2db44b086d860c51a4f45f43a739cd20fb0822189deb1c1cf13e4b5a3b05bc3b

Analysis

max time kernel
95s
max time network
76s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/09/2024, 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gpg4win-4.3.1.exe
Size

33.9MB
MD5

cff05af81adc5ca0066baf07d17edb24
SHA1

7c5fa919c2eb90194e844de027a36e87c7be8a80
SHA256

2db44b086d860c51a4f45f43a739cd20fb0822189deb1c1cf13e4b5a3b05bc3b
SHA512

6db824e5da2a9c0af492e78f06fd18fc864eefeb3de4861b09eee6e9da7db2b4a5c181061262deb530dedd56640c314647cac4b49c9b7bb65f7b6020f79f4e10
SSDEEP

786432:4xIC7bI5s6sxkbB2mULpBWfrw5nqGBbC7cSEW/4jHQrXcvbYZJiGLEhUiqQS:QwK6sSbB3ULpBWM5qG62HqBiqFQS

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 58 IoCs

pid	Process
1612	gnupg-w32-2.4.5_20240307-bin.exe
2972	kleopatra.exe
1624	gpgme-w32spawn.exe
4372	gpgconf.exe
3556	gpgme-w32spawn.exe
3756	gpgconf.exe
4680	gpgme-w32spawn.exe
1296	gpg.exe
1152	gpgme-w32spawn.exe
796	gpgsm.exe
1104	gpgme-w32spawn.exe
1464	gpgconf.exe
1904	gpgconf.exe
3032	dirmngr.exe
2756	gpgconf.exe
1800	gpg-agent.exe
3840	gpg-connect-agent.exe
3780	gpg-agent.exe
3440	gpgme-w32spawn.exe
3108	gpgconf.exe
436	gpgme-w32spawn.exe
1108	gpgconf.exe
4740	gpg.exe
1136	gpg.exe
396	gpgme-w32spawn.exe
4800	gpgconf.exe
8	gpgsm.exe
2436	gpgsm.exe
3948	gpgme-w32spawn.exe
5108	gpgconf.exe
2808	keyboxd.exe
1920	keyboxd.exe
2020	gpgme-w32spawn.exe
2040	gpgconf.exe
2304	gpg-agent.exe
1364	gpg-agent.exe
4968	gpgme-w32spawn.exe
2968	gpgconf.exe
4712	scdaemon.exe
2332	scdaemon.exe
796	gpgme-w32spawn.exe
2244	gpgconf.exe
1952	dirmngr.exe
3004	dirmngr.exe
764	gpgme-w32spawn.exe
3828	gpgconf.exe
1824	gpgme-w32spawn.exe
2764	gpgconf.exe
2776	gpgme-w32spawn.exe
4576	gpgme-w32spawn.exe
1936	gpgsm.exe
4444	gpg.exe
1784	keyboxd.exe
3096	gpgme-w32spawn.exe
3620	gpgme-w32spawn.exe
1096	gpg.exe
456	gpgsm.exe
4228	scdaemon.exe

