xenorat | 014d0e20da8e4c3b6b83dc594bd0cb57e5419c3eab5b075d85ce648d825fcff8

Analysis

max time kernel
599s
max time network
498s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test11.exe
Size

60KB
MD5

b17514c767f1f62dbcb166a0c6ec326c
SHA1

482eb69bb070a338368a9bb130a610b3af61cc16
SHA256

014d0e20da8e4c3b6b83dc594bd0cb57e5419c3eab5b075d85ce648d825fcff8
SHA512

f6d3cd10037d4e1a79cd4ef0aec41beb3a66d04cd1ed9131ac61adbafc959f98a2279ec8c2c22fcd0a59274600ecd4645915db418faad635bd6ead8578a15243
SSDEEP

768:1dhO/poiiUcjlJIn42gH9Xqk5nWEZ5SbTDaWuI7CPW5xqE:Lw+jjgn4LH9XqcnW85SbTDuI4E

Score

10^/10

xenorat defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

set_up_nd8912d

Attributes

delay
5000
install_path
temp
port
4444
startup_name
SecurityHealthSystray

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3924-1-0x00000000009F0000-0x0000000000A06000-memory.dmp	family_xenorat
behavioral1/files/0x001c00000002aa5e-7.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1360	test11.exe
4460	test11.exe
2892	test11.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\test11.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test11.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test11.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133792080479137304"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\test11.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3092	schtasks.exe
4036	schtasks.exe
584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
5640	chrome.exe
5640	chrome.exe
5640	chrome.exe
5640	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
684	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
340	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1360	3924	test11.exe	77
PID 3924 wrote to memory of 1360	3924	test11.exe	77
PID 3924 wrote to memory of 1360	3924	test11.exe	77
PID 1360 wrote to memory of 4036	1360	test11.exe	78
PID 1360 wrote to memory of 4036	1360	test11.exe	78
PID 1360 wrote to memory of 4036	1360	test11.exe	78
PID 4888 wrote to memory of 2448	4888	chrome.exe	85
PID 4888 wrote to memory of 2448	4888	chrome.exe	85
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 464	4888	chrome.exe	86
PID 4888 wrote to memory of 2324	4888	chrome.exe	87
PID 4888 wrote to memory of 2324	4888	chrome.exe	87
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88
PID 4888 wrote to memory of 4792	4888	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\test11.exe
"C:\Users\Admin\AppData\Local\Temp\test11.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\XenoManager\test11.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\test11.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "SecurityHealthSystray" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff925f9cc40,0x7ff925f9cc4c,0x7ff925f9cc58
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4996,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4808,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:2
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4804,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4500,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4584,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4428,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5416,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5460,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3812,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4456,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5488,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3756 /prefetch:1
  2⤵
  PID:4076
- C:\Users\Admin\Downloads\test11.exe
  "C:\Users\Admin\Downloads\test11.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "SecurityHealthSystray" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDDC8.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3540,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3336,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:5408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5388,i,9390663688406597547,8302243395310396707,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:6088

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4908

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:340

C:\Users\Admin\Downloads\test11.exe
"C:\Users\Admin\Downloads\test11.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "SecurityHealthSystray" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1CC5.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4348

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5260

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5292

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:5872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
01eab1b1723092cbf5f5c65f029c4e93

SHA1
5fffa1845752c4ac5c3d4cc861c94b108506e694

SHA256
b90baf7650a82c52feb292be7c655766192050b5e0b276d171f2cbf7a88ace7d

SHA512
93c8da7071fa58650c1b1822926638d6c7fb24d42f0ba5bfa3cff9d71077a3f7fa21ac42bc2de9594fb89ca16a004648eb2b9d3a6cecf75872763a39bda2752c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
192B

MD5
70916c4a9ab90de4d081c3b4b694d3c5

SHA1
e3e65cd13e957ec6cce1973c0b32aa19e0c56e1d

SHA256
f07a814b063593b63b9f34d04e72dcdbe320a999bafba80514107e67eeddb8e0

SHA512
a63c718c27304074d06562501175b517b947fefadf8aba2d27bf286edd7e9600a394fad6be950f69efc2b879f924a2b5d2d8e2dec9dee14e79ea60e2b50e7eac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
77653a9632a108f39745c4af3087fc39

SHA1
b6c585be03bcdd95ac035b44273268698fecbf4a

SHA256
1bade691251dcf110d3cca9d8dfec0c2128b5ce52309c0fc54717803927c9c9d

SHA512
6b1d7f955f1e92eb1ffeb8e0a56a3ad46c28402182513a739da50bd691789a5d6affe7af6386150dcd4a679f98a7f80681074c26235cbac7b2d5f579bd30b076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d896ddf25bd7cc3310659c7c5a145841

