rhadamanthys | hxxp://91[.]200[.]100[.]86

Resubmissions

05-08-2024 19:15

240805-xyhynazand 10

05-08-2024 19:10

240805-xvvhaavhnm 7

Analysis

max time kernel
728s
max time network
724s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://91.200.100.86

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ts.exe

description	pid	Process	procid_target
PID 5956 created 3464	5956	ts.exe	56

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ts.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ts.exe

Executes dropped EXE 8 IoCs

Processes:

ts.exeskx111.exeskx111.exetsetup-x64.4.9.4.exetsetup-x64.4.9.4.tmpts.exeTelegram.exets.exe

pid	Process
2124	ts.exe
3704	skx111.exe
5988	skx111.exe
6156	tsetup-x64.4.9.4.exe
6124	tsetup-x64.4.9.4.tmp
5484	ts.exe
6216	Telegram.exe
5956	ts.exe

Loads dropped DLL 1 IoCs

Processes:

Telegram.exe

pid	Process
6216	Telegram.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

Processes:

Telegram.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

skx111.exeskx111.exets.exe

description	pid	Process	procid_target
PID 3704 set thread context of 2020	3704	skx111.exe	111
PID 5988 set thread context of 4332	5988	skx111.exe	113
PID 2124 set thread context of 5956	2124	ts.exe	119

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

tsetup-x64.4.9.4.exetsetup-x64.4.9.4.tmpts.exets.exeskx111.exeRegAsm.exeskx111.exeRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup-x64.4.9.4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsetup-x64.4.9.4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skx111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skx111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeTelegram.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673589489017993"	chrome.exe

Modifies registry class 17 IoCs

Processes:

Telegram.exechrome.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\DefaultIcon	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -- \"%1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tdesktop.tg\shell	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\URL Protocol	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tdesktop.tg	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

RegAsm.exeTelegram.exe

pid	Process
2020	RegAsm.exe
6216	Telegram.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

chrome.exets.exechrome.exetsetup-x64.4.9.4.tmpts.exe

pid	Process
1692	chrome.exe
1692	chrome.exe
2124	ts.exe
2124	ts.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
4456	chrome.exe
2124	ts.exe
2124	ts.exe
2124	ts.exe
6124	tsetup-x64.4.9.4.tmp
6124	tsetup-x64.4.9.4.tmp
5956	ts.exe
5956	ts.exe
5956	ts.exe
5956	ts.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid	Process
1692	chrome.exe
1692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe
Token: SeShutdownPrivilege	1692	chrome.exe
Token: SeCreatePagefilePrivilege	1692	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exeTelegram.exe

pid	Process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
6216	Telegram.exe
6216	Telegram.exe
6216	Telegram.exe
6216	Telegram.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Telegram.exe

pid	Process
6216	Telegram.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 1692 wrote to memory of 4508	1692	chrome.exe	83
PID 1692 wrote to memory of 4508	1692	chrome.exe	83
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 4000	1692	chrome.exe	84
PID 1692 wrote to memory of 2096	1692	chrome.exe	85
PID 1692 wrote to memory of 2096	1692	chrome.exe	85
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86
PID 1692 wrote to memory of 4620	1692	chrome.exe	86

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://91.200.100.86
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe7afccc40,0x7ffe7afccc4c,0x7ffe7afccc58
    3⤵
    PID:4508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
    3⤵
    PID:4000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
    3⤵
    PID:2096
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2384 /prefetch:8
    3⤵
    PID:4620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3036,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3052 /prefetch:1
    3⤵
    PID:3900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3040,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:2120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4608,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:8
    3⤵
    PID:1360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5132,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    PID:4068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5124,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5288 /prefetch:8
    3⤵
    PID:2632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3820 /prefetch:8
    3⤵
    PID:3484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4808,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3768 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4856,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5100 /prefetch:8
    3⤵
    PID:1400
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5164,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3768 /prefetch:8
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=956,i,3332746137709646819,4022258052750002978,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4644 /prefetch:8
    3⤵
    PID:348
- - C:\Users\Admin\Downloads\skx111.exe
    "C:\Users\Admin\Downloads\skx111.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3704
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: AddClipboardFormatListener
      PID:2020
- C:\Users\Admin\Downloads\ts.exe
  "C:\Users\Admin\Downloads\ts.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- - C:\Users\Admin\Desktop\tsetup-x64.4.9.4.exe
    "C:\Users\Admin\Desktop\tsetup-x64.4.9.4.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6156
  - - C:\Users\Admin\AppData\Local\Temp\is-NB2EK.tmp\tsetup-x64.4.9.4.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-NB2EK.tmp\tsetup-x64.4.9.4.tmp" /SL5="$1101C0,40563523,814592,C:\Users\Admin\Desktop\tsetup-x64.4.9.4.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:6124
    - - C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
        
