rhadamanthys | 5ff55b93a1e7df7e5f0cc6403292f078cd7b5d0e369162083d24cffa9b0ab5b7

Analysis

max time kernel
178s
max time network
178s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-10-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher_pass_1234.zip
Size

105.0MB
MD5

add38a069ae17cdf99141bddc0a0621d
SHA1

9f7455269638c489e97fc094e4b162d05739adc4
SHA256

5ff55b93a1e7df7e5f0cc6403292f078cd7b5d0e369162083d24cffa9b0ab5b7
SHA512

02054aadd0bb5b7b01d18bd39140608c7420a223886b831d64f78d7b988a7611f8a37a154ca869038b8106c39b3537a4f8886dc3786efee9f4bdc7ea1b5b05a3
SSDEEP

3145728:C6ZyPeW26Ff9B8s4IjWcLV+dpKTt8ZfgD1ru:KP5FX8bpCOpuYfgD1ru

Score

10^/10

rhadamanthys discovery evasion execution stealer themida trojan

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

TQhQIkJqOp.exeHnPQX6hz6Y.exe

description pid process target process

PID 4592 created 2852 4592 TQhQIkJqOp.exe sihost.exe
PID 2568 created 2852 2568 HnPQX6hz6Y.exe sihost.exe

description	pid	process	target process
PID 4592 created 2852	4592	TQhQIkJqOp.exe	sihost.exe
PID 2568 created 2852	2568	HnPQX6hz6Y.exe	sihost.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

TQhQIkJqOp.exeHnPQX6hz6Y.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TQhQIkJqOp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HnPQX6hz6Y.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4944 powershell.exe
1080 powershell.exe

pid	process
4944	powershell.exe
1080	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HnPQX6hz6Y.exeTQhQIkJqOp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HnPQX6hz6Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	HnPQX6hz6Y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TQhQIkJqOp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TQhQIkJqOp.exe

Executes dropped EXE 2 IoCs

Processes:

TQhQIkJqOp.exeHnPQX6hz6Y.exe

pid process

4592 TQhQIkJqOp.exe
2568 HnPQX6hz6Y.exe

pid	process
4592	TQhQIkJqOp.exe
2568	HnPQX6hz6Y.exe

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\TQhQIkJqOp.exe	themida
behavioral1/memory/4592-150-0x0000000000EF0000-0x0000000001389000-memory.dmp	themida
behavioral1/memory/4592-152-0x0000000000EF0000-0x0000000001389000-memory.dmp	themida
behavioral1/memory/4592-153-0x0000000000EF0000-0x0000000001389000-memory.dmp	themida
behavioral1/memory/4592-154-0x0000000000EF0000-0x0000000001389000-memory.dmp	themida
behavioral1/memory/4592-155-0x0000000000EF0000-0x0000000001389000-memory.dmp	themida
behavioral1/memory/4592-174-0x0000000000EF0000-0x0000000001389000-memory.dmp	themida
behavioral1/memory/2568-247-0x0000000000DA0000-0x0000000001239000-memory.dmp	themida
behavioral1/memory/2568-248-0x0000000000DA0000-0x0000000001239000-memory.dmp	themida
behavioral1/memory/2568-249-0x0000000000DA0000-0x0000000001239000-memory.dmp	themida
behavioral1/memory/2568-251-0x0000000000DA0000-0x0000000001239000-memory.dmp	themida
behavioral1/memory/2568-250-0x0000000000DA0000-0x0000000001239000-memory.dmp	themida
behavioral1/memory/2568-264-0x0000000000DA0000-0x0000000001239000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

TQhQIkJqOp.exeHnPQX6hz6Y.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TQhQIkJqOp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	HnPQX6hz6Y.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

TQhQIkJqOp.exeopenwith.exeHnPQX6hz6Y.exeopenwith.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TQhQIkJqOp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HnPQX6hz6Y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133729189409395219"	chrome.exe

Modifies registry class 35 IoCs

Processes:

OpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 8c003100000000004759c865110050524f4752417e310000740009000400efbec55259614959491d2e0000003f0000000000010000000000000000004a000000000061d11901500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\launcher_pass_1234.zip:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\launcher_pass_1234.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

chrome.exepowershell.exeTQhQIkJqOp.exeopenwith.exechrome.exepowershell.exeHnPQX6hz6Y.exeopenwith.exe

pid	process
1656	chrome.exe
1656	chrome.exe
4944	powershell.exe
4944	powershell.exe
4592	TQhQIkJqOp.exe
4592	TQhQIkJqOp.exe
1576	openwith.exe
1576	openwith.exe
1576	openwith.exe
1576	openwith.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
2116	chrome.exe
1080	powershell.exe
1080	powershell.exe
2568	HnPQX6hz6Y.exe
2568	HnPQX6hz6Y.exe
5016	openwith.exe
5016	openwith.exe
5016	openwith.exe
5016	openwith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3220 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1656 chrome.exe
1656 chrome.exe
1656 chrome.exe
1656 chrome.exe

