rhadamanthys | hxxps://www[.]youtube[.]com/redirect?event=channel_description&redir_token=QUFFLUhqbWZIYUJ4TWx6cS0tVG9DTmhDaFZDbFlJTXVJQXxBQ3Jtc0ttaVhpOW5XUkh6NnN5ek1PdWxpT3g3emZwVDA0TThMTlJyQXpHUUd5OHY0UTVKdThVel8xRnFwRXlWQUZob19jOU5FNFVVb0pJQmJjZjEwcWpDclZLVmM3Z1plbW1Td3F2M1lqeVUxaFJKYkpabDlDbw&q=https%3A%2F%2Ftinyurl[.]com%2F2h4sppnc

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=channel_description&redir_token=QUFFLUhqbWZIYUJ4TWx6cS0tVG9DTmhDaFZDbFlJTXVJQXxBQ3Jtc0ttaVhpOW5XUkh6NnN5ek1PdWxpT3g3emZwVDA0TThMTlJyQXpHUUd5OHY0UTVKdThVel8xRnFwRXlWQUZob19jOU5FNFVVb0pJQmJjZjEwcWpDclZLVmM3Z1plbW1Td3F2M1lqeVUxaFJKYkpabDlDbw&q=https%3A%2F%2Ftinyurl.com%2F2h4sppnc

Score

10^/10

rhadamanthys discovery execution persistence privilege_escalation stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

TQN3PxaU3w.exeCmV0h6LiiM.exe

description pid process target process

PID 3748 created 2920 3748 TQN3PxaU3w.exe sihost.exe
PID 3692 created 2920 3692 CmV0h6LiiM.exe sihost.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4336 powershell.exe
1068 powershell.exe
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Executes dropped EXE 7 IoCs

Processes:

7z2408-x64.exe7zFM.exe7zG.exelauncher.exeTQN3PxaU3w.exelauncher.exeCmV0h6LiiM.exe

pid process

2876 7z2408-x64.exe
4832 7zFM.exe
2128 7zG.exe
1688 launcher.exe
3748 TQN3PxaU3w.exe
232 launcher.exe
3692 CmV0h6LiiM.exe
Loads dropped DLL 3 IoCs

Processes:

7zFM.exe7zG.exe

pid process

3444
4832 7zFM.exe
2128 7zG.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	pid	process	target process
PID 3748 created 2920	3748	TQN3PxaU3w.exe	sihost.exe
PID 3692 created 2920	3692	CmV0h6LiiM.exe	sihost.exe

pid	process
4336	powershell.exe
1068	powershell.exe

pid	process
2876	7z2408-x64.exe
4832	7zFM.exe
2128	7zG.exe
1688	launcher.exe
3748	TQN3PxaU3w.exe
232	launcher.exe
3692	CmV0h6LiiM.exe

pid	process
3444
4832	7zFM.exe
2128	7zG.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2408-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

openwith.exeCmV0h6LiiM.exeopenwith.exe7z2408-x64.exeTQN3PxaU3w.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CmV0h6LiiM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TQN3PxaU3w.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720011137148542"	chrome.exe

Modifies registry class 22 IoCs

Processes:

7z2408-x64.exechrome.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

chrome.exepowershell.exeTQN3PxaU3w.exeopenwith.exepowershell.exeCmV0h6LiiM.exeopenwith.exe

pid	process
1152	chrome.exe
1152	chrome.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
3748	TQN3PxaU3w.exe
3748	TQN3PxaU3w.exe
4084	openwith.exe
4084	openwith.exe
4084	openwith.exe
4084	openwith.exe
1068	powershell.exe
1068	powershell.exe
1068	powershell.exe
3692	CmV0h6LiiM.exe
3692	CmV0h6LiiM.exe
4912	openwith.exe
4912	openwith.exe
4912	openwith.exe
4912	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

1152 chrome.exe
1152 chrome.exe
1152 chrome.exe
1152 chrome.exe
1152 chrome.exe
1152 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

