rhadamanthys | ec4cd02feeae2e57341cb7ff396fac7d635c914775357b95a0ae3bb73ced8703

Analysis

max time kernel
150s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Software_Setup.exe
Size

63.9MB
MD5

9ff7e52416b7d3ca8b7e035d4b15f60d
SHA1

ecf06e8679da62922f3d52d2b9e756ba311e4203
SHA256

ec4cd02feeae2e57341cb7ff396fac7d635c914775357b95a0ae3bb73ced8703
SHA512

974b9d2d21ffc0d780fb5bb531db3f4edf979e032e2b0fa9048310885fa7cac06fc138b4aa5a9d6bb19a7fc7676c72e98a9ba9c60b35428a699774b34af474af
SSDEEP

1572864:jDkFLa2/bDkFLa2/bDkFLa2/bDkFLa2/bDkFLa2/z:j6/6/6/6/6f

Score

10^/10

rhadamanthys stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

winhlp32.exewinhlp32.exewinhlp32.exe

description pid process target process

PID 1396 created 2660 1396 winhlp32.exe sihost.exe
PID 6092 created 2660 6092 winhlp32.exe sihost.exe
PID 1312 created 2660 1312 winhlp32.exe sihost.exe
Executes dropped EXE 3 IoCs

Processes:

Software_Setup.exeSoftware_Setup.exeSoftware_Setup.exe

pid process

5652 Software_Setup.exe
6016 Software_Setup.exe
3712 Software_Setup.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service
T1102

Processes:

flow ioc

142 raw.githubusercontent.com
143 raw.githubusercontent.com
1 raw.githubusercontent.com
2 raw.githubusercontent.com
81 href.li
82 href.li
83 href.li
141 raw.githubusercontent.com

description	pid	process	target process
PID 1396 created 2660	1396	winhlp32.exe	sihost.exe
PID 6092 created 2660	6092	winhlp32.exe	sihost.exe
PID 1312 created 2660	1312	winhlp32.exe	sihost.exe

pid	process
5652	Software_Setup.exe
6016	Software_Setup.exe
3712	Software_Setup.exe

flow	ioc
142	raw.githubusercontent.com
143	raw.githubusercontent.com
1	raw.githubusercontent.com
2	raw.githubusercontent.com
81	href.li
82	href.li
83	href.li
141	raw.githubusercontent.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

Software_Setup.exeSoftware_Setup.exeSoftware_Setup.exe

description	pid	process	target process
PID 1616 set thread context of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 6016 set thread context of 6092	6016	Software_Setup.exe	winhlp32.exe
PID 3712 set thread context of 1312	3712	Software_Setup.exe	winhlp32.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3876	1396	WerFault.exe	winhlp32.exe
60	1396	WerFault.exe	winhlp32.exe
4876	6092	WerFault.exe	winhlp32.exe
5104	6092	WerFault.exe	winhlp32.exe
5472	1312	WerFault.exe	winhlp32.exe
5516	1312	WerFault.exe	winhlp32.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

Processes:

chrome.exechrome.exeOpenWith.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2494989678-839960665-2515455429-1000\{EF17F50C-3EB0-4380-A28D-6A8831C49CF2}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

winhlp32.exeopenwith.exechrome.exewinhlp32.exeopenwith.exewinhlp32.exeopenwith.exechrome.exe

pid	process
1396	winhlp32.exe
1396	winhlp32.exe
1764	openwith.exe
1764	openwith.exe
1764	openwith.exe
1764	openwith.exe
1468	chrome.exe
1468	chrome.exe
6092	winhlp32.exe
6092	winhlp32.exe
2196	openwith.exe
2196	openwith.exe
2196	openwith.exe
2196	openwith.exe
1312	winhlp32.exe
1312	winhlp32.exe
5428	openwith.exe
5428	openwith.exe
5428	openwith.exe
5428	openwith.exe
5556	chrome.exe
5556	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

1956 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

1468 chrome.exe
1468 chrome.exe
1468 chrome.exe
1468 chrome.exe
1468 chrome.exe
1468 chrome.exe
1468 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: 33	216	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	216	AUDIODG.EXE
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe
Token: SeShutdownPrivilege	1468	chrome.exe
Token: SeCreatePagefilePrivilege	1468	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exefirefox.exe7zG.exe

pid	process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
5340	7zG.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exefirefox.exe

pid	process
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
1468	chrome.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

