xenorat | e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

Resubmissions

30-12-2024 02:03

241230-cg45cavjcq 10

30-12-2024 02:00

241230-ce2w7strdr 10

Analysis

max time kernel
315s
max time network
317s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-12-2024 02:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

xeno rat server.exe
Size

2.0MB
MD5

3987ee127f2a2cf8a29573d4e111a8e8
SHA1

fc253131e832297967f93190217f0ce403e38cb0
SHA256

3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4
SHA512

69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b
SSDEEP

49152:EnxkNTRWjxoJochWQI3kqXfd+/9AManGhR0vNgtIeGWtOc5Q:ExkNTcaJhDI3kqXf0FtWykQDCiQ

Score

10^/10

xenorat discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 8 IoCs

resource	yara_rule
behavioral19/files/0x001b00000002aad9-38.dat	family_xenorat
behavioral19/memory/4728-43-0x0000000000E40000-0x0000000000E52000-memory.dmp	family_xenorat
behavioral19/memory/4728-51-0x0000000006140000-0x000000000614A000-memory.dmp	family_xenorat
behavioral19/memory/4728-52-0x0000000006630000-0x0000000006642000-memory.dmp	family_xenorat
behavioral19/memory/4728-53-0x0000000005840000-0x0000000005852000-memory.dmp	family_xenorat
behavioral19/memory/4728-1526-0x0000000005A60000-0x0000000005A6C000-memory.dmp	family_xenorat
behavioral19/memory/6180-1546-0x0000000006640000-0x000000000673A000-memory.dmp	family_xenorat
behavioral19/memory/6180-1595-0x0000000005180000-0x000000000518C000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 2 IoCs

pid	Process
4728	sad.exe
6180	sad.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	explorer.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	chrmstp.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	chrmstp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sad.exe

Checks SCSI registry key(s) 3 TTPs 22 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\TypedURLs	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133799981351198243"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7e003100000000004759bb6511004465736b746f7000680009000400efbe4759e5604759bb652e0000002c5702000000010000000000000000003e00000000007ddf07004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400440010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000004759e5601100557365727300640009000400efbec5522d609e598b102e0000006c0500000000010000000000000000003a00000000005228c60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133727764362482282"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{73EF37C0-8192-45C1-AAF5-DE5E7139E8BD}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000047595d66100041646d696e003c0009000400efbe4759e5609e598b102e000000225702000000010000000000000000000000000000008bec3700410064006d0069006e00000014000000	xeno rat server.exe
Key created	\Registry\User\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\NotificationData	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	xeno rat server.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1876	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe
4728	sad.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3108	xeno rat server.exe
1876	explorer.exe
4728	sad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	sad.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	4588	chrome.exe
Token: SeCreatePagefilePrivilege	4588	chrome.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe
Token: SeCreatePagefilePrivilege	1876	explorer.exe
Token: SeShutdownPrivilege	1876	explorer.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
728	rundll32.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
4588	chrome.exe
4588	chrome.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
1876	explorer.exe
6944	chrmstp.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe
2104	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3108	xeno rat server.exe
3108	xeno rat server.exe
3108	xeno rat server.exe
2772	StartMenuExperienceHost.exe
1876	explorer.exe
1876	explorer.exe
2104	firefox.exe
6180	sad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4728 wrote to memory of 728	4728	sad.exe	85
PID 4728 wrote to memory of 728	4728	sad.exe	85
PID 4728 wrote to memory of 728	4728	sad.exe	85
PID 4728 wrote to memory of 1876	4728	sad.exe	86
PID 4728 wrote to memory of 1876	4728	sad.exe	86
PID 4728 wrote to memory of 1464	4728	sad.exe	92
PID 4728 wrote to memory of 1464	4728	sad.exe	92
PID 4728 wrote to memory of 2540	4728	sad.exe	93
PID 4728 wrote to memory of 2540	4728	sad.exe	93
PID 4728 wrote to memory of 2540	4728	sad.exe	93
PID 4728 wrote to memory of 4588	4728	sad.exe	95
PID 4728 wrote to memory of 4588	4728	sad.exe	95
PID 4588 wrote to memory of 1676	4588	chrome.exe	96
PID 4588 wrote to memory of 1676	4588	chrome.exe	96
PID 4588 wrote to memory of 4676	4588	chrome.exe	97
PID 4588 wrote to memory of 4676	4588	chrome.exe	97
PID 4588 wrote to memory of 2848	4588	chrome.exe	98
PID 4588 wrote to memory of 2848	4588	chrome.exe	98
PID 4588 wrote to memory of 3504	4588	chrome.exe	99
PID 4588 wrote to memory of 3504	4588	chrome.exe	99
PID 4588 wrote to memory of 2980	4588	chrome.exe	101
PID 4588 wrote to memory of 2980	4588	chrome.exe	101
PID 4588 wrote to memory of 4844	4588	chrome.exe	102
PID 4588 wrote to memory of 4844	4588	chrome.exe	102
PID 4588 wrote to memory of 124	4588	chrome.exe	103
PID 4588 wrote to memory of 124	4588	chrome.exe	103
PID 4588 wrote to memory of 5020	4588	chrome.exe	104
PID 4588 wrote to memory of 5020	4588	chrome.exe	104
PID 4588 wrote to memory of 1548	4588	chrome.exe	105
PID 4588 wrote to memory of 1548	4588	chrome.exe	105
PID 4728 wrote to memory of 4428	4728	sad.exe	107
PID 4728 wrote to memory of 4428	4728	sad.exe	107
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 4428 wrote to memory of 2104	4428	firefox.exe	108
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109
PID 2104 wrote to memory of 5152	2104	firefox.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe
"C:\Users\Admin\AppData\Local\Temp\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1424

