xenorat | hxxps://github[.]com/moom825/xeno-rat

Analysis

max time kernel
368s
max time network
366s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4852-309-0x0000000000300000-0x0000000000312000-memory.dmp	family_xenorat
behavioral1/files/0x000400000000073f-320.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
32	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 500031000000000047590355100041646d696e003c0009000400efbe4759d2498359f5bc2e0000005ae10100000001000000000000000000000000000000d91f3b00410064006d0069006e00000014000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 7e003100000000004759625411004465736b746f7000680009000400efbe4759d2498359f8bc2e00000064e101000000010000000000000000003e00000000005dce2d014400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Downloads"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000004759d2491100557365727300640009000400efbe874f77488359f5bc2e000000c70500000000010000000000000000003a000000000054d6b60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "5"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e80922b16d365937a46956b92703aca08af0000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "6"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "7"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	xeno rat server.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
5072	msedge.exe
5072	msedge.exe
4760	identity_helper.exe
4760	identity_helper.exe
3956	msedge.exe
3956	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4568	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	xeno rat server.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4568	xeno rat server.exe
4568	xeno rat server.exe
4568	xeno rat server.exe
4568	xeno rat server.exe
4568	xeno rat server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2268	5072	msedge.exe	83
PID 5072 wrote to memory of 2268	5072	msedge.exe	83
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 2108	5072	msedge.exe	84
PID 5072 wrote to memory of 3352	5072	msedge.exe	85
PID 5072 wrote to memory of 3352	5072	msedge.exe	85
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86
PID 5072 wrote to memory of 4492	5072	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff84a846f8,0x7fff84a84708,0x7fff84a84718
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,11387266873950655969,17874295772602815945,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5084

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\39f5d9d6-6379-4d96-8232-d9df15db42ef.tmp

Filesize
6KB

MD5
893e67b46f8774265302b0496ae211a4

SHA1
70952d239beb53d6f61b70132a515fc7dfca08b8

SHA256
34f5d3070cd6a310b6b331368a061482f2076e07abae220fe71e688b96a25092

SHA512
8164c6e603b709d293a8558eaa1e9ee55cd3f3cdf134aca5f889e3cf3fcc72d06e810c7a01ecf188f3a282c18c3189c54d4d9a22001093d794a7343a4fc2255f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
38KB

MD5
4a6a239f02877981ae8696fbebde3fc9

SHA1
5f87619e1207d7983c8dfceaac80352d25a336cf

SHA256
ac546e02b937ee9ac6f6dd99081db747db7af6a4febf09cbe49e91452d9257b8

SHA512
783cf2ae4ba57031c7f4c18bdac428a1074bb64f6eb8cef126ad33f46c08767deeac51917bef0f1595295b9f8a708cb297b7cf63fc3f7db0aa4ac217ce10f7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
20KB

MD5
dcc13e096885e2192da2ddae75ba5b26

SHA1
56bf42f76e81ebdc98f418788d239e7fef36326a

SHA256
dd359fd72402c351b879f263e6fd703008e6d641776ee6bb46a853199173f725

SHA512
15a357ecefce6278417d0d7dd6359a39882178226dcae1bd6514594837be7fde8773fa944c35764cd0f6cbeb43303158a5cb0aef9e9445718eb6cc49b10676da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
37KB

MD5
a6dd8c31c1b2b06241a71e43a49a41a6

SHA1
dc871c551fa802ed8dfcc0e754b3d4d373fddd88

SHA256
0def324bda1cf4872a205e006d8fd6aafddb19880c1678bf66f18b304eeda99c

SHA512
f3437729f25077e830e5381e4468ce8222dc893ece8527159721f07e5f85977acde921af3d47ae07ac9f35e3ad06ae06faaa23d715a207d76ba6746c55aeddbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
16KB

MD5
06b438d5e1a8ac9850ebaa924c67684e

SHA1
943849718ba03f7788c14ec43fb29cf503a0b0e3

SHA256
406f8ac9d271e8e74ff9b7dd5bd4f36d6782cd3d036fb9f62f8a252a6050f946

SHA512
0d21fe32b24b27807e96ef5c963dd1e78a89646638217c37ae0075689ad6f683895f942ae3d9b0542e74a9af22bb3756a885606c70d7ed351385bb2770533ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c98a325692793b4acbf90eb7e8a8efa3