SHA1
b7b9e5ba3b236267a1bb313ae7f11888f22476e0

SHA256
1e6a56b77f26ce1d098a262ed70361134770be1b8f916e874587206012cbb661

SHA512
86d2e39c6d9ef943c084175131c9bfee8cd1690a148cb2bf43df77391e29708a974a23c4786ed229ed5840619d131a0145aa0dfa6765c36c6aa4fc1add1f02ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
cf31cae4a42ec35077d92d32d19b9697

SHA1
c6e2ec46b1d0f22cf4cd8743a2f541498d40411f

SHA256
b9ab161973243306a5a589d3d787f24d4f31361c8f6a37deba69a8917214257c

SHA512
c8c956552dd5efc50ba432b8540ad2dfcffb47e945e2adf34ddcde5ca235a716d3aab61abbeb2d89951125abfb4536182a1807bec221ca9cf27cb837cac89113

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
d6e69248441ab2a41ed47d8d59a0a004

SHA1
f446e34e3c1ca644be1e63157781cd138d0472ce

SHA256
d70af8f5b6b198f042872106af1c08fcb6f8f0bd839c246e4e8ea426e43115ac

SHA512
d2faa96c4030a234365808ec29da28026d148495ed62eee3585fabb7a983bd55708ff8629842ddde6d1974a792e92f492f92dcb4690ec0cea99124770a5b8b7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
6f7eefde3fdb27e7e0548ba469386db0

SHA1
169f295dbea454760f95b32428700bcc7b997b9b

SHA256
8b40e11b261c510d737b2191b8f358a19b11b77b494a2ca795c92c337a0d0e19

SHA512
34522ecd8872683430ea991439f4e0c0d190bd1fd8c730b034e8f45093ad3f9e726dee8d0eed846e2622bcc72f4d54eb7fcf9234d9828cd59b05db5a9c788360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a9265ae67ac272af278af1045fddffa3

SHA1
bf5eff53db1dc122cdeed33211db8825b6227a29

SHA256
bdff0dc49cf4d96deed0fab9c3c5213d2fe4c6460b0d7a70f1b2c120bf99e7e3

SHA512
2e404f802a91f6b211ddd46bdb4c9f65ea055d92b4b3501efceabee374a4039bc117af95a3fc6ad35e7ab28a3fe35cca5bc8d2b517b4e94f0f74947b4bf837bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0098cb739e38e66a75eaea0103f89bd8

SHA1
fac18fcb68f4323e987952ef6f488da7b06adf2d

SHA256
dff88db5fac907914abe9846746f440f29ecad8e96a3348514e0f16d27608479

SHA512
49b4994a7c0e07052980ea96bbc4992358523aab3d90f4600357e8840f0abd5d17034ee02a23914a5bcac9d004654c70f371ed341509f9936172529d99926f6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
deccb60fff66e58c719f338a60e92ca6

SHA1
a64e189abd0e458e0073e636cd1664d871c3b87c

SHA256
c476934acc9cd32474a1e04692229d0091889c1664b9a4b1b3c2ac83ae468c0f

SHA512
559386028d743b4491df3d74f312adb5e8d6c9970dfbc7984dbc7a474bf45df237c8423960c1e03fe20c448819223cca56734273b08b31f80923234922fbdc37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
460ebeeadfbd18c9881f198eecd6d748

SHA1
aba0a3c5fb7ff84419d1ede1e3ea5a3778f3b4f8

SHA256
288191bdc60fe27a2d5a60740c84da2de3b706195ad251d6356894cf097f9eb9

SHA512
62fc9e03980a751f468e1f5bbe08f1e9a444feb5a6858a4c07235e82d583c6385e03ba4617a480305da26f64976a18c96f7ddf64236f23b7b653527d495d818d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
604f72dcf7d54c25c1639f2bdef47152

SHA1
3b6fc7e24002e5029d30fa229401b10096af2fd9

SHA256
5ba2341040ca7b3a9322c29ca672a219186203642d1b2177cf056bf7af9b798d

SHA512
1b98f611d577f4bc0c16d7d01667aa454463f3df30897f066eb7c62cda7c2381c56d0aa1b454d79f06a974c8327e8d78ba5e373c921b5aa0bf22cdf57bf186fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b3af7559db4f94f5c5c8974d731fe56c