7z2408-x64.exelauncher.exeTQN3PxaU3w.exelauncher.exeCmV0h6LiiM.exe

pid process

2876 7z2408-x64.exe
1688 launcher.exe
3748 TQN3PxaU3w.exe
232 launcher.exe
3692 CmV0h6LiiM.exe

pid	process
2876	7z2408-x64.exe
1688	launcher.exe
3748	TQN3PxaU3w.exe
232	launcher.exe
3692	CmV0h6LiiM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1152 wrote to memory of 3368	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 3368	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 2132	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 3980	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 3980	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe
PID 1152 wrote to memory of 4196	1152	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2920
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/redirect?event=channel_description&redir_token=QUFFLUhqbWZIYUJ4TWx6cS0tVG9DTmhDaFZDbFlJTXVJQXxBQ3Jtc0ttaVhpOW5XUkh6NnN5ek1PdWxpT3g3emZwVDA0TThMTlJyQXpHUUd5OHY0UTVKdThVel8xRnFwRXlWQUZob19jOU5FNFVVb0pJQmJjZjEwcWpDclZLVmM3Z1plbW1Td3F2M1lqeVUxaFJKYkpabDlDbw&q=https%3A%2F%2Ftinyurl.com%2F2h4sppnc
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff77c9cc40,0x7fff77c9cc4c,0x7fff77c9cc58
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3752,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5060,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4692,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5308,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4612,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4956,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:4876
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3360,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5136,i,8146616657914178812,5860875802193238846,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Modifies registry class
  PID:216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3232

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\grewgrwegrwgerg.zip"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4832

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\grewgrwegrwgerg\" -spe -an -ai#7zMap22236:92:7zEvent9318
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128

C:\Users\Admin\Downloads\grewgrwegrwgerg\launcher.exe
"C:\Users\Admin\Downloads\grewgrwegrwgerg\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:3352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\TQN3PxaU3w.exe"
  2⤵
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\TQN3PxaU3w.exe
    C:\Users\Admin\AppData\Local\Temp\TQN3PxaU3w.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3748

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\grewgrwegrwgerg\pass 1234.txt
1⤵
PID:2876

C:\Users\Admin\Downloads\grewgrwegrwgerg\launcher.exe
"C:\Users\Admin\Downloads\grewgrwegrwgerg\launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:1064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\CmV0h6LiiM.exe"
  2⤵
  PID:4704
- - C:\Users\Admin\AppData\Local\Temp\CmV0h6LiiM.exe
    C:\Users\Admin\AppData\Local\Temp\CmV0h6LiiM.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9fe56db356b9fadabafbc65f90914bd3

SHA1
cc8bb49cdb278d9d8e4ae07ae74d8689001ed58d

SHA256
0e525aca59b4062ad62b02abc0046831dcc71e3636605242bf9315c01e3e068c

SHA512
4bceae23ddef5948f43da745b1374c57886f1556d7b8d6e60e5633e33c4f4af27b000455cbd3193cd9cc1db8647d39a6b0385ebbad11d4932f7016eaff670009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d5cdc8f804c62c8ea6f2e8cfc9a6f6b5

SHA1
a64ef5aceadd16dbea03b5b8705bbfd54b24b1e0

SHA256
69970ef927f403f73c570ee62a3ece0cf03de6d2964245efbcecd99837f6144e

SHA512
cff2a2dde4d0d1225dc714a2d434054398f21261a1d82815f24b8cbb36f488de0b3a75d7605c03f453760068a9cd03decbffe36e1d9fa72c8b769e915d29cf88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
9fd5ac97448e53661c7034cc1437997e

SHA1
cfb43786c8be60abc4efdb4f6e824f217f754ed8

SHA256
0d511c2b249fd40094ab333ac4436bd0f93a3b168ddb79e6e441f19a5b10061a

SHA512
7e9a28db021646c2322c34d1551bcca1bda2536bff62c5a522f67956ea41206f76bfda6aab5b683cfadc472f97b0909e825839ec05b129f710fce76ac4158ef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
d5a51745531b2aad538696bc4d1734e0