SHA1
9c6fe80339c1668aeeac49177f78a21feab9c8aa

SHA256
235c4a5eb70648052b1cc85c93937b5169a223e3226fdfec6f7933659b599029

SHA512
e982bf21f67d94df43afd60b1cbffea3576262c38cdbdeb0576f38ce7ba80978e2129a037ee50a94ad05d675c074e4b5a9d9521285080425c0a20303d618e595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
1b1ce086d316c137c7adb7d3c0d24d77

SHA1
60dc7d08ae62e9202b4ff9e86ff30378152b4954

SHA256
80b524dedfca24d768fde5b5bef5e0af7d3a3ccbfe5d1b5ce2c8ffc4a49fbd26

SHA512
776624c554f825f5bddabb5b466f4c55d719c7682440dba3a90ad5359bebc0a8ff6b069b9765e32935178c31b6476458d418cc728b585911fe23817fdc76242d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e2da5a5aca1c80baf37ed9741fecb91f

SHA1
ad171ff98dbea0566e3e59e2a696e7cb229c865d

SHA256
f1d0c5326f590c7f58a377f7f481652cba1fb1951b75939fc14a8fa3b7e90471

SHA512
9e4c01aa4ff85e200f4259562857dd95365b09f76763d6c4b796966d44ca4e01873ef5b908cfb4ef48541e3c68e351152513f8b27a3c24d4476b89722b00d3a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
698ff6dd22f4368101b2f5794f7a18a4

SHA1
70ecbbe13ec6e225224ba66db3a8ed559f5d0411

SHA256
0eab1fd6b69900b4edf4aac8461d7a67b3741ddc478675372b81d2cd944c5a11

SHA512
17634b1dbe5e5bcb6cd22ef8f3f68d1d9e1db0628dfff0df8343726dbabfaa660ab6a7cdc33da8e415db122206cfb50cf1a1aeff32d8235d2860b624fb1ab281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3584b5c9ffd39ad3d734d6dc7b264c61

SHA1
75fef52b7653239281740cfae691f91557389616

SHA256
423ffa937ef457468dc3fdc3d46fb7de8ed49d7361c3322ce812a5969695a1cb

SHA512
939d323cddfde8ad8d41ed0d984a7df4a371047df868c9752e6699d0fd656515b28698fd33448ae2ee97e258078444e3e39b53326ccc87fdefeb1ce9caee1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99d4f63a5176cb4ebbe3774f0078f5b6

SHA1
f704e3d01c3723835b3ae8c4204550053f296f99

SHA256
c2847ae65a413457b5e39b7ca003fdbe06859c02216f78793358eb31feb4f37b

SHA512
15101820905fe17e10925ef75a2aefee0640334478c39f63b2017674f7c72f20f23016bd7133aea928842a2c4be0f84e4cf245e6e33563cb91c2cd944e5eb0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a049748e3a129a80be8497969308e956

SHA1
ec06093f17f9c5e80d0ef263855dcc1851cbaf05

SHA256
95a4eaa03c17f115441b8110f24c3d2de47a05272374115e2187e887d39d7779

SHA512
f41c1038666d4e21596dfb1db2e1b1c52a37a30483e57c19421be366a22262458a553ebffbaeecfe0ae97d014acf03a8355f04405d1ec8a33fc1223d8c8d25b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78408908961cf71c38ee7a3d16aa4058

SHA1
bdb89a3a07869af92f68411c8e173418b8ee2b61

SHA256
bbec6ee6c194b51dc917adf4024f1f3560486d77ab1117bdd7fb28c48c46c622

SHA512
acdce1e93acf699679b4ba01eeee0acfaea9bdfa4aef18b90d5d508063000a15fd5316d9af944918156d065b03da7c5eb113e421eab9003a68de6b4920945195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f2541d1738636432464a59199b00f754