        "C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops desktop.ini file(s)
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:6216
- - C:\Users\Admin\Downloads\ts.exe
    "C:\Users\Admin\Downloads\ts.exe"
    3⤵
    - Executes dropped EXE
    PID:5484
- - C:\Users\Admin\Downloads\ts.exe
    "C:\Users\Admin\Downloads\ts.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5956
- C:\Users\Admin\Downloads\skx111.exe
  "C:\Users\Admin\Downloads\skx111.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4332
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  PID:2628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a60d5fb50d74c655e95927209a3944d9

SHA1
aba056363087ca64c6a891a577556e7761d135ba

SHA256
4ffb1410cc2c4848580d758f8749b91f987b728efebbe03247e71a822d9af786

SHA512
63662e7073abde5cba5599fdb4381f766977be8a1f9fc324df0ca4a2db2e3d522d97604e1c3e5f75aa97dc3fc3cdc46c8eafb161659253104f03cbf0a03857a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06262606d02cf28ffe3d8a328cdc98ac

SHA1
0531c24c48b83169fcfb881f2dd9ed106d8c4a18

SHA256
3fe1abb4d56b49ae4f9689b6e7d6a5399111763b2e7ea0024fe8b378916cd94d

SHA512
8e546beebdbdb5e17cac1bdfe0c536b169880074abefa45f5c8a48ff1e10b5df9ad97082f6a36ef290aa2a3c020a05c5db2a6fb3c293050a70c9dbebd160e2cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
965edb9184f4abb5cc4ac7c7252fc837

SHA1
79a9a595d7019f799155de19fa27b093f8862cc5

SHA256
958e8430a25d947b99494f287fa2ba2db3e83d79005c189d0c2f21a64f19605f

SHA512
e213697790faad4198cf9ae3751fa407eeb119a3808a5875e0f5e530824a1ff8bdd7288be1323b9f91210e444a17b5e16349965efeb8eaea5264465148814418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be7a25addf4bd1bcb56fcb50329e7959

SHA1
a5bd34e579ff65eb8b1af89bcc23edafe72e4e3f

SHA256
11892c37aa022bd320c3560e684323d54a8576764086d06878205f4982d21409

SHA512
bc5cef29073e5759c17610383f18e72b0d7fd7b37cd613096c6b9fc0dffb023ff4a870a2658e8386fbe244a257282d8d357bef3202226ccc36f2522424085408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d89c412beab88b9b10190614ab13862e

SHA1
ecc45776f44b60b301f6671aecd8cdd11c05208d

SHA256
68a1586a77173745f34e9c37d5ff8f341e4a2e622a62c2bf7384c35ccc522bbf

SHA512
23cac87474bdb6dbf3df5473f34e1f4c5386607268c9e2588a3b2bd104fa857582251dace7fe11942c2b863337b9eda4a9cb66e5bb4a4084d192fe373e7f6c80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c147309b883be6aa8c9694de42eb56e

SHA1
50e462d7d4c1da0fc5d652febeb5dc03f904646a

SHA256
ddd608e38620c3979268cc6166eee5a99864ad8c67d2e3749fa4e0ddbc203a75

SHA512
28b649e08a6e7ad87562e9d6cb3cf47c01da5765113a9cd0eaab6c1dd52f4f4365864d1a64e4959b4a5dc22919446beff83d07eb85932928822f4c6f3dc4a69e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8923feeaa767b7729e157d408edb1a02