SHA1
e51d6028d77a8140d1d9bdb7663369bb47113926

SHA256
6004bfa030797d9fd5651122bf7574260f40fde113c639e787ad798a4ffd8b1e

SHA512
3d3311219f8f5bb0065f1c6d9ec2919cb589f86ae1c1cfbbaea6467a13743af1072f6a5714ad100a9cabe70d7d7239db5c5b35ef8653b7633d7bcac4c6d15414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1eeb2afa95f183d16a0ff3bfa2aea67c

SHA1
1801c84acb8534d3708475c22c16dfbdfce68bd6

SHA256
805afbbc0ab0537231b4ddf64dd16d2e4406b78c84d175a71b4d6fc3ec8133a5

SHA512
d710b0c003c397a5e8f32690fd53fd5a0b277000004967790b6a22d2be816c3d4fdd8f9b862f12c9c11c4ab5755e04a0a9a0654069adf5f92cf27d8329910575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5d2ca2d653ab0bf9de1e138046f8653f

SHA1
abed8ffbcdf4f764c9dbe53d56796782cd9dfc0e

SHA256
c184b45c3bbd425b84e0b78a26539adc9589d63170dda0f11f85cd58fc4a029b

SHA512
2823d291175c2a7dbe7044db1196a199eb49bdb7d306b83ea8bc66179f61af070ae31de829f64dfb60524a78bf0dc834ffa19051214551f65ceaff4ef4a8a531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eeffdecf62464073eca1c0cb5e7908f9

SHA1
9b270bcea53fd09ae063d33c3b8c72522ddd4c8f

SHA256
108c45722c9547f9b70313c341a6c984f5b68387389be8ffd25f2345bdfc781c

SHA512
7f2d9f29ee770cbe86580fd9a7471d5b39c4a312f1de191bc3eb6bbab7abda4087ff221486f58c3e4310441aeadf32400c47edce0508e13e6f5e7f7bbbb85b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d7a78290b0b3177080ab74abd1da6af

SHA1
880bf01e7071a33f30726cab2f3ef43f376b7743

SHA256
418c61926a715c3b71ba07a5ec9cf2d2404d5ddca7cde67a81fc3cb458a7e945

SHA512
ad3d18180b3d7ae4074af6ccbb80a006b0896221aabb98f22ba33bcc3aa97f1ef5ab84dd3fe71a958cba919bc9a93b82c932d4afb7938c6bb3b58008bef4bf13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3b119b1ac4ce4f1f1d5fa219a547485

SHA1
9958bb7de8d74fb9a5cae03ed25063054ff17fd9

SHA256
53a184eafa6c91f14481980e880167627cc05200fe4a399999b0d804b7b8be37

SHA512
c6f26c9691a03f191d10564941ffb89b44b8cba6ccdf3f8c6cdbc4b1dca3bdb38b26a5c25d53e4a51c806714efa5bab384d434d6d2406c2f383cc11edbf256ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a400393be1ab2df8da13192908af7643

SHA1
d07c43d51a98cc3803edabb7b1cc18eb30de413a

SHA256
ea7ea17ba64d94f89119c067d9057ac97685a725047b921264509cc74e3e0fd3

SHA512
c17e7917b90fcf19afaebc2a04a0d98e22f6ddc7930bb0ec8b5caa628bddf72dc3a795a5d85c7a0c76aa8c88ddddd761b34bcd0f30db3e0a42b3e283997a55c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fe2e8be0414a0d2732f4fb996ee4a9d5

SHA1
4e67aee751dd25d39d0883355d0b8aef22229fa8

SHA256
93a20139ee1f5cf8e40a658cc107e6fee54eeb3d575257754f1817fa386aa8d8

SHA512
090ec773effaeed7cc27cddb58305906115874626daac13556b02ced382ab2671840e0b9c508dc46983dc3bf2d3068b6810634ff96ce7ca4780acc9ace623452

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5563adfd25430f71288e13198d18f9d5

SHA1
c0414723795e6c330590c011d66b00224909d369

SHA256
47df9930b1bd6dee792f9da95dc4dd5336667f33eb49122e98d3efd13f1b6730

SHA512
1465edc8344a81d71164674f913eed5aa63a14debb384b7252878f85fd7caab3a510ed0bcd3fb296d66bef93971c538095b77f041f82aef9f509dac0fb7223c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13fa894624d8337c1f4844c1d3065c41