C:\Users\Admin\Desktop\sad.exe
"C:\Users\Admin\Desktop\sad.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4728
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\System32\rundll32.exe shell32.dll,#61
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  PID:728
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1876
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Modifies registry class
  PID:1464
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\ChromeAutomationData
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\ChromeAutomationData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ChromeAutomationData\Crashpad --metrics-dir=C:\ChromeAutomationData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0x10c,0x12c,0x7ffc0265cc40,0x7ffc0265cc4c,0x7ffc0265cc58
    3⤵
    PID:1676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1980,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:2
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=1796,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    PID:2848
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=1932,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:8
    3⤵
    PID:3504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2824,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=2844 /prefetch:1
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2936,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=2848 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3336,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:2
    3⤵
    PID:124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3520,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:2
    3⤵
    PID:5020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3848,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:1
    3⤵
    PID:1548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=3716,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:8
    3⤵
    PID:5168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=4644,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4656 /prefetch:8
    3⤵
    PID:6356
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4712,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:1
    3⤵
    PID:6384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4740,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:1
    3⤵
    PID:6392
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    - Drops file in Windows directory
    PID:6672
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff7b11b4698,0x7ff7b11b46a4,0x7ff7b11b46b0
      4⤵
      Drops file in Windows directory
      PID:7000
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      PID:6944
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff7b11b4698,0x7ff7b11b46a4,0x7ff7b11b46b0
        5⤵
        Drops file in Windows directory
        
        PID:5500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4780,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4824 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=4872,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
    3⤵
    PID:4912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4772,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:4000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4852,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:1
    3⤵
    PID:5464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=4856,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:8
    3⤵
    PID:1108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4524,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:1
    3⤵
    PID:6596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=4512,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4564 /prefetch:8
    3⤵
    PID:6652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4968,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:1
    3⤵
    PID:7056
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=4880,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
    3⤵
    PID:6376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4380,i,4638295966249277053,7517188892262008964,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:2
    3⤵
    PID:6600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile C:\FirefoxAutomationData
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -no-remote -profile C:\FirefoxAutomationData
    3⤵
    - Checks processor information in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2108 -parentBuildID 20240401114208 -prefsHandle 2020 -prefMapHandle 1860 -prefsLen 21255 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b32934ab-e214-4b7a-9e9d-6459bd3b1691} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" gpu
      4⤵
      PID:5152
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2324 -parentBuildID 20240401114208 -prefsHandle 2484 -prefMapHandle 2368 -prefsLen 21255 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {181d2264-fbed-4393-8aba-917d6edec740} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" socket
      4⤵
      PID:5260
  - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
      "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\8dd7a508-4674-4264-a166-135a4ef5f8a9.dmp"
      4⤵
      PID:5404
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2780 -parentBuildID 20240401114208 -prefsHandle 2788 -prefMapHandle 2180 -prefsLen 21865 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84a73626-fff3-474c-9a14-0daae62c1512} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" gpu
      4⤵
      PID:5444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3088 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3076 -prefsLen 21373 -prefMapSize 243020 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4cac7f3-55ef-4c42-924b-888ab802c2ba} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
      4⤵
      PID:5760
  - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
      "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\d56561d7-9e55-486d-b65d-142058e26d2d.dmp"
      4⤵
      PID:5784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -parentBuildID 20240401114208 -prefsHandle 3364 -prefMapHandle 2780 -prefsLen 22113 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fef6f1a-ee35-4be9-bcfe-0d7f8fc740e2} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" gpu
      4⤵
      PID:5796
  - - C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
      "C:\Program Files\Mozilla Firefox\minidump-analyzer.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\40138b7c-f04e-4e65-8f56-b19708929c26.dmp"
      4⤵
      PID:5968
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3428 -childID 2 -isForBrowser -prefsHandle 1912 -prefMapHandle 2828 -prefsLen 22176 -prefMapSize 243020 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8d02531-39be-489f-b74b-0b557d8aa675} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
      4⤵
      PID:4852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4680 -parentBuildID 20240401114208 -prefsHandle 4864 -prefMapHandle 4860 -prefsLen 28817 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9429c0d0-aef8-45ad-8e81-8870b1a08f97} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" rdd
      4⤵
      PID:6044
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4872 -prefMapHandle 4384 -prefsLen 34640 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9916918-49a0-440a-8fc6-1f3466c8f10e} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" utility
      4⤵
      Checks processor information in registry
      PID:6724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 1688 -prefMapHandle 5580 -prefsLen 28631 -prefMapSize 243020 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d0f1fa6-7764-4ef9-b9a9-ee467db1319f} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
      4⤵
      PID:6860
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5792 -childID 4 -isForBrowser -prefsHandle 5148 -prefMapHandle 5144 -prefsLen 28631 -prefMapSize 243020 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c500b1a-5d3f-4163-8544-d67b9b7b7447} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
      4⤵
      PID:7008
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5140 -prefsLen 28631 -prefMapSize 243020 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a317386-79cb-4c64-a0c6-c7e51a921e38} 2104 "\\.\pipe\gecko-crash-server-pipe.2104" tab
      4⤵
      PID:7032
- C:\Users\Admin\Desktop\sad.exe
  "C:\Users\Admin\Desktop\sad.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6180

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChromeAutomationData\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6a8c4fd35bc389b43e0c3d2fc0cedfd9

SHA1
7da5c8a7b9f0667334497fa0f9a3b34d9f887982

SHA256
a72677bbc262ac62a9a37593561a7f66717999a370c87656bb60d757793d0d89

SHA512
ffbd6e11b59b2654deb80354ccb92ef8ad452b20199231c96a016150264212d2cdc0f72e5b3183f01ddb756364a8b2243c542bc52acd10bb64e492f5dba39709