Loads dropped DLL 64 IoCs

pid	Process
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
1612	gnupg-w32-2.4.5_20240307-bin.exe
1612	gnupg-w32-2.4.5_20240307-bin.exe
1612	gnupg-w32-2.4.5_20240307-bin.exe
1612	gnupg-w32-2.4.5_20240307-bin.exe
1612	gnupg-w32-2.4.5_20240307-bin.exe
1612	gnupg-w32-2.4.5_20240307-bin.exe
1612	gnupg-w32-2.4.5_20240307-bin.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
4256	regsvr32.exe
3108	regsvr32.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
4628	regsvr32.exe
4268	regsvr32.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Gpg4win\share\locale\sl\LC_MESSAGES\sonnet5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\sv\LC_MESSAGES\ki18n5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\libKF5CalendarCore.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\kk\LC_MESSAGES\kleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ko\LC_MESSAGES\kiconthemes5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\lv\LC_MESSAGES\ktextwidgets5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\sk\LC_MESSAGES\okular_poppler.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\fr\LC_MESSAGES\kiconthemes5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ia\LC_MESSAGES\kcompletion5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nb\LC_MESSAGES\libkleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nl\LC_MESSAGES\okular_poppler.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\GnuPG\share\locale\zh_TW\LC_MESSAGES\gnupg2.mo	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\Gpg4win\bin\libKF5Codecs.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\bg\LC_MESSAGES\kparts5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\en_GB\LC_MESSAGES\kcompletion5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\icons\hicolor\index.theme	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ca\LC_MESSAGES\mimetreeparser.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\it\LC_MESSAGES\kwidgetsaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\it\LC_MESSAGES\okular_poppler.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ja\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ca\LC_MESSAGES\kcoreaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\es\LC_MESSAGES\kwidgetsaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ia\LC_MESSAGES\ki18n5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\it\LC_MESSAGES\kiconthemes5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\GnuPG\share\locale\fi\LC_MESSAGES\gnupg2.mo	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\GnuPG\bin\gpg-enable-keyboxd.bat	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\include\gpgme.h	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin_64\libgpgme-11.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pt_BR\LC_MESSAGES\kcodecs5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\tr\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\gpgol\sign-s.ico	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\libkleopatra\pics\hi32-app-gpg.png	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_TW\LC_MESSAGES\gpgol.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\cs\LC_MESSAGES\kcompletion5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\eu\LC_MESSAGES\kcompletion5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ja\LC_MESSAGES\kitemviews5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin_64\libassuan-0.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pt\LC_MESSAGES\libkleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\uk\LC_MESSAGES\okular.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\libKPim5Libkleo.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\pl\LC_MESSAGES\kwidgetsaddons5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\zh_TW\LC_MESSAGES\kwindowsystem5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\libkleopatra\pics\key.png	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\sv\LC_MESSAGES\gpgol.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\gpg4win\versioninfo.txt	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ca@valencia\kf5_entry.desktop	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\de\LC_MESSAGES\sonnet5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nds\LC_MESSAGES\kleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\gpgex.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\eu\LC_MESSAGES\kleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\icons\hicolor\16x16\apps\gpg4win-compact.png	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ka\LC_MESSAGES\kconfig5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\ru\LC_MESSAGES\kwindowsystem5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\bin\styles\qwindowsvistastyle.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\GnuPG\bin\gpgtar.exe	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\GnuPG\share\locale\da\LC_MESSAGES\gnupg2.mo	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\Gpg4win\bin\libKF5GuiAddons.dll	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\da\LC_MESSAGES\ktextwidgets5.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\fr\LC_MESSAGES\libkleopatra.mo	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\sv\LC_MESSAGES\kcodecs5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\GnuPG\share\locale\en@boldquot\LC_MESSAGES\gnupg2.mo	gnupg-w32-2.4.5_20240307-bin.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\it\kf5_entry.desktop	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nl\LC_MESSAGES\kwindowsystem5_qt.qm	gpg4win-4.3.1.exe
File created	C:\Program Files (x86)\Gpg4win\share\locale\nn\kf5_entry.desktop	gpg4win-4.3.1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scdaemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg-agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg-agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keyboxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gnupg-w32-2.4.5_20240307-bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dirmngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg-connect-agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kleopatra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg-agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scdaemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg4win-4.3.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keyboxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dirmngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scdaemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg-agent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgme-w32spawn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gpgconf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dirmngr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keyboxd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.KGRP\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\Kleopatra.exe\" -- \"%1\""	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\InprocServer32\ThreadingModel = "Both"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GNU.GpgOL\ = "GpgOL - The GnuPG Outlook Plugin"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.ASC\PercievedType = "Document"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.PGPKEY	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.X509\shell\open	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\ProgID\ = "GNU.GpgOL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GNU.GpgOL	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GNU.GpgOL\CLSID	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers\GpgEX	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\CurVer\ = "4.3.1"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.PGPSIG\shell\open\command	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.crl\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.X509	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.MIME\InfoTip = "An E-Mail file that can either be encrypted or unencrypted"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\shell\open\command	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.sig\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.PGPKEY\shell\open\command	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.X509\shell	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.der\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.X509	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCD955E4-5C16-4A33-AFDA-A8947A94946B}\InprocServer32\ = "C:\\Program Files (x86)\\Gpg4win\\bin_64\\gpgex.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.GPG\CurVer	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.gpg\OpenWithProgIDs	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.CMS\ = "CMS (S/MIME) File"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.MIME\PercievedType = "Document"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mim\OpenWithProgIDs	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P7MFile\shell	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPKEY\shell	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pem\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.CMS	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.KGRP\PercievedType = "Document"	gpg4win-4.3.1.exe
