xenorat | hxxps://github[.]com/moom825/xeno-rat/releases/download/1[.]8[.]7/Release[.]zip

Analysis

max time kernel
266s
max time network
245s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27/11/2024, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000500000002a854-115.dat	family_xenorat
behavioral1/memory/3288-117-0x0000000000330000-0x0000000000342000-memory.dmp	family_xenorat
behavioral1/memory/3288-168-0x0000000005910000-0x000000000591C000-memory.dmp	family_xenorat
behavioral1/memory/3288-235-0x0000000000C90000-0x0000000000CA2000-memory.dmp	family_xenorat
behavioral1/memory/3288-245-0x0000000000CA0000-0x0000000000CA8000-memory.dmp	family_xenorat
behavioral1/memory/3288-256-0x0000000000CC0000-0x0000000000CCA000-memory.dmp	family_xenorat
behavioral1/memory/3288-267-0x00000000061F0000-0x00000000061FA000-memory.dmp	family_xenorat
behavioral1/memory/3288-286-0x0000000005850000-0x000000000585A000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 5 IoCs

pid	Process
3288	gg.exe
2400	gg.exe
2864	gg.exe
5520	gg.exe
5984	gg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
664	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771770684514310"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings\Shell\Open	gg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings	gg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1 = 7e003100000000004759406611004465736b746f7000680009000400efbe47594b607b59e7532e0000003d5702000000010000000000000000003e0000000000083d8a004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Downloads"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings\Shell\Open\command	gg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings	gg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	xeno rat server.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings\Shell\Open	gg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings\Shell\Open\command\ = "\"C:\\Users\\Admin\\Downloads\\gg.exe\""	gg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings\Shell\Open\command	gg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "5"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	gg.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\ms-settings\Shell	gg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe
3288	gg.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5616	xeno rat server.exe
3288	gg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5616	xeno rat server.exe
5616	xeno rat server.exe
3288	gg.exe
3288	gg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2932	1992	chrome.exe	77
PID 1992 wrote to memory of 2932	1992	chrome.exe	77
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4868	1992	chrome.exe	78
PID 1992 wrote to memory of 4460	1992	chrome.exe	79
PID 1992 wrote to memory of 4460	1992	chrome.exe	79
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80
PID 1992 wrote to memory of 4772	1992	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffbbd22cc40,0x7ffbbd22cc4c,0x7ffbbd22cc58
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1760,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1756 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2076,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2140 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4656,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4184 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4884,i,12050268330956646269,2883901528933699297,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:4356

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3920

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3548

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5616

C:\Users\Admin\Downloads\gg.exe
"C:\Users\Admin\Downloads\gg.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3288
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\windows\temp\sp4gvmz5.inf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3536
- C:\Users\Admin\Downloads\gg.exe
  "C:\Users\Admin\Downloads\gg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c start "" "%windir%\system32\fodhelper.exe"
  2⤵
  PID:6100
- - C:\Windows\system32\fodhelper.exe
    "C:\Windows\system32\fodhelper.exe"
    3⤵
    PID:1152
  - - C:\Users\Admin\Downloads\gg.exe
      "C:\Users\Admin\Downloads\gg.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2864
- C:\Users\Admin\Downloads\gg.exe
  "C:\Users\Admin\Downloads\gg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
PID:4836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start "" "C:\Users\Admin\Downloads\gg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:128
- - C:\Users\Admin\Downloads\gg.exe
    "C:\Users\Admin\Downloads\gg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1a65091b9b2d904e2f0d52f8f14ca140

SHA1
80696a9728d3f05c60830e47f0633aa0370ea94c

SHA256
316a185bad00956db33e7c8718e15c0b8e4d4f7ede09c55422db7203faaef5db

SHA512
5cff8aea82127b660ab69cd2f6fbd358deba0e88f75ddcea1d18cd41b9db3a64b0d5e975ac1e75b77f1d565b189b6ff664eb192ebf9da9a7d2e59230c8de1585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a6a5d45db3982b228a72aced85157845

SHA1
37a77b48b2ea601c4da456db305c5d037d6ccbe8

SHA256
d0f0db1bb294bf0a3f4314bcbbff8fd24e7b279e89bad571cfbed5fcae68f88e

SHA512
9a45e0590021c456de3d23f966bdb248c8c63d8970554add3596a35b9323b7899151cf04be0bf1329908992dca273896aac8d35c0ccb8fa009ea1011e93d4ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d72693f9d5f1ed61de39a63f27b7a420