SHA1
23e12e0e44d8ddf9576e88da0a520d8ede213ee0

SHA256
a252a9cbfc175d71a8f2f6061deaa9468c60f4871fa643f3dae25adfc8909b79

SHA512
bbc3c4ed08054919bbb25585be3540978a5d404bd69dac5d9bc53769706ab9058fed1aa5e48e8f2ede8c976ccb2e4ac62d8bc0f0999fa4a316b147aaff5dea52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f2d11a5df98277b105ace108a863238

SHA1
3322bfb0d320490711b8f563aa09790914742ebe

SHA256
acfd1350221cc205029d9e4878bdeaa0f809e79cf34e7ab3f0589d2e1abfaef0

SHA512
655407c91880d9799d6e4f60ce6d6a9a73abe41fdcce011b4bd9dc8e55d161c32d39ab650c53c084edd353ee88295812ecd52aa7586a8986c6698319e5f7a485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e6e09cea78a01c26b842fb76ba1fec5a

SHA1
466a447f4644d28802f75f1edafcb0257cfbce15

SHA256
39f5c2ab9ddd1bfac1ceb527bb212f7d9eb18b544204003bfd1e3cbaa5974bdb

SHA512
a71f9156ec0a5a01416963253af8a3122e38fe375404b36e779a224c9905d91e06797fd014fd689335a3c84fbaaca732e4bc8e3d7491a0c4e3b3b7a61d401ae6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
40de4f3ed987f95f2396dd679eaa7ba6

SHA1
0ab14ee0a120234fca653fff7fdf54b078715e5a

SHA256
7b2e24d6145e0f2e51f33e26837a51308940de2e8bbfb5bc946f6f0883d77197

SHA512
8c8c163b24fbfb33682a9e39c4be5689ff6771f41c3996fa31385cab50b5aa1b2fb2d8341342b965cfbe83ad63d04ee67176545a6bd26d386b00ede04ec5a53f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cfbfa2f1f57934ced6a0f3f005051733

SHA1
251ca81cf7c5375212f3eb4ec108c8cb6ada3c0c

SHA256
917cb92ccc715127650b00115fb1747f4167884d0ef59ad961cc1eae508c0fdc

SHA512
3f48e4ffcc2e9e73388de2fc25daaedf29382b1247264c384896b1ffdc65cf26255e17ac1ffb6efa7ab737c9bcdd24cba7940ff063613553c5951e8097ef3f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4c5058dc383b9e67436342c020f45e84

SHA1
11bd6d0744533f419ee9adcaf362c12282e50172

SHA256
1fcc5bce66dfdedb7b15859a16fd0da2b370d68ea197a3590c2ab7706a19c611

SHA512
27832f3388cea96873b66e9a6e7a64fe374b94b3ca9e3d2e347a73e6f724d181c1a97bffb33ab4836e4d229f475b93af78a6cf81ae6092295458b1583ed2c009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
019ae4340253552b257fd534cb722d16

SHA1
7b2f9081f3454b8afd05a50ee9f655ed552a0b65

SHA256
f05aa113d94cc906a9e0da19d8437f4701702bef7f94377bf7716b32c2149a96

SHA512
09dc5afae7103943d3823b5cbc2d82e8985ce5cb297750e15303b07231ba32afee7a542a603bfbfd61959c2addabd25039f45b2f353d0fe1e09766694f149559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a5ebcd43c50a1096cd35df9d176954db

SHA1
f442b3f8c768705ea461c8c8da94b3b45ea52e81

SHA256
a355810bdaae05c76597fd5c170a8a81c34e21b0b75cf24bc05b46c0c3627d85

SHA512
e756c406ee81afa6619233882b1515884da4f53ac0b1c742c8227a479691b13db36fa27a11d63e3a8ab51e3f5944097a7e58f08df9cf20fe5686c32533b7dd8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69b6dca167049e35874536b10006b2b4

SHA1
71b072ce2449720b6c4ae981cab10dd1df0969e3

SHA256
90235763b16ebf665bfad781a4aef5c7fb5e38ca587800862e4760c64a23ee36

SHA512
080f9205aad9baecce26e3b3125b9e3c0df8dba16ad62130a63af36099613c90dc32eb7a6119fefe4b0509683e1b9250e2805589a3964ecbac27df85ede50f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b5bd70c83d8adc5091eb7ef27ed83a3c