OpenWith.exefirefox.exe

pid	process
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
832	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Software_Setup.exewinhlp32.exechrome.exe

description	pid	process	target process
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1616 wrote to memory of 1396	1616	Software_Setup.exe	winhlp32.exe
PID 1396 wrote to memory of 1764	1396	winhlp32.exe	openwith.exe
PID 1396 wrote to memory of 1764	1396	winhlp32.exe	openwith.exe
PID 1396 wrote to memory of 1764	1396	winhlp32.exe	openwith.exe
PID 1396 wrote to memory of 1764	1396	winhlp32.exe	openwith.exe
PID 1396 wrote to memory of 1764	1396	winhlp32.exe	openwith.exe
PID 1468 wrote to memory of 3740	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 3740	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1432	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 3536	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 3536	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe
PID 1468 wrote to memory of 1052	1468	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2660

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1764

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5428

C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Software_Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\winhlp32.exe
"C:\Windows\winhlp32.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 464
3⤵
- Program crash
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 472
3⤵
- Program crash
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1396 -ip 1396
1⤵
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1396 -ip 1396
1⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbccb8ab58,0x7ffbccb8ab68,0x7ffbccb8ab78
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:2
2⤵
PID:1432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2224 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:1
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:1
2⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:1
2⤵
PID:1840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4820 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5040 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:1
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4872 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:1
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5020 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
- Modifies registry class
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5016 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:1
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3332 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:1
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4528 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:8
2⤵
PID:4428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2604 --field-trial-handle=1948,i,16371251788697571010,6182112573742297945,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5556

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc 0x468
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3204

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.0.1973953401\163077856" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {132951e6-0758-4fcf-a044-5829406c3732} 832 "\\.\pipe\gecko-crash-server-pipe.832" 1836 1d133ef2158 gpu
3⤵
PID:4052

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.1.176021429\2034999113" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f94d361-562c-40c7-a0f4-660b275702b1} 832 "\\.\pipe\gecko-crash-server-pipe.832" 2404 1d120c89958 socket
3⤵
PID:824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.2.940189599\1734019921" -childID 1 -isForBrowser -prefsHandle 2984 -prefMapHandle 2980 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d361b01a-5529-465c-8e17-35a73888fa71} 832 "\\.\pipe\gecko-crash-server-pipe.832" 2996 1d137d1c158 tab
3⤵
PID:1408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.3.1405958792\620255070" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {235ea6ea-55ae-4248-b7ad-efe0d343c71c} 832 "\\.\pipe\gecko-crash-server-pipe.832" 3556 1d120c7a858 tab
3⤵
PID:4968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.4.807706760\108680470" -childID 3 -isForBrowser -prefsHandle 5060 -prefMapHandle 2904 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {942cf0b8-1b12-46c5-b510-950bac8cd740} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5132 1d139806258 tab
3⤵
PID:4440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.5.897516102\150901743" -childID 4 -isForBrowser -prefsHandle 5352 -prefMapHandle 5348 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e5d66cb-8748-4d76-baef-05a46aa2d4fb} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5272 1d139806558 tab
3⤵
PID:392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.6.1936131000\1345819099" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 5476 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1292 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8078b21f-f40a-4710-bb97-8a8f59b5dd40} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5464 1d139809b58 tab
3⤵
PID:3032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5192

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FullSoftware(Package)\" -spe -an -ai#7zMap2277:104:7zEvent30989
1⤵
- Suspicious use of FindShellTrayWindow
PID:5340

C:\Users\Admin\Downloads\FullSoftware(Package)\Sp00f(NEW)\Software_Setup.exe
"C:\Users\Admin\Downloads\FullSoftware(Package)\Sp00f(NEW)\Software_Setup.exe"
1⤵
- Executes dropped EXE
PID:5652

C:\Windows\winhlp32.exe
"C:\Windows\winhlp32.exe"
2⤵
PID:5768

C:\Users\Admin\Downloads\FullSoftware(Package)\Sp00f(NEW)\Software_Setup.exe
"C:\Users\Admin\Downloads\FullSoftware(Package)\Sp00f(NEW)\Software_Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6016

C:\Windows\winhlp32.exe
"C:\Windows\winhlp32.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 444
3⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 440
3⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6092 -ip 6092
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6092 -ip 6092
1⤵
PID:3796