SHA1
5ee22541c84282ac398399b99c7a45acaab15445

SHA256
d2abbbd7e67b2beb3f83c7867ed1e7ce1c5d2403f7d8882961f6e034883eca29

SHA512
e8e4023b6ef6ddf214c8dab051a85acb8b5776eebd4c3a58cf80f6d7cb1afbe38c4490bb62c32124a032834c16c76c87404841393c75f5741a2abe7cca54b87c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c424c4f29a5bba3f3d4f8db8f81e5ecf

SHA1
ac0aae58cc5c76439acb7990b1424853c2aa1154

SHA256
6201cd15e79fcef95e9aa7922730f69d11692da7da5da70e852ea32dfabb3c6c

SHA512
c3ca210d77bac23afba6cbb1cb839f44c6040b76ce9b7c32b2448c55dd91440f43c886c1fcd8f0be727828f89922449e285e32850c62f5f3318359da286f5846

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22ee9c673ea6fed1b62997e246136f1a

SHA1
835c1dac8b3bdfc09e123cee07f1b6e48d4d7a3c

SHA256
8ba955f1f618c73806bc2b0694c92b3e8a3c5e7209905c1eabcd46223fa81fc8

SHA512
4935fe933dd4adc38924abcdff9cf1676386812d12157a2873507fd787f3200e7ebf70ddae9df505ddb0219e65092741cb2fdff9e24f14f318c4a9bb349f6463

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d2136601be387757dcc3ed71f46cb756

SHA1
c840f75a6ea68e295262b841e3cdcf51438ee78c

SHA256
af9bf60b3b1c0ecb1a327a5871e229a93adbd9fce6aeb5a1dd4babff53857788

SHA512
bb7c58410700d464cd074d37bf76b9fc6d3eb4e60eb12710406781bda46ab07e4d75fbff88dd1cb97bf3ce225cda2eb5621c1c829894f210eef543255f78e189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8bf1955032b8ad035355db89b2031bc9

SHA1
94bc02d56a55a81a7f853729ca2474c9961df10f

SHA256
43d99eadc462ac2cd98e0060100e23aece25b0cdab8b85406a62f88cd1f8d3c7

SHA512
9b2205045b9caba9b6302495b40d5c7d2b95880bc16d57da60176e47a23d377d48c4651ed622ea4b0c774d7ca50ddd7cb84fdfae452ca06dd25682da389e8e1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8c5524622adc9f1e1a978c1c7ef7b656

SHA1
1efe699210ec755c439febbf05a91d0149daa0dd

SHA256
28c9b5374708964d30279b0e1d27cfe267ad8af2e0dcb3e6145da8f778c37f72

SHA512
0fee3588458c61676bc0d3ca75b6a1f5899ee0df42c29b881db6093013591211534415b783edf984cd6f2f7a06b7cef1d2f19b55377be9dcc423fefc93015e72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fcf0cc2f82deec2c6b5c1a8d0ecccbe5

SHA1
ef94d68196b607dcd2202db2997ee667787f5825

SHA256
e2202d3d6595fbb2cfc469585687faab5288dc99762476c8b7e4077213975e99

SHA512
8f51de3a48d7104b171d92143d512b5dd922bfb1ef12440d205e19ac949ac3b00ba4838fdaca8c932a1a198cef5d45bd926fec366440c1d2bb57f08e54d95955

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5fd5c6f122b4b581e9513d4b6c1bbfe8

SHA1
0708771b10e8756dbcc145ebd0786f813211c0b6

SHA256
a2ba3ae2a468d0743be438a40728ad84086da5d3f9748746f6460d621331e0b1

SHA512
474a2931e7756eecc14b262d931866230a2d30553af1fb2b7712f4f41973f7e22964f8be717b1d7190ad4e4706c98d52ae990af8f3597a6f0c9cf230293eed63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3307c36217d927062b4015d5ea3f99cf

SHA1
b4748fd0b6c770392f072d702cc0b159bc2916ce

SHA256
3a65c5fd3d9937ee55286168372f65812b1867dde2119e161e5a73518749b3d2

SHA512
0731f944b884cf7e3fdda0b3ebc4176ddbd0982973ad92d7ea3b7e12d6fee3daac7e1c005af9edee04a7edf168315733787a1b110ba1504ebf9767992f65edca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80dc208094ac8d06bd3b14a17c067d44