pid	process
3220	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

chrome.exe

pid	process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

launcher.exeTQhQIkJqOp.exeOpenWith.exelauncher.exeHnPQX6hz6Y.exe

pid	process
1956	launcher.exe
4592	TQhQIkJqOp.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
3220	OpenWith.exe
1444	launcher.exe
2568	HnPQX6hz6Y.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1656 wrote to memory of 3672	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 3672	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 5112	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 464	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 464	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe
PID 1656 wrote to memory of 2128	1656	chrome.exe	chrome.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2852
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5016

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\launcher_pass_1234.zip
1⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb92bcc40,0x7ffcb92bcc4c,0x7ffcb92bcc58
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1756 /prefetch:2
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3248,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4552,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:8
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4984,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5132,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3684,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4332,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1128,i,17911376407224660966,12422926830821262669,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2688

C:\Users\Admin\Downloads\launcher_pass_1234\launcher.exe
"C:\Users\Admin\Downloads\launcher_pass_1234\launcher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\TQhQIkJqOp.exe"
  2⤵
  PID:5108
- - C:\Users\Admin\AppData\Local\Temp\TQhQIkJqOp.exe
    C:\Users\Admin\AppData\Local\Temp\TQhQIkJqOp.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Users\Admin\Downloads\launcher_pass_1234\launcher.exe
"C:\Users\Admin\Downloads\launcher_pass_1234\launcher.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'""
  2⤵
  PID:3188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData'; Add-MpPreference -ExclusionPath 'C:\ProgramData'"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\HnPQX6hz6Y.exe"
  2⤵
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\HnPQX6hz6Y.exe
    C:\Users\Admin\AppData\Local\Temp\HnPQX6hz6Y.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
12f85acfa73da7089c6d4e71f347be7f

SHA1
4319d3e92599c9ae5c27f72abc8f481670445d23

SHA256
699130089ea7d1c6022d0335f18c4f2581b36fec2f8e448b8094fde7d794d215

SHA512
b0dc7162d037f11f5751bb3ead2d666249c8e97beccb19f7fa15f5c99d274decd514dde4a3ddabcc31be656815884576e7ff261753f21a35835f9ef0b7871a1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
432efbbaa42fafc0597df1d7b7637d74

SHA1
fae6ab85c2235edca2d0e455953b62670ecccab3

SHA256
60c511601e821e8ab33b4b917953ba4a73ee06d1e23221541991a0316cae5bac

SHA512
a85148c24e5b3fcd88e81aa9370372679eded66e9f77748e1fd3de3855cbe2eb67f90510bdbbac804f0cbf3090ed8bf83f07064fd5e54ca24fefb303e8f59c04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
99327d1f49e2dc3817365d8622628b41

SHA1
cc1203fb0f5380dac6b3145bbe0ef2c41e01be3b

SHA256
2a60406799885df2933ea1ce3753bd896cd7ce21887e52284ff50163ed9c7068

SHA512
322bb674dcc874e74d35be0969502c7c5c0af92d7f75b15c20fd2a8c0a8a984465ff5c37b0121e86678f013fe7cae13e8c7592b43dbf0ed6242dea9a458ab387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1e6cbe8b7cfa53a83976b7caf6c48d52

SHA1
0780113fa89d310e7f801dbff262ffd9e243355a

SHA256
bca928d35446cab1764a60b87e406bad605f5d2df1be4c09ec03ab77800a7ca0

SHA512
6fc301aace63dc110dc9782bb0264ca4ea3a8bcc70608da536b6076da86a6e60a87a1d831e7571a0a591e43d9630a98d5213dd52bf2cb998ae5b40e0ca65eb3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
15b4f3627273a1d00fcbb2a8451278a6

SHA1
c3e99a9299822b81e73cb01f1feb7c202fe4a382

SHA256
c7fa133222f3fb1b5bb05d072f56feb8197d8bfc4994a15a68cc2cfb12c8698f

SHA512
eba15d8073dfac6d3c3c3d6f4fca41a146532b1ce6e014b41a36758345b0ff3203923fdc1a4ee2c9a7b9ea61003a732cb8f9bdb5daa740a9fa071396b3503caa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
687ed4bc04095539e23b8630752a0b3c

SHA1
e75653650079a42860585c38ac88d75f24d80d68

SHA256
79ae8ba07f114eb151bed6bed2edd204fdc3a1cb390f37c84598918cb1bd272b

SHA512
c2877ca2bf5a3cc14c8c3e49690626e41cc732fc311e95dbf574e910ade9f13fdf08985c3635d4f33460173722c38546085cf4cf05f41b48194c8a02cfc0f11b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
908c41dcaed2fc66b8ec419533d162b3