Download Submit
C:\ChromeAutomationData\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
5d31a6bca93b42f527ef42f475e03440

SHA1
dddedf6fcfeb6058c9ab08fb552a8fe1b4728231

SHA256
ca2226446e5794ad7622c8cace5c35658e41765233969b930a571744aacbcde4

SHA512
88f030b480db8716298b66598001797c9c0c1fea17be076faf73016e74650ee2b405f72f636336ced6df1651b5c4cd3bbefc24e07ad76a2f320edaf669399f21

Download Submit
C:\ChromeAutomationData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\ChromeAutomationData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\ChromeAutomationData\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\ChromeAutomationData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ChromeAutomationData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\ChromeAutomationData\Default\Preferences

Filesize
8KB

MD5
aeb7cdb4db0dac5d54ee3a513ad36a7d

SHA1
48f7d4c7530a29f717c8cac1d01a5ab7e2291461

SHA256
a980be5636eac5c1104e34c9d10a36ecf2c527cbc31ea4816e63387779c1051c

SHA512
6e706ac3a639caa63187734bc4e7fdcabb91fb11b5437837087fe38e2711c6f8e60f37d785136cf0491a7e8ed04671fe128b936f89f9058920a3118a4748fcd9

Download Submit
C:\ChromeAutomationData\Default\Preferences

Filesize
8KB

MD5
8aa4241fa2005c0aa70797bf080b177b

SHA1
6a099abb8d6f131f6e06b5ce869876b268031351

SHA256
74c4a19915ecdbd3bf1b92d6eba56f385c5e148fa016f591e5e1813f0dd6e2e4

SHA512
c2fb23498a1b6b6ab2bc26f355992d8c07c859328c8c98851985c0fee6817c0872df9269c70cacb408a6d32fd8edf828e6caaa4c60c177b8e541925904090461

Download Submit
C:\ChromeAutomationData\Default\Preferences

Filesize
8KB

MD5
7785c8c5aa70a75614b54a2447ab3019

SHA1
25dce197f79a36b6e80292d8fc2d5f1af93c0a21

SHA256
21b9fffef9c0d01ed75b417b6e85d623369139eee77a12791563a2700fca1a3e

SHA512
53eb94762f7d23a0480086efc929eed172eef180f2faf1464e49ba3fd6b6d6069c782df648af7e0b24cbcd977ab3596ee531909b40c75bf04b888822d2961d48

Download Submit
C:\ChromeAutomationData\Default\Preferences~RFe5bc0cc.TMP

Filesize
1KB

MD5
a460fcbb8854f0c644e82ed07a368bd0

SHA1
4958622ecbc9cac1dbae05c0f81ec325cc85249d

SHA256
423a82fb7ec3639b7bdde36c53a6bd939a43981c355a5af02f344c3aa74724af

SHA512
553556f797c72541e3391b30a9446fe08323dd18266bde9cf2628b99f39aa2a540ec49fd572726cc8f404ab1c0a3a31965a702dc8b84f728a68366c467e6d69b

Download Submit
C:\ChromeAutomationData\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
46df0b18d8f041978f51fcb49b2ec6e9

SHA1
54684b29148e4b8f528c7671878553100cc89e49

SHA256
82fd77912ee16d110953edb2933fe04a63d596546ff098b59bdee357ac697252

SHA512
15285293a17d66c7863f9f527150a5dde269627d31f9bc9122a410e25e99cc0fb372ec79cd1d5b43edc7ddc6b4fbff8344e90bf587c3c858a0c8641af58d6aee

Download Submit
C:\ChromeAutomationData\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c0de2.TMP

Filesize
72B

MD5
acef7ff49da807c1dc893a82b278aacb

SHA1
cb29c2eeb9d6df73e99d5813e625aed71a95de4d

SHA256
e16868ca2454cf2f30cad182ecbbf2e4d5274e4d92330f76409bfbde203da3e9

SHA512
5565e34bc71ff1347f8e8f29b04eecc03d63c06acd6f32c70a9d661ddcf59b5f4015bf14e55edf9cd6125a92bafbce2c59a854147f2fabc54e1508e25058d357

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png

Filesize
1KB

MD5
40c4ea664da063cccf37a00d0dea5f88

SHA1
f524c4c8544d5e8b7d5a29ba74fbe865c0fa303b

SHA256
91289705a496311822aa52d067f2a029025293f1c22779f3a8bc483e211ce1d8

SHA512
bbe182958560fa196423bc1b50575b078e4a3b2b170427074442a42a3f21ae7d91d3115e75f38335c778070142d2d1bc929bfa22bf0fb2ae644c0478f6d58d51

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png

Filesize
2KB

MD5
9e1a6c45e7a5b26e6dfcb060fe4ec411

SHA1
8895839baaf4a6ce1189fd8c5572c3c8298ddcc0

SHA256
102aeb88e02ce1cd5c91ce4ab3c5880be33b6a440ee7f24c9e38741e79b46273

SHA512
323180dbdb0ebed3f398d5e7233f681ec85bd0815ef463d8351e17e99ee6f9f47badc9bdd9ab197249fe85e2c0d2457760f7bb7550c9c55110f333d13bfbe8fb

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png

Filesize
3KB

MD5
65e00211feede352e87ff869cd3d1b1e

SHA1
2ede8e165651f24a165f31bd2b4591d124d5fdde

SHA256
dc78a4be5b92c40c32dbbd4bcc3c65057105db062c088fadcf835a5e161095a1

SHA512
1fec808d0591868de3e27863e095ded619cfb825239eb05aab61f9ddb09bca28534e5a1a6f0d39a47affb7a3371d07cca9701b8dabcd297ff2fd116c9123fe61