C:\Users\Admin\Downloads\FullSoftware(Package)\Sp00f(NEW)\Software_Setup.exe
"C:\Users\Admin\Downloads\FullSoftware(Package)\Sp00f(NEW)\Software_Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3712

C:\Windows\winhlp32.exe
"C:\Windows\winhlp32.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 464
3⤵
- Program crash
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 444
3⤵
- Program crash
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1312 -ip 1312
1⤵
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1312 -ip 1312
1⤵
PID:5500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize
471B

MD5
0e76ff84d31e1e085820dee79a5dcd6a

SHA1
28a13c821bd48160774de86d9131fb9642790b9d

SHA256
5dd0b77a3b0fcbebd2040b0fa2f733576a1a46017eb4ba10568c22186ebfdbe1

SHA512
77e8ceb46d3301cb0560d0e6ee01a0ce00ae240522c7804458f2c0947df62063a4a7ecdb92bd8c220693ecce72e3857742f13075be519e88acaba1c96afd52b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419
Filesize
412B

MD5
b70348ee3287660c19c2c88263ff402d

SHA1
5e4eb9bbe01652ea167325b574c65ed7d03a0b47

SHA256
195ed3cb8491d2747001262236f9dd44e9029a93d943f7edc780bf9f9990947d

SHA512
7b2c5c094ba6d97185064617a266fe0a07dff412912f477035d5a51ae59de99528043f5ab09c9c57a85940ab19655c0b5e9012da52b11b8d13bcd2cb3a32ac71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
552B

MD5
3d66db3a09aaa5b09e878656bdab1fb1

SHA1
dad1e2a6f359735ead22f8f7e92be84d7775ea93

SHA256
7a4a6081186f06297e93820fbe4874736b1d9b15eb799a79ad9c0412243dda6c

SHA512
eb0bdb822ed1d56e7696c19b76a49030cbca146f64fa975118603d7d8258c5811faee81716b5eff0ae10cae9f2d977c464d9e5626e4fa1e9eb7c19967c80506d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
Filesize
376B

MD5
39bd112369d4e8f1f309095f04fd0169

SHA1
c5c0beda1d8afb84980aece84d5d9d57aa98a7ad

SHA256
747f15ee4432d5ab6ffe65b93070d61674f4f4f1ae620f1be037c8edfafcaa90

SHA512
cbca6d2d8bdd7f0af95169cdc2ffa8064f84a4bd37ee880f1d80a0f06c9aa856ca17cb1f10c00ae209e81563742838b02f03b465a947d1ef02a78666fe38b60f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe58b3ca.TMP
Filesize
335B

MD5
82b1e93e6ff4ddab5d7e646dd1d6dfce

SHA1
2681b45f00cdb0c2b290705bf56e907b56ba1b42

SHA256
b5c3c2ac97fa57edb2e0689cb1708bfc56233a2437b3ea9b6c0e109f509f7901

SHA512
e6810af1eb478b765a13dfe270f0356d38b9d19929f6876ceed3d4d88d6a4b2ff3f117a2b2cb44d678245e9842bbdc39827205053852505dc97e44ac45ba1b10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
87a30a0ff4bf6a514ef51bd6c509682b

SHA1
d4eb33649cd57d44850dcdcf2b687c08983eae57

SHA256
f111526839b87d678ba70c15132eff1fcda55ef1d515735473146e0123feb9cd

SHA512
0d3be2aa92c52c96b36143a2a718591c58bd4082a5f30ed84eafeac83d21d8efc49a7d5fda58fa51bdcd0779603777a84127e089b24ba12d3a49cce67af7477b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
d978e03b63609a6df0f5ad8596b691b8

SHA1
3a20c79a17c97f93451886be5b3a81e82ca21638

SHA256
ece708c1ea8d2bbbd388b9a5fab8f009b8f4e0f4e910125cf0247a53983427cc

SHA512
200d4a57fc8f16a3e46d761b36e180506026d04d219019207c6a8735f0e3ecc89cebb347e600d8bfc89884b46f8862d16d8e7ee06f3ab5c0fe0e7d15268f143d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
fee4c2edc3f0b64ae10caddc1283e715