SHA1
d3e23ab69451aaa7101a1d9748218ed2ffb95700

SHA256
32ec19894d7934b07f42fc59758882286a086bd6e1b6762ae1d4478b9c705a4f

SHA512
979e934b7814b728076ab27e94b5cdc3fb68bbcf73e57a77d9e3c912124700911e2e6f8d23e55cd46f62e75b79ac60cfb433530a205f04fc443fdd9be4bbbdb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e896441c1d2af6b514d2a5ffffa11905

SHA1
2d5b6e03ef8fbe00a2990b946986dacdd1b51cff

SHA256
9c686f2cdc339659721278f34ffc566ea4665549dae97d6253f06ac6cc9e4dc9

SHA512
4542359ad1e77bb71c55490dec0db46f744b9339f965e8888bfe1a743373bc39f7fe003a2afdcf8580532dd8703934f5df9f201d7ff6a3aae12131a184af0b6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6eb0e20b53c9e65f9a55c498f8240a88

SHA1
150be243360f8420935d0c4c162e230c0da60dc5

SHA256
5f7bb6597ea92f824cbeaff95e00049ce78afd655801095730a2c6f52bf0738d

SHA512
c20024ccdff3dc80cf55503abbbe9caff4a2e65c9e85444629934afee38e56b76365fc2e43a0eec28b637693f43e3b3e9b95946b352b8f3c530e752201be8fa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f925d0511a9161f423f68e36faf2f69e

SHA1
c9a7a9b213289d8142aaa2fcf0c9dd68fb99ea29

SHA256
84c0071babadc48ab51b645f6632e958b08e8e01800ffe5cac4481d42102fda1

SHA512
e540d5484fc18d02a5748b4981d55123cfc9c9cad4ad3ffab4c4a6ebfad34d26e5cee5983f01c96751c727cf225673822c327fdccc161456974db4e42b18f951

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4d5dd51da95ecdef8210922fdf192e53

SHA1
2fcf8bbbac31744e641f038f2ecaae233db180c0

SHA256
1bef120abcacf9b05027f3dfd5af2b863385497f764af079c86b67a392cb84f5

SHA512
4e3e212aec29fa2aae95424f3adcc518a6c9031e25e57e4744973f2fc8afda5e2b2431cc541efbd63f9af384bcce5915aebe0322e60303c0a2aed1c4f5ed957c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
351bb53a90681c584ed4a1e870731c58

SHA1
f83954401e04ac6f98ecb7364ccea0e9145558b5

SHA256
0e9b57bfd898ea0f1067454a11fa9a6fd80e69510d4cfec1b2fcc128a2019b96

SHA512
f914476aba61335972027792108ced360ea7b06be13bb94d4392a39c2fd456dc140288b553f65d697d0d9b6e668767343260f36718526237be52d70ec39edecd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9494c9f041a4028a4d688be7158233e5

SHA1
3aee4f1630ca17b8369126398dc0fb926bfa5d9a

SHA256
dcb99a2335811c5b58085167e9942ec477c788e21d060fed161057ff2e915ff2

SHA512
3ba08d707a3141e761cfc3697ee72e51c9618023e0481952199fe1e04401a8340d4493be3a6c7b93b8a335710e32813a00c056ac53d38e95e771f6b63f735d5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe3be193c18cbeac497370b4148107c1

SHA1
531ac48d1a962055db4e8fcd7c2c4c931e4702b4

SHA256
d575e60dc35acba4da19a6042770a166ee8a6cab4353fca9eec5a36b75ac9332

SHA512
24077c586c13c72716bed960524adc714416b38b2d28de5318d55bb3d78d1e38e03dfb24de3106cc6944f377872b7c9be29fa37dc1486c13fd371c41289c3c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
429d10a74e5b196548e4efeeb6c8e892

SHA1
945207cb47700071f0fa1c1fea5ce7fb2198dde7

SHA256
087e10e96c0a31a1d07cf3b77060ecf384517393d264cd13a3cbf3d01cd3df44

SHA512
a3e268f5ba66d13d7563619e69b66ad0e09c631a99d6276899b4689d286f918e8760292a49cb9bc1fbcab78e233da3fd2ee3239eed65040cb8d63adba62572fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f7762ede3b8a6d0da10c284203248a1

SHA1
d15aff7dba5de1795fada7696602e3aadb0417d6

SHA256
fc230ffbb62a354971f2b62e31510e3530304463bf97c2b0d51e95ee03c2e8a0

SHA512
90dd64a269e990919c311310a409a4076c6a745a74c5fb50b894bd710f2e0665507bc931e746ff60de46f14449f453a7ee0d6e1c7355f6d8dfaa5b2fb2f5ffce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ccc8ecee5c514f222be6e3a60d72a0f9

