Analysis
-
max time kernel
53s -
max time network
80s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
13-05-2024 15:43
Errors
General
-
Target
chat.exe
-
Size
45KB
-
MD5
87639df87df52ab646411f86c2fce0c3
-
SHA1
6d6d21dd0af987380edc0b4fafebfc6d3e5d9a1c
-
SHA256
9c8bf9ebe2a4086492d67929fd36c4918e7d9069d67d3aa43faf24e25cb6bfe0
-
SHA512
39dacf01b97b0189644533dd545594d8daa755ea6d9cd1a2b61fa4dead15e6a088edf969c1487683fb35a623ac4e22ab0ecbb72bad4e5a9e770c6f0fc986e578
-
SSDEEP
768:BdhO/poiiUcjlJInwr6BH9Xqk5nWEZ5SbTDaTuI7CPW5Q:/w+jjgndH9XqcnW85SbT2uI4
Malware Config
Extracted
xenorat
0.tcp.eu.ngrok.io
radnom123_34X41
-
delay
5000
-
install_path
appdata
-
port
15597
-
startup_name
window system
Signatures
-
XenorRat
XenorRat is a remote access trojan written in C#.
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 22 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 44 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 54 IoCs
-
Suspicious use of SendNotifyMessage 21 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\chat.exe"C:\Users\Admin\AppData\Local\Temp\chat.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\chat.exe"C:\Users\Admin\AppData\Roaming\XenoManager\chat.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "window system" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59E7.tmp" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\cmd.execmd /c start "" "%windir%\system32\fodhelper.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\fodhelper.exe"C:\Windows\system32\fodhelper.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\XenoManager\chat.exe"C:\Users\Admin\AppData\Roaming\XenoManager\chat.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "window system" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBD26.tmp" /F6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,#613⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\EdgeAutomationData3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\EdgeAutomationData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\EdgeAutomationData\Crashpad --metrics-dir=C:\EdgeAutomationData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff98fe346f8,0x7ff98fe34708,0x7ff98fe347184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --no-sandbox --user-data-dir="C:\EdgeAutomationData" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2188 --allow-no-sandbox-job /prefetch:24⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\EdgeAutomationData" --mojo-platform-channel-handle=2276 --allow-no-sandbox-job /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\EdgeAutomationData" --mojo-platform-channel-handle=2496 --allow-no-sandbox-job /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 --allow-no-sandbox-job /prefetch:14⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 --allow-no-sandbox-job /prefetch:14⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 --allow-no-sandbox-job /prefetch:14⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\EdgeAutomationData" --mojo-platform-channel-handle=5480 --allow-no-sandbox-job /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff709325460,0x7ff709325470,0x7ff7093254805⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\EdgeAutomationData" --mojo-platform-channel-handle=5480 --allow-no-sandbox-job /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=1880,5448175122160715051,2333791721355355704,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\EdgeAutomationData" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 --allow-no-sandbox-job /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\ChromeAutomationData3⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\ChromeAutomationData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ChromeAutomationData\Crashpad --metrics-dir=C:\ChromeAutomationData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9803aab58,0x7ff9803aab68,0x7ff9803aab784⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\ChromeAutomationData" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1716 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:24⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=1920 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=2012 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --first-renderer-process --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2772 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2796 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3444 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3524 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3864 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=3076 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=3968 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=4016 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=4128 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4204 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:14⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings4⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716dbae48,0x7ff716dbae58,0x7ff716dbae685⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=05⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff716dbae48,0x7ff716dbae58,0x7ff716dbae686⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=4320 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=4848 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=4540 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=4648 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --mojo-platform-channel-handle=4596 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:84⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4764 --field-trial-handle=2240,i,6584526138081767347,14908404734219739407,131072 /prefetch:14⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe3⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell3⤵
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,#613⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
-
C:\Windows\explorer.exeC:\Windows\explorer.exe3⤵
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ChromeAutomationData\Default\Code Cache\js\indexFilesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\ChromeAutomationData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\_locales\en_CA\messages.jsonFilesize
851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\ChromeAutomationData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\dasherSettingSchema.jsonFilesize
854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