SHA1
71d88b73af628bfb33013ee62dae6356860fe007

SHA256
c4662a25362f67dd898655db40c5be0514b5611390dcd8635e41e3e647e33b68

SHA512
b1241753e832edf05b3fbfc78de7fa5373179eca85c45f2ce763cfb0466aed7087370f6d9ad89dad036fe9aad7b08cebcc1f95a2a56d2222fd41f9831973fea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
57467e9224e73a7c55edc184221cf1e2

SHA1
ac8f0b05fa27d4b346e375c3a9dbf7990ff0f4b0

SHA256
f12fae0d0cb36dfbccc6eb6d5b16d78262783e3dca22c91f8d142d05c69fdcf1

SHA512
6b51610858fdfa4c91548edabe45e785163ff2b509aeb8e5949d4ee2517134706925d0e831161d248df478a3f0dbe55638d732bb5e5d1c721cb6bc6835ba27e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b9a4df0e74668dfa3dc7264f78fd6fca

SHA1
fe44ae80c199864026e501465aebfb365d517c90

SHA256
ce536ad386f78b5b971b10f7e53da63842964e9d77b410c548747bc3032c0d11

SHA512
d1fe0efc99cd82be06ffa0ad1393c0dfd42065b8fc5feffd7a2f7ce9067f852f72923dfe21daf9151e6ecf4ce6ea56b5fc2db843ab901e72508bc2239f4c446a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c7f72e68f2b55e38ff52667d9e1721d4

SHA1
e2364f2eab74561cfea34a50634e01a8e68a8810

SHA256
8999bd69f4eabae79eca49edf8f79e6be6660808615c7b766588c39f69364f1d

SHA512
cc97557fcae7d063d1abd10249da006dd7521b0281415a7580fac25aaf5f2762bc7c243e48cf19997e7b8b324e89a4f8ba471846980ee522e3e2b38498830a95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7d63bd965a6587b8ffef37a79cb84947

SHA1
34cf27c481f212ed805c9c60364d9f77c455d0d9

SHA256
7a6d7447987277dd9711d89481fe8ef211764e139f7fa032d2693772d2e5e4b9

SHA512
db2b8e3800392e941fb8ef5e1d6f4bb0b08bdb47ebc3df3b28ca07cfb76d0127617a8ba2e988b60349ad91cf7e2e24d8961b48ca6fc7e88c87c80219f69636ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
de5d0a2cd145ae274f8f0410c0853731

SHA1
2cb032ab030f2b8ba32b5e4c7f5345b0442440ff

SHA256
f04da9c5198c3c769bc3dea112c94777a9ccccdb991298b96fd13eb21f5ccfa6

SHA512
74b3ad665f0b90c786479be2a4d9bfd9f2a56b2108c0b595281177a6fea3b864d33f529b02b3d67c35502e1009bb78faae9a98298fca3a7e9df1b82a4902e104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5879bf.TMP
Filesize
120B

MD5
20db4d22dae1eb08a576556257817d2b

SHA1
f9acb2103935e4dd07ba6f49b24fc6dc56d4132d

SHA256
aaba416faa794c4180aecba35f2dda440f6ab9bdcb6f1ecd7bc8bfc2f99bc9fe

SHA512
f25d0515c8e9d69b09d82fd24b8bfe4743aed2a2477723ca4abfb6607ab8ec579eaf3981a565e325c939f34183cda0e4086a34dcf0122bdfcd9b11a08be50986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
0939285f69a028f752612de9d4719204

SHA1
3dc9687e3176846a2c0b066ff88dff99cd95229c

SHA256
7a3c63b79ee3a6f16a43f4e612e25ff98dc09abd86758773b73c8fa41d7af8bf

SHA512
686e88f1719d0c9061be0192de5cacbf858f75dfd56820f08bb45a2127c5a03edc7de8680b57dbeeec5a54308f9515a9b8dafa649cc7a777376fb04e2a652382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
251cc2881e286e1f23277b2d00fe5fb1

SHA1
928047b6826e262d217024b1296529a6f3ea3523

SHA256
2f2f2ade6e6e5bd521eb76f384f275a49f8810b0d5918484db1f8a56f6ed5cc9

SHA512
51e0b89f9f9f9fbbccc9c0dbdc80b2d226c6495e9b24c303f58de4f45241c23dd13d9f1c0edacd094906bee905eec88fb4566fe607f07089bbe2eb167bb92073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
cfe257fbc4871c1c64cc2707877817a5

