2db44b086d860c51a4f45f43a739cd20fb0822189deb1c1cf13e4b5a3b05bc3b

Analysis

max time kernel
132s
max time network
140s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-04-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gpg4win-4.3.1.exe
Size

33.9MB
MD5

cff05af81adc5ca0066baf07d17edb24
SHA1

7c5fa919c2eb90194e844de027a36e87c7be8a80
SHA256

2db44b086d860c51a4f45f43a739cd20fb0822189deb1c1cf13e4b5a3b05bc3b
SHA512

6db824e5da2a9c0af492e78f06fd18fc864eefeb3de4861b09eee6e9da7db2b4a5c181061262deb530dedd56640c314647cac4b49c9b7bb65f7b6020f79f4e10
SSDEEP

786432:4xIC7bI5s6sxkbB2mULpBWfrw5nqGBbC7cSEW/4jHQrXcvbYZJiGLEhUiqQS:QwK6sSbB3ULpBWM5qG62HqBiqFQS

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 58 IoCs

Processes:

gnupg-w32-2.4.5_20240307-bin.exekleopatra.exegpgme-w32spawn.exegpgconf.exegpgme-w32spawn.exegpgconf.exegpgme-w32spawn.exegpg.exegpgme-w32spawn.exegpgsm.exegpgme-w32spawn.exegpgconf.exegpgconf.exedirmngr.exegpgconf.exegpg-agent.exegpgme-w32spawn.exegpgconf.exegpg-connect-agent.exegpg-agent.exegpgme-w32spawn.exegpgconf.exegpg.exegpg.exegpgme-w32spawn.exegpgconf.exegpgsm.exegpgsm.exegpgme-w32spawn.exegpgconf.exekeyboxd.exekeyboxd.exegpgme-w32spawn.exegpgconf.exegpg-agent.exegpg-agent.exegpgme-w32spawn.exegpgconf.exescdaemon.exescdaemon.exegpgme-w32spawn.exegpgconf.exedirmngr.exedirmngr.exegpgme-w32spawn.exegpgconf.exegpgme-w32spawn.exegpgconf.exegpgme-w32spawn.exegpgme-w32spawn.exegpgsm.exegpg.exekeyboxd.exegpgme-w32spawn.exegpgme-w32spawn.exegpgsm.exegpg.exescdaemon.exe

pid	process
3744	gnupg-w32-2.4.5_20240307-bin.exe
488	kleopatra.exe
1272	gpgme-w32spawn.exe
224	gpgconf.exe
3584	gpgme-w32spawn.exe
4836	gpgconf.exe
2492	gpgme-w32spawn.exe
1776	gpg.exe
4824	gpgme-w32spawn.exe
508	gpgsm.exe
1500	gpgme-w32spawn.exe
96	gpgconf.exe
2036	gpgconf.exe
1248	dirmngr.exe
4296	gpgconf.exe
3012	gpg-agent.exe
892	gpgme-w32spawn.exe
4800	gpgconf.exe
4852	gpg-connect-agent.exe
4568	gpg-agent.exe
4364	gpgme-w32spawn.exe
2452	gpgconf.exe
2808	gpg.exe
4284	gpg.exe
2212	gpgme-w32spawn.exe
4340	gpgconf.exe
224	gpgsm.exe
4612	gpgsm.exe
312	gpgme-w32spawn.exe
4620	gpgconf.exe
2872	keyboxd.exe
1776	keyboxd.exe
216	gpgme-w32spawn.exe
4584	gpgconf.exe
504	gpg-agent.exe
2956	gpg-agent.exe
1248	gpgme-w32spawn.exe
1656	gpgconf.exe
3756	scdaemon.exe
2400	scdaemon.exe
4356	gpgme-w32spawn.exe
1464	gpgconf.exe
1856	dirmngr.exe
3548	dirmngr.exe
1504	gpgme-w32spawn.exe
4684	gpgconf.exe
4248	gpgme-w32spawn.exe
3540	gpgconf.exe
4444	gpgme-w32spawn.exe
3776	gpgme-w32spawn.exe
4548	gpgsm.exe
3012	gpg.exe
2940	keyboxd.exe
5004	gpgme-w32spawn.exe
2452	gpgme-w32spawn.exe
2904	gpgsm.exe
372	gpg.exe
3932	scdaemon.exe

Loads dropped DLL 64 IoCs

Processes:

gpg4win-4.3.1.exegnupg-w32-2.4.5_20240307-bin.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exekleopatra.exe

pid	process
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
3744	gnupg-w32-2.4.5_20240307-bin.exe
3744	gnupg-w32-2.4.5_20240307-bin.exe
3744	gnupg-w32-2.4.5_20240307-bin.exe
3744	gnupg-w32-2.4.5_20240307-bin.exe
3744	gnupg-w32-2.4.5_20240307-bin.exe
3744	gnupg-w32-2.4.5_20240307-bin.exe
3744	gnupg-w32-2.4.5_20240307-bin.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
392	regsvr32.exe
2932	regsvr32.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4760	regsvr32.exe
1396	regsvr32.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\InprocServer32\ = "C:\\Program Files (x86)\\Gpg4win\\bin_64\\gpgol.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCD955E4-5C16-4A33-AFDA-A8947A94946B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCD955E4-5C16-4A33-AFDA-A8947A94946B}\InprocServer32\ = "C:\\Program Files (x86)\\Gpg4win\\bin_64\\gpgex.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCD955E4-5C16-4A33-AFDA-A8947A94946B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\InprocServer32	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