SHA1
68d28aa5ae0b7d4efa6959634981e5f4144513c5

SHA256
25233ff94fac1af63df9c6a039dbe9b6a6ea2410b1ab79821cff9195b2bbf806

SHA512
7c3d40ee976545f26398dd1c2ef9f1dde8bc3693a55d1006bb908d409f87e3aca08639359dc72eba917f20663c0dc58c14718680b68ef3356708a8504db727e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7706aed12c80b977c20b62f521a2a3d5

SHA1
027d852110aa5548e3e0b0a827db7e933c678efa

SHA256
5039e23067b3e2a968ede5d020893b381fc26067a4aa217eb711bd214ca95310

SHA512
7eff8fe3f2dc22aa89da110af77f3d2f6838b981040eff77252319eda760a14f7f95fd9d7820c949e5fbda2c8b72e5fb731d6d27095020c4f1f660fc1c1328a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8edc00a09b2702562383032402c07cf9

SHA1
f76b15ac520294bc1b299c89d9256580abda73c8

SHA256
512e57fb782c0727174b04a401dd4c0e19abbbc7cf41e333d9f8896a72844a1f

SHA512
b348a6af92ec11718062c54a160d7fc575ebf73b4b2c4bfb44a11d1fd171c8ae5e347c0bf86c7139d2bb092c8e8e31d8a3d79097c7315bfa6034c16619d92a3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
121c8ffc5527579b0115a96fa941f53c

SHA1
21dd22740172db8be3a530e673801586edfd697d

SHA256
c257ba1a23b203eeb074c7b8d82b593704fd7eab923247b53a6465535cedbe85

SHA512
e58314c0601a50ccb844f9d4e960c07385d79b58d0dd32c8899db8c48c9879b8108b06e22b01a5eeba391f2ced2a44f8c0a3934ccb371fe65e997ff91ad52b57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
504a9a41b74751297e529b85fd6c034a

SHA1
b02bfb899d9b46db17b54f1a7fbd878451380d4f

SHA256
7871c58056e4541175fccd4b6f2b3cf9f0dfd62b88b87b7d29f61fb19b4c1d4e

SHA512
94551e16a4e1eed4778a468971bbe213052dce11ddd719c232ff510f68763d55f17c0a9307ba57d8096830cb42a07b8a7255610dcd0c683cfaa542a0490dd49f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
41ee3c256f3454cc50a8231dadd0891f

SHA1
57b064bf50439f90b4e93c2a12fea1f6a2d5ecb3

SHA256
c5470e44d81a84df48b66abaa17e19c0d42ce4b564ab2426c3b20182765b5211

SHA512
a513cb0e7f904ae10c701ac79b997f6ff5d1dc05d9eb63595655d47e5071f5e0de68c4ccc5aeb1441903a25fbcad111563d8df4b89bbbfabc4005c4eddc243cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db65cf9641e23bb41c1441f248a99520

SHA1
496b51bf1873ba0317a2c52d9ca4451e860ccab9

SHA256
59b362152d8fb9656844f17d36034164496521607793822ff76566393e614c88

SHA512
6bcb921f88168ba95c44dcc72e06c56f3cac02c0ce5cab856e1143b28ae38e1099099daac970dc181a5d2992aff31dfc96337d81b51434f5711b8e0bd985d4ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f6b6c4f18049c7b611c2bed790f4faa

SHA1
debd01a350eb430fe0df8c7161f4ee24479dd7c1

SHA256
75e67faa10323284fb6e5f54454862d206b5c5a945be622975fcc069cd7ead0b

SHA512
5787765c5b9e344c29a628c031e3f18e003013e0ad70dd209b5be7fd30d2e1a11186fa34aaa29282f82b0f80aee9e9e45507432d30a58214136ceff6a3ecdbfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94a447039fed25d14a22523e3674537f

SHA1
bd1968b903fc3b78ed3e5091b7c7143910c5c53e

SHA256
0c6f089159de8d35683315fb4f9bfeaa71ecd5d394c19fb0634a44c4cd389733

SHA512
b28b04c21d45a20d3bcc4ac012f4961a89956c04577ca7ee5fa479fb5a43d7313162d7e2e4ced073cb073e164950bab21841867a41b4132cf0c4832975b6bb56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e67c5b7e-aafd-453f-8d95-16c0335bc977.tmp

Filesize
9KB

MD5
9f605207e5e92d909640a93fdaa33c0d

SHA1
9de4e8abfe672cbafaa6fcfbbdc78c5cd53d59e6

SHA256
ff28be18a69138d8eb6a7905bae748a626bfce20c775fe80867ee2c62cf7903d

SHA512
fde549d980a2be33d7a6203cd906b1ab2368c924cc8f24c1013893d120750ba004a1ae703fb65ab9572ffb973fff1acf396b69dcf12a3c62773cd4dd9ebb61ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
ee0b3229333d384ab26c9bd18910cd4f