Key created	\Registry\User\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\NotificationData	kleopatra.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}\ProgID	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MIME\Database\Content Type\application/pgp	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\P7MFile\shell\open\command	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.X509\CurVer\ = "4.3.1"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.KGRP	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kgrp	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.MIME\CurVer	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\openpgp4fpr\shell	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\Kleopatra.exe\" -- \"%1\""	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.CMS\InfoTip = "This can be encrypted data, a signature or a certificate."	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{42d30988-1a3a-11da-c687-000d6080e735}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\ContextMenuHandlers\GpgEX	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\openpgp4fpr\shell\open\command\ = "\"C:\\Program Files (x86)\\Gpg4win\\bin\\kleopatra.exe\" --query -- \"%1\""	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\P7MFile	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPSIG\DefaultIcon\ = "C:\\Program Files (x86)\\Gpg4win\\share\\gpg4win\\file-ext.ico"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPKEY\DefaultIcon\ = "C:\\Program Files (x86)\\Gpg4win\\share\\gpg4win\\file-ext.ico"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.MIME\DefaultIcon	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.MIME	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\P7SFile\DefaultIcon	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\ = "OpenPGP Binary File"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.GPG\FriendlyTypeName = "OpenPGP Binary File"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.ASC\InfoTip = "This can be encrypted data, a signature or a certificate."	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.PGPSIG\PercievedType = "Document"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\GpgEX\ = "{CCD955E4-5C16-4A33-AFDA-A8947A94946B}"	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\GpgEX\ = "{CCD955E4-5C16-4A33-AFDA-A8947A94946B}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	kleopatra.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.GPG\DefaultIcon	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.pgp	gpg4win-4.3.1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\gpg4win.AssocFile.Kleopatra.CMS\DefaultIcon\ = "C:\\Program Files (x86)\\Gpg4win\\share\\gpg4win\\file-ext.ico"	gpg4win-4.3.1.exe
Key created	\REGISTRY\MACHINE\Software\Classes\gpg4win.AssocFile.Kleopatra.X509\shell\open\command	gpg4win-4.3.1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mim\OpenWithProgIDs\gpg4win.AssocFile.Kleopatra.MIME	gpg4win-4.3.1.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	kleopatra.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2972	kleopatra.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe
240	gpg4win-4.3.1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	kleopatra.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe
2972	kleopatra.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2972	kleopatra.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1612	240	gpg4win-4.3.1.exe	82
PID 240 wrote to memory of 1612	240	gpg4win-4.3.1.exe	82
PID 240 wrote to memory of 1612	240	gpg4win-4.3.1.exe	82
PID 240 wrote to memory of 4256	240	gpg4win-4.3.1.exe	83
PID 240 wrote to memory of 4256	240	gpg4win-4.3.1.exe	83
PID 240 wrote to memory of 4256	240	gpg4win-4.3.1.exe	83
PID 4256 wrote to memory of 3108	4256	regsvr32.exe	84
PID 4256 wrote to memory of 3108	4256	regsvr32.exe	84
PID 240 wrote to memory of 4628	240	gpg4win-4.3.1.exe	85
PID 240 wrote to memory of 4628	240	gpg4win-4.3.1.exe	85
PID 240 wrote to memory of 4628	240	gpg4win-4.3.1.exe	85
PID 4628 wrote to memory of 4268	4628	regsvr32.exe	86
PID 4628 wrote to memory of 4268	4628	regsvr32.exe	86
PID 2972 wrote to memory of 1624	2972	kleopatra.exe	91
PID 2972 wrote to memory of 1624	2972	kleopatra.exe	91
PID 2972 wrote to memory of 1624	2972	kleopatra.exe	91
PID 1624 wrote to memory of 4372	1624	gpgme-w32spawn.exe	92
PID 1624 wrote to memory of 4372	1624	gpgme-w32spawn.exe	92
PID 1624 wrote to memory of 4372	1624	gpgme-w32spawn.exe	92
PID 2972 wrote to memory of 3556	2972	kleopatra.exe	94
PID 2972 wrote to memory of 3556	2972	kleopatra.exe	94
PID 2972 wrote to memory of 3556	2972	kleopatra.exe	94
PID 3556 wrote to memory of 3756	3556	gpgme-w32spawn.exe	95
PID 3556 wrote to memory of 3756	3556	gpgme-w32spawn.exe	95
PID 3556 wrote to memory of 3756	3556	gpgme-w32spawn.exe	95
PID 2972 wrote to memory of 4680	2972	kleopatra.exe	97
PID 2972 wrote to memory of 4680	2972	kleopatra.exe	97
PID 2972 wrote to memory of 4680	2972	kleopatra.exe	97
PID 4680 wrote to memory of 1296	4680	gpgme-w32spawn.exe	98
PID 4680 wrote to memory of 1296	4680	gpgme-w32spawn.exe	98
PID 4680 wrote to memory of 1296	4680	gpgme-w32spawn.exe	98
PID 2972 wrote to memory of 1152	2972	kleopatra.exe	100
PID 2972 wrote to memory of 1152	2972	kleopatra.exe	100
PID 2972 wrote to memory of 1152	2972	kleopatra.exe	100
PID 1152 wrote to memory of 796	1152	gpgme-w32spawn.exe	101
PID 1152 wrote to memory of 796	1152	gpgme-w32spawn.exe	101
PID 1152 wrote to memory of 796	1152	gpgme-w32spawn.exe	101
PID 2972 wrote to memory of 1104	2972	kleopatra.exe	103
PID 2972 wrote to memory of 1104	2972	kleopatra.exe	103
PID 2972 wrote to memory of 1104	2972	kleopatra.exe	103
PID 1104 wrote to memory of 1464	1104	gpgme-w32spawn.exe	104
PID 1104 wrote to memory of 1464	1104	gpgme-w32spawn.exe	104
PID 1104 wrote to memory of 1464	1104	gpgme-w32spawn.exe	104
PID 2972 wrote to memory of 1904	2972	kleopatra.exe	106
PID 2972 wrote to memory of 1904	2972	kleopatra.exe	106
PID 2972 wrote to memory of 1904	2972	kleopatra.exe	106
PID 1904 wrote to memory of 3032	1904	gpgconf.exe	108
PID 1904 wrote to memory of 3032	1904	gpgconf.exe	108
PID 1904 wrote to memory of 3032	1904	gpgconf.exe	108
PID 2972 wrote to memory of 2756	2972	kleopatra.exe	109
PID 2972 wrote to memory of 2756	2972	kleopatra.exe	109
PID 2972 wrote to memory of 2756	2972	kleopatra.exe	109
PID 2756 wrote to memory of 1800	2756	gpgconf.exe	111
PID 2756 wrote to memory of 1800	2756	gpgconf.exe	111
PID 2756 wrote to memory of 1800	2756	gpgconf.exe	111
PID 2756 wrote to memory of 3840	2756	gpgconf.exe	112
PID 2756 wrote to memory of 3840	2756	gpgconf.exe	112
PID 2756 wrote to memory of 3840	2756	gpgconf.exe	112
PID 3840 wrote to memory of 3780	3840	gpg-connect-agent.exe	114
PID 3840 wrote to memory of 3780	3840	gpg-connect-agent.exe	114
PID 3840 wrote to memory of 3780	3840	gpg-connect-agent.exe	114
PID 2972 wrote to memory of 3440	2972	kleopatra.exe	113
PID 2972 wrote to memory of 3440	2972	kleopatra.exe	113
PID 2972 wrote to memory of 3440	2972	kleopatra.exe	113