SHA1
5bf77c7c8781be71e4447bfd234ddca67e6a702d

SHA256
6af1cb9a6f7f71f75297a4f69bc538b70578e8ceb4d92de80133b7213701a7f9

SHA512
2fd28fcfca7287c4ca76be89fe68ced721593da0655f9c6e5d7dcc000aee855532ebc58d994c2e81d9a1e62e4e1d97a0deda5b5429909b45aa869e67aca29426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee31a1b60ae3abbe5ca4623c3e020dbb

SHA1
52f57f914691309d44b7d83a6a2e01853a417d66

SHA256
8751b99d3d09425c30e31dca1f1fcff5f14df518c51ce3ae4ea09de41ae9280b

SHA512
af1f3e4e371394d3179a9e8c2d1d87ec1714e2f168e9a02f08c7c978bb4bf87869d245aa73702baceec936d94a19b93d48c008e3aab5e45fafd9f510ca4e60c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b0bbd24779a8e3f052d8d13b953d137a

SHA1
32fa63c1bb0235ea45d8c486dd672b7ba815c28e

SHA256
55dc60a2d0e882101bf749bc70c1f21fbf888fd329a81499fc415c73cda34c98

SHA512
98a98f6a97e85b59b89c951a790cdc02a5ea5f4642437c7da3b9fe0829c90c9527173b16632905226023f0ce5a915acd9614b1931ba62807a96e78f4726c2abc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5796ed32cafe5625e3163735156a4443

SHA1
1e2b68ed4d5e38d59043087d71823aa671632583

SHA256
39a779a0f2b4f8d01c39b1a502d3b64d8492e25f8670364ec01e34b5aadce382

SHA512
8bc4c6f1b4bdfd51476eff777e6874ef339af157b9922c8d5f5f96fd15534a0aecacd415b2f964b9b699767fcd8a2fb47172dd8fa9adf6d6fc4e9412ec12e1f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a9e03dfb3d9794f2aaa44d45b775ceb8

SHA1
6bf3cbd18f4605d7f2729b0b04e04d3018fe1589

SHA256
06cded7b7339a1ee74e9706bf89dc05618025169df56589eb16401482149786c

SHA512
98110ddce614d95538c451ca3a0b126e71c8bc2a6b7604ae396d8134e49488420abbc460f412ccce4aef7db1d6064ac8cc7032c8510dc97f95e7753940412867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5c4fd2f38a9f8cc44af40f1833a8eb8

SHA1
ea27fe83cb205c80f4040d337190a26e6ce1817b

SHA256
1c7c85e9af112d24a340a6d87ab8e802d491e79770aa7c38f77e81a387bb8f57

SHA512
46f16cbf50ac74176b8df63e3018fcf3cf321fd6144893a2ab0db2f63895825c7bd3f7206860cb16a4026433be566d8f269fe4151eaca5283bcec7cc449da9c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25e93618231623772cd889465ca8a545

SHA1
84d8b22e8a9bb57f53beed3c5efac50c6d373fc7

SHA256
fd189e04f44edaaa9159d694e6f64b6ef1e8968ed997c0b8852808e4499ec18f

SHA512
b17f8b6e0436eb71b19831a6082359ef31fa45f5ce8134184378a425cf280daee2bd43ada4834e2278018be8e927b7c43dd2de83d883032ad24d33ddc21a5a67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46429b37cbfa175df20e7cc78a076f9c

SHA1
b2280f9d14c3ad1f64777abcf5765a2bbbacdbf8

SHA256
236bc6772870272fd77565e9e5301a6e9407b7b63c4a7f92236400dcee9de0a7

SHA512
b37af229eebecca7e5b2c94da7c6dacc314897b302fabcd0f44ec71592d86873e8ef83412076c990d201d123379ebe255938455924319c1af6d89906d8a710fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15f49a7d0b9b709e8de2fb72bf2ab80c