SHA1
4d51b25ed171962cd93765c04157effe4af3fee8

SHA256
2972b7a49e3e8e014e89607f9c68a8329ef165f8f67c85de0d7e39308b5ceb53

SHA512
058239fefa6614b0663f570c062b10f6d7cb4157dfe93ef5db69c5f09467e2f8cde3e3947ec06b53c25c20e47a3bcf8412a53640b339031607ba29d46753b8ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
8f2594c69eec72bdb54508104aeeaabd

SHA1
71f495c2a369803fc2821f18fbc30c8705174d00

SHA256
88e46472cc73031e49ecc517f1237eb6cff9e24c746af5030c97566af2a1159e

SHA512
0955df5ddad0a353c16ae1c918f0bce6e7267a77bc887f51dd28df5459732c46488fab224e6e6a7fd7e100c7dae55d19be3d486f5bd85f9bdb0cabcc29bb9722

Download Submit
C:\Users\Admin\Downloads\Release.zip.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Release.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\gg.exe

Filesize
45KB

MD5
e069304f72f1993e3a4227b5fb5337a1

SHA1
131c2b3eb9afb6a806610567fe846a09d60b5115

SHA256
5d00cfc66ae11f68bae4ac8e5a0f07158dae6bfd4ea34035b8c7c4e3be70f2c5

SHA512
26f18e40b1d4d97d997815fe3921af11f8e75e99a9386bbe39fb8820af1cbe4e9f41d3328b6a051f1d63a4dfff5b674a0abafae975f848df4272aa036771e2e9

Download Submit
C:\windows\temp\sp4gvmz5.inf

Filesize
618B

MD5
36d176c8e2db19d36a30026520f12aa9

SHA1
f2c5a47e585a3d17f4eba26e3bf2b63149b33743

SHA256
e54d902db91a4c25be72ece8a377859c1803b26f4f7a80b16bfcfbc997b03095

SHA512
76b1d3c829e051f0fbe2e2463f18cbc341ec03ff3d9ae36b3906441fbd1bc10a83eb6f599288f9018b3f90a8213bdcf53309999a32e1cb8de11a0ebc6276ccdd

Download Submit
memory/3288-117-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/3288-235-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/3288-147-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/3288-286-0x0000000005850000-0x000000000585A000-memory.dmp

Filesize
40KB

Download
memory/3288-267-0x00000000061F0000-0x00000000061FA000-memory.dmp

Filesize
40KB

Download
memory/3288-256-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

Filesize
40KB

Download
memory/3288-168-0x0000000005910000-0x000000000591C000-memory.dmp

Filesize
48KB

Download
memory/3288-245-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/5616-64-0x0000000007890000-0x00000000078A2000-memory.dmp

Filesize
72KB

Download
memory/5616-60-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/5616-81-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download
memory/5616-66-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/5616-65-0x0000000009420000-0x0000000009442000-memory.dmp

Filesize
136KB

Download
memory/5616-107-0x0000000007C60000-0x0000000007C7A000-memory.dmp

Filesize
104KB

Download
memory/5616-63-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/5616-62-0x0000000005280000-0x0000000005294000-memory.dmp

Filesize
80KB

Download
memory/5616-83-0x00000000060F0000-0x00000000061A2000-memory.dmp

Filesize
712KB

Download
memory/5616-82-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/5616-84-0x0000000007900000-0x0000000007C57000-memory.dmp

Filesize
3.3MB

Download
memory/5616-61-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/5616-86-0x0000000075180000-0x0000000075931000-memory.dmp

Filesize
7.7MB

Download
memory/5616-59-0x0000000004F20000-0x0000000004FB2000-memory.dmp

Filesize
584KB

Download
memory/5616-266-0x000000000B9C0000-0x000000000BA5C000-memory.dmp

Filesize
624KB

Download
memory/5616-106-0x0000000008240000-0x0000000008364000-memory.dmp

Filesize
1.1MB

Download
memory/5616-58-0x00000000054D0000-0x0000000005A76000-memory.dmp

Filesize
5.6MB

Download
memory/5616-57-0x00000000001B0000-0x00000000003B2000-memory.dmp

Filesize
2.0MB

Download
memory/5616-148-0x00000000098B0000-0x00000000098C2000-memory.dmp

Filesize
72KB

Download
memory/5616-56-0x000000007518E000-0x000000007518F000-memory.dmp

Filesize
4KB

Download