C:\Users\Admin\AppData\Local\Temp\gpg4win-4.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\gpg4win-4.3.1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:240
- C:\Users\Admin\AppData\Local\Temp\gnupg-w32-2.4.5_20240307-bin.exe
  "C:\Users\Admin\AppData\Local\Temp\gnupg-w32-2.4.5_20240307-bin.exe" /S /D=C:\Program Files (x86)\Gpg4win\..\GnuPG
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1612
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32" /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4256
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:3108
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\system32\regsvr32" /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgex.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Gpg4win\bin_64\gpgex.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:4268

C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe
"C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-gsfdw4" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-dirs"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-dirs"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4372
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-nCBlSY" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-components"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-components"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3756
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-bORxeT" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--version"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Program Files (x86)\GnuPG\bin\gpg.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--version"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1296
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-muLMAN" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--version"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--version"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:796
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-OHi4WH" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--version"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--version"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1464
- C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
  "C:\Program Files (x86)\GnuPG\bin\gpgconf.exe" --show-versions
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Program Files (x86)\GnuPG\bin\dirmngr.exe
    "C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" --gpgconf-versions
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3032
- C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
  "C:\Program Files (x86)\GnuPG\bin\gpgconf.exe" --launch gpg-agent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
    "C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --gpgconf-test
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1800
- - C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe
    "C:\Program Files (x86)\GnuPG\bin\gpg-connect-agent.exe" NOP
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
      "C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --homedir C:\Users\Admin\AppData\Roaming\gnupg --use-standard-socket --daemon
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3780
    - - C:\Program Files (x86)\GnuPG\bin\scdaemon.exe
        
        "C:\Program Files (x86)\GnuPG\bin\scdaemon.exe" --multi-server
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4228
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-PEHAoC" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-components"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3440
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-components"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3108
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-gXJ9Pw" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "gpg"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:436
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "gpg"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1108
  - - C:\Program Files (x86)\GnuPG\bin\gpg.exe
      "C:\Program Files (x86)\GnuPG\bin\gpg.exe" --dump-option-table
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4740
  - - C:\Program Files (x86)\GnuPG\bin\gpg.exe
      "C:\Program Files (x86)\GnuPG\bin\gpg.exe" --gpgconf-list
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1136
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-xSfThr" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "gpgsm"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:396
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "gpgsm"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4800
  - - C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
      "C:\Program Files (x86)\GnuPG\bin\gpgsm.exe" --dump-option-table
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:8
  - - C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
      "C:\Program Files (x86)\GnuPG\bin\gpgsm.exe" --gpgconf-list
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2436
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-j8dPJl" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "keyboxd"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3948
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "keyboxd"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5108
  - - C:\Program Files (x86)\GnuPG\bin\keyboxd.exe
      "C:\Program Files (x86)\GnuPG\bin\keyboxd.exe" --dump-option-table
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2808
  - - C:\Program Files (x86)\GnuPG\bin\keyboxd.exe
      "C:\Program Files (x86)\GnuPG\bin\keyboxd.exe" --gpgconf-list
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1920
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-IyrQbg" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "gpg-agent"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2020
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "gpg-agent"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2040
  - - C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
      "C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --dump-option-table
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2304
  - - C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe
      "C:\Program Files (x86)\GnuPG\bin\gpg-agent.exe" --gpgconf-list
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1364
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-L7a0Da" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "scdaemon"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4968
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "scdaemon"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2968
  - - C:\Program Files (x86)\GnuPG\bin\scdaemon.exe
      "C:\Program Files (x86)\GnuPG\bin\scdaemon.exe" --dump-option-table
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4712
  - - C:\Program Files (x86)\GnuPG\bin\scdaemon.exe
      "C:\Program Files (x86)\GnuPG\bin\scdaemon.exe" --gpgconf-list
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2332
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-k68g64" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "dirmngr"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:796
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "dirmngr"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2244
  - - C:\Program Files (x86)\GnuPG\bin\dirmngr.exe
      "C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" --dump-option-table
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1952
  - - C:\Program Files (x86)\GnuPG\bin\dirmngr.exe
      "C:\Program Files (x86)\GnuPG\bin\dirmngr.exe" --gpgconf-list
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3004
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-gQYFyZ" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--list-options" "pinentry"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:764
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--list-options" "pinentry"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3828
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-BhFc1T" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgconf.exe" "--query-swdb" "gpg4win" "4.3.1"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1824
- - C:\Program Files (x86)\GnuPG\bin\gpgconf.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgconf.exe" "--query-swdb" "gpg4win" "4.3.1"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-MBDMtO" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--disable-dirmngr" "--no-auto-check-trustdb" "--batch" "--status-fd" "1" "--logger-fd" "5" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--list-keys" "--"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Program Files (x86)\GnuPG\bin\gpg.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--disable-dirmngr" "--no-auto-check-trustdb" "--batch" "--status-fd" "4" "--logger-fd" "12" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--list-keys" "--"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4444
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-DRCmWI" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--logger-fd" "7" "--server"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2776
- - C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--logger-fd" "16" "--server"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1936
  - - C:\Program Files (x86)\GnuPG\bin\keyboxd.exe
      "C:\Program Files (x86)\GnuPG\bin\keyboxd.exe" --homedir C:\Users\Admin\AppData\Roaming\gnupg --daemon
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1784
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-SL56oD" "C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" "--disable-dirmngr" "--batch" "--status-fd" "1" "--logger-fd" "5" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--with-sig-check" "--list-options" "show-sig-subpackets=\"20,26\"" "--check-sigs" "--"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3096
- - C:\Program Files (x86)\GnuPG\bin\gpg.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpg.exe" "--disable-dirmngr" "--batch" "--status-fd" "4" "--logger-fd" "12" "--no-tty" "--charset=utf8" "--enable-progress-filter" "--exit-on-status-write-error" "--ttyname=/dev/tty" "--with-colons" "--with-secret" "--with-keygrip" "--with-sig-check" "--list-options" "show-sig-subpackets=\"20,26\"" "--check-sigs" "--"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1096
- C:\Program Files (x86)\Gpg4win\bin\gpgme-w32spawn.exe
  "C:\\Program Files (x86)\\Gpg4win\\bin\\gpgme-w32spawn.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\gpgme-8wARRx" "C:\\Program Files (x86)\\GnuPG\\bin\\gpgsm.exe" "--logger-fd" "7" "--server"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3620
- - C:\Program Files (x86)\GnuPG\bin\gpgsm.exe
    "C:\\\\Program Files (x86)\\\\GnuPG\\\\bin\\\\gpgsm.exe" "--logger-fd" "16" "--server"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:456