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png

Filesize
1024B

MD5
ca6289a7d8f9ecc17f8de717faf1af27

SHA1
4ccf3c6a9291f0a8a3090c22aca6f1872c860073

SHA256
3d7283090cf1a87baae4032266e4d144f7ec2ea465e7b2bf02728aa394c678f0

SHA512
100fb108d3eb74eea016af82a5a6758f22173b3d9a60c5237e9a570aa14549397b224d9d4234661855ffec47930a33536d05c0eb56ac61c551184fa89b18697c

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png

Filesize
1KB

MD5
06c47df56a44e6ec6ed68a0c1b13fcf1

SHA1
d081069ab4c69925e2c5a8e7bb9a683f620dadb2

SHA256
6e21221baad8ccd2b71542f9d3194dc5868c0f424fea640cd4915fbdb32f4804

SHA512
e23731119c43850604eaa83c7fc17cff43681890ba3e144cc0b97cc8b33dc3f90a5370c7ae599c5469e33fcffed6492308451a0f3699bca51df665a70329a569

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png

Filesize
1KB

MD5
fa9b6bd6c167dc772018d4105b7f3afd

SHA1
5a8b1a8bec14f864d559667c79683735508a8036

SHA256
2a8f1a1cfac4fbe96a6cb69e9e621201875cc45b2e60bc75b08ea193c759e346

SHA512
db8b36ed049e357346a6c249dacf54a78bf7395ab8a3c8f8d2aa8d575193f59959cddfc7e1ec18b32a029aa1cfd42ffe30149d74de56d88baa0583a6c00d9a9f

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png

Filesize
890B

MD5
e21251a768b30062a5cd8e0b01e512bc

SHA1
3fc0c1af7c6783f743021a145016023ee73a69bf

SHA256
280a7fc31d9ba2169f4d0801c7c52bb970061c17c7b4a7959a07e8313c055df0

SHA512
f6104bcce1f2613b5f6baacd354fa6dfe448273b79e5579c7c93ab703e953e49711459bd6ef3d10ee449d9d69c4bf6bca62ac9d6e864670f4503a618425f389a

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png

Filesize
1KB

MD5
67e185e7131868c3af81ee10251a3205

SHA1
3f52bcd8f6dd96a2613d4e0023a6ca87f54d2bde

SHA256
fe6cef43018dd0cf284366ab4c5bc75039274374a3654b58197bfe5ebb3dcc46

SHA512
d155a9e9ad4c0e85c97bc3ec8432213b3637cece3dafa8338662055c0c593e3ce10405b5adccfc92ee6da96d01f7cbf29623bff6204653f7960a84bc782aecb2

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png

Filesize
1KB

MD5
ffd2836b1dfc3a7f5c24dcc4845f3b3a

SHA1
16b4d188780f05e0845014fb45ad6ebaa6b4d2b8

SHA256
f5eb403a4afbb48114e67cb9eb55ae136b86a2c8644167d53006848c8efba562

SHA512
810acdc6d1462416572b79b6e16cca23988a4bccb886db303b1dc1487d4a1abf36f94dbcf7fea7a22ae9892a3f9ebf98516ff2dfbbe424d82c735382f34adbde

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png

Filesize
914B

MD5
1958a9b92332cc7b500636c414649c72

SHA1
3433cd43afc96397650ecaa2f3d4c82d985aa86b

SHA256
282c4fd7aec92fbe494f71a136c9c9111a453ff07f701ba21cf2f14b24f9ff15

SHA512
9a6791a1ffcd7b2442ffa33a132b95bc66dcfa5b2814bf5b84d8385e69b7243bed9b6e4a1677c3b88cc9de421067468ef186584c43a90b7aba78e2e19a1fd81b

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png

Filesize
1KB

MD5
b7593fa2971ae16ea2aaefefab67658d

SHA1
df5455a066a4aa91aba3d2ad0df25e3634d04a49

SHA256
1407047a49f6220843e0b5eeb147273ac894fffb489ff02b7e920096f1cf23db

SHA512
0036d5d5b708feb7fa9dc96a705e0ef98c8dab39ee182e760515ae008e100200ee4645afa75359290f09dd1fc7f16c7830e39faaa5e302a8dd6a647adcd431c5

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png

Filesize
1KB

MD5
6078ddcccd0966b6c8506d28eed2026f

SHA1
86b7c92bcfb0e02d9a72bebaa6731891fa90e29f

SHA256
d982bca9f433bfdf7f7d8f759576273ee8a131e676a784a6d6231b068e21de25

SHA512
850dd615ea2422f00001b37603f25756e6304e190669aca90aaab08d2ca97d163402b3fe7a4747e76040fc9dd944861b5639c31d1b40528ca806f5f920fa3d4e

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\ChromeAutomationData\Local State

Filesize
118KB

MD5
d8d1ecaf5a2a7f3b0a719de3179a4c59

SHA1
605d15e58c9dd60d50144773788a310e22c8f735

SHA256
ac57cfb0ec64a75b2393eb487fcab163ab904af0405154b8799a938dafe998af

SHA512
2760f31ccc1c208f8a2fd4ce3ab0d4670615c6d7791ff1024bd91a5ec1bbb22a73305a931b3ad6786a202d0b72e44fec50681ca7346423564110710d35ce64ab

Download Submit
C:\ChromeAutomationData\Local State

Filesize
118KB

MD5
c74bd66a4566973625be6131ea5d4834

SHA1
3cae777c5e6fe262edbfb65b50e450e9bba2cf9a

SHA256
5a1bb806baa17208f1fe1f251852840d906b867326c5ec7977767d302d0dafec

SHA512
e6a27e99471016941df51f05b5801e584a0fcdd07285a55a26a894fee98996b519389acf17bf3f4b15e4de8aeaabe39fd52bb8ecd6dc5eb7e04f00c9a2e3d25d