C:\ChromeAutomationData\Default\GPUCache\data_0Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
C:\ChromeAutomationData\Default\GPUCache\data_1Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
C:\ChromeAutomationData\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\ChromeAutomationData\Default\PreferencesFilesize
7KB
MD5a0e8698f4258da486021d0cc62b5ceef
SHA1d42273cd437bc500e6b4044ffd95c475bbab29dd
SHA2563d93d95430f0f56cd4f2b3e4f31642bc8209a6a5377bfb61f8e55a51dbda642b
SHA51297fea31d645eddc6eaa3eb05c99615b791dcc18ddee9fd1f20722e149e618717931dd43ad11a84560af01845ce5bf4f92e80c908397ea8462ad571afedb1030a
-
C:\ChromeAutomationData\Default\PreferencesFilesize
8KB
MD57000e8e6115be0adb582dad62faed307
SHA18690e442249ac83c8cee5d90a32e34bda0cf46dc
SHA256c6ca5c22824037885b15f41b894b7948b8a47d111549724e84fd00cfb75cbc24
SHA512d151ca2b2a8d0dfaa795af98d4f25ac0f5331264820dd55820641cfb7b510ee38ecc44e3348a10258afcc8b4203041d3727a95a7cdb467066b9534587a979db5
-
C:\ChromeAutomationData\Default\Preferences~RFe58194f.TMPFilesize
2KB
MD58e5632bb5baca5f24f88c9e2a8eb2b6d
SHA171f7dee86640b602595b40c6a65d7ed4498cf00d
SHA25688575950e262396bd009db3c75b18b3a1cd44b7b869b90f9b2c961ce9b74c1ad
SHA512def476d83ba944f2fe83839108072677672a230218192751dd5e37305d42816e2db59b6f368fe8d3ca8848542ac3e3732dea3a58187c1e14f372ff2f721dffcc
-
C:\ChromeAutomationData\Default\Secure PreferencesFilesize
13KB
MD52007e94799b1c598e8e90fe592e2e33a
SHA1bf81cd28c9fbd91d978e064d620607f6dc1659ca
SHA2566ccba1a4069a88bd878142a32a48a8ec82d6ac956b892c7a3ad75723186bd142
SHA51269f9b0fe17bd50c3796f716d5ed715236c08ceb3c9b1a5ec437322883f23b0452be0915cd93652eb7624b75a4eb72d674d33ebd4abc5d8a9144a784528a367dc
-
C:\ChromeAutomationData\Default\Secure Preferences~RFe58468a.TMPFilesize
10KB
MD50f6c6c8ce29647ad50b866ab5c8cf77a
SHA16bbd186190962f42fc7bdcbf4757651a8a55c76d
SHA2569023fa59eb81f5c96cebe4285c07889881f5ccb0b8532e6a21402164b0dc3cf7
SHA512a8482669e04920ccfa20038984a1badeeb86764ad44818929b2b377bdb99f8911caf59c98d188e07e808283b062bc065b42a87e10cc2377f322e498caa01dc3b
-
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.pngFilesize
1KB
MD52208a92644dcb1f39eb0eb2a6cd5627e
SHA192b1bb3f52841272dd5103058d10b8938d82f582
SHA2561a087dddaed584b9df580672ff112d538b02a3005862ba2a38147c498a5f4c01
SHA512f155b86f9a3806e7e204fded36c722b69f94e778b3d12684b2b5dd2ca649b02bbca24e6ec01f27e864e8004139e800cb1f7f098c9dd380363a90e686e617d90a
-
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.pngFilesize
1KB
MD59bfaee3c6dba29e30e8ff9820e7495c6
SHA12baa05f75dbaf11d53aee194e3c94dc2ed2e7696
SHA256ede1cb37b65751a20f1c21b1243c5628a5e0dd5afac7ce275c65f3204dc54683
SHA512ab401201b612e9dd035aea184b9980eb7ca291d51ede3a0d7fbbf6d7d2f688a7a1d8efd6de27abdb29e531dc0a987f2a1aeb14dc0a54e0a05bf022e94d89911b
-
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.pngFilesize
1KB
MD57ccd89bd73287c34e2f93232b5794397
SHA1f67272153f3beb99df55c2d321b394bd855df693
SHA256afc439984c9fb4c04101cbb7d3f72b2b123ac30d788ab58271d2f1db14ae36d4
SHA5121cc7ea3206112916750018a3aa0c90e73ba80d4e5f8652102cd9467ac68c86b99b4584e8f850dd21e9dad454c3230b3661b05f696bbf35aeff6d29951d582b47
-
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.pngFilesize
1KB
MD55d7f01d87cf03ea2349c7aa61f44a8ad
SHA13b1819d2711806dafb4dc690796a39d62752c34a