gpg4win-4.3.1.exegnupg-w32-2.4.5_20240307-bin.exe

description	ioc	process
File created	C:\Program Files (x86)\Gpg4win\bin\libKF5ConfigWidgets.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\da\LC_MESSAGES\kwidgetsaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ka\LC_MESSAGES\kio5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nn\LC_MESSAGES\ktextwidgets5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\sl\LC_MESSAGES\okular_poppler.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\translations\qtxmlpatterns_ca.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\GnuPG\share\locale\da\LC_MESSAGES\gnupg2.mo	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\de\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\en_GB\LC_MESSAGES\kcompletion5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pt\LC_MESSAGES\ki18n5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ru\LC_MESSAGES\ki18n5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\sv\LC_MESSAGES\kconfigwidgets5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_CN\LC_MESSAGES\kiconthemes5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\translations\qtxmlpatterns_ko.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\gpg4win\HOWTO-SMIME.de.txt	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\bs\LC_MESSAGES\kxmlgui5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ca\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\et\LC_MESSAGES\kleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\gl\LC_MESSAGES\kiconthemes5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\bs\LC_MESSAGES\okular_poppler.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nl\kf5_entry.desktop	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nl\LC_MESSAGES\kparts5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pt_BR\LC_MESSAGES\kconfig5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pt_BR\LC_MESSAGES\kleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\eu\LC_MESSAGES\ki18n5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pt_BR\LC_MESSAGES\kiconthemes5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pt_BR\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\es\LC_MESSAGES\gpgex.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\translations\qtscript_de.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\translations\qtxmlpatterns_cs.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\GnuPG\bin\gpgv.exe	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\eu\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\fr\LC_MESSAGES\kcoreaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\kk\LC_MESSAGES\kconfig5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\uk\LC_MESSAGES\kcompletion5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\bs\LC_MESSAGES\ki18n5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\cs\LC_MESSAGES\kxmlgui5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nds\LC_MESSAGES\kconfigwidgets5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_CN\LC_MESSAGES\kcoreaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\overlayer.exe	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\GnuPG\bin\libgpg-error-0.dll	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\GnuPG\share\locale\pt\LC_MESSAGES\libgpg-error.mo	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\et\LC_MESSAGES\libkleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\translations\qtmultimedia_ru.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\gpgol\gpgol-form-signed.cfg	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\color-schemes\Breeze.colors	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\es\kf5_entry.desktop	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_CN\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\icons\hicolor\32x32\apps\kleopatra.png	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\doc\gpgol\gpgol.pdf	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\VERSION	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\et\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\eu\LC_MESSAGES\kcompletion5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\lv\LC_MESSAGES\kxmlgui5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ca@valencia\LC_MESSAGES\kio5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\libKF5ItemModels.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\gpg4win\mail-ext.ico	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_TW\LC_MESSAGES\gpgol.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_TW\LC_MESSAGES\kio5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_TW\LC_MESSAGES\kwidgetsaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\libKF5JobWidgets.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\el\LC_MESSAGES\ktextwidgets5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ka\LC_MESSAGES\kiconthemes5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\km\LC_MESSAGES\okular_poppler.mo	gpg4win-4.3.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

gpg4win-4.3.1.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\openpgp4fpr\ = "URL:OpenPGP master key fingerprint"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\openpgp4fpr\DefaultIcon	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P7MFile\shell\open	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.crl\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.CMS	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pem	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mbox	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\P7MFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\kleopatra.exe\" -- \"%1\""	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPSIG\FriendlyTypeName = "OpenPGP Signature"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.MIME	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.ASC\ = "OpenPGP Text File"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.KGRP\DefaultIcon	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.ASC\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\Kleopatra.exe\" -- \"%1\""	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.p12\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mime\OpenWithProgIDs	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mime\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.MIME	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pgp\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.X509\shell\open	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCD955E4-5C16-4A33-AFDA-A8947A94946B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\ = "OpenPGP Binary File"	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cer\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.X509	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\InprocServer32\ = "C:\\Program Files (x86)\\Gpg4win\\bin_64\\gpgol.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P7MFile\shell	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\shell	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\shell\open	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.ASC\shell\open\command	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.CMS	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.KGRP\shell	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\ = "GpgOL - The GnuPG Outlook Plugin"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.PGPKEY	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.CMS\shell\open\command	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.CMS\DefaultIcon	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCD955E4-5C16-4A33-AFDA-A8947A94946B}\ = "GpgEX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.CMS\shell	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.p7s\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.p7m\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.X509\shell	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\GpgEX\ = "{CCD955E4-5C16-4A33-AFDA-A8947A94946B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\shell\open\command	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\CurVer\ = "4.3.1"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.X509\CurVer\ = "4.3.1"	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.p12\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.X509	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\InprocServer32\ThreadingModel = "Both"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers\GpgEX	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.gpg\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mbox\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers\GpgEX	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPSIG\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\Kleopatra.exe\" -- \"%1\""	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.KGRP\FriendlyTypeName = "Kleopatra Certificate Groups"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.KGRP\InfoTip = "Certificate groups to be used by Kleopatra for encryption."	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\ShellEx\ContextMenuHandlers\GpgEX	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pgp\OpenWithProgIDs	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPKEY\FriendlyTypeName = "OpenPGP Certificate File"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPKEY\DefaultIcon\ = "C:\\Program Files (x86)\\Gpg4win\\share\\gpg4win\\file-ext.ico"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.MIME\shell\open\command	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.MIME\FriendlyTypeName = "E-Mail file"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCD955E4-5C16-4A33-AFDA-A8947A94946B}\InprocServer32\ThreadingModel = "Apartment"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPSIG	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPSIG\InfoTip = "A cryptographic signature to verify the authenticity of another file."	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.crt\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.X509	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.MIME\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\Kleopatra.exe\" -- \"%1\""	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.eml\OpenWithProgIDs	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\openpgp4fpr\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\kleopatra.exe\" --query -- \"%1\""	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.p7c\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.X509	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.KGRP\shell\open\command	gpg4win-4.3.1.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

kleopatra.exe

pid process

488 kleopatra.exe

pid	process
488	kleopatra.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

gpg4win-4.3.1.exe

pid	process
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe
4364	gpg4win-4.3.1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kleopatra.exe

pid process

488 kleopatra.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

kleopatra.exe

pid process

488 kleopatra.exe
488 kleopatra.exe
488 kleopatra.exe
488 kleopatra.exe
488 kleopatra.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

kleopatra.exe

pid process

488 kleopatra.exe
488 kleopatra.exe
488 kleopatra.exe
488 kleopatra.exe
488 kleopatra.exe

pid	process
488	kleopatra.exe

pid	process
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe

pid	process
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe
488	kleopatra.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

gpg4win-4.3.1.exeregsvr32.exeregsvr32.exekleopatra.exegpgme-w32spawn.exegpgme-w32spawn.exegpgme-w32spawn.exegpgme-w32spawn.exegpgme-w32spawn.exegpgconf.exegpgconf.exegpgme-w32spawn.exe