Download Submit
C:\ChromeAutomationData\Local State~RFe5bc0ad.TMP

Filesize
931B

MD5
6f28eba1f863718bad8131436b3e6e23

SHA1
c2530e69b3714075233a2b47d01582edaefaa50b

SHA256
b184eaf4631b9ea03bcde775b135b287ad4e9870625f17cbe9b5f335e057fced

SHA512
e4e60661a5acd6c46e2fd6072be627a039028218a4a1166b2fdfc8acffbcaa522697f792b614c20566cc8b6b3781aa6a4d22b019c18a170b7ab423d3209bef64

Download Submit
C:\FirefoxAutomationData\AlternateServices.bin

Filesize
7KB

MD5
a7709d799430aac97e1ab608b7393d4c

SHA1
7d633d4a5e687b5cecdba665429461e248f599fd

SHA256
7535ce42731f061c10b929dc08799e6b10098f5feaeee1320b9a71c76e20bb85

SHA512
afe5cc18c6eb097fa020c672e5bf1d86d84fecea97d381c003f1d4eec26e025e88df3ba6e28d84870ece0f584882e0a2da84e00ae98f9688b7b40a4dca709da4

Download Submit
C:\FirefoxAutomationData\activity-stream.discovery_stream.json

Filesize
24KB

MD5
30e9b372419c97f6de9cec7a6ba89760

SHA1
a8cb917345487b8a1a758ae7b0211c472b0c31d8

SHA256
406f53aa874e892f145be93ea538c35412f8de92b40ec691e5a4d7dbe982bea0

SHA512
4d4d6e327079adfae84e1979ddf57c5ea1476163ba5d19d6163a1579b1ce074adfbfb06429df036aeed2f9f4018bf10708b8593686dd26442d054895ef232172

Download Submit
C:\FirefoxAutomationData\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
67b0160f92032dbdf118a61c670eb3a7

SHA1
68ba49a6be82cb55a2fca37a0a3327c4d41043af

SHA256
9fb96405ac3df69bd4f1d5e8361babc964597202b3b12313eb324c87811134aa

SHA512
f358ed749de835e43dc218b5ab90c884757c6ff1aff7178d192de04367aa029fd09a8da469644d8d102ad86d311f381b12f650cd823a4446fa23f735c05d62d4

Download Submit
C:\FirefoxAutomationData\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d2204b61c1cbc0fdc214a2901efa8bf5

SHA1
3aa4bc272b55dcb7fdc9e8ac7315c143a2564a99

SHA256
3025f2258cbbf201e619bfe16236d4f553609522c486398dc963632652f58a33

SHA512
560fa66eb398b95dde8da948b89209471023b6c95b71843376550a742540803a9935a9eca3d8d779ca711a8e052edb8275d48a970ef56ae6c281e0c053642601

Download Submit
C:\FirefoxAutomationData\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
81a2462ae72784903dbc753006e6c421

SHA1
aa5a27b2d925dbfa3ac6eb9d2c4024179633a571

SHA256
f6c5e10d7f4f4ca8f33ad998cba195beb79a16505addb243bab8140c57c597fd

SHA512
1ab1d9499c5d43ab2601378651891d181891a1c40e703221be141c7b6335aa1ac750869165da62ea1f90481645121bb4fc10ac032cedc0def601f070786b81a0

Download Submit
C:\FirefoxAutomationData\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
6a7660a0df708ab3dbf5e7947458fb3c

SHA1
fad6797979c2ed9ce33ec50fb57d4d5588666904

SHA256
576f68b42647ac8c6f2427bdf325498c84ff4622102ea8e924ce42ff83e5aa5f

SHA512
91dd363c82aab1df62fde36ce06471a2ac61cc537516f25504d2df4d18823fbe49cfe631d638f52246c3b7cf8a76b70adae483fc7cb376b3ae3891e3aa393f8f

Download Submit
C:\FirefoxAutomationData\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d3d9ca1a5037ba34306a293be67c0f98

SHA1
f8ace2778ef967f45bd74292e98cf3389f5eb4d3

SHA256
fbc791ba64d4eff9cdf307872acb22b8872898d2a090dcd47e5b3ca5f74a5ef1

SHA512
5f8e598ff866599586885147b531fb0f4cf093e24533994773d10c156b02cb33cbe722786d65f2f09cfd2d5d6d985d41698ac96a67497fc5de711791d2a195b0

Download Submit
C:\FirefoxAutomationData\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
648a86bc0fd86fcd40a9c2e8c12d6b1c

SHA1
da3219e1e32a46364bfc01c9a46eb8860949665d

SHA256
d94d1bc9ca3fa0157e9616559ea558542d4923ee16ef4096828805c9de49a2bc

SHA512
348d6c0886768b1cc3a4daa24c003d176110e97aa65aaa5dc604cf02039b9d51de8a3ac2500cd8642034bb0854aefd4a8b9295392892261770e1be4ee5e44b17

Download Submit
C:\FirefoxAutomationData\datareporting\glean\pending_pings\0dd9b68a-a5fd-4f13-b01b-27c358adbe6d

Filesize
767B

MD5
54c6bfbb08a0481d4689efdc973d63d4

SHA1
fc5a931e33bedac8c1580bbf56abc45c8b4620a7

SHA256
f8f385679ea0c7ba8bab394189ad21b931e343a9837a9cd33891f42b76804310

SHA512
e8130d7c24d773405e098b79966d44d236577b67eb1ecb69d46ae4b7f97ada35366a894b8a7cfb9fe70d55f5a3676f528fad2bbbc707932f9450b0546dd244e4