SHA256709faf4aa39e22c3f77f5ec580be7d0e227506d3cc2d0b892e66d6fc5c27822c
SHA5126e149adcb9eed2b00827dbca072cf9457dc8e68de532720b570e06264e131afe226ec8fb78156c140a075998a1da260e7ce737677039e5d9497ab8f69ab5dc62
-
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.pngFilesize
890B
MD5920e94dfc0a5448e1da40d06aa873d5f
SHA1b88fd200e5f7771b897528a4e869ead72144fca0
SHA256c10d2f537e072336c10afa11b9621b25d0d600ff04d12d1070dab942bdfae62a
SHA512c893a6d711249d5b546553813d5ec21dd7c8db0bf144a7f2bc47c3a4ff00615708f679f499452ce68e1bae3cb9098593c519a3055e207c86d571079f05bff4e0
-
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.pngFilesize
913B
MD5c2041f6fef10364434abcc7e198eec0f
SHA138d2ed3af17e64f96f21df12c5c444138489da48
SHA256dae8a0a9c81dd21b5b593cd90968507f5eabb85f7912135143da60ea62d3ee9f
SHA512821fe3091cc3de86c642e771f606af9fe0d34f626ead5811dd136ac427475bce69893bfc11f7db5beb1bba7f74cbc49ba3bef01dbe793f9b507f343a80f7d901
-
C:\ChromeAutomationData\Local StateFilesize
130KB
MD531fe408f05925788ed977ee8880116a5
SHA1867ac0da33498fe7f652dfa626a992ea452c2d65
SHA2560e3ec2238cfba77f57ef54c19e3beb2c1212a8aa7f08dec48a0a55073e6c9f16
SHA512c18fa25c5b38900d8d1ee37ae14f567db55d3b5238af5ea2e70197a30b630ab19ca9d840541404e1c12a14a2cae55cc30184fba73bb0cf0d62dc24281e41b738
-
C:\ChromeAutomationData\Local State~RFe581940.TMPFilesize
870B
MD567d4da45b203eb168e51c68fb1c71001
SHA1d338b4c49587026090f6ca3df05fd2cb3c483a3a
SHA25607bb425dae7412cbeaef7d66284a109c6cc8a9d8cb878b78de9e8c4584436a24
SHA5126fa4c6bd54f899741d073b687090e3635373c33792d2282b6a83924c6084e1c8dc14ea2db58a1f0b1f25754ef54ca93da1ead4b5d68d4970e5a7c636b381b139
-
C:\EdgeAutomationData\9f42a793-f122-46c9-8a45-a1068fe5c97e.tmpFilesize
10KB
MD53427b76d091f41a929da61b69ba02a09
SHA18262faeb3d75914a344ae1cd69730b84ddddecae
SHA256500aad47329374e1fe3ba860b02ef47c60dc347f38aecddd492ab7f0b370aaee
SHA5120c3d2d89f2dc8a7cb348ae5efff774cea04d61a6b9036aa3c6d4b994a1cfc91b001d06fa42a47dcafb7b9bc5d87f0c9305ffe10d3f1a2c870ee567ca72874a5b
-
C:\EdgeAutomationData\Crashpad\settings.datFilesize
152B
MD5e87d87b1b67c41663aa0bc832ee2378b
SHA1ac6e59d9f851c4a81f0f8673afc69ba54e2f6030
SHA2567b99ccd709ebe38f8b00ff00e74905819b6111f02707fd7e79c18d7083e7d2c3
SHA5124674db294d2031fb5568909c1a82538f22fd210d687643a3e4bff67a39e57ac20a1b094b8397479fdfc6452836cfbb28226b128513eb3128986932717eed6043
-
C:\EdgeAutomationData\Crashpad\settings.datFilesize
152B
MD59ee98a2bae9c740ee8dbd84da4dcfb5c
SHA18b5b7181c7fca1940e8f964cc9b7c2497c68f9e7
SHA256768c23d0595f0022729949d0569b0b64ad5fe704894eae5616c2386787d8aa51
SHA512b186b14601fceac6b6220c430de09dba04fd9385c9bd0d685afea310c221d02214fad7e57f609dc23351e0153b4fbc4692947488d7edd2b292609cf329b55aca
-
C:\EdgeAutomationData\Crashpad\settings.datFilesize
152B
MD550fe1d19d78b96c98b83f15b114781f9
SHA1e3646e23e333bf769bd878000f3f5500aa2cb319
SHA256fb69eabda649b33f5018d325a87f1517d87021339a21c66a641c9181fcbf4620
SHA512662ed4d9dfd27648ca76a459b37a6acc6fd21950435790dec79796c1d5420d12db0a3039800ba5c23f6f19518b97b93e6b7829423615e4e0547c258c0f9d4970
-
C:\EdgeAutomationData\Crashpad\throttle_store.datFilesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\EdgeAutomationData\Default\0b7fba70-d893-4efd-b200-61b758dde567.tmpFilesize
4KB
MD5471206f68576fbbf317eb2e574131508
SHA1574923c249df4590b77bb512b070f32269fd054d