SHA1
699b6397b482658a5d88d60960bc6d7c061f6e5d

SHA256
bc0b8283353185b9460eafa86deef145a95198166ec2856e790e195d79ffe747

SHA512
117065b8d167fdf06feac4f5257c222bd2718cf7f815ed02b8370e37949d5bb15b1ef41e10a4bcb626e16fe5ef382d2a21cef22c12a23de8e3067687cd99d702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b08b49d53e8bceb90c3a7d1fa8d5f403

SHA1
7cf7fb3ef2c3eb37e9f2fbbea9810584d64c395a

SHA256
5e745a4b7e5229ddd75239f47a53f2ee4df959ef38441547999bf7b59c28358f

SHA512
85a98cbf9725fc8d41a589ea11d806ec797f7708349fa317c45be1e76e40aa4bf1de330b7270290c245b850cdb6a6a003810126c8807e75e13fbc2cbbe5ed762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2950fbd0955e0c84997f02fcdc619cd2

SHA1
aeef7befa027b3d7b809c395b409aefe75840c6f

SHA256
7f870733ece051f0fc94438d669e329f203d1201ea90fbb0cb7c5a6bf86c633c

SHA512
ca753772f196f4480b220fa44a45213d1667ffa0c568fea59e30baf55c1298ac8b6b244829e3924592f16a589660b30288cde7a782b9410c8737338257a8a2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eacef34a221df060aa7ed3c7f59e9dc8

SHA1
fe6c16e176fabf2c8be56e82427c37430769f8a8

SHA256
25632edf5f4d0771e5ec01134a74e9855fe9107addf861aaff88c56b347d4c45

SHA512
26dddce081df39393a02a2cc8a4ec0d4fc7716967359ea2d528d4b2be996a43d5eaaabb6ae7c051838a7bc320e9b0d0734baebda6a122b471173429ec87c1b88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa389cf6857e6f66aaed214d9477647f

SHA1
f4520cc299519f3429e2118b13a7ff9264c931bf

SHA256
f53ffc4905d9336cbfda3dbc34d44cc01170ccfd5cc78b98785f58e96f74314d

SHA512
68aebb484683c845d4052c6bbe7b1bd8f1b5a5821cba3f9a0ca8661c77ee574d8034dc4924daf3c5308df26f9dfc998f1787b8df122fa89642f2a2fbeea9f7ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e563367ff471e3389b1f4739f6c212de

SHA1
9574ad2470d7e791e52b132445afa22900aead15

SHA256
4626910a78537c1ba03e47fb2dc9c40973457bbfff756ae9280d5eec74c864cf

SHA512
01aad0f9fbb4920c98d073fd6af404b923add5baf49d1aeb257d6adf2d5311f34109f6bc297fbd213c19cb081eaab6ccbcb7dd725a03f1c8be819d672064290e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3a9f5c9e95de422deae887c1565d851f

SHA1
3707e695c0149c0497c91f3c219da1d7c3ba51a3

SHA256
c4bea2e19f32c32347e8e481c3760ba9def2e4b72da968187c3f40a82405e954

SHA512
7513ac9f3396c64132021b580425f5f06b529bc1d2f1b4d21dac5fca3522cd32bcad4aca2acb50710d9c17456f3e8740ae7795b961adc5a8b10ecf2fa878e176

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e218267c0322e2414cf2d68094101ecc

SHA1
3cef61c0a061deea6b9a68e4fe038f6044dda209

SHA256
1373ad5e68dc39683173b1e82545bc51a81eb2feca8b35766d71c6bad34ab717

SHA512
9a778ace10c82bf5f8f2e4dd34c7d309282c56d8e970a8f4583306e73f50f548db21af9776ed4f5c635851eab4ef98515fb728d146014dc75482a9e542850b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
00ffc8f199edceda0ff80d3a5cbd50bf

SHA1
103a53acfbe484ddd0ed88331b7dd3e2f0d830f3

SHA256
f9002e0c791dcad8b411d33a1a937f76cc414508392748505769d93d995524da

SHA512
8c70eb10ac0eb5435c2573b16f5a3ae6de4342f1e7193bb757e4b103137482eeee6545a84edd705254eb2688616a132abecaee8c756a35bc59e6a342c33ed2f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6b0d12daaafb1588bb1c503689f050f