description	pid	process	target process
PID 4364 wrote to memory of 3744	4364	gpg4win-4.3.1.exe	gnupg-w32-2.4.5_20240307-bin.exe
PID 4364 wrote to memory of 3744	4364	gpg4win-4.3.1.exe	gnupg-w32-2.4.5_20240307-bin.exe
PID 4364 wrote to memory of 3744	4364	gpg4win-4.3.1.exe	gnupg-w32-2.4.5_20240307-bin.exe
PID 4364 wrote to memory of 392	4364	gpg4win-4.3.1.exe	regsvr32.exe
PID 4364 wrote to memory of 392	4364	gpg4win-4.3.1.exe	regsvr32.exe
PID 4364 wrote to memory of 392	4364	gpg4win-4.3.1.exe	regsvr32.exe
PID 392 wrote to memory of 2932	392	regsvr32.exe	regsvr32.exe
PID 392 wrote to memory of 2932	392	regsvr32.exe	regsvr32.exe
PID 4364 wrote to memory of 4760	4364	gpg4win-4.3.1.exe	regsvr32.exe
PID 4364 wrote to memory of 4760	4364	gpg4win-4.3.1.exe	regsvr32.exe
PID 4364 wrote to memory of 4760	4364	gpg4win-4.3.1.exe	regsvr32.exe
PID 4760 wrote to memory of 1396	4760	regsvr32.exe	regsvr32.exe
PID 4760 wrote to memory of 1396	4760	regsvr32.exe	regsvr32.exe
PID 488 wrote to memory of 1272	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 1272	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 1272	488	kleopatra.exe	gpgme-w32spawn.exe
PID 1272 wrote to memory of 224	1272	gpgme-w32spawn.exe	gpgconf.exe
PID 1272 wrote to memory of 224	1272	gpgme-w32spawn.exe	gpgconf.exe
PID 1272 wrote to memory of 224	1272	gpgme-w32spawn.exe	gpgconf.exe
PID 488 wrote to memory of 3584	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 3584	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 3584	488	kleopatra.exe	gpgme-w32spawn.exe
PID 3584 wrote to memory of 4836	3584	gpgme-w32spawn.exe	gpgconf.exe
PID 3584 wrote to memory of 4836	3584	gpgme-w32spawn.exe	gpgconf.exe
PID 3584 wrote to memory of 4836	3584	gpgme-w32spawn.exe	gpgconf.exe
PID 488 wrote to memory of 2492	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 2492	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 2492	488	kleopatra.exe	gpgme-w32spawn.exe
PID 2492 wrote to memory of 1776	2492	gpgme-w32spawn.exe	gpg.exe
PID 2492 wrote to memory of 1776	2492	gpgme-w32spawn.exe	gpg.exe
PID 2492 wrote to memory of 1776	2492	gpgme-w32spawn.exe	gpg.exe
PID 488 wrote to memory of 4824	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 4824	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 4824	488	kleopatra.exe	gpgme-w32spawn.exe
PID 4824 wrote to memory of 508	4824	gpgme-w32spawn.exe	gpgsm.exe
PID 4824 wrote to memory of 508	4824	gpgme-w32spawn.exe	gpgsm.exe
PID 4824 wrote to memory of 508	4824	gpgme-w32spawn.exe	gpgsm.exe
PID 488 wrote to memory of 1500	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 1500	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 1500	488	kleopatra.exe	gpgme-w32spawn.exe
PID 1500 wrote to memory of 96	1500	gpgme-w32spawn.exe	gpgconf.exe
PID 1500 wrote to memory of 96	1500	gpgme-w32spawn.exe	gpgconf.exe
PID 1500 wrote to memory of 96	1500	gpgme-w32spawn.exe	gpgconf.exe
PID 488 wrote to memory of 2036	488	kleopatra.exe	gpgconf.exe
PID 488 wrote to memory of 2036	488	kleopatra.exe	gpgconf.exe
PID 488 wrote to memory of 2036	488	kleopatra.exe	gpgconf.exe
PID 2036 wrote to memory of 1248	2036	gpgconf.exe	dirmngr.exe
PID 2036 wrote to memory of 1248	2036	gpgconf.exe	dirmngr.exe
PID 2036 wrote to memory of 1248	2036	gpgconf.exe	dirmngr.exe
PID 488 wrote to memory of 4296	488	kleopatra.exe	gpgconf.exe
PID 488 wrote to memory of 4296	488	kleopatra.exe	gpgconf.exe
PID 488 wrote to memory of 4296	488	kleopatra.exe	gpgconf.exe
PID 4296 wrote to memory of 3012	4296	gpgconf.exe	gpg-agent.exe
PID 4296 wrote to memory of 3012	4296	gpgconf.exe	gpg-agent.exe
PID 4296 wrote to memory of 3012	4296	gpgconf.exe	gpg-agent.exe
PID 488 wrote to memory of 892	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 892	488	kleopatra.exe	gpgme-w32spawn.exe
PID 488 wrote to memory of 892	488	kleopatra.exe	gpgme-w32spawn.exe
PID 892 wrote to memory of 4800	892	gpgme-w32spawn.exe	gpgconf.exe
PID 892 wrote to memory of 4800	892	gpgme-w32spawn.exe	gpgconf.exe
PID 892 wrote to memory of 4800	892	gpgme-w32spawn.exe	gpgconf.exe
PID 4296 wrote to memory of 4852	4296	gpgconf.exe	gpg-connect-agent.exe
PID 4296 wrote to memory of 4852	4296	gpgconf.exe	gpg-connect-agent.exe
PID 4296 wrote to memory of 4852	4296	gpgconf.exe	gpg-connect-agent.exe

C:\Users\Admin\AppData\Local\Temp\gpg4win-4.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\gpg4win-4.3.1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\gnupg-w32-2.4.5_20240307-bin.exe
"C:\Users\Admin\AppData\Local\Temp\gnupg-w32-2.4.5_20240307-bin.exe" /S /D=C:\Program Files (x86)\Gpg4win\..\GnuPG
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3744

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll"
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2932

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgex.dll"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Gpg4win\bin_64\gpgex.dll"
3⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:1396

C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe
"C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:488

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-L0RRGm" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-dirs"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-dirs"
3⤵
- Executes dropped EXE
PID:224