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GnuPG\share\locale\pl\LC_MESSAGES\gnupg2.mo

Filesize
238KB

MD5
954e63685bf62aa9ae12c14c76131a63

SHA1
6fd1c5ca2d16e5e995c32fe9038dd4751d0d14f2

SHA256
27076a5fa4e6ad7b0fd43df445d1d6986c2d3add094d8885ed7ca390fa7ae68a

SHA512
677a32afe059b79f2a6856b8afc6b6a065d656d72a3fdb2363c0c47d8c9ca607ba0a8ad6ca5f97992a0873160ae155c117cecaaafd4a2fa3805c7b6dec3105b7

Download Submit
C:\Program Files (x86)\Gpg4win\bin\gpgex.dll

Filesize
536KB

MD5
6de54fbe7f86a98ab5c5b0ec513df79c

SHA1
c01632940bf6abf4e86278b420489e5d25c2e986

SHA256
37ac2063dd1372979909aa119e273b03c535208eac5039d14064d8ac960a0324

SHA512
7fd9ddd9910a853198e7660ab6ad08cc4865c39747d98a13049d1d7404a119f7738ee5a542b4b50d9e323dac0c05bf7bb7810c9e1550f5b9edaa9ae7fc67dabd

Download Submit
C:\Program Files (x86)\Gpg4win\bin\gpgol.dll

Filesize
2.9MB

MD5
0a6bd76d29c84f06d86c25a112c0f5a1

SHA1
781d480bb2326f708058d3ddc38a0e9051d632b3

SHA256
cdba64b14b33405f3efb988a6f15768563c8f620af4678f32a45be10ef2ce20a

SHA512
94660ce2e3550b7d897f8ec8ea86915190fa12dfd98b68ccc3d843af8a0109d65319a56c6fd31a0604b1527f203c073536b666986e6c3bb89424fe1b0fbb8bb7

Download Submit
C:\Program Files (x86)\Gpg4win\bin\kleopatra.exe

Filesize
4.8MB

MD5
56b7add491410755af6cad3fca38e0d5

SHA1
4608b90cf847963fc1ca500f4e21e0be45648827

SHA256
b83d684e1e5ca6ca9bb06ba01beb38745a9b11df2d9077435010ac8c7c92d4ad

SHA512
2fed1998b4e4f6bccc6cf57dba88495e8ea793c998fc5ed8a33a9e1743b1960cdbe669a6a1b7229eee92c0857e7573ab0d88d16dcb39e19563cc6b71f81e00bb

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libKF5Codecs.dll

Filesize
274KB

MD5
7b11e553121fd8faefd52200777a6a40

SHA1
a5812b8b6edc196f0d7a1850558ed2290d503deb

SHA256
45bbb83e60198480ad39a652a5fc91f1238f3e51e25c07762b6eca7c4e2898bc

SHA512
f17398c4290ae6e9a2d7f5020ec990fe199dadd16126fb6ca81a394938a94fdd66271f90def56f9b9f5845170d8f7bed0fa52c42515c7c4593ea096034aeb2d1

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libKF5ConfigCore.dll

Filesize
499KB

MD5
f716b2fa37dff739f08f3993b79d09b9

SHA1
724e4a865745a71c400b2b5a3d44a3b75e2aab06

SHA256
35c7e5d505ab4c35135157049cb057ee7a5729ac2b738570590aa7622bff64a3

SHA512
24dbda31d14e26606f8c3b2554f4ca6c717420a361db04c48197f91afa05a3a254b2530f884637e8778696a78aef205c5b2aece85bb37dcfe39794bc6643f362

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libKF5ConfigGui.dll

Filesize
168KB

MD5
551427752ca4a73cfb85b7275d66f0d0

SHA1
1c212683f0ac6beee0ae0d015e99da198559b747

SHA256
a27ebf9a417ea3f561139eaea6b7d8318f802099c85e8d707bd088546872ec77

SHA512
e0dd4336f48ed79899409347a159a8d52376712fd594ab5e9e4b1f1873edea5cfee501adcd6c408af4449fe0b40adf933da517dc738e0db5a33e2e240c79b21d

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libKF5ConfigWidgets.dll

Filesize
452KB

MD5
f3cd64079c40cede28c50bdf44cdf96d

SHA1
7d8a7e209165c499623a84e7cbee1f969a4e6d00

SHA256
3b0348d40f83b9b3edcb9168cb318140fa0a03823b4badd5c5991b8ab2d89365

SHA512
cfc7eec6b86d4b574550a1f5bcc9bb6807c4be3b9b97d64294466360886708a6baea078d8ff3a7ad436451b8e81a092efa5e8a6a53a7ac2beb76d9f1dc44ae39