SHA1
85e77ac9d50da94bda24f2d88feb4d11bbd7d44b

SHA256
14168b136052f8feb5e1ba246825efc521ecba0e3378530d349e1f66d7bef85e

SHA512
422cef7e30869ca485a250ea870eca244ef51e901748a951d336bd7e2e000322bf8692627548bc12d07efc0c049f048313f576185c5402420a61105e2ced1902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a1675cf313582592597063cfcd41d557

SHA1
944b93e6e065a242f49858e79422b8d14c0b2e98

SHA256
019ec182216bd158320471b73cc812c98b29a416e7b3cf13bd17d1e192da8bf8

SHA512
fa829c345aed04e093861721309cf6ebbfec76ffbda5e236a766b59e6f2976629cca51478f914ed97d81cb827367ebf9e32d08b73a30b6c033b826499917c323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b6819387e8089e6de4834583c26ebf0

SHA1
1ce52fe660997cfa8e403033d9e3b773f6a5f196

SHA256
74dc59126a34d921ef2cb43f60b130b28537cf284f71a4b08038fb5dc1c2d6ee

SHA512
beed743d6442c4748d52a1e83ac5f05d9fd9e96b785f6248c837d85f856d2f29aab83143178b4a11b84f089826294282fcdc52ac20ed2c943c226ddb2db8615d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d6d365d717d728235765aed019c2ab21

SHA1
36ec8127a9a707a4bc1aacb41ee853ac930ac4ec

SHA256
ee0203b8abc43a32aacd137d25e403ba428c1814cfe4494bda144cebe508c315

SHA512
d3d89280cd081918640646b95cf436f7a59d746c0fb1ca4cdc9eaa8a7a800be070ddbc0e2e86b387455c107747b5657ee1aced7b3789deddd5ca4c0b9dc59f76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d0510dd19acf7769e3161bfe0452240

SHA1
a0d3f65a94115b07c36799aa7c81f5126da1dd7d

SHA256
5c32f9e1ab4f9b58427f54477826596831fa7f446d111d7ae8a741938e28f7de

SHA512
0630582c1f3312f7d1785a5a16a171d52498988f6ee701af5b7b27416415db0176b374e4620188de7ab4eaad9a216dbf10716ca2e8cdac18dc08e2537c810ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
af77467745752f7888434408a242eb50

SHA1
2600ab5ca8fe2c857317157b0bb9012c9f818c1e

SHA256
7c7b2d0aeda5dde883fbd213aa72336a9aeb53583c7a83074ab68d12bd843ba0

SHA512
a6eee87130c69f6459c1652f3177919c7ca05eb9942eeac7dbff7f9d29f95cf5df80bcb49a461b3adb83bacc5a844a96fc939b8f6d921b24227e6b7f22dae1e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
87898567a8ce35789e92685a3d09a091

SHA1
70dfe893c5bf1af27bf80d23ef3e27cc258e22ef

SHA256
b5686bba9fc92eda40992e4bb651045b963bd343456d724a94ccf57911dab933

SHA512
abf4f6d50da8fe8106e983b0e04561fa68eaf4bae25d482baba26523968bb61322b742c6427b801e2b3dcbb1a3dcd49d6cba73ebb979b6b20b4dbb23ca6937b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NB2EK.tmp\tsetup-x64.4.9.4.tmp

Filesize
3.0MB

MD5
00b1abecaab874aa90802eacb452777b

SHA1
fceb8b05fe820cc123853dab33c0c2d674c4a13b

SHA256
abb50d96a89230f2b7c634c93095984524e275c5e2428d6f76d4df0e8b70227d

SHA512
a516bfe2eb615ad0906c2551d1f73ee542b65820eeab2e09728a6e2b6797b740528490cbd075ba8d3a9d18a252ba3ce53146b667cbadb528ca601cf70411b74a

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram Desktop\modules\x64\d3d\d3dcompiler_47.dll