SHA1
403aa714a34ec2420cf310e4fe27e2ba985ee0d0

SHA256
574a0cf6b2c580eb7841e929b59d0a6e8ec19af96d05412d152dc3388f1f51a7

SHA512
41f168a4026d5943cc9cd7ec136c63f789f4b10ed7f0510208dc3cdce650dd38828fc8a375079df0ebd44eac688a50f42c545a6200c4f1f94af9cfd82b8b7c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
22f06b780bbb004ff23503f0a0178a14

SHA1
d156944f33a3981c18d972628e5da6f08051410f

SHA256
941b5978a5639e50a53370af8d56608a502c66b3bc1e9256b7767e1444f40723

SHA512
7ab47d760c6e28a5076ef2a12ce7d17195306f73fffcb7bdbd3f5afb75e2896c720157ce9c3760d2fbe88b1eebf50bb0e5fd870fb21a7a5078a22a9431f92487

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0f7a072a99f255781610bf78703398cf

SHA1
a5171d3c7d6378018c05379ee6e2c9668bac5302

SHA256
f43e464b645d2d9a0de92d98bbb4d9e14f96d62edc10bccefa3cb254cae9a3d7

SHA512
df90e626a0e8aaa16e55fdab44ad877a1162fe3106b7eb5db90977f14ef292be3a444512c101b8d4a8588973adaa8cf71e25a1ba0aab5bfcb593c86f1168ee28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c828e0228ef7b37373e3581c0663700f

SHA1
258cff28df6b30f8b29dfb766eda69ff46450899

SHA256
a8a7024d5f3b861dbc6317ec729484fc4aec31ae3cb604821efe5eab8f7c8f37

SHA512
292e9bc7bd6a7549bd36bef5618a55bdd1e094e211116dada35ca69274114333007cfb59ba49ded97e89d6b02e430f8a9a1abf4d3361e03ef9baa20bac17e7f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1a5b269c15897ac26a5b4c5a81e9a5e6

SHA1
88927e40c823ea47ee311017ceff289bcb6dd1c5

SHA256
7868c1b6529ce446739046490e3495647a346ba95b15663eb851e65fdfd0dce9

SHA512
12f8972eaa8a1cc023cd8dee44ad9251a3efb7c8f6ebed3c97826caaba760652ccd454ad25863bd01975a67c44fd46f86ecbedd68948fe77b5e7c590a3728da1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ae6410dc821a8b8e3bac08600ea13689

SHA1
da5407e72c4ef56d654a79f5863c725f0f81d6a2

SHA256
cf6e56f9da9ee92557f4f3ac3c2663c8ce7b9f32cc28abfd072ba0f7d3c5a231

SHA512
bb7c4004a44af1789ee4555fa15c516d98da29620f5949d475f88b02182f82e527725a79aedf49fe55ea03b4ab1d9e22943e5d8b7b39af4b5bad4c181b6d5772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a0f7e3eb3245e366e5dff606f14b576

SHA1
74dd5e610ffc20594dda1106e579b50f2dea20e0

SHA256
12cb2b4cabac4df6a2897656db79b2435367dcc5b47a66a80cfddb011f3350c3

SHA512
c6beef275d53797f465dd2cec9478124917660a523fc87d75dbfdc48d493aab1e2194cd35d4a089c2640cf47651c2206a24c8d81db38b6edb2be80689c2d129a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
562b8e8f5146a21a4e9d3e98f73cbcb2

SHA1
3a453344e9f1a8347e9ccca31178ccb3406c8bcb

SHA256
52ff9c1d342476f41230032c6904172180df1a44ed48e1ce9fc118bac0466ed4

SHA512
f4e3f4b8a90bc326ca2ced1445b4f93c1b4caafc14328961057f8934162c634863e56dcef671b84ef42d9ee31dc3e2bf1b53abdc5b5fa9c7d5ff930ca8d1b9f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1406a0ccaef071d7779eb01bc5e99ac2