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libkleopatraclientcore.dll

Filesize
101KB

MD5
99b348c1671f79cb5b50b3929df1d34f

SHA1
7e73e393a4e15d1ba84ad91aa256d6c4620d8a81

SHA256
acfe84c4348b136c77b3781264edf04432504faa1dfea8f9d2bb144c021e5e82

SHA512
1b44a48cb3cf06efc0eceb09c19a985399fe7706dc4bd265dc020a2c62df625029f0759b24d86db01224aa9cdbdb5ff36c4d0007ac3dd6b4cb7b92693dacc883

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libkleopatraclientgui.dll

Filesize
44KB

MD5
3d6173c0a2d499a43a12b8369a36e715

SHA1
ea370ed5cd5e63ec057fe063ee6a2b7298a666d0

SHA256
fd77fe0a7a1879260a2c2614291ba85e88f88d249a84f34d4da14909631cb52c

SHA512
eb4e7feefd0bd325c7fd87de88189ea190500ce84aee355cb614b63ccdbfdb4c2b58002394a7126adfde1a77b420ec7898183328ffa53fcb59de5b473e6ebbb9

Download Submit
C:\Program Files (x86)\Gpg4win\bin\libwinpthread-1.dll

Filesize
60KB

MD5
f3087bf95436d720143a1ed88c53edcd

SHA1
e82ec2fb41fd00bff787b6c0afdbfb7e2b260dc9

SHA256
0d2598850642932cf2fa3cfc344230796fd61c3171c784f3c523883893e0b5fb

SHA512
e6cc54d79f6ab32a555a791a0ea15e6e336443119d45f6ccef1c4de8fc196d9bcaeee22293badddab60fd4a771f79c4006d11a3b404834a9294c561a7c24fa89

Download Submit
C:\Program Files (x86)\Gpg4win\bin\translations\qtxmlpatterns_en.qm

Filesize
16B

MD5
bcebcf42735c6849bdecbb77451021dd

SHA1
4884fd9af6890647b7af1aefa57f38cca49ad899

SHA256
9959b510b15d18937848ad13007e30459d2e993c67e564badbfc18f935695c85

SHA512
f951b511ffb1a6b94b1bcae9df26b41b2ff829560583d7c83e70279d1b5304bde299b3679d863cad6bb79d0beda524fc195b7f054ecf11d2090037526b451b78

Download Submit
C:\Program Files (x86)\Gpg4win\bin_64\gpgex.dll

Filesize
492KB

MD5
6e3aa6891c29084e022089c4767396c8

SHA1
b91a892fa7ada3f5736960445abb1a1c1e86e19a

SHA256
5c99a4689c519fc0f918130cba268664a01e2ea23ede4e9aad5aee9abc1a3bc3

SHA512
65866cfbd80c451305c2f466ebc0c82018c0f280256e3e9f0f9b4084dffc4af2a0643d9283f5ba6cf7219102ea504b2880bc441719f0d079c9e78865d629431d

Download Submit
C:\Program Files (x86)\Gpg4win\bin_64\gpgol.dll

Filesize
2.8MB

MD5
cb24c4a9759526e8b1b1186e1bfc6371

SHA1
b71236abfeb6de237d8543db885d774ceadd1dce

SHA256
00cf36f72afabcba8c4b48d57b9afcae080d5df802501b488e4c16a8f712478e

SHA512
4d6b79c81d27acc0fec927eb1a56b269b074aa29030d03338a343d054d4e86c980b371cdc673d5598d54a34d3ece8e1ea7fbc05e809c73ad87b9e19d36f76fb1

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\eo\LC_MESSAGES\kio5.mo

Filesize
186KB

MD5
e91d1c7c64d01abf95b5c0e998aca584

SHA1
aae9ba479aca06991eaaedb54694ad7ed19fb66a

SHA256
29d0e8b53abaca6efa2e4d6b498ebee47b67460e4c8c2dbec4169021784603a3

SHA512
f0e7469ab29225b67a2867f2ab9801405384d3cbf07c9e2e199235dbf2794af478f91289277106fbe71f330d7d6957e4dbe90ce0e34e7678aa6437ad897a9546

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\es\LC_MESSAGES\okular.mo

Filesize
90KB

MD5
62da3c407727099a17afc361687f59a6

SHA1
4c0315143aa676e9a2e93282c226f32bbcfb5c48

SHA256
86cc5df4aae6df0d5bb6096cfde13bec5eb87f2fd03fcbb3992c6d75d7a17207

SHA512
ccf05c83c371ae1b8cd2ebd87d5906c3665b422118ed5a33a2f84acc86cfbc5a918c41b4186de99bbce70b12aa895008f2784521628103bde713b714ab0e0f1c

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\kk\LC_MESSAGES\kitemviews5_qt.qm

Filesize
30B

MD5
b83230a03cb46ec13cf38dfbb0f3b744

SHA1
f071802c2c5a46be2a65bd6282608034bdef99ed

SHA256
71f6122a857122143f1b51b5dc7669668a77e93d4c1bfa8c93c370330a7d4335

SHA512
6ca19700cbd8decfa19b897d1b073f1c2322544c659bc8cb7dbbc8fe381932e58205619f156026457a8cbf6088e178c33b31e6cc0337e5b1a553e97fa21dd4db

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\km\LC_MESSAGES\kitemviews5_qt.qm

