8ec0433a65969477abd0463704ebf530b86f259f4a88414767e5d7685e0986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d422e50c1c88dd730b6c6a8c5684ccd7

SHA1
c0be99ee3d6d71910f3bb4d69b4ea1369680e98e

SHA256
47adc5d7501a7c18d5400fc2d59dcb8ec483f5995c3f10a1c3586f9003a2aef4

SHA512
0e93970cf977d89cce1784dbf99bb6bc15e1cafdafe20488190d8830b3908bf59a85c8695a1e8d9efb7094b8b77889e7aca40e61e8e792f26e3da01cc88a4d3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
509e8f82a22209a3182c7f6cbacd08e7

SHA1
5dfa0616dca5c16fa24e117f5718bb6525634919

SHA256
3e59fc9dd3ad5362d30165aeb0675c143451b8e39193a540c6dfad3315cdca91

SHA512
ed77315d12d9b8b8264172ee633edb4c4133029f4923295f89c984032b1325eeb880e552f698ecae2dfb96832311ba5d55d6d2e85bf27844cfd4d9cb8189c719

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d9b3e726a3a250959ad1085f54d315f6

SHA1
c93919051696b7138fefc7bef3d7948579497502

SHA256
9108d123c7cf7aef789d4e7a87b8d9d246caa2ff55a3b8db5ee7e3581e4cfbd3

SHA512
521ea91c84f3cdadc898235adb9ab50cf89c919adb7e29ddc8bb50f7ce6b36793117f343f13ac5cf84bfe370810c86387a6c465dbaea376e7314c6317acae37a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c2ab8225aa0d35a81631f9e30cc6b918

SHA1
84e272134a3064ac37279d583279d13d545012bf

SHA256
29e367f11efd0dc71f47efd70c0d6be464ee3a3f537dcf409072b53008429d58

SHA512
7b2f45d23e38a912b88139c21df93cc843b16ab0b3fcc2baf70627e299882947c8747d7061ee8ad63df06af69dbbe995fc55999ffe3d5931ed8c3bfa7f713b9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c470ee7e203fcae312f32e1e7d974af7

SHA1
daac8ccc7b29d6f7dade8ba36091be539bf477b9

SHA256
5f4df11f00aec3630ac8a0081ebfb4af16285d6761f9425a624a0aeb5e441111

SHA512
c7af64928233045e534ef876ed5eaf1bc7d9acc21fbf2e7089603c06fa48a57657877a48bb521b8ec5d9e9627d7546695784cddfe03ba447fd913b1268605257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
7c6fe3c1e9539386bef7190cd84bc7a5

SHA1
9f3a11f1ea04d43064f36c144b2c89c8e3bdb722

SHA256
2c8233bd79a3727345ad9aa4d760cc6210ed85423a7f76e2b6de723b90e015e3

SHA512
003bfa367fa8b0ef4d48bc3230823aa6fa8e6086ef5af355c68b79c13b2b4757768bc23b75cd50e6fadbbf941f03295691b010a7b438f20c9b11f1eb0b9b5f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
117KB

MD5
3cc6790346f0a42f671debc6bb96606c

SHA1
27ef81a9266a6e4b360cf1ee5d3c3eda1b9f5dc5

SHA256
380ff7b22dec4c6d968db08e3e12a1da006288317a7542825a0527bd5473b72e

SHA512
57b1c34400c4fdcce578968857655fbeb22c5eed77096b614c662b9779b96aedfe77bb45cb48ba0e1d04e3753b0b6573a9b8128b7b7f9c9156c1394dc6def9f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a5d44.TMP

Filesize
104KB

MD5
b349737406f6b3f22d70f34f509e6387

SHA1
0d9cbf919db9ab07da672f4fd5e3afffe7394fc1

SHA256
c58da2aef70e50bebb8a919b9c9a7ecdd7efe584554ac21429b27fad0ecc5d61

SHA512
7b71c7e4ecf6aaa1114442d656ab63090c7824f2749941a8aedb5f7cc1fd81d6fa065adbad2b491c5eaaf996dc8a6a4d916f9e4f7db0236694d7214f5b64570a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36MEN.tmp\WinMerge-2.16.34-x64-Setup.tmp