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-SUWLdz" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-components"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3584

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-components"
3⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-p07UKL" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--version"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492

C:\Program Files (x86)\GnuPG\bin\gpg.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--version"
3⤵
- Executes dropped EXE
PID:1776

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-2KV8hY" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--version"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4824

C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--version"
3⤵
- Executes dropped EXE
PID:508

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-JZFxPa" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--version"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--version"
3⤵
- Executes dropped EXE
PID:96

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\Program Files (x86)\GnuPG\bin\gpgconf.exe" --show-versions
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036

C:\Program Files (x86)\GnuPG\bin\dirmngr.exe
"C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" --gpgconf-versions
3⤵
- Executes dropped EXE
PID:1248

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\Program Files (x86)\GnuPG\bin\gpgconf.exe" --launch gpg-agent
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296

C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
"C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --gpgconf-test
3⤵
- Executes dropped EXE
PID:3012

C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
"C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" NOP
3⤵
- Executes dropped EXE
PID:4852

C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
"C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --homedir C:\Users\Admin\AppData\Roaming\gnupg --use-standard-socket --daemon
4⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\GnuPG\bin\scdaemon.exe
"C:\Program Files (x86)\GnuPG\bin\scdaemon.exe" --multi-server
5⤵
- Executes dropped EXE
PID:3932

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-bASnyn" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-components"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-components"
3⤵
- Executes dropped EXE
PID:4800

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-q3hlhA" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "gpg"
2⤵
- Executes dropped EXE
PID:4364

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "gpg"
3⤵
- Executes dropped EXE
PID:2452

C:\Program Files (x86)\GnuPG\bin\gpg.exe
"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --dump-option-table
4⤵
- Executes dropped EXE
PID:2808

C:\Program Files (x86)\GnuPG\bin\gpg.exe
"C:\Program Files (x86)\GnuPG\bin\gpg.exe" --gpgconf-list
4⤵
- Executes dropped EXE
PID:4284

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-eHKz0M" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "gpgsm"
2⤵
- Executes dropped EXE
PID:2212

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "gpgsm"
3⤵
- Executes dropped EXE
PID:4340

C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
"C:\Program Files (x86)\GnuPG\bin\gpgsm.exe" --dump-option-table
4⤵
- Executes dropped EXE
PID:224

C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
"C:\Program Files (x86)\GnuPG\bin\gpgsm.exe" --gpgconf-list
4⤵
- Executes dropped EXE
PID:4612

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-i3y4JZ" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "keyboxd"
2⤵
- Executes dropped EXE
PID:312

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "keyboxd"
3⤵
- Executes dropped EXE
PID:4620

C:\Program Files (x86)\GnuPG\bin\keyboxd.exe
"C:\Program Files (x86)\GnuPG\bin\keyboxd.exe" --dump-option-table
4⤵
- Executes dropped EXE
PID:2872

C:\Program Files (x86)\GnuPG\bin\keyboxd.exe
"C:\Program Files (x86)\GnuPG\bin\keyboxd.exe" --gpgconf-list
4⤵
- Executes dropped EXE
PID:1776

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-c1DMtc" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "gpg-agent"
2⤵
- Executes dropped EXE
PID:216

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "gpg-agent"
3⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
"C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --dump-option-table
4⤵
- Executes dropped EXE
PID:504

C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
"C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --gpgconf-list
4⤵
- Executes dropped EXE
PID:2956

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-YEZKdp" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "scdaemon"
2⤵
- Executes dropped EXE
PID:1248

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "scdaemon"
3⤵
- Executes dropped EXE
PID:1656

C:\Program Files (x86)\GnuPG\bin\scdaemon.exe
"C:\Program Files (x86)\GnuPG\bin\scdaemon.exe" --dump-option-table
4⤵
- Executes dropped EXE
PID:3756

C:\Program Files (x86)\GnuPG\bin\scdaemon.exe
"C:\Program Files (x86)\GnuPG\bin\scdaemon.exe" --gpgconf-list
4⤵
- Executes dropped EXE
PID:2400

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-pEuUXB" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "dirmngr"
2⤵
- Executes dropped EXE
PID:4356

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "dirmngr"
3⤵
- Executes dropped EXE
PID:1464

C:\Program Files (x86)\GnuPG\bin\dirmngr.exe
"C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" --dump-option-table
4⤵
- Executes dropped EXE
PID:1856

C:\Program Files (x86)\GnuPG\bin\dirmngr.exe
"C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" --gpgconf-list
4⤵
- Executes dropped EXE
PID:3548

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-jrniIO" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "pinentry"
2⤵
- Executes dropped EXE
PID:1504

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "pinentry"
3⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-pPXZs1" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--query-swdb" "gpg4win" "4.3.1"
2⤵
- Executes dropped EXE
PID:4248

C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--query-swdb" "gpg4win" "4.3.1"
3⤵
- Executes dropped EXE
PID:3540

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-DirNde" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--disable-dirmngr" "--no-auto-check-trustdb" "--batch" "--status-fd" "1" "--logger-fd" "5" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--list-keys" "--"
2⤵
- Executes dropped EXE
PID:4444

C:\Program Files (x86)\GnuPG\bin\gpg.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--disable-dirmngr" "--no-auto-check-trustdb" "--batch" "--status-fd" "4" "--logger-fd" "12" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--list-keys" "--"
3⤵
- Executes dropped EXE
PID:3012

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-1TyBYq" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--logger-fd" "3" "--server"
2⤵
- Executes dropped EXE
PID:3776

C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--logger-fd" "16" "--server"
3⤵
- Executes dropped EXE
PID:4548

C:\Program Files (x86)\GnuPG\bin\keyboxd.exe
"C:\Program Files (x86)\GnuPG\bin\keyboxd.exe" --homedir C:\Users\Admin\AppData\Roaming\gnupg --daemon
4⤵
- Executes dropped EXE
PID:2940

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-QhwaKD" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--logger-fd" "1" "--server"
2⤵
- Executes dropped EXE
PID:5004

C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--logger-fd" "16" "--server"
3⤵
- Executes dropped EXE
PID:2904

C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
"C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-9EtJvQ" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--disable-dirmngr" "--batch" "--status-fd" "13" "--logger-fd" "17" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--with-sig-check" "--list-options" "show-sig-subpackets=\"20,26\"" "--check-sigs" "--"
2⤵
- Executes dropped EXE
PID:2452