Filesize
30B

MD5
da4e374c6587f14ec35db9b151acb1a5

SHA1
7a7f4bb69fd9f3762d75e385cd981902a3bced22

SHA256
962c69a60bf953b54428464f6acee3d68deb3b96f19e83ad1e5528e14e03170f

SHA512
6ad9c41d8441b4084cfb730ad857145a2b53b646f1af8fa6e36a17096407a5abe29eca86ed1e3750c463f728c48468714f3c15b41ea88fd09e30f179f183eab4

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\lv\LC_MESSAGES\kitemviews5_qt.qm

Filesize
36B

MD5
05dde48e23fac68bddfadd39c3b29ca5

SHA1
c9b83d712c2b9f68e5f631e4e1f0aa7779fc208c

SHA256
2327768f504d96b61af841e0673c88bc0eb093fd2ec45d5f9b257b2ad0609507

SHA512
991b5cc0fd0688364ab73b7548d9ce93681e44066cf11e20856d56625268da657aad1ae6b887fa5a4b11769e6c0d989a729ca443ed126e3f66cc060a14ea668b

Download Submit
C:\Program Files (x86)\Gpg4win\share\locale\nl\LC_MESSAGES\kleopatra.mo

Filesize
242KB

MD5
b97b250ccd52c1f4b787f9090f08eed9

SHA1
89f64bddba985e89f2f8f80004530a954097db8c

SHA256
bfbe5debd2d5ae555b96155b8bedd324e56164db4e0c5f7edfeb8a0018a0100a

SHA512
308641ab36a1005e5efa330953918d970ced65e0570435986312e9772859cc22b270d5d3951637d8a651264d8f23bd74ad545f406b186178b2c86ff50314561d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnupg-w32-2.4.5_20240307-bin.exe

Filesize
5.3MB

MD5
6efb76e751a360f5ef7bdee99b93a0f4

SHA1
9ffe88554341f28e077ef42150b149a851af2fae

SHA256
d2ac821ceacf9409ebcdb42ae330087ada30c732981f00b356f9c2f08fac4dc1

SHA512
2f08e850d00c951139ea2993c92915a884c9a49c64a547a186cd310eb43c5b9c9b59c46931eb38f241a5c66f76aa81fb85533db01ac848532cec9ab180b60b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gpgme-OHi4WH

Filesize
18B

MD5
dc07682612150fbea67f103bebe1fa26

SHA1
269dd24c33c82a9cbca5e80ea500dc09c47d9fbb

SHA256
0ed101d7d58f7a1b6726b14b616a7f9b636e57ab107ff5e62271790348db0b3c

SHA512
6d599e85dddeef2160d11e0f3bb1f437057e78143aba4efba16b3315d485270c1caf8beb2fa5dedc41a9a23d8dff55de593e165801b08e9ce723ac73c1519073

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC5A3.tmp\InstallOptions.dll

Filesize
28KB

MD5
7770a504cf10db9899f7adc59d4c7dec

SHA1
d1ecc15b69af83aa8065199261e28d78947f7da8

SHA256
e2e74adc3704c5e7d52f10e17f384ba7d8d80c11900dda0ce8e578a9944c4dda

SHA512
694726085477e7e82c3b960d853910e12f24a6d97ac629586124b8d02def44da24f3ace6a3404ffa7bf2d410e93a1c6e918e149801201f4c9800991aabd6f212

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaC5A3.tmp\g4wihelp.dll

Filesize
60KB

MD5
b0379f02947c072a1898230dcbe1e961

SHA1
b218c6ef3083c61ccceb562557b274ee2e0c29cc

SHA256
64167cab813702ae208521282121dba5bdf30fcda68809ae18c3a79ee31d4b30

SHA512
105949e108b1a9f1e404e6b6578de9427c3e0f424f95a6d0a5c4c0b9ea2554ab66419dbe49b70e39fc1dd45279a3ac8f0317c9da4d966647760fd9a2bd2b5239

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A02.tmp\LangDLL.dll

Filesize
7KB

MD5
20850d4d5416fbfd6a02e8a120f360fc

SHA1
ac34f3a34aaa4a21efd6a32bc93102639170e219

SHA256
860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61

SHA512
c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A02.tmp\System.dll

Filesize
26KB

MD5
4f25d99bf1375fe5e61b037b2616695d

SHA1
958fad0e54df0736ddab28ff6cb93e6ed580c862

SHA256
803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647

SHA512
96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A02.tmp\UserInfo.dll

Filesize
6KB

MD5
9c8190bf734e58469eeb894b04c9fda0

SHA1
8ba2d3474ee1acf315fbccb7253e7cbdbae414c2

SHA256
88860534a424835a4bc47d3db8d0f4b1481442ed3efdeb7338a7ddf616651a60

SHA512
910af7da023bccda2dba873ff95769d24174b09c5f053e676e56a2f99f6e376009b7ee62fb23835285160c4c6feaba99c530b978c1085a37d610d3fa1a4f3727

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A02.tmp\g4wihelp.dll

Filesize
82KB

MD5
1d21fa410d54e5782078f759c3b95a7d

SHA1
0e2d21ad8f6532a8c9dfb60c4f4058ef5985f2be

SHA256
5d360cffc1ff6c0f49289fab1181daa93164022228e87dd136c8fbbf100f2bb3

SHA512
79a0fef74d9c901ffd7a9a4de7c09b496564cfe8db2cd22feaf3ca3c42586a100294e3d937a5e7cfd150c8f5a9879d817030c08bf38ab26a328183fbf0f4c744

