rhadamanthys | hxxps://github[.]com/sapperalfaboy7/nitrogen-v3/releases/tag/Download

Resubmissions

29/06/2024, 07:17

240629-h4e2matbja 10

29/06/2024, 07:14

240629-h25jhataqg 8

Analysis

max time kernel
125s
max time network
129s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
29/06/2024, 07:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/sapperalfaboy7/nitrogen-v3/releases/tag/Download

Score

10^/10

rhadamanthys discovery persistence privilege_escalation stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2236 created 2976	2236	RegAsm.exe	49

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
1344	Ninite WinRAR Installer.exe
1568	Ninite.exe
2072	target.exe
5052	uninstall.exe
3404	WinRAR.exe
3912	nitro.exe

Loads dropped DLL 2 IoCs

pid	Process
3376	Process not Found
4384	Process not Found

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3912 set thread context of 2236	3912	nitro.exe	113

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\WinCon32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR	target.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	target.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	target.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	target.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	target.exe
File created	C:\Program Files\WinRAR\Zip.SFX	target.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	target.exe
File created	C:\Program Files\WinRAR\Resources.pri	target.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	target.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	target.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	target.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	target.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File created	C:\Program Files\WinRAR\Default.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	target.exe
File created	C:\Program Files\WinRAR\RarExt.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	target.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	target.exe
File created	C:\Program Files\WinRAR\7zxa.dll	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	target.exe
File created	C:\Program Files\WinRAR\License.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	target.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	target.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240701062	target.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File created	C:\Program Files\WinRAR\Rar.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	target.exe
File created	C:\Program Files\WinRAR\Rar.exe	target.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	target.exe
File created	C:\Program Files\WinRAR\Order.htm	target.exe
File created	C:\Program Files\WinRAR\Default32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File created	C:\Program Files\WinRAR\Descript.ion	target.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	target.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5016	2236	WerFault.exe	113
1472	2236	WerFault.exe	113

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface	Ninite.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc\RemShown = "1"	Ninite.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641190743396572"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	WinRAR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z	uninstall.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
1568	Ninite.exe
1568	Ninite.exe
1856	chrome.exe
1856	chrome.exe
2236	RegAsm.exe
2236	RegAsm.exe
468	taskmgr.exe
468	taskmgr.exe
636	dialer.exe
636	dialer.exe
636	dialer.exe
636	dialer.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
2988	chrome.exe
2988	chrome.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3404	WinRAR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe
Token: SeShutdownPrivilege	1856	chrome.exe
Token: SeCreatePagefilePrivilege	1856	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1568	Ninite.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
1856	chrome.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe
468	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5052	uninstall.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 3608	1856	chrome.exe	71
PID 1856 wrote to memory of 3608	1856	chrome.exe	71
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 272	1856	chrome.exe	73
PID 1856 wrote to memory of 252	1856	chrome.exe	74
PID 1856 wrote to memory of 252	1856	chrome.exe	74
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75
PID 1856 wrote to memory of 2900	1856	chrome.exe	75

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2976
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/sapperalfaboy7/nitrogen-v3/releases/tag/Download
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa50b49758,0x7ffa50b49768,0x7ffa50b49778
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:2
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1864 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2820 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2828 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4640 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5236 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5460 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5632 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4384 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3524 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3456 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2892 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6068 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2892 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:2436
- C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe
  "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\c42806de-35e7-11ef-9650-da9ea7e36106\Ninite.exe
    Ninite.exe "0f6f71811ab2287aea1da03bc9c80ce007b3760d" /fullpath "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\C6D24C~1\target.exe
      "C:\Users\Admin\AppData\Local\Temp\C6D24C~1\target.exe" /S
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2072
    - - C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        5⤵
        
        PID:4584
    - - C:\Program Files\WinRAR\uninstall.exe
        
        "C:\Program Files\WinRAR\uninstall.exe" /setup
        5⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5772 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:1
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\NitroGen.rar"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5296 --field-trial-handle=1720,i,17741812037521382113,10203782584341345,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1016

C:\Users\Admin\Desktop\nitro.exe
"C:\Users\Admin\Desktop\nitro.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:2236
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 644
    3⤵
    - Program crash
    PID:5016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 652
    3⤵
    - Program crash
    PID:1472

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
d36be447f422abc82276af9cb2f2741b

SHA1
f3ba2f58a88086f1b420a7520a5439a9eb851b79

SHA256
82a495858708b726f26cb86e2fbab8df86b9008a671be4c1f6c4f24ed3013735

SHA512
b9f5ffe578185b2f112d0bba21fdd6677d64986445ff971e9f6e8aa87a4684c0722b97a473150aff2742929fcaa79f6e336bd05d462bbdce149d634eb2f2d3d0

