xenorat | hxxps://gofile[.]io/d/8IlX2b

Analysis

max time kernel
299s
max time network
302s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/8IlX2b

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

192.168.1.1

Mutex

pythons

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b80-102.dat	family_xenorat
behavioral1/memory/1376-105-0x0000000000D40000-0x0000000000D52000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	yes..exe

Executes dropped EXE 4 IoCs

pid	Process
1376	yes..exe
1444	yes..exe
1496	yes..exe
2324	yes..exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes..exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763484914031883"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe
844	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe
Token: SeShutdownPrivilege	2140	chrome.exe
Token: SeCreatePagefilePrivilege	2140	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe
2140	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1320	2140	chrome.exe	83
PID 2140 wrote to memory of 1320	2140	chrome.exe	83
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 4792	2140	chrome.exe	84
PID 2140 wrote to memory of 1792	2140	chrome.exe	85
PID 2140 wrote to memory of 1792	2140	chrome.exe	85
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86
PID 2140 wrote to memory of 2248	2140	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/8IlX2b
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb1f64cc40,0x7ffb1f64cc4c,0x7ffb1f64cc58
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4232,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4740,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5148,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5156,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5020,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5472,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5484,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3392,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4512,i,4038978374523709607,13347044487727458384,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1736

C:\Users\Admin\Downloads\yes..exe
"C:\Users\Admin\Downloads\yes..exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376
- C:\Users\Admin\AppData\Roaming\XenoManager\yes..exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\yes..exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1444

C:\Users\Admin\Downloads\yes..exe
"C:\Users\Admin\Downloads\yes..exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496

C:\Users\Admin\Downloads\yes..exe
"C:\Users\Admin\Downloads\yes..exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
27d7b64032e525d3d74f50952766de39

SHA1
141c378534bbf9e40a24be7198c02e363e760aad

SHA256
72ab152ff4c4d82bfb567441f15513b43ccb53ccc3fce1d2cba5cd5d924256b6

SHA512
b35a03e472ab5ce0c6b6e51c09a0720d1ff30e0cad93183cb616fe6a954b3f36fb2163b166ad41ca2092ea9149b166de6de7782d546760895ff44a61a97a6050

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
8d49c87374b3c082176b820540ee5c22

SHA1
c6050eaad53ecd9b630cdf5c48388841a2ebcbd6

SHA256
b63492496d4cb05dbfe3da5140d39d288109ea69da85e6c3968b938269198040

SHA512
b5ab50cef68101ca16a772a280485bc257eff0d301e4364aa0962b271c51b278e8f7e19c9b3c0b34a8670d2f1594bc49ec650cdcf2ff1c219d0b42dd9bf4a46a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b3cfa1f71a2ba4ab3c7ff9413a2019a0

SHA1
aa517c86c7d8e80ae1c4a50455361428cd984a75

SHA256
d3a07f2e207171e5d3ba4157782dddf75e0a164930120f0d889022662911f7c6

SHA512
2beefc55316fc9d9ee8a0125da70064c50b081d4c2ed61eb67b1026056028ddda3d2c99fcc008655e5617b4a80973cea1dcd37fb28446aa1469d03aa27d1c18e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
686B

MD5
cc4abcc582fbbb38c447492d06a5c5f0

SHA1
29444eb241b10d8de47e41d654820dbe3e9435fa

SHA256
4a23d526a719cdbb05a5293e72049df9f42d5d61d0a51a865db9134f011a04c6

SHA512
0cef620b869c14a2ca6bdfd4509ca18e54c98e6b81decf0c777d152eae4cafc42d0aeda31efe9556d349daff3bf8cd1caa47fa01b4c6b79c1edd1d10a790280c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b8aa00dcea5f0bbec7c18e9034881c2f

SHA1
23a666eb1633af195a27194c134b4f456c819783

SHA256
70123163e6f9738ffd1e8b760111c783b33b02e4098c7c94e01aeec9a21c0bea

SHA512
a63661fe3f4136283f718290c653a19cd8cbf52db83cdc7cd9b040fe91e2c79227c577bc606ae4461dcd719ca43f183d350f09160fb048a9e422386e34698bd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7460d1d7eb056d8c9fe69b7116358b4c