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A02.tmp\modern-wizard.bmp

Filesize
150KB

MD5
5aedfe21c520c2b506c5e1fa6259121e

SHA1
abdcab24f2f5104a45f79577e7214d1edb9d3159

SHA256
abd76ed6755782d7a2fda3ee9e0c8ecad259e977d9d40c48b5fa3701b275fabb

SHA512
73580b56451b59e46187904158cbd5afbe23a2ce9914ddfaabf6d6cb02fadfaf4603b9d26a1b004cff913dacf5ac6881aa2d123ffc3dd24e5bd57c6cfb8f31dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsg8A02.tmp\nsDialogs.dll

Filesize
12KB

MD5
2029c44871670eec937d1a8c1e9faa21

SHA1
e8d53b9e8bc475cc274d80d3836b526d8dd2747a

SHA256
a4ae6d33f940a80e8fe34537c5cc1f8b8679c979607969320cfb750c15809ac2

SHA512
6f151c9818ac2f3aef6d4cabd8122c7e22ccf0b84fa5d4bcc951f8c3d00e8c270127eac1e9d93c5f4594ac90de8aff87dc6e96562f532a3d19c0da63a28654b7

Download Submit
C:\Users\Admin\AppData\Roaming\kleopatra\emaildefaults

Filesize
63B

MD5
4ba0bf22ec6e852f5de46c499ce450ac

SHA1
780b33a898ebddfc29baa2c7ee479f2714a43638

SHA256
13cae11b6762140835aac30ebc908cd7a39832723c24d9ad20ffc5629c0f6471

SHA512
b260b5b3b89e8d9c3961a3b9b9f58da4a8c806b7fe85acffb86502918cf1dc65acfd9f9e414c43c4814c05f53697043504316c07cf3af36d3371e3a24c7ac49a

Download Submit
memory/240-1361-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/240-1417-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/240-1362-0x0000000073F20000-0x0000000073F2E000-memory.dmp

Filesize
56KB

Download
memory/240-54-0x0000000073E30000-0x0000000073E3B000-memory.dmp

Filesize
44KB

Download
memory/240-52-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/240-53-0x0000000073F20000-0x0000000073F2E000-memory.dmp

Filesize
56KB

Download
memory/796-1447-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/796-1446-0x0000000065A80000-0x0000000065AAA000-memory.dmp

Filesize
168KB

Download
memory/796-1448-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/796-1449-0x0000000064D80000-0x0000000064DCE000-memory.dmp

Filesize
312KB

Download
memory/796-1450-0x000000006A800000-0x000000006A80F000-memory.dmp

Filesize
60KB

Download
memory/796-1445-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1104-1451-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1152-1443-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1296-1436-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/1296-1442-0x0000000063080000-0x00000000630A9000-memory.dmp

Filesize
164KB

Download
memory/1296-1441-0x0000000066580000-0x00000000666AA000-memory.dmp

Filesize
1.2MB

Download
memory/1296-1440-0x000000006A800000-0x000000006A80F000-memory.dmp

Filesize
60KB

Download
memory/1296-1439-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/1296-1438-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/1296-1437-0x0000000065A80000-0x0000000065AAA000-memory.dmp

Filesize
168KB

Download
memory/1464-1453-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/1464-1454-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/1464-1452-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1612-280-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1624-1421-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1800-1472-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/1800-1471-0x0000000065A80000-0x0000000065AAA000-memory.dmp

Filesize
168KB

Download
memory/1800-1474-0x000000006A800000-0x000000006A80F000-memory.dmp

Filesize
60KB

Download
memory/1800-1473-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/1800-1470-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1904-1464-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/1904-1463-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/1904-1462-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2972-1410-0x000000006C440000-0x000000006C489000-memory.dmp

Filesize
292KB

Download
memory/2972-1412-0x000000006BAC0000-0x000000006BB85000-memory.dmp

Filesize
788KB

Download
memory/2972-1408-0x0000000066240000-0x00000000662AD000-memory.dmp

Filesize
436KB

Download
memory/2972-1416-0x0000000064B00000-0x0000000064B5B000-memory.dmp

Filesize
364KB

Download
memory/2972-1415-0x0000000069E00000-0x0000000069E43000-memory.dmp

Filesize
268KB

Download
memory/2972-1414-0x00000000641C0000-0x00000000641F7000-memory.dmp

Filesize
220KB

Download
memory/2972-1413-0x00000000615C0000-0x000000006160A000-memory.dmp

Filesize
296KB

Download
memory/2972-1409-0x000000006FEC0000-0x000000006FEDE000-memory.dmp

Filesize
120KB

Download
memory/2972-1411-0x0000000063B80000-0x0000000063BAE000-memory.dmp

Filesize
184KB

Download
memory/3032-1460-0x000000006A800000-0x000000006A80F000-memory.dmp

Filesize
60KB

Download
memory/3032-1461-0x0000000064D80000-0x0000000064DCE000-memory.dmp

Filesize
312KB

Download
memory/3032-1459-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/3032-1458-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/3032-1457-0x0000000065A80000-0x0000000065AAA000-memory.dmp

Filesize
168KB

Download
memory/3032-1456-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3440-1477-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3556-1427-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3756-1430-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/3756-1428-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3756-1429-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/3840-1487-0x0000000065A80000-0x0000000065AAA000-memory.dmp

Filesize
168KB

Download
memory/3840-1486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-1423-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4372-1424-0x00000000655C0000-0x000000006570A000-memory.dmp

Filesize
1.3MB

Download
memory/4372-1425-0x000000006B480000-0x000000006B4C1000-memory.dmp

Filesize
260KB

Download
memory/4680-1433-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download