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
0d76233931dfa993fd9b546bd5229976

SHA1
ce8de59e2277e9003f3a9c96260ce099ca7cda6c

SHA256
648a5d7064cdf2a86f465ea6b318d0b1ceac905f77c438dac2778a001b50647c

SHA512
dd7b6bd5545c60e9ce21fbde35f20d8807bdaf9e4408321f7f709c9324c719f1a9f68648260cfeb7e5f94f4eabc631dd95e348e55d93b32ea12e899d030b91ee

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.lnk

Filesize
1KB

MD5
2f0179a4d21cc116cb1e3b7d11bc35c2

SHA1
ec3f4e146a8478d964ccdccf58916506f955d131

SHA256
813e5ef297df7b919d24ede6e09d26eedaaba78836df3c126058376c46e43da9

SHA512
fa42361b9a3e97f84897052464efb75f0477edd4e8da78bb1a369895ebb672d63ba5376fb5ffc98f3a6fc4202c5c6151ea58488254b5e94e8dc8a05482aff8c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
115e48d721272cd582881255f85db755

SHA1
66c6c377ac26c37a84e1728db47d02bb19505623

SHA256
10fc3ed271279f868bc0e7407f1daebde0a671012cd2f8f45e3a8ec7273e53f4

SHA512
3cbce32172ecf0839eeb7fe73f20bc2d67c2147b3eb015b195820bde337ac5130cf1c0dc8205e78e47fef0c58b20a4abb5441222281a5fe0c13ab9cfdff9d3a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
fe60c260ece33c99ae4bfb918fc0a80c

SHA1
d4eda8ca85ad356706667fd494c252f5149c9d9e

SHA256
eb16aad2a77596855e22539a3ba4f86d59c820bf613f5d53e0b1851c479baa85

SHA512
b9bd86f3d7acacf3e180e86ccb9f140f1a60c94e52a176ae00c76f13399f32a446763b040c83cb014b7ad5262d06d8844d522c399e27c177bbe32f6728c11351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
6d1b25772a500f0e089744897b9262e9

SHA1
16f670204a7b20797e06a1e7c2100f7bf64294e3

SHA256
e6e04c2143d140a4b8d1ac4f907045d47a49516c9022b53cc9afe06cae00721b

SHA512
44d3d6ebd186afcf136f58000062a34d968ff4f7673d9ff8dc5d6a316dc08e111dafe34a18a8a55fef2de480fa7db8200c4508162d333ab5a1bfa24c8fbf2481

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
5d1580a91b75d0c6310e693e7139dd9e

SHA1
10f8c5b3df9ac6075a0b24a8490d7529ae5b5e0b

SHA256
2e2085e189e79df1973a11dcfd2c4ca3c0206dd65a71157b91870447eb499af1

SHA512
35bc4254e349f0cd2d099fc3b65309397b6efd65c4764b7fe0eb7152d0d640630b08fbffb5a049eb7c4d757692386014c3373da592b74b1d5191d44d11cdce1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
abc78935ebdbf34fa2ca9702ce7fff4c

SHA1
a491ccdbe08869eaacc0de91831ba1c7c8aa1c6f

SHA256
8178e99afdb535490d35a20aad3c5ef44089bc0c79fcd189187ce95237daea74

SHA512
db2278ff3cd52135a0cefe31e52c496b0eb9197ef18ddf05c7533ba994259e776b03302390f9b9d8ef8504d2d76b8c87c36f87b7738cdbb03ee0813dcf4fd8ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
79508bb23b2c3d9ff267b1524f1133ff

SHA1
9c19af8034cee4c3f5f405ee883350cade3a7e25

SHA256
3ee45a20e8e64812869c56937e41bfceae186fecf7d33600d4c56a78421f83c3

SHA512
653ed9486897587520358c3b5247a2700e6a03bfacabade8df2e18db987c3167e70c4d14da287f021ac5165e0ec8ac9b240dabff28df1a1eae5e4dcdda4810e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8976ca2265a2cb311b03fd01c5e4f453

SHA1
7d849cdb18c860bbc4316ac210cf7eb3ed88a157

SHA256
edee6e3f4f1d4e5a06d7a195077468fed0f5555128534b740088f9b1cb8c3c4a

SHA512
89103b9489838d65a0fafa742b7ce4f8825650d96f2ad3f94beaa71760c91121a1ebf795d54bce8512cdd76f370beb5fde5805b590e285664602f67863637771