SHA1
0eb8366e2553fd7f8951151403d981b0e9ebf957

SHA256
5c259b51e4ec3d644ab0c1d0dedfc561ba18353ba759090856ee696d5c797e81

SHA512
ff628f62d6aabfda7dafcaccd48e22d172b6bef631ba1212127f33f5de1874dd41ce697f6e95b1b3e487a6075c82c81dd30bd179bea16cd5c442c67f6c6733d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9d0adfaae083afe6c01dddec350df38

SHA1
b0efa6387286dff73ebad84d9d29746af1191a1e

SHA256
93ef26d4f229f60b00a5a556b222f5709949dcc360ff77d999d0504aafae401f

SHA512
bc610cee0e87ca2dee79f56d2fc2a334ccdeb063ab3e187255d5974585a8db23ddacd1372ade488ed61b81b19612b4f7bcdc36c362f81950a0cba2ff5116ce29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b53463dd1fa9fd299ae5a30dc3d119f

SHA1
0279090c4bc82cbfb4e6e431d1b1e50332430521

SHA256
a618108d23074f3b6415d2ba8f05fffa5789dcdb7b93436cd3429d3194b87242

SHA512
8b5712616e44438968cc25e81507a00d25e21784627ca3af07d42a18b3de0adf9cfe4adf4f18407d6db58a57a12590e6eb2b0ae2488b4a02aed75f7b9de3320b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f36e9b66cd1b31153940eb997ebc4faf

SHA1
724c2a27896e8a95e52985ad7c8c020b73f11bbf

SHA256
e9af071787fa1b9ac42036594c64262cb3c5a00e56a109cfd554ba52d337283f

SHA512
79ba7a51a8c959cf64f63aa4cd1b814518d884ab51ead4fc3a5ea36f6fb77966ec4c2ee645f6aa4b48e49d615bd78e3d1072fb611046b82de8dd0533cbb05c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71e4a78a07419cb481375820d91a2865

SHA1
6478b31754b0fb7c8628eefc5f9dafea5a658299

SHA256
ff50c159a154c739ac0aed238ed5c8c7d43050b4395d4ab6e7bb746f1a03523d

SHA512
7b8bfbb926d3735f1745c42979e2afe7a1cb27b1a1c67d2c4cec153b676bc7121270032794f2cd1e575c98ace1ce49aafbcbbe85ae1dbc03166589eb689a6b87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
64a65c6380e3817d12d4ff1b88649302

SHA1
0171201a0d498eeb482e7a729a201af199ec82e5

SHA256
7429556cbbebc099bbaed40f5199eca427fa13f806d724a94f447fdcdbe86e70

SHA512
4ea9a7130fb74961d0b5fb4de291fb194d0e3b3b86c6c64afb4c467ae8e5a14f1d3d67f2e766fa1bdb8d588f83cb965573d63da45ead702707c04f6258a6330d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06e6d2b43d73ef2df81203de9d36232b

SHA1
f13b1c4d6a11bbd008ee308279faace32361e8bb

SHA256
9bfe3ed81602c284b8d09d610a4e51a4499bbf043a5c635aa867b48bd15adeed

SHA512
9a684f8b403b3170b98728b77ebfb62b015fd21e662a83c1d6285da834295c0de3c379b440c43aac995e180a5ad3c96aed94165ada92754812bc0914f14d917b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8fddaaf8cce886c0124da2e664a111b6

SHA1
11ea4714c00f216d2087d70317f33d1f987e3fe3

SHA256
5819f686a9ff5805b6e90e010ea45d7c4005b629ffaa65beba00a61838bd5af1

SHA512
4b43aab830e239766988ca372675f3c3c43b55357c76de2b0e6fc65f4bae0475393bcbcb12631772936257e027e11d5b8715e495a5edce96c682eb88911e441a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4284539705c75647061c0abfe104ed4f