SHA1
06095b2f05110076c87500d0e8b2f4f1332817e0

SHA256
3f635c554e9de81cb38a8c54873b92066447a9cef7adb68182a120e76513e034

SHA512
9fa061edbc9c552cf9cdf4e8f34b5290cbbeb5bef2b37be957d2f7d365136420e5b477daa06751cab5297b69ec5b9cfaa210bb67b1b45c3842a0a698c6ebe6f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4ecdc4f8e3e9f60e6a41e9b3cd38d4d7

SHA1
063f3a44c7ecf3c689f90cf83e05bec0c6632ac6

SHA256
034fab6ce772338f152a0f9d15f81c87902d65e087f45aba207fdcfc59e7807e

SHA512
59285c030db5fc8c96364a0189e44545705b807621b7a6a6de084879a7580c62b577bd869b9a8bf52e65daab0f0d3295ae7a463be691c3199005f294d931e7af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7823f928a767b68695d4112a2d01d759

SHA1
08c137b4e18f28d6ab87ea9583f545f122078cf4

SHA256
4edc2a869ef5b0aff0bda3339f4904a5930bc43bcb8df9b23eae192e7829cba7

SHA512
eeb398c1175d607ac661ae1482fb3a08bfc792368003e1f8c80d461241772891c9713d1c28dd6f52cfe4e90416586bafbf1114c4ecb62d44034366aadbb86ee5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a7c1cd2dc4d874091932f732c18730e2

SHA1
ce45c149b1d399f7a93c6bae931d998b6314da80

SHA256
c72cc8e142ea0df24991e45b16ab1f2cc1806d3e3c8d2a79414178fc639a253f

SHA512
f39cd04e6738a9d8d62fd3961f0f93c374b97429cd46f9ea1534b6ff4605504f9957b34b244bb2bce978fe2a333b26d333e59c7cc054ed9452a3204c2220d5f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d1ac93e926089e58d00ab02b949b8796

SHA1
7f54eb850d65f95389ad7c0f5b12cd4bcac4cc42

SHA256
83c7a28756b2752239cea1b190fc077d396bb60e8e51f79b252e975c10941cf2

SHA512
92ca7d1d790f4388dc43ee628bfec87c1e279927dbc4d743b98aa17d36cc8bd943c651b657cc4cee0c6e50c85dd0e7581679f2657f1c9aeb6be797a50689d01d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
58ab14607c8a90862f4ccaa7d621c2bf

SHA1
2b3f22930f56fa722e5672feb020d7db80e9f62f

SHA256
15b0c199aa9eece7424ba740032316c3af6fa7ee8fb87c3fb3bb921b9559761a

SHA512
509eaae5be3bc911a7a5008852cd99908585d83947b3e44f2d1937daf901bc2df01ee7e1c48ab21bc5cb427e190492b4f0e166bbc6745964c0f0704ebb7f1d1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
253e3e3a6090c8cb81c9da65a85a1d37

SHA1
3e355056836e8108b08b4a3c1902ddcbf9a02569

SHA256
f89326c4b81ee929bc9e9ae966ef84cafabc6f6d25008da1d9f101efbc831190

SHA512
459b0d4a7cddf70e44679b57657de6495facf68afe0d8bef092deea99e62554b237e4977e500313eac74cc34de11d61b83cd55389306cc520a2d1e1aa2de4b30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e2816a0d6fed8275f8f72d7e42aaec45

SHA1
6aa07e5c3574af49104dcfa7bdd7c2fad5bd2216

SHA256
e49cb43660a7c2bf65eee6d99891135b61c66379c5697a37c82cb1fd95002d58

SHA512
7d8f37915e9a761a11d51536b889b553036b438931ee62c2bb51a5587b75c2e74888148384056b2d9a22d8ff7f8cbf3a8af7a27e7beea3cc7eecbcb93e7e908f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a36a8433f2363ec92989ab17e672f7ce

SHA1
14a5b92460cf96e45dc7640d1dec763b0ab31cbe

SHA256
2b19a58ebf7790c140ebd5483c5ff22fa97da671acff1b447f72c8ad53192e5f

SHA512
8c37e8d6c55f1fe1d8331d35e028832f4e84c3da03ddd9ccfb893f1d6aac1b1adaa0af569a7559602e094087057a9794af408e885a49ccee37a8cdf10d427813

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e67571b0ba7a03176a8d5856683e879e