SHA1
e712a0e56c815c6d8b3ef35e541b639fdc77c9a2

SHA256
ace77e3e84e8b5ed7b558ed4047ad929563f36149f1a01fa01fda9f5b62c34e5

SHA512
6353b98b35ed23df2fc468ff3c9082c8783d6debdacb7c8fcb84326dbe106707231525ce728d21b97b8c9b14754cbc4add587eb378aeeabb2aef7f88f64716f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5856280876a3d97871be4d728bb92196

SHA1
9ef84075a8336f4188dfbb0a5d6406c5935d96b7

SHA256
c83d063c01b8c66e74f50aad56fa13266d2897539b69c581bb1f1563e4c228ed

SHA512
ec699c1d81bfea35237e87314359493bac481e6138d5105cab71d155beaf0c4409291e1310adf7d9d6c493220179fc36fd638be8a797307169d89e6086484d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
695c5b3b6df5474daf7b25b893ee8ced

SHA1
2585803c97ba652b579a14f14b08c0358ec91389

SHA256
6c64deef05e4b3acc52d7d6115bd97b1f74ae44ed1eb3ddadef0a89a40c50e74

SHA512
7e4f435a11222d135c933c6ac309498379d5a2df2d6eb50079503bb3e40b26e1c11a33c0720fdb4e1c9a51473685c75b48dc34c5a83ceafd81d06385169bc015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
70304271d5d111e0bdd36bcbb69e7202

SHA1
ca4c4c62c63e2c2a57a8a11c24817f9ca85b8b3a

SHA256
afbb0ce2ee3541058b1e7c587cc39dcce145370229579bdbe2892b2afccb6c90

SHA512
73f4f1e8d785f01d4874bd65657574869fe8e5307ab53afa34e1e6e32420f5d942424961bd7439c77d543fb46bb506ac71d517a768331145ac1e9dcefb84b030

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ef6fd72f32624417a46da697bf6fe658

SHA1
fbd6829d9c13b7796a8494dfcc132cf9f2f97443

SHA256
159a16bb0b4a4b3fa2606bd2fcc6a4538bd69eebd1eaff1dd40f338a45d10bef

SHA512
296e0040b5c753653706cb6287f4e455584c00ef4c07622beca3b5eeb488fccee78a504652181e5817b979fd09b5e1ea1014948a517a1100bdbf65f7e1f58a64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
6bbcef26531875bdf91a727f05e5bf0d

SHA1
f87d36af2f2060f9f090c5fd56ead154ab29936b

SHA256
43f57e69735305abb2b05197425be17be7c83024ab06c9cbace2cbaaf86110d4

SHA512
61c89de8fba7e3c322b5e96398110637dfb8d0b8b1f0d5222e324c721bed6af7daba7525aa24188da9222dfd67774e5d78e78a9fd366a34d0599d99466f76570

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
053b439cbb3a028336da47641ce6bf4b

SHA1
98e62ab5c8a5a8bb1192dab29e7f5a6fed50f96c

SHA256
f4009e5075168084be47a293d8a30fde64dfdda02221ea979ff6d97d15a7e81d

SHA512
7498972417641bc779fe0d92bb17f4a1588ddc23aa3aef632888e9de30ce6bb912d9be584f3112c39625dbb7fdb405328e9a2d0d957d24dce26a270b3d48ff83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
5373ddbaadfffbd22266654175a93beb

SHA1
3ccf1c0629b7bcb9a796a2c3bb15a2b33cb06c89

SHA256
50c01f728747ee30b8524c275a800b430e1f550cbc735dc70b003e5239c21420

SHA512
ba98adea92f6382f4cced85102eab2d1f9a8d74a1a8c928a3c5815b3e095a14776e89f3586f91676b57b909782e7ff5e01955e0e670b6187141300ae74a01757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
2f156d87d74ce17e856100fbef499ca2

SHA1
1a7f65304f3ede50316b37cdcce92d570e4d2d35

SHA256
398e5e726aabd2c7f5f78effc68006a0c749c08581ea3276da7daa216f7810ea

SHA512
0687e1c46bb23ccb7549e2fc385d13e588083b32673db5dccf8c89682ee4419c744f076a3ce37ee76dcaa0c0e69f24578cb710f7a80852240841cc50c3974ad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
5f996524cf131567bee0d2291235e576

SHA1
918849ced36ce7fa27e120b336abfbf8d1dd51ab

SHA256
749a32cac817f76e674c28917834a8dc31e756eeb33899788ccd45d4d3c9f56f

SHA512
9777c601b9ddce007991650e558b87532802107bef9f0fc6c4ef45b93dc2f441b6737ee6fd60a73d2dbb79bcfb189803470481615243899fa7f88ee95e25828d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\test11.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\20a31751-d54c-4959-9c5f-6c9d7f8c11b8.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
96329c73cc49cd960e2485210d01c4d2