SHA1
70af4e08f9992686cb35407fc67b400807962a83

SHA256
6dd7a930596710be70ea9fe81414bc8411a4cd132cdc4dc5a44761d0505311e0

SHA512
b267e562a3b82305bc478e7af0a0078d8824bd53d1884104a2ae3c01288dfedbd2e3be1a6d3f83e7151ba50a3377de0941a1296781dd206c2f5bc5b8c4ded49f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7145f2b43754f50eeb7ed3eeaebc68db

SHA1
8d7b246cc6b28e0b77378ddc7090e0f74b41066a

SHA256
e496ba35b9095e4180d28ede8886681cafe0cfbc4529bedac37b14a0c0c4c64b

SHA512
a9aca903a15bf7111307c26ef78f64b124d84364c6093f62da12e8434aa163d38ebc21b857edea6ea00141f97c86ebff182409a96e04ad3d55773dbeedbd11f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b82c6201b3a52ef69fe04be152e6b31e

SHA1
f697c9df3dc6c91ac1ca840a6bcad170843bc5fe

SHA256
15c85d176f409aed56b96feb4a6d771822bfba28a3f1a3988aca20d91f0a887b

SHA512
ae7e15021a135278ac541e0fc5adb458b4144928592f96a859172364f7f84dc6cfdd801d4ee86ef509aaa0cb92499485de29e1dca2ddd0fa01d9d975a835ef90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ce04d0d833cc7626bca14e69192e25a

SHA1
c186f997c1ce8f551e6f97b5838db71ced62d7ee

SHA256
9a000aec73571ca9a9f5a2a11075711d6921a3f3f4ddebc3f5c86b9edde4ad71

SHA512
9ef8b7f3dfb875825eb03b1e529f1d3a1b3d17a51b430544ae464f8245b4c2937d02978a3a4f245a96228b46e466498ab3e41626ef9cc47449f692e7fdf4e2eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7490a2a7560c80c7561f43ad36d8f219

SHA1
2979990fedf850f6c0685e043c6548dafe207045

SHA256
3990af6929abc7da1d3b30a646999d676f0e367a678773b518cb87d8c882ce1e

SHA512
3f45223c2f0b2d7aa03ded0582d456a2529570944620ca41588e808d268faa68be81a2a25ff3348b47eee77b9ec1d51d9a2916ba8c9160e5fd87cedd8032c28a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
1a8a6fc486582e16dfb8c2a4e90e9721

SHA1
e8eb486e385c05d08de69564385877be8c20cdfb

SHA256
d5387bd3f4a571f247501b8815bf761d972655042b1e228c28f07db193c33b6c

SHA512
78c2d3319108b18f01fa363562009f1d68b41b517009aeee381b8294fb9ddb8912479c9fb6cfcc26fce2e85e55c85a69ea2364824893436005fc33b107bdeb77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d357db83c4d20c92a4a9b7042feb1e8e

SHA1
81a7c467d941d4bee0ac95ac1a692dffc0bb3358

SHA256
738718834d4c023d58d14bcb8b2a38374f9e201420a51a0d4ddbe489a21df34f

SHA512
cae29a01d9386939e0b805e8d1de095073ef003c8df330cb021d71ab1ea4b35400b2d6e5d57de8df8e9db6225d495b263ac9f57161c58e8cb3d7964bfe283047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yes..exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\Downloads\yes..exe

Filesize
45KB

MD5
8a585cdfef71690aa63a5a52658ab4cb

SHA1
3a77b7f6d454970532919d60935810d18042c5b0

SHA256
1b5876bb09d6ac462c300fc1a660a117070686022b273d6e3f24a4a93f43b5ca

SHA512
16cc31b286c05b8466bf6064e138735fc77fa04a82f19c3c2f67b8869a71bb689b6b1f580e25dbcc9e0ecb641296770e01ffc57a8e13d57f4e632e5b61b10072

Download Submit
memory/1376-104-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/1376-105-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download