SHA1
4afec944db0f39d5f24cd510e81bacce4d6acec3

SHA256
ffb84211a654e216b85b947b4ded16f7162e852871c530bee453bb68c38db6ce

SHA512
6290bf6f5325f0508cd86fd6a6be02464e41101104acc1fcc4db32a1759989784d8b50bb3d86547b624da711ab3460ebc4287e5e9e18465ccffaab72fd03f52a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
4b54380398f7c6c880f8bf6f416b04e3

SHA1
a1bb1f129c11080a276514b91bd4fbf6d9c460ce

SHA256
5b3ee061e7bbe02a1fa570a7605cc43961e1da4cf6f5cac45eaa520736e8dccb

SHA512
0c1e3371ce424d8db561eb30b35013a0c5c799aba9bff75d8ec1102252400185392470f1199dec0b3cec361a0da08ace1e58b332bc912894696b3609a14d969a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
102KB

MD5
4cbe030e5de1a3e89be1cf6866646d3e

SHA1
9ee97dd2050423f7e1117161c0b39552418842e1

SHA256
f446720a8bfdd5f0e0a90d5eb1e3894a3f473251f1e0a2e8b3a8ec8b42690d62

SHA512
26f20bee581ac10f120aebad6547f74c9078f9a6abb430f2f44a64ab7b23d1087dfd7e5b009a46b98e857d43007cbd6d26cfaf7a464dc09b07c5b4b225fdc725

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe590f48.TMP
Filesize
89KB

MD5
a039f6e79bcd216ba65d0cf7f255033b

SHA1
60f56593d1260a2c649e21652a0921c884d186e2

SHA256
5c974766c698cfd5f1369b16638d9847ed1d8dc3c5585e9524f4cf87f67d83f7

SHA512
cd7dfb70dcaa9ce88146b9c5d15f0e510fa296bcbb63a2d0f446861d7209618f14ec11f4e3a7955cd5a88f7a6cfe5acb58090b8df92eeecf08b7bf86a84011e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rcjasbej.default-release\activity-stream.discovery_stream.json.tmp
Filesize
22KB

MD5
b3c1bfd83562a4a9217931a7a97f4b8a

SHA1
126de869c22862e618946523c4b1a87d059a0259

SHA256
203952337656c2707c9f50fba081f4e2c38ed2f756f6c4e46ae6a2e608a47870

SHA512
f91c0685cd8ca0d84e1d0f15de721054d55cb369d333dcd47c71708938c9e2e5c42807a8eca6f15e1b7074ef8673265fc70be99c2dfb8bfc404f701965385dc3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rcjasbej.default-release\activity-stream.discovery_stream.json.tmp
Filesize
22KB

MD5
46261a516f1bca012584edcf9070dcb7

SHA1
3904b2449383e2cb3f7dd0fd2a132caa44703f38

SHA256
664dfb41ee60290c8dd9494ace461bf97fe68e725054338139e995a4dfa8fdae

SHA512
d46d167650a650bed19384049e3dd8c5a59a0f3261a50d8e4ad09387a42d75c2652fa5a764386247f7853fba967d61976f273524e210dbc11c71ecba0c06c0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\prefs-1.js
Filesize
6KB

MD5
ac983165444cc732364f98dcc22f45dd

SHA1
4f704ba58e9722f919cacd6d3ebd25e6963d0c5d

SHA256
4a9770f784444d69f57eb04977104f10ca89e87a7851123bc374dc866f3f538e

SHA512
90e8a92cff6838ed56bb7eacb38c06007b6344d72906a8ee53baa70c6408f85c290b3afade17673a09d7f88d38cbfdb21f15c0d2548954d1ffd9b582ecca95c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\prefs-1.js
Filesize
7KB

MD5
5f95b07537380fe73634a1f007841391

SHA1
c9dd457cfba46172b016c25a506b0b8317da7326

SHA256
10332d661d00e8b3f6a2eb3c7773e01640c3950136bc89b2e1439e36ae73c23b

SHA512
33ec5c2be7716301dbbb0211558c84b57a72f3f54ad7830d257833fe37f5535d49936a6d444b24b9f5fc135563b8a7ffec690075e3ee58e3d4d3e936265cfc7c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\prefs-1.js
Filesize
7KB