C:\Program Files (x86)\GnuPG\bin\gpg.exe
"C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--disable-dirmngr" "--batch" "--status-fd" "4" "--logger-fd" "12" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--with-sig-check" "--list-options" "show-sig-subpackets=\"20,26\"" "--check-sigs" "--"
3⤵
- Executes dropped EXE
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
Filesize
471KB

MD5
5f18625ef82543f30a920db287955861

SHA1
9b76257d15eb5c67d9a894a88cb4eb0c1824bcc3

SHA256
0cd595b333c54cd4e651545617dda5f124f355c866a186061ea1d05b17c86f0e

SHA512
852302b13c09fefbda392ffa1156c0a504e06125a13f9bf2bddfbc4e5705d8859339d42b892e1f17b2b6966a4782a9b350b948e0e0dbc1be04ca233af304d38f

Download Submit
C:\Program Files (x86)\GnuPG\bin\gpg.exe
Filesize
1.3MB

MD5
b21d70fe736a3661fb304dc7f08a5cfe

SHA1
c755ecdc7bcb7ee3818e1cdeb171ead709618b69

SHA256
ed445e4b7cb92a254d74ba8bc8e42f876b3d78ef7bac5f531f7cfa707dc93438

SHA512
6811113ed0e720a0be7750c29ec956cd7c90bc317a1e39d918ef8e94052ee5cf5adeff96b9bfafc1e12f2c7da3f77da767144e171e3ea99f385fe03f2f2bd0c2

Download Submit
C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
Filesize
205KB

MD5
bb95839098aab6a4a89666798e5dd267

SHA1
bfc7d70a600ed33f41d85435fc8b52a9108b4bcf

SHA256
bd65cfd40742fadf8eceeb3b2682079e1d5c6f81604b6d34baaeb584a8945989

SHA512
e1da9d66f240449a04f8679b5eca61495fea43074c0ae893ce13e4bdfd105e5410e823d9549e9d7fa2bb3161437ea9d77ef11704135073e93e0d3c77ec892add

Download Submit
C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
Filesize
666KB

MD5
dc58d4df08480af127defc59162f10d0

SHA1
124db1cb7db963a3aa5846b65b5611d602bd9476

SHA256
8ca8bfd1783ae951c40e1c84e135ebb721b4d44ecf0fe5417d69004c97db8882

SHA512
a6cd52f3bbb1e0c1fd9d90255eff9f9521da6b0e63a11895705b1d9a2be39c494ce3158f20c3b6ebec8c6874aebb3c0d61182a167e078e1d47da9ce2e188526f

Download Submit
C:\Program Files (x86)\GnuPG\share\locale\pl\LC_MESSAGES\gnupg2.mo
Filesize
238KB

MD5
954e63685bf62aa9ae12c14c76131a63

SHA1
6fd1c5ca2d16e5e995c32fe9038dd4751d0d14f2

SHA256
27076a5fa4e6ad7b0fd43df445d1d6986c2d3add094d8885ed7ca390fa7ae68a

SHA512
677a32afe059b79f2a6856b8afc6b6a065d656d72a3fdb2363c0c47d8c9ca607ba0a8ad6ca5f97992a0873160ae155c117cecaaafd4a2fa3805c7b6dec3105b7

Download Submit
C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe
Filesize
4.8MB

MD5
56b7add491410755af6cad3fca38e0d5

SHA1
4608b90cf847963fc1ca500f4e21e0be45648827

SHA256
b83d684e1e5ca6ca9bb06ba01beb38745a9b11df2d9077435010ac8c7c92d4ad

SHA512
2fed1998b4e4f6bccc6cf57dba88495e8ea793c998fc5ed8a33a9e1743b1960cdbe669a6a1b7229eee92c0857e7573ab0d88d16dcb39e19563cc6b71f81e00bb

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libKF5CoreAddons.dll
Filesize
770KB

MD5
f948d00cd0e97581b734369fc66f204c

SHA1
7c9380f16c7040f477d9ca76cf263c240d053adc

SHA256
9bcb657bda5153391e7016471e16ad72364e1745929be1dfc3d577aefdf8328f

SHA512
2a5fdceb12a595f065bb2424d35e6124b1c2576e72a9c8d5fcbb172aca17d06e40ff3c96df458985fd56894c1cb74c50bb44329ad7141c7f200160a65c555a32

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libkleopatraclientcore.dll
Filesize
101KB

MD5
99b348c1671f79cb5b50b3929df1d34f

SHA1
7e73e393a4e15d1ba84ad91aa256d6c4620d8a81

SHA256
acfe84c4348b136c77b3781264edf04432504faa1dfea8f9d2bb144c021e5e82

SHA512
1b44a48cb3cf06efc0eceb09c19a985399fe7706dc4bd265dc020a2c62df625029f0759b24d86db01224aa9cdbdb5ff36c4d0007ac3dd6b4cb7b92693dacc883

Download Submit
C:\Program Files (x86)\Gpg4win\bin\translations\qtxmlpatterns_en.qm
Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll
Filesize
2.8MB

MD5
cb24c4a9759526e8b1b1186e1bfc6371

SHA1
b71236abfeb6de237d8543db885d774ceadd1dce

SHA256
00cf36f72afabcba8c4b48d57b9afcae080d5df802501b488e4c16a8f712478e

SHA512
4d6b79c81d27acc0fec927eb1a56b269b074aa29030d03338a343d054d4e86c980b371cdc673d5598d54a34d3ece8e1ea7fbc05e809c73ad87b9e19d36f76fb1

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\eo\LC_MESSAGES\kio5.mo
Filesize
186KB

MD5
e91d1c7c64d01abf95b5c0e998aca584

SHA1
aae9ba479aca06991eaaedb54694ad7ed19fb66a

SHA256
29d0e8b53abaca6efa2e4d6b498ebee47b67460e4c8c2dbec4169021784603a3

SHA512
f0e7469ab29225b67a2867f2ab9801405384d3cbf07c9e2e199235dbf2794af478f91289277106fbe71f330d7d6957e4dbe90ce0e34e7678aa6437ad897a9546

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\es\LC_MESSAGES\okular.mo
Filesize
90KB