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8e692598827978d1d9e54e60d5a24a06

SHA1
3f3cbe2eb78ad5beb4c5a0d63ceed875d85a2935

SHA256
5695f03cdcec78d5b0075e8582c76014af77f76d091426e8601c991afe2d4b4a

SHA512
0aeeccfa3d96a61b4fc55b269549584a53061eacd21e386dc75e55e562c96e8df848245e578d3872769068504a18c1f5c498196eff900a1e6b61598a1dd8c633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
ff8c6c4321a35366ddc9f80308b4ec54

SHA1
4bf8044663eab49ec75509bd331a1d10142a5def

SHA256
2dd8c6ebae0ec6e5a9b606cafeb641833fc02572e61cf7506035b3e6df03829c

SHA512
82dea2d59655a981cd23ec98aaeebc36f1c64534e61cb1ff22d3d46047ea7326de6931707da59fbb46a4d31b605a3b0a5650d8fcfa7b412a73349a09fea79971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f0bb2f7bfe0bcb23b2c94ee2fab35fd7

SHA1
cf303f7aa4a9badfb04bb11c64ed791dde5eeef1

SHA256
a61bb59e6766e364f7fb096151c2eb7c811a626bfedf99e21981c2513696da17

SHA512
b7be7db8cc0361eb8b90c6da7539cbb24463093419697c0d14f666cadb12e509c60b334d4125c07212858845a7c8a29e43b58f14afd79746efdee05abcb6db23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
77a2813fe2afddb991b5f997daa0cc0a

SHA1
50d4f7f1a82894ab2474c4219784e024f81a9a26

SHA256
f1072b365bbd3577e48883f6e87a3321f71afbda7f7f06ebc12ca78816461934

SHA512
6191c56a06890e91756e1132a49f067bccc1dd790fdd386bdc93565f8dd42c8fcceca3b0592028c4e4e3d8fa4060c16b27368e62eb730e08a8a1e89bb4322c79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2551b17d8d4e3caa6cf646ab04b77623

SHA1
9f981920276f1b1ef989d14790c29d0bcf1c0529

SHA256
427bc0a2a2bc5f2ba94188c148e826d6095e82556ce1d231b3546ec1327711b0

SHA512
6a950e5964573261fe0059e7c053af02bc5f3a69e22beebecc5ad562a910130d5fe83ade1327f72c4d1f06c9b5f1997bb7569f2cadea9713e6f7577151bc7743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity~RFe58b021.TMP

Filesize
874B

MD5
fd044cebd8a69e2481455cee8c9bce0a

SHA1
a02ccb4b0ef63f4b801d7f966876c6e52e14e078

SHA256
c2ea734942f2ae8c2d63472d78e6c6978598ca53b249cd9819e4b7648f9ca032

SHA512
f0e878d38aa720db5f173f51054ebe2e5be6ca3cc293d76acb158ddd09c6df1b254b177b6647093677a6a77608f945abd3a9d955897b5ad981dda122f64223ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cb6c3c2caa11045b4dd033cffe26c72c

SHA1
8131cacb0fdacec51b5d8df36d649eb1a31fc933

SHA256
02f366b7310e9b83a829e367e4038f257cf14f73aba2398edf767220368006a8

SHA512
dd171a1e3dbe8587a5a1bd5ccc4b425953c88ad93dfbcbcd7a1ef0abd776667f6582766e447f48c7e5ca2b265ccd38c55596decea2e5a5a5ac50c02c1c3ede31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
70120b723fab94abc02b6edbcb418656

SHA1
d5841328d7959076ef0e75afe9c1d9f7a6f678f9

SHA256
ecdffaf456a2daffe6749d61573b015a18d53f8ba88b286335dd2f99fe23a885

SHA512
20c09c36aeeb7ac80c8b4c4ec306c5ad2fffb05fcd791eeb47dbb2cad56242cea684c0fb4809d062bebeb1cf94d743c1cbb95bf0381a418418f7bc16a093ccc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7d233bcc64f004565ed278b137edb576

SHA1
6ebf3ba48d4a18858bbebbf5d4be9c1886e6432c

SHA256
475c3f9eaa13386b51068f6a12e70af41c1528224d31baab26fcb2c9eea0f147

SHA512
e3f2ea3e2cf75f2ada16b2ae1400cfbf03ac7555105c33f2073a30108f49e88e6a8288cb0b2ab7daa08406036fc2a07c4f11cc2c1c6f9ed5ab521effa529eaa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
74d250239175e6c611e7e1f135130057