Filesize
4.7MB

MD5
62a89e7867d853fee9ad07b7c9d64379

SHA1
944a53602492187308352103d80ff27af1093abf

SHA256
d412909f1b597045b856caecedfc677eb4708af00e5b70788a01fa6af49c09d9

SHA512
7f66bf278222bf1079a3695ad55086ccc7d8b05d7db4f9a5bcbfe4ac8d82bc1a618b1c6dc675da61d47f48fce2b0670ce6f66db63e79e232604304cfc629d6d0

Download Submit
C:\Users\Admin\Desktop\tsetup-x64.4.9.4.exe

Filesize
39.5MB

MD5
baa5106fee67a9e17a589c9158db173d

SHA1
671c463276497b04efddb227c16e9469d4938fb3

SHA256
8d9fc09be8f851ab9b3cd33c100f5c1609561a070e61e1b6a2f2988138695bb9

SHA512
1eea8c2095f777aad4da3a591a1b445d4b0da4cdaeaeea3f0add36b39085d1cc708227405504814eefccffd99c1563fb93d52f9683c1d3995d5d49f2c6fc697f

Download Submit
C:\Users\Admin\Downloads\skx111.exe.crdownload

Filesize
3.4MB

MD5
2e0f601995d25e0450495a0dc2878020

SHA1
445d778481648f5195de19674da03763c2d648ac

SHA256
fbf8a85d0acbf3e891939ecbfeade11e445a897277dd41c30bd27abddb7f4d38

SHA512
7fd712ec6d6013f44cb9f65694edb980f162a5ab38ac1017c22d069a92c78ea8af3ebcb6393e0ab7563832d54717a3f0361704304013b1833585306f7c1b158f

Download Submit
\??\pipe\crashpad_1692_QPIQRYZKNXEFBWTB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2020-1222-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2020-1223-0x0000000005230000-0x00000000052F6000-memory.dmp

Filesize
792KB

Download
memory/2020-2076-0x0000000005450000-0x00000000054A6000-memory.dmp

Filesize
344KB

Download
memory/2124-97-0x0000000008E50000-0x0000000008EE2000-memory.dmp

Filesize
584KB

Download
memory/2124-4212-0x00000000088E0000-0x00000000088E6000-memory.dmp

Filesize
24KB

Download
memory/2124-4211-0x000000000BE10000-0x000000000BE2A000-memory.dmp

Filesize
104KB

Download
memory/2124-98-0x0000000008FA0000-0x000000000903C000-memory.dmp

Filesize
624KB

Download
memory/2124-96-0x00000000094B0000-0x0000000009A54000-memory.dmp

Filesize
5.6MB

Download
memory/2124-99-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2124-100-0x0000000009E00000-0x0000000009E0A000-memory.dmp

Filesize
40KB

Download
memory/2124-101-0x000000000ADB0000-0x000000000ADF2000-memory.dmp

Filesize
264KB

Download
memory/2124-111-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/2124-121-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2124-95-0x0000000000740000-0x000000000447C000-memory.dmp

Filesize
61.2MB

Download
memory/2124-4324-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2124-94-0x000000007464E000-0x000000007464F000-memory.dmp

Filesize
4KB

Download
memory/3704-226-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-181-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-1217-0x0000000005570000-0x0000000005666000-memory.dmp

Filesize
984KB

Download
memory/3704-1218-0x0000000005670000-0x00000000056BC000-memory.dmp

Filesize
304KB

Download
memory/3704-182-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-216-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-218-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-222-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-224-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-212-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-228-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-232-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-234-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-240-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-242-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-244-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-236-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-220-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-214-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-1219-0x0000000005770000-0x00000000057C4000-memory.dmp

Filesize
336KB

Download
memory/3704-190-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-206-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-180-0x0000000005360000-0x00000000054D6000-memory.dmp

Filesize
1.5MB

Download
memory/3704-170-0x0000000000670000-0x00000000009D6000-memory.dmp

Filesize
3.4MB

Download
memory/3704-184-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-186-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-188-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-192-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-194-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-196-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-198-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-200-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-202-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-204-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-208-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-210-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-230-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download
memory/3704-238-0x0000000005360000-0x00000000054D0000-memory.dmp

Filesize
1.4MB

Download