MD5
62da3c407727099a17afc361687f59a6

SHA1
4c0315143aa676e9a2e93282c226f32bbcfb5c48

SHA256
86cc5df4aae6df0d5bb6096cfde13bec5eb87f2fd03fcbb3992c6d75d7a17207

SHA512
ccf05c83c371ae1b8cd2ebd87d5906c3665b422118ed5a33a2f84acc86cfbc5a918c41b4186de99bbce70b12aa895008f2784521628103bde713b714ab0e0f1c

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\kk\LC_MESSAGES\kitemviews5_qt.qm
Filesize
30B

MD5
b83230a03cb46ec13cf38dfbb0f3b744

SHA1
f071802c2c5a46be2a65bd6282608034bdef99ed

SHA256
71f6122a857122143f1b51b5dc7669668a77e93d4c1bfa8c93c370330a7d4335

SHA512
6ca19700cbd8decfa19b897d1b073f1c2322544c659bc8cb7dbbc8fe381932e58205619f156026457a8cbf6088e178c33b31e6cc0337e5b1a553e97fa21dd4db

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\km\LC_MESSAGES\kitemviews5_qt.qm
Filesize
30B

MD5
da4e374c6587f14ec35db9b151acb1a5

SHA1
7a7f4bb69fd9f3762d75e385cd981902a3bced22

SHA256
962c69a60bf953b54428464f6acee3d68deb3b96f19e83ad1e5528e14e03170f

SHA512
6ad9c41d8441b4084cfb730ad857145a2b53b646f1af8fa6e36a17096407a5abe29eca86ed1e3750c463f728c48468714f3c15b41ea88fd09e30f179f183eab4

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\lv\LC_MESSAGES\kitemviews5_qt.qm
Filesize
36B

MD5
05dde48e23fac68bddfadd39c3b29ca5

SHA1
c9b83d712c2b9f68e5f631e4e1f0aa7779fc208c

SHA256
2327768f504d96b61af841e0673c88bc0eb093fd2ec45d5f9b257b2ad0609507

SHA512
991b5cc0fd0688364ab73b7548d9ce93681e44066cf11e20856d56625268da657aad1ae6b887fa5a4b11769e6c0d989a729ca443ed126e3f66cc060a14ea668b

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\nl\LC_MESSAGES\kleopatra.mo
Filesize
242KB

MD5
b97b250ccd52c1f4b787f9090f08eed9

SHA1
89f64bddba985e89f2f8f80004530a954097db8c

SHA256
bfbe5debd2d5ae555b96155b8bedd324e56164db4e0c5f7edfeb8a0018a0100a

SHA512
308641ab36a1005e5efa330953918d970ced65e0570435986312e9772859cc22b270d5d3951637d8a651264d8f23bd74ad545f406b186178b2c86ff50314561d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnupg-w32-2.4.5_20240307-bin.exe
Filesize
5.3MB

MD5
6efb76e751a360f5ef7bdee99b93a0f4

SHA1
9ffe88554341f28e077ef42150b149a851af2fae

SHA256
d2ac821ceacf9409ebcdb42ae330087ada30c732981f00b356f9c2f08fac4dc1

SHA512
2f08e850d00c951139ea2993c92915a884c9a49c64a547a186cd310eb43c5b9c9b59c46931eb38f241a5c66f76aa81fb85533db01ac848532cec9ab180b60b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpgme-JZFxPa
Filesize
18B

MD5
dc07682612150fbea67f103bebe1fa26

SHA1
269dd24c33c82a9cbca5e80ea500dc09c47d9fbb

SHA256
0ed101d7d58f7a1b6726b14b616a7f9b636e57ab107ff5e62271790348db0b3c

SHA512
6d599e85dddeef2160d11e0f3bb1f437057e78143aba4efba16b3315d485270c1caf8beb2fa5dedc41a9a23d8dff55de593e165801b08e9ce723ac73c1519073

Download Submit
\Program Files (x86)\Gpg4win\bin\gpgex.dll
Filesize
536KB

MD5
6de54fbe7f86a98ab5c5b0ec513df79c

SHA1
c01632940bf6abf4e86278b420489e5d25c2e986

SHA256
37ac2063dd1372979909aa119e273b03c535208eac5039d14064d8ac960a0324

SHA512
7fd9ddd9910a853198e7660ab6ad08cc4865c39747d98a13049d1d7404a119f7738ee5a542b4b50d9e323dac0c05bf7bb7810c9e1550f5b9edaa9ae7fc67dabd

Download Submit
\Program Files (x86)\Gpg4win\bin\gpgol.dll
Filesize
2.9MB

MD5
0a6bd76d29c84f06d86c25a112c0f5a1

SHA1
781d480bb2326f708058d3ddc38a0e9051d632b3

SHA256
cdba64b14b33405f3efb988a6f15768563c8f620af4678f32a45be10ef2ce20a

SHA512
94660ce2e3550b7d897f8ec8ea86915190fa12dfd98b68ccc3d843af8a0109d65319a56c6fd31a0604b1527f203c073536b666986e6c3bb89424fe1b0fbb8bb7

Download Submit
\Program Files (x86)\Gpg4win\bin\libKF5Codecs.dll
Filesize
274KB

MD5
7b11e553121fd8faefd52200777a6a40

SHA1
a5812b8b6edc196f0d7a1850558ed2290d503deb

SHA256
45bbb83e60198480ad39a652a5fc91f1238f3e51e25c07762b6eca7c4e2898bc

SHA512
f17398c4290ae6e9a2d7f5020ec990fe199dadd16126fb6ca81a394938a94fdd66271f90def56f9b9f5845170d8f7bed0fa52c42515c7c4593ea096034aeb2d1

Download Submit
\Program Files (x86)\Gpg4win\bin\libKF5ConfigCore.dll
Filesize
499KB

MD5
f716b2fa37dff739f08f3993b79d09b9

SHA1
724e4a865745a71c400b2b5a3d44a3b75e2aab06

SHA256
35c7e5d505ab4c35135157049cb057ee7a5729ac2b738570590aa7622bff64a3

SHA512
24dbda31d14e26606f8c3b2554f4ca6c717420a361db04c48197f91afa05a3a254b2530f884637e8778696a78aef205c5b2aece85bb37dcfe39794bc6643f362