SHA1
a496b98ad2f2bbf26687b5b7794a26aa4470148e

SHA256
4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

SHA512
e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
847a64ce22adca83e091e5403ef844ed

SHA1
f2cf8559f0eba3d237cee1162b811613d2a0c308

SHA256
1db255895b125edbed50b5296edafaf303dde2b93a600313b6a1aa61f9ec2b88

SHA512
94abff56e498bfd7af0e72a652a0b03d29cbe7d0322f43cb8fa4182cfa829ec6d608c5bb3f6deaaf1dcaae764c90036beedb503109c8080999dfaf2d6a2e9de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\test11.exe

Filesize
60KB

MD5
b17514c767f1f62dbcb166a0c6ec326c

SHA1
482eb69bb070a338368a9bb130a610b3af61cc16

SHA256
014d0e20da8e4c3b6b83dc594bd0cb57e5419c3eab5b075d85ce648d825fcff8

SHA512
f6d3cd10037d4e1a79cd4ef0aec41beb3a66d04cd1ed9131ac61adbafc959f98a2279ec8c2c22fcd0a59274600ecd4645915db418faad635bd6ead8578a15243

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4888_977387083\49fe7186-be00-4ace-bd9c-4e4674dfbcd2.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4888_977387083\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7937.tmp

Filesize
1KB

MD5
00b2ac135eb2a2a01756c263048ad49d

SHA1
6f532cb1deb42bd07edebe7016951990fb84df5e

SHA256
7b79b809b0523db9465f64520c7ba243b734ad2d542983ca5588afc7511edc6b

SHA512
8242f4950e7ff50f99a7f13249625b8aa92b38d2ceb652e998d20e72b07346a1dc377bb0e30e005aac60a7adb2e94d19ffea9d4579425d5b3463ff3d7b489fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDDC8.tmp

Filesize
1KB

MD5
1194ea28f4e665ca4f74d6f1d75721e8

SHA1
431ed30261a0cf6ddc7ccb1719d222914a015a4c

SHA256
e6802382a077d96f6817c4a5b0b8e8f5109482e1038173fd37d39da503db615e

SHA512
3914dc04a23dcbe2ac1fec95a45407deea2aa8024047f31d0a944c9a4838ff309309d51a6c3d29a6b20ddacf691743937385223cce0175e3cc4a2a858bd7e747

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
9KB

MD5
39d830d61d8b8031daf53e99e0708c50

SHA1
f58e548e3fcfb958b0656e2e82cca2088a90924f

SHA256
571fea111af1024566ff808cc0a81478cf03c1a44a83741b9122b9a35999da08

SHA512
1c72db81e0bc740917ab48fd67eb09786e6e26ab6e52dec36bee51e9e0a8def6622401b9bdc4df335901a16727739c9ab1fb3ab4c33ac8e5e5e7117ec7aa5810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
11KB

MD5
c14d57c9e5e968dd67f348b658785e86

SHA1
0ec26ed0fd6c66cb5f9b64862219940dd8af5d80

SHA256
74410e980a7416cebeb66675342e5f8b7fe57575fcf21fc876576eb0058a7054

SHA512
1bcb7e7bf7d631f1dbf097178548123a07a9e4c95361f5fe6ba477e321601b83de6563c752a4d77f008b95b96c4c49157291c36966e450a23aca094b0e691ca9

Download Submit
C:\Users\Admin\Downloads\test11.exe:Zone.Identifier

Filesize
153B

MD5
7ec6bcb7a93319c5e9975dcf92c9d183

SHA1
209e9bb4523dd651d37d3f5c90791901a8b0318a

SHA256
452a177d76e8335a918b0c737913fcb63732aa4cfcea142be53507704282829c

SHA512
1a26962cba6610bc965971d96643c8d73b534f2c18d2e648e9ad2211d3188184766d87768dfdbd5b807a441b148daa4fc78e714fd99ba125e7b296fe6cfd3a47

Download Submit
memory/1360-15-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/1360-18-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/1360-19-0x00000000746E0000-0x0000000074E91000-memory.dmp

Filesize
7.7MB

Download
memory/3924-0-0x00000000746EE000-0x00000000746EF000-memory.dmp

Filesize
4KB

Download
memory/3924-1-0x00000000009F0000-0x0000000000A06000-memory.dmp

Filesize
88KB

Download