MD5
b11a4e80b7f746b3bfe761c7e0dfe5b9

SHA1
18d8384806ca6a6bf89f0c8ee988249e761c3835

SHA256
44fb8988ccbcd1e0e7ea351c8acc4631937b0fb28e7fbfecd6e6b964a0c14ec9

SHA512
69db6f499938a048c9d7115a3d7a00920f3ba3be75b1dba655d21b7647a443e639c48d7df6d425106bd796b65abc55d1965b50d8d38689bd7169a013f07f759a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\prefs.js
Filesize
6KB

MD5
b02fd8afbec75ffdb3cf43b48d2a5ba0

SHA1
964e7edcb0de00d0c04ee363cdac80ac9fb18e92

SHA256
73236b8e96d6c75881c654fc6bbd620e502beb5c540a11aec1b6eb4efa37ac2b

SHA512
e8f52324d11516d6a392474b5ef163ed7f80703dbfe28455dbf4ca88dc23a6c01c8c54bd6845c374d194c4c1f49974c37639d6df64bfca92d909c4e77b70c02a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rcjasbej.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
39e1807b5481ca7f70ee7c68d5950e22

SHA1
14562413e69d561eb8fd4ca7ecc872dc73bb62f2

SHA256
633afc89c4eb4b8e7657d4dd4e6cb160ea2f6a8a70f2dca3e846442f999b26e9

SHA512
21bc57e45820d479c29653513f4cd43c54763d2a2c0ceb418ebb5d08a20262418941d3d272c4ed89b6135c2d0c8b6cf3976fd2c16857ad15a769d7dc492642ea

Download Submit
\??\pipe\crashpad_1468_AABXUMATWKPTISYU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1312-695-0x00007FFBDBEF0000-0x00007FFBDC0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1312-697-0x0000000076210000-0x0000000076425000-memory.dmp

Filesize
2.1MB

Download
memory/1312-694-0x0000000003850000-0x0000000003C50000-memory.dmp

Filesize
4.0MB

Download
memory/1312-692-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1396-4-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1396-5-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1396-9-0x0000000003C60000-0x0000000004060000-memory.dmp

Filesize
4.0MB

Download
memory/1396-11-0x0000000003C60000-0x0000000004060000-memory.dmp

Filesize
4.0MB

Download
memory/1396-8-0x0000000003C60000-0x0000000004060000-memory.dmp

Filesize
4.0MB

Download
memory/1396-7-0x0000000003C60000-0x0000000004060000-memory.dmp

Filesize
4.0MB

Download
memory/1396-6-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1396-13-0x0000000076210000-0x0000000076425000-memory.dmp

Filesize
2.1MB

Download
memory/1396-3-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1396-20-0x0000000003C60000-0x0000000004060000-memory.dmp

Filesize
4.0MB

Download
memory/1396-10-0x00007FFBDBEF0000-0x00007FFBDC0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1764-17-0x00007FFBDBEF0000-0x00007FFBDC0E5000-memory.dmp

Filesize
2.0MB

Download
memory/1764-14-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/1764-19-0x0000000076210000-0x0000000076425000-memory.dmp

Filesize
2.1MB

Download
memory/1764-16-0x00000000023D0000-0x00000000027D0000-memory.dmp

Filesize
4.0MB

Download
memory/2196-653-0x00007FFBDBEF0000-0x00007FFBDC0E5000-memory.dmp

Filesize
2.0MB

Download
memory/2196-655-0x0000000076210000-0x0000000076425000-memory.dmp

Filesize
2.1MB

Download
memory/2196-652-0x0000000000A90000-0x0000000000E90000-memory.dmp

Filesize
4.0MB

Download
memory/5428-700-0x00000000028E0000-0x0000000002CE0000-memory.dmp

Filesize
4.0MB

Download
memory/5428-701-0x00007FFBDBEF0000-0x00007FFBDC0E5000-memory.dmp

Filesize
2.0MB

Download
memory/5428-703-0x0000000076210000-0x0000000076425000-memory.dmp

Filesize
2.1MB

Download
memory/6092-649-0x0000000076210000-0x0000000076425000-memory.dmp

Filesize
2.1MB

Download
memory/6092-647-0x00007FFBDBEF0000-0x00007FFBDC0E5000-memory.dmp

Filesize
2.0MB

Download
memory/6092-646-0x0000000003EB0000-0x00000000042B0000-memory.dmp

Filesize
4.0MB

Download
memory/6092-644-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download