Download Submit
\Program Files (x86)\Gpg4win\bin\libKF5ConfigGui.dll
Filesize
168KB

MD5
551427752ca4a73cfb85b7275d66f0d0

SHA1
1c212683f0ac6beee0ae0d015e99da198559b747

SHA256
a27ebf9a417ea3f561139eaea6b7d8318f802099c85e8d707bd088546872ec77

SHA512
e0dd4336f48ed79899409347a159a8d52376712fd594ab5e9e4b1f1873edea5cfee501adcd6c408af4449fe0b40adf933da517dc738e0db5a33e2e240c79b21d

Download Submit
\Program Files (x86)\Gpg4win\bin\libKF5ConfigWidgets.dll
Filesize
452KB

MD5
f3cd64079c40cede28c50bdf44cdf96d

SHA1
7d8a7e209165c499623a84e7cbee1f969a4e6d00

SHA256
3b0348d40f83b9b3edcb9168cb318140fa0a03823b4badd5c5991b8ab2d89365

SHA512
cfc7eec6b86d4b574550a1f5bcc9bb6807c4be3b9b97d64294466360886708a6baea078d8ff3a7ad436451b8e81a092efa5e8a6a53a7ac2beb76d9f1dc44ae39

Download Submit
\Program Files (x86)\Gpg4win\bin\libkleopatraclientgui.dll
Filesize
44KB

MD5
3d6173c0a2d499a43a12b8369a36e715

SHA1
ea370ed5cd5e63ec057fe063ee6a2b7298a666d0

SHA256
fd77fe0a7a1879260a2c2614291ba85e88f88d249a84f34d4da14909631cb52c

SHA512
eb4e7feefd0bd325c7fd87de88189ea190500ce84aee355cb614b63ccdbfdb4c2b58002394a7126adfde1a77b420ec7898183328ffa53fcb59de5b473e6ebbb9

Download Submit
\Program Files (x86)\Gpg4win\bin\libwinpthread-1.dll
Filesize
60KB

MD5
f3087bf95436d720143a1ed88c53edcd

SHA1
e82ec2fb41fd00bff787b6c0afdbfb7e2b260dc9

SHA256
0d2598850642932cf2fa3cfc344230796fd61c3171c784f3c523883893e0b5fb

SHA512
e6cc54d79f6ab32a555a791a0ea15e6e336443119d45f6ccef1c4de8fc196d9bcaeee22293badddab60fd4a771f79c4006d11a3b404834a9294c561a7c24fa89

Download Submit
\Program Files (x86)\Gpg4win\bin_64\gpgex.dll
Filesize
492KB

MD5
6e3aa6891c29084e022089c4767396c8

SHA1
b91a892fa7ada3f5736960445abb1a1c1e86e19a

SHA256
5c99a4689c519fc0f918130cba268664a01e2ea23ede4e9aad5aee9abc1a3bc3

SHA512
65866cfbd80c451305c2f466ebc0c82018c0f280256e3e9f0f9b4084dffc4af2a0643d9283f5ba6cf7219102ea504b2880bc441719f0d079c9e78865d629431d

Download Submit
\Users\Admin\AppData\Local\Temp\nsm64E6.tmp\LangDLL.dll
Filesize
7KB

MD5
20850d4d5416fbfd6a02e8a120f360fc

SHA1
ac34f3a34aaa4a21efd6a32bc93102639170e219

SHA256
860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61

SHA512
c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276

Download Submit
\Users\Admin\AppData\Local\Temp\nsm64E6.tmp\System.dll
Filesize
26KB

MD5
4f25d99bf1375fe5e61b037b2616695d

SHA1
958fad0e54df0736ddab28ff6cb93e6ed580c862

SHA256
803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647

SHA512
96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130

Download Submit
\Users\Admin\AppData\Local\Temp\nsm64E6.tmp\UserInfo.dll
Filesize
6KB

MD5
9c8190bf734e58469eeb894b04c9fda0

SHA1
8ba2d3474ee1acf315fbccb7253e7cbdbae414c2

SHA256
88860534a424835a4bc47d3db8d0f4b1481442ed3efdeb7338a7ddf616651a60

SHA512
910af7da023bccda2dba873ff95769d24174b09c5f053e676e56a2f99f6e376009b7ee62fb23835285160c4c6feaba99c530b978c1085a37d610d3fa1a4f3727

Download Submit
\Users\Admin\AppData\Local\Temp\nsm64E6.tmp\g4wihelp.dll
Filesize
82KB

MD5
1d21fa410d54e5782078f759c3b95a7d

SHA1
0e2d21ad8f6532a8c9dfb60c4f4058ef5985f2be

SHA256
5d360cffc1ff6c0f49289fab1181daa93164022228e87dd136c8fbbf100f2bb3

SHA512
79a0fef74d9c901ffd7a9a4de7c09b496564cfe8db2cd22feaf3ca3c42586a100294e3d937a5e7cfd150c8f5a9879d817030c08bf38ab26a328183fbf0f4c744

Download Submit
\Users\Admin\AppData\Local\Temp\nsm64E6.tmp\nsDialogs.dll
Filesize
12KB

MD5
2029c44871670eec937d1a8c1e9faa21

SHA1
e8d53b9e8bc475cc274d80d3836b526d8dd2747a

SHA256
a4ae6d33f940a80e8fe34537c5cc1f8b8679c979607969320cfb750c15809ac2

SHA512
6f151c9818ac2f3aef6d4cabd8122c7e22ccf0b84fa5d4bcc951f8c3d00e8c270127eac1e9d93c5f4594ac90de8aff87dc6e96562f532a3d19c0da63a28654b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9D1C.tmp\InstallOptions.dll
Filesize
28KB

MD5
7770a504cf10db9899f7adc59d4c7dec

SHA1
d1ecc15b69af83aa8065199261e28d78947f7da8

SHA256
e2e74adc3704c5e7d52f10e17f384ba7d8d80c11900dda0ce8e578a9944c4dda

SHA512
694726085477e7e82c3b960d853910e12f24a6d97ac629586124b8d02def44da24f3ace6a3404ffa7bf2d410e93a1c6e918e149801201f4c9800991aabd6f212

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9D1C.tmp\g4wihelp.dll
Filesize
60KB