SHA256110d9f8a3edf84362281d95c8b5de4aeddc980744dbc25b2136e489db9603a8f
SHA5121c96cef65dd375098f2f5191581206e68e256378c22a08334f759928ce48b2634122eaf3ef168a8a7d7ae0773f3a830f1f4e991656d62ccc5bfe2b1201a2b839
-
C:\EdgeAutomationData\Default\Cache\data_2Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
C:\EdgeAutomationData\Default\Cache\data_3Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
C:\EdgeAutomationData\Default\Local Storage\leveldb\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\EdgeAutomationData\Default\PreferencesFilesize
4KB
MD5a9606de631d404dc0492fd1c0955f686
SHA1f7d620f56e30ef702acf0d1758e09d2f8acb62dd
SHA25677470eda69effdb7e926b5b78d75930910fac4fc12eded1dab1358663bbf1bec
SHA5126432e729f98d77ab284c15cc9524472db0947e5a6c1332958cc1d0e95d521dfc1ee5a722d0f4284801a525199e9f06bb03d79e43c39e0c7f40729c99b361324a
-
C:\EdgeAutomationData\Default\Secure PreferencesFilesize
24KB
MD5265954554dd186fde0ca9bea27ecbab6
SHA1d07a5baffd116dd4c48025cdd0a2b018780c7f5f
SHA25626134bb29e726d2b7929ae75b06efa9156e9ffe6e1771057e927f936a03c384d
SHA51291b7b291f1d95e9134788d7402bae796bab9f68e3b58b50cf00322ecb4302b9291bc7abb94de4b134092acffe3560de5a281f257f73dbd894f4a20302a606d1f
-
C:\EdgeAutomationData\Default\Secure Preferences~RFe58170d.TMPFilesize
24KB
MD5f84ee5d94fcf45dac38943f74ecdaffa
SHA1154ed74e16f48ce79b657f6ac9937528e5ecc3ef
SHA256b4c25221e2f6435202b83c2e54dea1df47d6ba44945af7e2833b82df562aca22
SHA512f7889ead7f3d96b55fdb5da5adad2dbc0d042317fac6ed40855d2b07c2974689b4f123c1dbe5ae1e78d5bdae9cd0e1dfb873176d351724e0f6e14175070a1705
-
C:\EdgeAutomationData\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\48eb01f0-a54d-436e-9eff-34cea45e6461.tmpFilesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
C:\EdgeAutomationData\Default\Sync Data\LevelDB\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\EdgeAutomationData\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Program Files\Google\Chrome\Application\SetupMetrics\011e9eaf-20e8-4d13-8c71-24e1824d666f.tmpFilesize
488B
MD56d971ce11af4a6a93a4311841da1a178
SHA1cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\chat.exe.logFilesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b55e0e6e-1203-45f6-9ab6-5938f9296b11}\0.0.filtertrie.intermediate.txtFilesize
28KB
MD5ab6db363a3fc9e4af2864079fd88032d
SHA1aa52099313fd6290cd6e57d37551d63cd96dbe45
SHA256373bb433c2908af2e3de58ede2087642814564560d007e61748cdb48d4e9da3f
SHA512d3d13d17df96705d0de119ad0f8380bfe6b7bc44c618e2fcd0233061a0ab15beae44d38c48a880121b35f90f56c1529e5f4cf1a19acb9e2cbba5d1c402c749c0
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b55e0e6e-1203-45f6-9ab6-5938f9296b11}\0.1.filtertrie.intermediate.txtFilesize
5B
MD534bd1dfb9f72cf4f86e6df6da0a9e49a
SHA15f96d66f33c81c0b10df2128d3860e3cb7e89563
SHA2568e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c
SHA512e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b55e0e6e-1203-45f6-9ab6-5938f9296b11}\0.2.filtertrie.intermediate.txtFilesize
5B
MD5c204e9faaf8565ad333828beff2d786e
SHA17d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1
SHA256d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f
SHA512e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b55e0e6e-1203-45f6-9ab6-5938f9296b11}\Apps.ftFilesize
38KB
MD584ac0c242b77b8fc326db0a5926b089e