SHA1
24635f548b7bc4f1a7337d820f564d6e0f2eb277

SHA256
f6299e49190152c15bb8bdef70d49ec67693e4116642b99e1f9d47e801cbbd8b

SHA512
c4964a38934d9c20e39fdb561a476d5abed17c8255e42d7726f734ab32163d675f3492efb0ac7df51d33525e64f11a4b4c4babc36857dde0a5e1436aed29f1d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
c19b52930f8da3e7243bff621d713524

SHA1
4528f57721873a1f638b1168e36602c7e9d2b38c

SHA256
2888023bacfb68650e8af476f862a0b1144cbbe1eb9f157cd17b11dee2577c30

SHA512
8cf3bdb746767e090b5f14d870b68aa9db987c9af5e4cda5cd57d7eda295b5d4731e3b021165cb6a9cc7db9972a3bf70e8c9389d4c57a4523aab2728d3c75a80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
cc3a4101642f9068171e16a4cb95e04c

SHA1
4e69ff9e8de8336595abf140e1619aefebe4c6d3

SHA256
5d5b8493881379a6514c2b22dd10d3ff61d3feb875db53821e0dd0efa4865c93

SHA512
a8fd2fe366e841cb73eb3fdaf6db0c0ffbbcde86720b32cc2bcb8178124ef74c805e72af8abaf86430b2f23a9be64e5a038948425650ca54fce6bbf799a1a73f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQhQIkJqOp.exe

Filesize
4.4MB

MD5
2131426d8a3c01e0073772820265b4bd

SHA1
bac33ac453609577cccd2c6b1fb4981ff634e795

SHA256
1f53511b847a01a45e3d5d48f40dce79500175275dcf9606da1ee4864099ad8a

SHA512
9a24b0a26fed3730d301a4c56412f2df7a7505184ba848b9a38f21af48fd82ed549b6d56383bf119c712b663900a006e2016e04e958e40c5f529a22fb7bfb22b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_isynsth2.och.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\launcher_pass_1234.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_1656_IHYHJELAJGZZFJPR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1576-170-0x0000000000640000-0x0000000000649000-memory.dmp

Filesize
36KB

Download
memory/1576-173-0x00000000025B0000-0x00000000029B0000-memory.dmp

Filesize
4.0MB

Download
memory/1576-175-0x00007FFCC8220000-0x00007FFCC8429000-memory.dmp

Filesize
2.0MB

Download
memory/1576-177-0x00000000751B0000-0x0000000075402000-memory.dmp

Filesize
2.3MB

Download
memory/2568-250-0x0000000000DA0000-0x0000000001239000-memory.dmp

Filesize
4.6MB

Download
memory/2568-256-0x00000000751B0000-0x0000000075402000-memory.dmp

Filesize
2.3MB

Download
memory/2568-264-0x0000000000DA0000-0x0000000001239000-memory.dmp

Filesize
4.6MB

Download
memory/2568-254-0x00007FFCC8220000-0x00007FFCC8429000-memory.dmp

Filesize
2.0MB

Download
memory/2568-253-0x0000000004510000-0x0000000004910000-memory.dmp

Filesize
4.0MB

Download
memory/2568-251-0x0000000000DA0000-0x0000000001239000-memory.dmp

Filesize
4.6MB

Download
memory/2568-249-0x0000000000DA0000-0x0000000001239000-memory.dmp

Filesize
4.6MB

Download
memory/2568-248-0x0000000000DA0000-0x0000000001239000-memory.dmp

Filesize
4.6MB

Download
memory/2568-247-0x0000000000DA0000-0x0000000001239000-memory.dmp

Filesize
4.6MB

Download
memory/4592-167-0x00007FFCC8220000-0x00007FFCC8429000-memory.dmp

Filesize
2.0MB

Download
memory/4592-154-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/4592-150-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/4592-165-0x0000000004680000-0x0000000004A80000-memory.dmp

Filesize
4.0MB

Download
memory/4592-153-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/4592-166-0x0000000004680000-0x0000000004A80000-memory.dmp

Filesize
4.0MB

Download
memory/4592-155-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/4592-174-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/4592-152-0x0000000000EF0000-0x0000000001389000-memory.dmp

Filesize
4.6MB

Download
memory/4592-169-0x00000000751B0000-0x0000000075402000-memory.dmp

Filesize
2.3MB

Download
memory/4944-140-0x00000171C1B40000-0x00000171C1B62000-memory.dmp

Filesize
136KB

Download
memory/5016-260-0x00007FFCC8220000-0x00007FFCC8429000-memory.dmp

Filesize
2.0MB

Download
memory/5016-259-0x0000000002770000-0x0000000002B70000-memory.dmp

Filesize
4.0MB

Download
memory/5016-262-0x00000000751B0000-0x0000000075402000-memory.dmp

Filesize
2.3MB

Download