SHA1
ae0cf6193bce495770c7fd819025656436e13873

SHA256
7c655f7dc545bd1ef8ca8f269655c0aa1879f948be3247e041a9c98d4c1a4d7b

SHA512
649ecf9c4e1c756dcbd6db8b308738e5cef6bee6746bf4614544316b319788c39a1ed7c804d29e70c5a704f8238da9805327dfc63be5622e27da11961f3d7fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
eebf7fc8eed629b407d8718ca62082eb

SHA1
724d192b5f1ffefe3c14a78527b60fb7b0616307

SHA256
2fa1a9284b8bb738f345cc70fffc38f97110f67b14d4b605869087c066158755

SHA512
ae455d1ab0c7f18c8c7504857efbaba9739b4454a62731ca3f07c6df759b336bb6c2a0de7283f18370d3eaa4b6f505448f0e321d78e1a07fe512b4c9be25b940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQN3PxaU3w.exe

Filesize
2.4MB

MD5
ec96e65299b7639d4aa60dd315acad80

SHA1
7196b8eb744f769810b390c02371872d11c33bbd

SHA256
c1df546782a82cb03e27ccfea0002f304c56bb26b3fc3d9d8e76ff7c7f61e529

SHA512
db187aedfc8046e2c3e8c49ad7e3741b56c4280e6ea0017835dc2f0121234f69ae9a24fd5a4eab19f8f3682f0d47279b3441aedb331cdb54a38951ac5626c883

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdfp3fls.csz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 728741.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\grewgrwegrwgerg\launcher.exe

Filesize
35.9MB

MD5
d4eca6136281d617dcfac5bae3349e70

SHA1
c6941cd9df4f7db4bdf6bd163869016a2520d644

SHA256
0777bba437bc66725d3e00f17810a1dee973fef63808d3d14aa046503a5589a6

SHA512
a17b7bc6985304008649b8b6a009f675b3570e14a39e0073ea6cd00dca5ffecc0acedcc67f9c250e35b09d3c941540e74b338795f1cff12172c137d525afeb8a

Download Submit
\??\pipe\crashpad_1152_XKZSIURPHHTGSXJQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3692-440-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/3692-449-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/3692-445-0x00007FFF86250000-0x00007FFF86445000-memory.dmp

Filesize
2.0MB

Download
memory/3692-447-0x0000000076B30000-0x0000000076D45000-memory.dmp

Filesize
2.1MB

Download
memory/3692-444-0x0000000003620000-0x0000000003A20000-memory.dmp

Filesize
4.0MB

Download
memory/3748-390-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/3748-399-0x0000000076B30000-0x0000000076D45000-memory.dmp

Filesize
2.1MB

Download
memory/3748-396-0x0000000003570000-0x0000000003970000-memory.dmp

Filesize
4.0MB

Download
memory/3748-395-0x0000000003570000-0x0000000003970000-memory.dmp

Filesize
4.0MB

Download
memory/3748-392-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/3748-397-0x00007FFF86250000-0x00007FFF86445000-memory.dmp

Filesize
2.0MB

Download
memory/3748-401-0x0000000000400000-0x00000000007D8000-memory.dmp

Filesize
3.8MB

Download
memory/4084-403-0x0000000002E90000-0x0000000003290000-memory.dmp

Filesize
4.0MB

Download
memory/4084-404-0x00007FFF86250000-0x00007FFF86445000-memory.dmp

Filesize
2.0MB

Download
memory/4084-400-0x0000000001280000-0x0000000001289000-memory.dmp

Filesize
36KB

Download
memory/4084-406-0x0000000076B30000-0x0000000076D45000-memory.dmp

Filesize
2.1MB

Download
memory/4336-383-0x000001D8E5400000-0x000001D8E5422000-memory.dmp

Filesize
136KB

Download
memory/4912-451-0x00000000024A0000-0x00000000028A0000-memory.dmp

Filesize
4.0MB

Download
memory/4912-454-0x0000000076B30000-0x0000000076D45000-memory.dmp

Filesize
2.1MB

Download
memory/4912-452-0x00007FFF86250000-0x00007FFF86445000-memory.dmp

Filesize
2.0MB

Download