SHA1
0140c30ebdde88477a0b4869d579750ee77a704a

SHA256
25f0c86c0987fad66bf3d3a1fa13ab49938c8b2f00f504878472f441545fbfd6

SHA512
3df3004fb51e398a4b4afab1db0e92d3ac616cf4316f846857c85fa0e51906bb1725d64d8e789e094a5104a5608fc3800e33fc932840c39a0de68d325cfe078e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c239c29d9aca703199ab77947f7b9092

SHA1
d3a83200893e24f40d31bde4207d7bc24364cac6

SHA256
08d1c1e4a67dd4ef07de41e68eacfcc8344fbe921d68ee4bc6466d4e3e73de37

SHA512
7089e8826385dbdaabf0b6c086608559598ea94498b7e10c0eafbed881b3fcbd6a689dbe10c981df56ae77c410164c7f209554dbf37ec26dd15dda374c91b2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
5KB

MD5
c8238a92cc7e75d69107babe661506f5

SHA1
75f01f499c050ddc68a63230385ba4c93957821c

SHA256
50a9afa7996e8f069d7c739c5fa8049c8b6c394c208e4273f9dcb83de0b34740

SHA512
07af61a09cf3adc2154ded8d5e6cea84f38cf1389e26dc851bb713ad8607bd759d2588954646f937b3c6801ff3510f256f16f484132db664e3a30acaa1a167db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
5KB

MD5
4d945c659e56c9a302a3b4765137225c

SHA1
bc86df929add269cc920a0c97ff6e67dd057b027

SHA256
73853f167c463a515fcde7dd88a225e1743df5fcc29ccc232bbd0bda4dfa0eac

SHA512
7a6ef5ae5b4cbf9ebd4bb4eaaf0992611c59caa763f6f26749aa56316ac3fbf1b18e558e8cde339efef0b3943694ff574cb3f7e59b5c7de32841aaccc31dbd87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
4KB

MD5
1bbc153c4a42f18ebc602b8b196d60ed

SHA1
4f3f4962b4a19fd315212f4cb6de2db8ddd54da3

SHA256
56c124d56d272df65770852adf583e6c60a3b1bde6fc11ece0196c9f47074481

SHA512
791e7da2af70c0367405d50e852ee7bb5198f1b1b0f69fd1ce1097f09de9c0b6646e5fdc01542b4c165ee73b295c3a4d6e8851bf402f4b7f3276f40a54bf33d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
5KB

MD5
34396d90545ccc047ec0c5f2967faf6a

SHA1
c95c3fd173ebe0c360fb8ec45a51d029a2f808d0

SHA256
573190f30428878978a9ccc5eb89fdd75b6b0114f7f84d8700344a23d5ec6226

SHA512
963369908a03a8e6d0b258569c3459cad3b5e3323dd43f8726879c50afd575282769b5b15e2149ea624b0c046deca605dd62abcddbd0d7071695c34071ef3bfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
4KB

MD5
bc4dcbe77097692df3ebd8edbaba7a5f

SHA1
d18b9f502fc8addacbaeece12f04470b88e0f5d8

SHA256
50a55599987e8bb2b245a6ead0daee1f7da1820fa137c80c9425f0967802babd

SHA512
e7ecde76e63e797a84fcdb5d7f03fa1d31fccf8ab22347a4fd6f0416fc893fcac07afc252cb10b4154a4eeeba802e1883e6ab809daa5b44ea3ce85d71f78f86a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
22KB

MD5
dcd1910e19c55cb69ee5e59eaf43bb47

SHA1
4fcad077b5f2fc0a610b9b4e6d5f0155320090bc

SHA256
e346aed3ce1a2f58f6a01975c4a6d2335a8d63ca30aaf6b9c423f1345ccc405a

SHA512
187a0c05925be391d61fbf533d834655ccd579bbc734b7cf5895505bd157928b9b05ac9c6229611c00eabccfef635d27f3ee499040db98aae580d6ec015f4aad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
cbb6cf86e483d0bba6029169e31599c7

SHA1
bdfb11589ae06e1ea94d13004ca5c789e1975be9

SHA256
5f27ec7b73b15cbf18e212489b6098460ec11d0fa44ef78c480160e981f64589

SHA512
3d758d18382e200eb6800015b273a41fb1fd335ded70e2c39e5061cdfbe5a672620df61bc4d49ed292cbd0f823c377365e63b8046cd72f0cb290d85ef85253ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58d56c.TMP