SHA1
d241454838a9d1f87032fde9c9f4cbec724a7742

SHA256
30308fa732cd824f73c275ccdcab971361e816a226ba3d4a366ae8844d867ea1

SHA512
0327e5d4e35cddf1db72f4c83838fc9dff970dd4eb7645f0a4c97c6e011e943d63f7fc5aca4a337d92fc7cc8b870152145e9152ca973d5d3db36fbd97bd89a27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580ab9.TMP

Filesize
872B

MD5
4211b17c52ad4fe7aa089751d42c4360

SHA1
3d02718b8faaf4ae7db93d1be5ab1a283066d40a

SHA256
66813ab5a60dd72556a6bd3b466433e22cdf02855a201270273a9dcb8ccb4b0a

SHA512
e78b1c7a7f983ae6510490f2ffb00a134580e18edc22ae367e150b041bd0e958487e961596dd4a43a28e14302f63180862f9608a058ff216c1e126761c973c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2258933f3931ec85fc69677534028e64

SHA1
52adc3ada5e518441b1e2d62a2172990e5a4aac6

SHA256
696a9106f819f245c35f38b26819cf242c0a60a1e07b5ff40d07d324fd240bcd

SHA512
86bdc8335f92ee8fefa5f936414ecdda5b8da9ffa7d89a0b1d915c3b8865db2c718d2c38eac6dbfd64df32ef835fcab7280b5ed7f024664e2a394589986e3efa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9858d1b6e5b1a82bb999fa4e74c374e0

SHA1
3578c0c8bb0a084c0b24a476764fd6bcbd1d00fd

SHA256
737aa244eb8be7cf5a46edb68d83df458c40b9ddc59dbbbc5e647601b14d6719

SHA512
375d12d1c8e9ed9d714f665b57e1491d350d2fb896b27c25d8c9a795853d47463b181471b8198869c8178df4d18d5e6b49b5cf16a98e33d4ed9db65b76ad2df2

Download Submit
C:\Users\Admin\Desktop\skibidi.exe

Filesize
45KB

MD5
d5b7b204afac18801a1ca5c59fbfd174

SHA1
d1055abbbf9087e0493e1cdaa08122681a2c53f7

SHA256
bcef8e922dbd1a1d98d5f2d0fc00cfb111267f8a8ca29bcb305f80204024a187

SHA512
3eeba46b5914b084f58823f5f24d90406a7398f4873b01886015a3b06f2cca428c142e65a98cb5e875cf971460cbefae42106e6c2ab575229cba4351b9717200

Download Submit
C:\Users\Admin\Downloads\Release.zip

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
memory/4568-299-0x0000000008930000-0x000000000894A000-memory.dmp

Filesize
104KB

Download
memory/4568-254-0x0000000005E50000-0x00000000063F4000-memory.dmp

Filesize
5.6MB

Download
memory/4568-255-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/4568-253-0x0000000000BF0000-0x0000000000DF2000-memory.dmp

Filesize
2.0MB

Download
memory/4568-256-0x0000000005820000-0x000000000582A000-memory.dmp

Filesize
40KB

Download
memory/4568-257-0x0000000005B70000-0x0000000005B84000-memory.dmp

Filesize
80KB

Download
memory/4568-259-0x00000000082F0000-0x0000000008302000-memory.dmp

Filesize
72KB

Download
memory/4568-298-0x00000000087E0000-0x0000000008904000-memory.dmp

Filesize
1.1MB

Download
memory/4568-258-0x00000000082D0000-0x00000000082EA000-memory.dmp

Filesize
104KB

Download
memory/4568-272-0x0000000008420000-0x0000000008774000-memory.dmp

Filesize
3.3MB

Download
memory/4568-271-0x0000000008340000-0x00000000083F2000-memory.dmp

Filesize
712KB

Download
memory/4568-260-0x000000000A1F0000-0x000000000A212000-memory.dmp

Filesize
136KB

Download
memory/4852-309-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download