Download Submit
C:\FirefoxAutomationData\datareporting\glean\pending_pings\1a4c49d3-a973-4fd4-96b9-d3a8258196b2

Filesize
566B

MD5
582e25717f70e27e4bb420022ef4bfd5

SHA1
3cf5dba4e7795d6bfdf4d93aa0ac0f6b18982284

SHA256
0d7cbcfcd8499d81d76f905badb7d548d5305e2d692a37b043dc8fb1508f4419

SHA512
ecca4fc242885135e856c2d7b5feaddee0772e50c92c1b65ba2dc63c7d849950a748d126db0fbdfac1f3587373a066d26e0d82c8bc85ee443b1093a1fd7f65fd

Download Submit
C:\FirefoxAutomationData\datareporting\glean\pending_pings\64ad2899-5988-44fa-8bea-30b8fab7dd03

Filesize
768B

MD5
af635e2abe906ee4c6e964ee38908966

SHA1
5388411536790623701bb9566df950fd8f1be072

SHA256
bb9b563950bbc2425db52e2a4a4740c32a8ffb3603ad2c52bdecfd8633bdaeb8

SHA512
a8c6ff37dc7ed250557cedc1de8f9f2caf949a2862027de20f7b1ed09fdf3ad03daad47f1b8d669f5b75e79c12671cc2fab195b91caa4655d9e9d617b403e8be

Download Submit
C:\FirefoxAutomationData\datareporting\glean\pending_pings\93abc356-cc90-46bc-a516-d4ebdd7de04d

Filesize
766B

MD5
52da2a761c0a46ff61e70075e1990f3e

SHA1
5bff7cc2f4d618b2ba6de1960ee06acac1af1cfb

SHA256
041ec342644b7ef17bf1456cba50dce5da2e33a8a3d0b23594e9a0b3198f2542

SHA512
f86f34577262e92ad9f23ba07734141e466d9817a406d87df31b4c0602b03db968ba25f28a43021836e1107b40f7aaccaf23ff410c806cc641b3a48cc38791c6

Download Submit
C:\FirefoxAutomationData\extensions.json

Filesize
34KB

MD5
a3e89dc5fe1ec1865b7f3a7968ad9e5c

SHA1
12d1fa2aed10dbc69d3e7dbb7731b4771ac8f58f

SHA256
751964b2ae0b4b8ae590021bf1b7a50f32d2262e2d8b6a36c9870b6f0ec66070

SHA512
c261adba2482f8cd48e6f3f888cc270b2fe4a4b72861a2556d4f39e2924c3f1a446cf8deb8417fdad35f56b63bd769fa1b246df6e3699dc81b605c1c4bb82bab

Download Submit
C:\FirefoxAutomationData\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\FirefoxAutomationData\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\FirefoxAutomationData\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\FirefoxAutomationData\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\FirefoxAutomationData\key4.db

Filesize
288KB

MD5
b6b9e7d4dc70bba8831ae90afbae44a0

SHA1
d1ae8f9d446b5b5e97994da3e0c2793dc145ea8b

SHA256
588ba600c31481d4ee8fca547b0765689f59119c14314955454f91255c6548fd

SHA512
d08570e15cc920fc98755a4669aa326daa619fcb585a80425e779764bbff84b086ad146147610451455323f134fff9b2204cfc225aa5c8e78ce0f63a56f61139

Download Submit
C:\FirefoxAutomationData\prefs-1.js

Filesize
10KB

MD5
823fc0fd9c6ef69e8fae7c1034f6fe6f

SHA1
84e2a7f9403318e167b6d4f1e6a85b5c14f9b6dc

SHA256
cca85efabc9ff47785c96596d3981bcb568e207e1b0ea7b2ecf95659d1f43191

SHA512
3561a639dd2eda26a17b19e93331bfc55c8e5cc8602ccbeee0437442c3faf51d1a055ddb5663fce06d889c14cdb58ddc4d5d951da92e1e5cd10380fd54987ad3

Download Submit
C:\FirefoxAutomationData\prefs-1.js

Filesize
10KB

MD5
158c75f37908649018c3c4eec4b2d111

SHA1
b1beae0836592b796de7e0c8a38dd7edd1dfb52b

SHA256
bf3273882de858a0d9498f4a896ccece47b1a9e9f632043eb547aae733499971

SHA512
fffa74d4d092bdb0f963f61209fc96288a9ff3889c97668fad0558643522ae4ae359a1dc21119825cdb6736c2c949a676793290cccdce7459697b76aa0780b08

Download Submit
C:\FirefoxAutomationData\prefs.js

Filesize
2KB

MD5
49e548f3a3ee05fe6aa03c1b10e6ea8d

SHA1
52016fb89dc196a4f237c3e608bc2b8ae8c09cd4

SHA256
8abee44d2175b4920e323afa3225f03193be3f5736112e51e5ed30747d2b4792

SHA512
2976d3f9a5cb85155d7e4322d837e099730e158e274c459ab9eea6334e917dcf9288cf2d72df4604e85b6688fc83756ed3eff5e77a4875bd4738b38a40c4448f

Download Submit
C:\FirefoxAutomationData\prefs.js

Filesize
5KB

MD5
dbab388a53b9d67d4cb9332f8dcdcadd

SHA1
16380f07763ae95560500d326991ad8ea6ed392e

SHA256
da01ac111f3c40a5c97cf09a233adbab69735faf16906512fd53aebadb0fb4f9

SHA512
a0ee6fc26745700ded95ad2e0fe1e85e62c082a44ed648e755fd1077e6fcd5e03434f1fc36ea9ab3f252236c3a522ab0f847be17429416b9a5c7b737d56cb729