Filesize
98KB

MD5
f811200e3a8a8c980d82ef00d1bbae49

SHA1
0f530f970958fb9452f07d8da67200fec5706240

SHA256
832226e945ff297ae4d01fc3e9777bb614625a5c1a5261d2b2b87e8399f70d16

SHA512
60a84f34eae53bf39ba2bdfa952a0c55d7e8c539ab036a798ccf6c11cd56289ec6f5c8f53c77d7697a82c6d967a1bfdc1e1a296bd4d9d7e1244a92896ef14cdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6D24C~1\target.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c42806de-35e7-11ef-9650-da9ea7e36106\Ninite.exe

Filesize
1.6MB

MD5
f1db4fe1d4559183cd1b35a257c970cc

SHA1
57d3904540930c3ebf80f30b6b6097bd055b6940

SHA256
a5f912ccbde324b7c5f5d81076ccda813b2d80d311f4c854d358b85b02094d56

SHA512
7ca2546d31b88d701d195adf62e10209f3216033692348b4f8ff54e254baca7c1e72dfbae66ccd5e684cf53900cbed3f5a05ddc24adb251ce752541fb1f56c69

Download Submit
C:\Users\Admin\Desktop\nitro.exe

Filesize
448KB

MD5
247e118fea545a3c2fe66e2f6cbb909e

SHA1
9b3111d641b4d298c1929bb854fe625dce04a31e

SHA256
fb60104722bd3e978deb9f646a66c645669b56976f3860422151936945104b0d

SHA512
339d33716e0906b40ec99e959f364681af828d9e4c6756955ca20d4bd309ce534e77593d9e662fbf15b848f480dcd6ca73d94407499b067e1984d0070af96078

Download Submit
C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe

Filesize
415KB

MD5
469dfc626de4d1fa8eaeb1a377b03d5a

SHA1
c4035adfd7a61aba930e17e9e0696dfa54d3cd9d

SHA256
8f80d6cd5bb4b12e474c945e10f44507d11ae0979853306eb4a481384fe1833c

SHA512
265e43892fbab4053209dd3a31d23f3a7365d6059854f97244645526225a56ed2489a6c996857b2b17b7835df8ef57103fb19c7d88b2d683c5f302f07a138eab

Download Submit
C:\Users\Admin\Downloads\NitroGen.rar.crdownload

Filesize
8.3MB

MD5
ede1266566f1f5b72445b54fdd777871

SHA1
03174101545f6d9b39a39628c851ff217fbf23a2

SHA256
587322c9740d55c91f25992cdfa74bea19ee360e2c435a2bc099f02605166dc6

SHA512
5ee0d863d74d407b196ac3480e0921ef77c0c084a626e85cb0c16c2b09ef62c1d831debc87b4a0b6c5d7d71e3e778c7e5acad8d374eb922a55589f66794f2829

Download Submit
\Program Files\WinRAR\RarExt.dll

Filesize
636KB

MD5
1e86c3bfcc0688bdbe629ed007b184b0

SHA1
793fada637d0d462e3511af3ffaec26c33248fac

SHA256
7b08daee81a32f72dbc10c5163b4d10eb48da8bb7920e9253be296774029f4ef

SHA512
4f8ae58bbf55acb13600217ed0eef09fa5f124682cedd2bfc489d83d921f609b66b0294d8450acb1a85d838adb0e8394dadf5282817dba576571e730704f43ac

Download Submit
memory/636-532-0x0000000003230000-0x0000000003239000-memory.dmp

Filesize
36KB

Download
memory/636-537-0x0000000074070000-0x0000000074232000-memory.dmp

Filesize
1.8MB

Download
memory/636-535-0x00007FFA5D310000-0x00007FFA5D4EB000-memory.dmp

Filesize
1.9MB

Download
memory/636-534-0x0000000004D30000-0x0000000005130000-memory.dmp

Filesize
4.0MB

Download
memory/2236-517-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2236-529-0x00007FFA5D310000-0x00007FFA5D4EB000-memory.dmp

Filesize
1.9MB

Download
memory/2236-531-0x0000000074070000-0x0000000074232000-memory.dmp

Filesize
1.8MB

Download
memory/2236-528-0x0000000003D00000-0x0000000004100000-memory.dmp

Filesize
4.0MB

Download
memory/2236-527-0x0000000003D00000-0x0000000004100000-memory.dmp

Filesize
4.0MB

Download
memory/2236-514-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3912-502-0x0000000000AE0000-0x0000000000B56000-memory.dmp

Filesize
472KB

Download