MD5
b0379f02947c072a1898230dcbe1e961

SHA1
b218c6ef3083c61ccceb562557b274ee2e0c29cc

SHA256
64167cab813702ae208521282121dba5bdf30fcda68809ae18c3a79ee31d4b30

SHA512
105949e108b1a9f1e404e6b6578de9427c3e0f424f95a6d0a5c4c0b9ea2554ab66419dbe49b70e39fc1dd45279a3ac8f0317c9da4d966647760fd9a2bd2b5239

Download Submit
memory/224-1475-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/224-1476-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/224-1474-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/488-1465-0x0000000064AC0000-0x0000000064C4E000-memory.dmp

Filesize
1.6MB

Download
memory/488-1457-0x0000000069E00000-0x0000000069E43000-memory.dmp

Filesize
268KB

Download
memory/488-1399-0x0000000001540000-0x0000000001C84000-memory.dmp

Filesize
7.3MB

Download
memory/488-1433-0x0000000002470000-0x0000000002638000-memory.dmp

Filesize
1.8MB

Download
memory/488-1435-0x0000000002640000-0x000000000273E000-memory.dmp

Filesize
1016KB

Download
memory/488-1438-0x00000000001C0000-0x00000000001E3000-memory.dmp

Filesize
140KB

Download
memory/488-1437-0x0000000002740000-0x00000000027C3000-memory.dmp

Filesize
524KB

Download
memory/488-1425-0x0000000002300000-0x0000000002463000-memory.dmp

Filesize
1.4MB

Download
memory/488-1400-0x0000000000BA0000-0x0000000000BFB000-memory.dmp

Filesize
364KB

Download
memory/488-1428-0x0000000000110000-0x0000000000124000-memory.dmp

Filesize
80KB

Download
memory/488-1440-0x0000000066240000-0x00000000662AD000-memory.dmp

Filesize
436KB

Download
memory/488-1579-0x0000000000400000-0x00000000008C4000-memory.dmp

Filesize
4.8MB

Download
memory/488-1397-0x0000000001170000-0x00000000012EA000-memory.dmp

Filesize
1.5MB

Download
memory/488-1441-0x000000006FEC0000-0x000000006FEDE000-memory.dmp

Filesize
120KB

Download
memory/488-1443-0x0000000066940000-0x0000000066F73000-memory.dmp

Filesize
6.2MB

Download
memory/488-1444-0x0000000066240000-0x00000000662AD000-memory.dmp

Filesize
436KB

Download
memory/488-1442-0x0000000001540000-0x0000000001C84000-memory.dmp

Filesize
7.3MB

Download
memory/488-1446-0x000000006FEC0000-0x000000006FEDE000-memory.dmp

Filesize
120KB

Download
memory/488-1448-0x0000000001C90000-0x00000000022FE000-memory.dmp

Filesize
6.4MB

Download
memory/488-1451-0x0000000063B80000-0x0000000063BAE000-memory.dmp

Filesize
184KB

Download
memory/488-1450-0x000000006C440000-0x000000006C489000-memory.dmp

Filesize
292KB

Download
memory/488-1453-0x0000000001170000-0x00000000012EA000-memory.dmp

Filesize
1.5MB

Download
memory/488-1452-0x000000006BAC0000-0x000000006BB85000-memory.dmp

Filesize
788KB

Download
memory/488-1454-0x000000006BAC0000-0x000000006BB85000-memory.dmp

Filesize
788KB

Download
memory/488-1455-0x00000000615C0000-0x000000006160A000-memory.dmp

Filesize
296KB

Download
memory/488-1456-0x00000000641C0000-0x00000000641F7000-memory.dmp

Filesize
220KB

Download
memory/488-1458-0x0000000000BA0000-0x0000000000BFB000-memory.dmp

Filesize
364KB

Download
memory/488-1426-0x0000000001C90000-0x00000000022FE000-memory.dmp

Filesize
6.4MB

Download
memory/488-1460-0x000000006D400000-0x000000006D55F000-memory.dmp

Filesize
1.4MB

Download
memory/488-1459-0x0000000062F40000-0x0000000062F88000-memory.dmp

Filesize
288KB

Download
memory/488-1461-0x0000000068740000-0x0000000068784000-memory.dmp

Filesize
272KB

Download
memory/488-1463-0x0000000002300000-0x0000000002463000-memory.dmp

Filesize
1.4MB

Download
memory/488-1578-0x0000000064AC0000-0x0000000064C4E000-memory.dmp

Filesize
1.6MB

Download
memory/488-1466-0x0000000063EC0000-0x0000000063F1A000-memory.dmp

Filesize
360KB

Download
memory/488-1467-0x0000000000400000-0x00000000008C4000-memory.dmp

Filesize
4.8MB

Download
memory/488-1468-0x0000000070EC0000-0x0000000070EF9000-memory.dmp

Filesize
228KB

Download
memory/488-1577-0x0000000002300000-0x0000000002463000-memory.dmp

Filesize
1.4MB

Download
memory/488-1576-0x0000000062F40000-0x0000000062F88000-memory.dmp

Filesize
288KB

Download
memory/488-1575-0x000000006BAC0000-0x000000006BB85000-memory.dmp

Filesize
788KB

Download
memory/488-1522-0x0000000001C90000-0x00000000022FE000-memory.dmp

Filesize
6.4MB

Download
memory/488-1521-0x0000000001540000-0x0000000001C84000-memory.dmp

Filesize
7.3MB

Download
memory/488-1520-0x0000000066940000-0x0000000066F73000-memory.dmp

Filesize
6.2MB

Download
memory/1272-1472-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3584-1479-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3744-280-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4364-1367-0x0000000073F10000-0x0000000073F1E000-memory.dmp

Filesize
56KB

Download
memory/4364-1326-0x0000000073F10000-0x0000000073F1E000-memory.dmp

Filesize
56KB

Download
memory/4364-1329-0x000000006A180000-0x000000006A19D000-memory.dmp

Filesize
116KB

Download
memory/4364-1366-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4364-1325-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4364-1427-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4364-53-0x0000000073F10000-0x0000000073F1E000-memory.dmp

Filesize
56KB

Download
memory/4364-54-0x0000000073E20000-0x0000000073E2B000-memory.dmp

Filesize
44KB

Download
memory/4364-52-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4836-1480-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4836-1481-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download