Download Submit
C:\FirefoxAutomationData\startupCache\webext.sc.lz4

Filesize
107KB

MD5
61cac9a189ce84cfcd04dbd127106292

SHA1
f5fa4c7748ad8a95b6513fc054349ddd48ecf1d3

SHA256
15b836a893dd3cd03eb906fc1205bb34e959fc115a98cbd0a6faaaf33e589ea9

SHA512
c10fbeb7ccf3ead3c3df78728fe3e3e2a7a07a070625597c14a4a99185f3b51522ea09a10a61f7555957161c4df94e1317162d4f717177e1691678d800ff8d69

Download Submit
C:\FirefoxAutomationData\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
e8cdf129bd2ad1c896a3419e2d3cd21b

SHA1
09cb4d70088bdf2005f9aedc88c5c860bf9a02ac

SHA256
34de1392e4fd61bb18af33be0f0fd06f48f6e6e28786e913e39c5bd09593fbd1

SHA512
42c09bc12aa3f365ee10daa607484f1178df8ed856d3ea79af3395b482f3734a1db4a116aa108f0c4e2b799dc050b497fe03e03a268ca9714ba77ff26de98310

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\a5dce49d-664a-49ac-9bce-8530cc07af7e.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
feda7dffd481c577a9267ed600c59b36

SHA1
5b9f3348be555493fa69cb950500e520cc4ee1d7

SHA256
1b7cb7d83e25eccb4f234c616c6396c07ace3cee6790fd91ab0da93496bb3824

SHA512
6cc76c62f70c752aa0fe6d1a65dd193f41f00482dc7ef3623e14c5e4269e86d6c4544929999d811294c25a8d4769780d0d7808d1d2f316511d03b6fae2cc4586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
fd286b581402fa04e9ecacab8a36a0e9

SHA1
c243096ba258d3ce0d827d20b977b84ce5a7c213

SHA256
ce5ef0614cb985471b29f3e028b8a28247aa928f89cd47ac54066095b5b5ad33

SHA512
ccec0ea1990ae24d06ff1bc198f1cb420f77fdec93aeada4e46a31dfb6bab7cbbf16544c09e9b8c34b8d27827a7b0f96b2f3af79ef1a73586fdbaa0eff8444b8

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\063f1a55-f6db-4abc-b0f6-50592df36a95.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\20qix1ci.gyn

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
89ac0fe86e18982ae956974bf65f5161

SHA1
09fe7430bae37fb6f7ff7e80ff902d8070495a87

SHA256
2eefe3ccbf28d665af0eaa636a41e3300fad0a7db7318e1917859929ce874255

SHA512
4c36370866a6857df36303645aca882764b88796c96dcad41d7112dc0034c64a8b25382063d82047505b5fa3601fe89274c824f895702f1dd08f1881e59ca8f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4588_725824848\43496039-342b-449e-85d4-885f4d2a0122.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4588_725824848\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome (2).lnk

Filesize
2KB

MD5
81c90c7c269dc6162d90470929220db6

SHA1
8a8283f4ff4ff6b7f5cadbe92b1fab7ac35f2ef1

SHA256
f2fb01cd22b9d7b1b63dcf00b3d68e31a06636b13adcdab81b23f3afb92db3b7

SHA512
4228c2d7c5df98131d5ff278dd168bced3a6d2bfdee8ebc5b2e96bc9fd6f731d4eb99a699f034297e94616ec6dc0dfc79ea59d7e471ef2c5bf5b9ea9a197d65a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\40138b7c-f04e-4e65-8f56-b19708929c26.dmp

Filesize
84KB

MD5
73cdb1760a1f9c90c248c93c7cebb4d8

SHA1
488efe17728a55ecb26e92582b9bf9bd6cc0d7e7

SHA256
cd7366e944cc0d87a22f9221ac7acf9153994fcaf26758be4ef6e30f1c01a16e

SHA512
9b057d07864598e694309baf2fb6e8af209bea15818d8055cd9ff9e0b66a1dc76690353c54c24c879bed95261490436f2c0641d017e8347b059b2deb82c0523e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\40138b7c-f04e-4e65-8f56-b19708929c26.extra

Filesize
9KB

MD5
95c1c8633a4e1e988f966f02b0df54b8

SHA1
208199bc0dd085675aeaf1979d4ea2785f9e684e

SHA256
03d1e6d9558f9a630b168fc339301557c285826e4c9b430b47caffc67b7428df

SHA512
622bfc33f43d8f20afdd94978dee289d88343dd858f8c6b9384a26addcbd9b4ea26259b32192318d7e78e9a858ded667c8e99254bf5ab1633e6aebb20819eb50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\8dd7a508-4674-4264-a166-135a4ef5f8a9.dmp

Filesize
71KB

MD5
4b60119159eb782840dc1238a716a25b

SHA1
a43970fccd3453694448b4c69068d5037ff5051c

SHA256
157bb37f84090b0b5476aff608128a966f3c95fa559aa3a1b611c39530222ad1

SHA512
7a487f1ffe7194212ac39d85fbc03ca4e48160b148ebb423b684bb66913549c943e7fc9e9fa2f51951c413f90ab2c14c635e2e42fd7bf19f1540d62888fca1da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\8dd7a508-4674-4264-a166-135a4ef5f8a9.extra

Filesize
5KB

MD5
cedd80c5b5c2de8c6187ae2ebf936da2

SHA1
5d1788a6628a1ae2667c9f7e4794295d4597d927

SHA256
96cbaccc4e2c9e2e1ec40496e4bcb6b75fd7a6b427f46f90cb4fd91c940cd71f

SHA512
df4da00f9c558ec3e6514fd33af1695d501cd19f68223b83f90d7c20ffc36af3e847edfa7fdffe4ab70bf6decbd861d70e95819406cb771ee9b03b5684dd5ce1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\d56561d7-9e55-486d-b65d-142058e26d2d.dmp