Filesize
1.1MB

MD5
829a640ef69955dd76d1571359b5cab2

SHA1
ca6ea573d79bb43024b9fa4fdcd4d8a920ea59c5

SHA256
a918e5cd628a9e85b3fdb18cecff7aefb042ab8eb5de05e0ed74494e1080fb24

SHA512
0d7179ee5012e55b4517a21e2e9475560ecbe7f747f8e304200cfda70676d945000b329067b76fa5b07e041c9b5a41c9f3f56fd7b0603c5cd042e7b6e6b2a83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36MEN.tmp\WinMerge-2.16.34-x64-Setup.tmp

Filesize
1.1MB

MD5
829a640ef69955dd76d1571359b5cab2

SHA1
ca6ea573d79bb43024b9fa4fdcd4d8a920ea59c5

SHA256
a918e5cd628a9e85b3fdb18cecff7aefb042ab8eb5de05e0ed74494e1080fb24

SHA512
0d7179ee5012e55b4517a21e2e9475560ecbe7f747f8e304200cfda70676d945000b329067b76fa5b07e041c9b5a41c9f3f56fd7b0603c5cd042e7b6e6b2a83e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 133573.crdownload

Filesize
9.1MB

MD5
b182ef1848fea19c72764bfd46686a4d

SHA1
008fe4ce52375cbd0ff17c0b14dd2625652e37f7

SHA256
8873b7e9f26ee52a8babccd5a79b941226c182c027f91e44d18744f53595b6b7

SHA512
ef0edc4f69c55954a73f05b8a1bfc2a0bc38341986589967595e09ebc0f95ef8b6299edf16c487015930e26ccf309956cce84d1442db1e1dec50714b7bb8863f

Download Submit
C:\Users\Admin\Downloads\WinMerge-2.16.34-x64-Setup.exe

Filesize
9.1MB

MD5
b182ef1848fea19c72764bfd46686a4d

SHA1
008fe4ce52375cbd0ff17c0b14dd2625652e37f7

SHA256
8873b7e9f26ee52a8babccd5a79b941226c182c027f91e44d18744f53595b6b7

SHA512
ef0edc4f69c55954a73f05b8a1bfc2a0bc38341986589967595e09ebc0f95ef8b6299edf16c487015930e26ccf309956cce84d1442db1e1dec50714b7bb8863f

Download Submit
C:\Users\Admin\Downloads\WinMerge-2.16.34-x64-Setup.exe

Filesize
9.1MB

MD5
b182ef1848fea19c72764bfd46686a4d

SHA1
008fe4ce52375cbd0ff17c0b14dd2625652e37f7

SHA256
8873b7e9f26ee52a8babccd5a79b941226c182c027f91e44d18744f53595b6b7

SHA512
ef0edc4f69c55954a73f05b8a1bfc2a0bc38341986589967595e09ebc0f95ef8b6299edf16c487015930e26ccf309956cce84d1442db1e1dec50714b7bb8863f

Download Submit
memory/1052-909-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1052-891-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/1052-777-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1052-457-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1052-396-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/5536-390-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5536-910-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5536-456-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5848-947-0x000002896B440000-0x000002896B450000-memory.dmp

Filesize
64KB

Download
memory/5848-963-0x000002896B540000-0x000002896B550000-memory.dmp

Filesize
64KB

Download
memory/5848-979-0x0000028973820000-0x0000028973821000-memory.dmp

Filesize
4KB

Download
memory/5848-981-0x0000028973850000-0x0000028973851000-memory.dmp

Filesize
4KB

Download
memory/5848-982-0x0000028973850000-0x0000028973851000-memory.dmp

Filesize
4KB

Download
memory/5848-983-0x0000028973960000-0x0000028973961000-memory.dmp

Filesize
4KB

Download