SHA1cc6b367ae8eb38561de01813b7d542067fb2318f
SHA256b1557167a6df424f8b28aabd31d1b7e8a469dd50d2ae4cbbd43afd8f9c62cf92
SHA5128f63084bd5a270b7b05e80454d26127b69bcb98ec93d9fad58d77203934f46b677a3aaf20f29e73dcd7035deb61f4c0aa3b10acbc4c0fc210632c1d74f705d2f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{b55e0e6e-1203-45f6-9ab6-5938f9296b11}\Apps.indexFilesize
1.0MB
MD5f4514c93191e0efc0f61036e4ebb341a
SHA1c80478e9a734790c18584f67a43518aa4a7dcf58
SHA25643da4fa5f62affe399ceaac2d489b7cde610963a48e72d445bebe6f2c63a3600
SHA5128aecb3491767e040a52f351908004db2c8f2f083397744585c2832212ec8aa288d3492be941a48b04774e16b43672ab167209776cbdef6692fef684fc54666a6
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133600886831198745.txtFilesize
75KB
MD579ea60e4feeffe4483ba2d0ea61852fb
SHA17d5921a1b6240cc717ad4f4478bbcfc42f3af8e8
SHA2561e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923
SHA5124d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_53w1yauj.14m.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\b98c713f-61d1-4826-ab82-4249ce9e1b66.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Temp\chrome_installer.logFilesize
8KB
MD55dc9ac98bbfbb2822be90c9ac4604bc3
SHA1ef01ef7af4868a63cb21500718d8250be570d23d
SHA256d2ad931b47b3ae3d1594c251c4731e06baa03009b487666d3b2fc587790996f5
SHA512495fe6641b9790d38fc3e6fb06e78d97f57f52f327ec7ab092fbf8ec699b6a20e7a71270a3738cdbc01716449fc804fa7c07bea6abe3004d96de855fe3a3beee
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir996_918511415\9f06e7db-03fa-4c27-b288-63961817b9ed.tmpFilesize
99KB
MD5e0bf4de8cdda0b744131562838ba81d2
SHA144990a237dce7eb1543b4e2c572fd098af3be4f1
SHA256506e1674928b76193ce69e72bae0e0eec9484337eee6e241267678c49a5623c4
SHA5128d976b8f1aef23eb8d3bddda99d2ba8a3c4f686be0a767a373a1ba071bfea701cf3247b0202df79130293e73ac85c30ff1d94b41f04c319588f97b8079e1ca5f
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir996_918511415\CRX_INSTALL\_locales\en_CA\messages.jsonFilesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
C:\Users\Admin\AppData\Local\Temp\tmp59E7.tmpFilesize
1KB
MD5b6a77db7c8b31f65bb26c9e724d7fa68
SHA1d0f030fb9977352ff658d4b562c474b3126d6e41
SHA256d4aed55472970da1681ce6ae1ddb9a64ca6369e5aa2dee4a568f7ae78264e182
SHA512cdffa7d32d7b9d4c6d264d2d853d6b5e12718071d1323d24be03f0ea76e18c29e7691514c07a737071d101cbb774837efaf5da1c735bf3062d5f1bbab41e0bd6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome (2).lnkFilesize
2KB
MD5241ba602d4839c5cbdf3f6c4a35b8924
SHA1889098555dc80ddb1d3926a8638dd7feb390172c
SHA2568456e7ee8bd36795d2c31b598ba0603e07a048760261695b458a7e0b73a8d465
SHA512121974d4f341bdbfc96a6dc2b7628df51380b8a48de8162ac87123350de376e5bf4c9d4ca1f02e5d202d6d8cca298dfc7bceca0ef4b521e63c02da58473c5c87
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L97WHYZU0JIJ17863ZBV.tempFilesize
3KB
MD5ffcaf96fe2229e23b454d2be60c0ce5c
SHA102e59149009a45ae7ca75e66f15280d9c0bc8f26
SHA2566fa4ca9e0b60a4fa09974d257961e2cc96d6c12347a9181067b79d86e2a19618
SHA5129586bec14b0adca155004977a750e7c948ea08db90109b139a560ecbc44e8d67fa542acbc8269490721ee980c3d85a1011d3c7c4ac0d5c699276b2cfe0600c35
-
C:\Users\Admin\AppData\Roaming\XenoManager\chat.exeFilesize
45KB
MD587639df87df52ab646411f86c2fce0c3
SHA16d6d21dd0af987380edc0b4fafebfc6d3e5d9a1c
SHA2569c8bf9ebe2a4086492d67929fd36c4918e7d9069d67d3aa43faf24e25cb6bfe0
SHA51239dacf01b97b0189644533dd545594d8daa755ea6d9cd1a2b61fa4dead15e6a088edf969c1487683fb35a623ac4e22ab0ecbb72bad4e5a9e770c6f0fc986e578
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkFilesize
2KB
MD54c81090a5051487e1ff231ccb85d395d
SHA18eec3f85a19089e933a54ece6fd48712caf0910f
SHA256160a76f01a69e1e9e9b1db6228364d6f81cbc30a289f849022f2c60c2005c035
SHA51214cbac016729227109e450c68d5b3b4ae8bdf40c466336f39566b060f9482d471d65adfa9904e72700de6b1c65022afbb5a88a8535ac827b214b09e67dbe3e15
-
C:\Windows\TEMP\Crashpad\settings.datFilesize
40B
MD56e9319c87d01b21884d7f851cb25d666
SHA14d08696e6b04bd0932925cb09d5ef21091b777a5
SHA25640c16af51c11d7adc21004018a8d0fb7f4450fa2b96563559fca1add101264a2
SHA512bae6da753827bcbdb90d2d47d4228a44c02fd79cea631eab033c675794809d0b24da3d51b1ebe6a3b3a5ad6b1c2889a52aafe535f02241ab68529709f8040e40
-
\??\pipe\LOCAL\crashpad_1948_PLNKXEIKQQHKMQFWMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1320-537-0x00000000031D0000-0x00000000031D1000-memory.dmpFilesize
4KB
-
memory/2340-28-0x0000000006850000-0x0000000006862000-memory.dmpFilesize
72KB
-
memory/2340-29-0x0000000006A60000-0x0000000006AF2000-memory.dmpFilesize
584KB
-
memory/2340-16-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/2340-1296-0x00000000018E0000-0x00000000018EA000-memory.dmpFilesize
40KB
-
memory/2340-1297-0x0000000008C50000-0x00000000091F4000-memory.dmpFilesize
5.6MB
-
memory/2340-23-0x00000000063C0000-0x00000000063CC000-memory.dmpFilesize
48KB
-
memory/2340-27-0x00000000067C0000-0x00000000067CA000-memory.dmpFilesize
40KB
-
memory/2340-15-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/2340-22-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/2340-21-0x0000000074640000-0x0000000074DF0000-memory.dmpFilesize
7.7MB
-
memory/2340-20-0x0000000006380000-0x0000000006392000-memory.dmpFilesize
72KB
-
memory/2340-19-0x00000000063D0000-0x0000000006436000-memory.dmpFilesize
408KB
-
memory/3856-1-0x0000000000D20000-0x0000000000D32000-memory.dmpFilesize
72KB
-
memory/3856-0-0x000000007464E000-0x000000007464F000-memory.dmpFilesize
4KB
-
memory/5144-741-0x0000000004BC0000-0x0000000004BE2000-memory.dmpFilesize
136KB
-
memory/5144-885-0x0000000006C30000-0x0000000006C4A000-memory.dmpFilesize
104KB
-
memory/5144-884-0x0000000007290000-0x000000000790A000-memory.dmpFilesize
6.5MB
-
memory/5144-861-0x0000000006B90000-0x0000000006C06000-memory.dmpFilesize
472KB
-
memory/5144-859-0x0000000005FE0000-0x0000000006024000-memory.dmpFilesize
272KB
-
memory/5144-759-0x0000000006060000-0x00000000060AC000-memory.dmpFilesize
304KB
-
memory/5144-758-0x0000000005A90000-0x0000000005AAE000-memory.dmpFilesize
120KB
-
memory/5144-752-0x0000000005470000-0x00000000057C4000-memory.dmpFilesize
3.3MB
-
memory/5144-742-0x0000000005390000-0x00000000053F6000-memory.dmpFilesize
408KB
-
memory/5144-736-0x0000000004D60000-0x0000000005388000-memory.dmpFilesize
6.2MB
-
memory/5144-735-0x0000000002150000-0x0000000002186000-memory.dmpFilesize
216KB
-
memory/6656-576-0x000001F00C820000-0x000001F00C840000-memory.dmpFilesize
128KB
-
memory/6656-591-0x000001F00CC20000-0x000001F00CC40000-memory.dmpFilesize
128KB
-
memory/6656-568-0x000001F00C860000-0x000001F00C880000-memory.dmpFilesize
128KB
-
memory/6656-562-0x000001E80A500000-0x000001E80A600000-memory.dmpFilesize
1024KB