Filesize
85KB

MD5
61ead9665536f11025387a9b86fa9fdd

SHA1
1f908cd365a52f24169965510a63c92a2c9f88c6

SHA256
29fc1894bcf8d452f9e7220bc7acdcfd666a56e8a32a854726630ed8251e6baf

SHA512
27ae19962c4009a65ef3eb54a6d895f8bffcaf0085a2c1147dadb38f50737dc8ddda360c2ab0ef2c793bc7c896237b552b3a94cb4c02a3b70dcb4c1836fc8904

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Crash Reports\pending\d56561d7-9e55-486d-b65d-142058e26d2d.extra

Filesize
9KB

MD5
d11a26889587044a19b6b730974c4efb

SHA1
65ae152c50780a7ae08fc43bf879050bbe3e9006

SHA256
711addf07aa96fd198c289948bd25d39740ca4095c786f513a079dc07f97f3fa

SHA512
5fdfcc560a877f7f518156266aefa69cb5ea2cab31eddf32d4edc298769fe8fa5ce30c4fca15776506c6d3d28195b6898476849630104f04ca4795662f6bf646

Download Submit
C:\Users\Admin\Desktop\sad.exe

Filesize
45KB

MD5
e069304f72f1993e3a4227b5fb5337a1

SHA1
131c2b3eb9afb6a806610567fe846a09d60b5115

SHA256
5d00cfc66ae11f68bae4ac8e5a0f07158dae6bfd4ea34035b8c7c4e3be70f2c5

SHA512
26f18e40b1d4d97d997815fe3921af11f8e75e99a9386bbe39fb8820af1cbe4e9f41d3328b6a051f1d63a4dfff5b674a0abafae975f848df4272aa036771e2e9

Download Submit
C:\Windows\SystemTemp\Crashpad\settings.dat

Filesize
40B

MD5
5ac7c6582d5ebcb1c1941d252d1952cd

SHA1
5ffa9403bbff25965421cdca1c3f6ccb7cf7f7ca

SHA256
6d7e3ddf29ae13df46e4f982683e2a6780cf84495571e748cb3e38fd8a8bc3bf

SHA512
dbe1bf21c2a26aef78935a6b8a81a345925717f8ebc77c0f7c3d587099e8fa430cb8374f6583caba567854e39fb9ad6c40499b3b498cba5d8a8bd3ab6116a662

Download Submit
memory/3108-13-0x00000000089B0000-0x0000000008A62000-memory.dmp

Filesize
712KB

Download
memory/3108-9-0x000000000A2A0000-0x000000000A2C2000-memory.dmp

Filesize
136KB

Download
memory/3108-16-0x0000000009050000-0x0000000009174000-memory.dmp

Filesize
1.1MB

Download
memory/3108-22-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/3108-14-0x0000000008A70000-0x0000000008DC7000-memory.dmp

Filesize
3.3MB

Download
memory/3108-3-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/3108-12-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/3108-11-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/3108-10-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/3108-17-0x0000000009170000-0x000000000918A000-memory.dmp

Filesize
104KB

Download
memory/3108-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

Filesize
4KB

Download
memory/3108-8-0x00000000083A0000-0x00000000083B2000-memory.dmp

Filesize
72KB

Download
memory/3108-7-0x0000000008380000-0x000000000839A000-memory.dmp

Filesize
104KB

Download
memory/3108-1-0x0000000000DE0000-0x0000000000FE2000-memory.dmp

Filesize
2.0MB

Download
memory/3108-6-0x00000000082B0000-0x00000000082C4000-memory.dmp

Filesize
80KB

Download
memory/3108-4-0x0000000005A10000-0x0000000005A1A000-memory.dmp

Filesize
40KB

Download
memory/3108-5-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/3108-50-0x000000000D6B0000-0x000000000D74C000-memory.dmp

Filesize
624KB

Download
memory/3108-47-0x0000000006F10000-0x0000000006F22000-memory.dmp

Filesize
72KB

Download
memory/3108-2-0x0000000006020000-0x00000000065C6000-memory.dmp

Filesize
5.6MB

Download
memory/4728-52-0x0000000006630000-0x0000000006642000-memory.dmp

Filesize
72KB

Download
memory/4728-46-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/4728-53-0x0000000005840000-0x0000000005852000-memory.dmp

Filesize
72KB

Download
memory/4728-51-0x0000000006140000-0x000000000614A000-memory.dmp

Filesize
40KB

Download
memory/4728-49-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/4728-48-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/4728-45-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/4728-44-0x0000000074D60000-0x0000000075511000-memory.dmp

Filesize
7.7MB

Download
memory/4728-43-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/4728-1526-0x0000000005A60000-0x0000000005A6C000-memory.dmp

Filesize
48KB

Download
memory/6180-1546-0x0000000006640000-0x000000000673A000-memory.dmp

Filesize
1000KB

Download
memory/6180-1547-0x0000000006910000-0x0000000006AD2000-memory.dmp

Filesize
1.8MB

Download
memory/6180-1595-0x0000000005180000-0x000000000518C000-memory.dmp

Filesize
48KB

Download
memory/6180-1550-0x0000000007010000-0x000000000753C000-memory.dmp

Filesize
5.2MB

Download
memory/6180-1548-0x0000000006790000-0x00000000067E0000-memory.dmp

Filesize
320KB

Download
memory/6180-1549-0x0000000006860000-0x00000000068D6000-memory.dmp

Filesize
472KB

Download
memory/6180-1560-0x00000000086C0000-0x0000000008940000-memory.dmp

Filesize
2.5MB

Download
memory/6180-1551-0x0000000006B50000-0x0000000006B6E000-memory.dmp

Filesize
120KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads