e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

Analysis

max time kernel
599s
max time network
450s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-it
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-itlocale:it-itos:windows10-ltsc 2021-x64systemwindows
submitted
09-12-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release.zip
Size

6.4MB
MD5

89661a9ff6de529497fec56a112bf75e
SHA1

2dd31a19489f4d7c562b647f69117e31b894b5c3
SHA256

e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
SHA512

33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f
SSDEEP

196608:SYNI1S7C6S230UwVLW83FUSA7WQZzwM3/C2cM7m2:rNIs7CDvB1USA7WS/vcx2

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4064	xeno rat server.exe
4460	xeno rat server.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4060	ipconfig.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133782424800496335"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Pictures"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000005759a0761100557365727300640009000400efbe874f7748895907932e000000fd0100000000010000000000000000003a00000000008a77370055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "2"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000009bd8c5405b25db018fdb11776f25db01ef3d14776f25db0114000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3312	7zFM.exe
3312	7zFM.exe
1612	chrome.exe
1612	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3312	7zFM.exe
4460	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3312	7zFM.exe
Token: 35	3312	7zFM.exe
Token: SeSecurityPrivilege	3312	7zFM.exe
Token: SeDebugPrivilege	4064	xeno rat server.exe
Token: SeSecurityPrivilege	3312	7zFM.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe
Token: SeCreatePagefilePrivilege	1612	chrome.exe
Token: SeShutdownPrivilege	1612	chrome.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
3312	7zFM.exe
3312	7zFM.exe
3312	7zFM.exe
4460	xeno rat server.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe
1612	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4460	xeno rat server.exe
4460	xeno rat server.exe
4460	xeno rat server.exe
4460	xeno rat server.exe
4460	xeno rat server.exe
4460	xeno rat server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 4064	3312	7zFM.exe	82
PID 3312 wrote to memory of 4064	3312	7zFM.exe	82
PID 3312 wrote to memory of 4064	3312	7zFM.exe	82
PID 3312 wrote to memory of 4460	3312	7zFM.exe	87
PID 3312 wrote to memory of 4460	3312	7zFM.exe	87
PID 3312 wrote to memory of 4460	3312	7zFM.exe	87
PID 3212 wrote to memory of 4060	3212	cmd.exe	100
PID 3212 wrote to memory of 4060	3212	cmd.exe	100
PID 1612 wrote to memory of 3496	1612	chrome.exe	102
PID 1612 wrote to memory of 3496	1612	chrome.exe	102
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2168	1612	chrome.exe	103
PID 1612 wrote to memory of 2996	1612	chrome.exe	104
PID 1612 wrote to memory of 2996	1612	chrome.exe	104
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105
PID 1612 wrote to memory of 948	1612	chrome.exe	105

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Release.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\7zO0FCDB747\xeno rat server.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0FCDB747\xeno rat server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4064
- C:\Users\Admin\AppData\Local\Temp\7zO0FCC30B7\xeno rat server.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0FCC30B7\xeno rat server.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4460

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9c6dbcc40,0x7ff9c6dbcc4c,0x7ff9c6dbcc58
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1652,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1640 /prefetch:3
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3720,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5352,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5548,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5560 /prefetch:2
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4804,i,4113364226685856204,12835408182685843173,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1288

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c94b8c367be8585a0ad41d818fab6a10

SHA1
dfe3797058c0a239744fb9882a97e02ab7edb824

SHA256
a47fcc692d9d092b937a0577a5a1f2e425d7a6136a5fd3a02923b1d9dbf3525d

SHA512
37085202367d6599c02fecae5a33c0a0c639ba92592147754d14855608112bac51bafa9acf39f4a193a1c331df12d6b7e76c42fe59fbd1ca089a5f5d153a86c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
754581a50ffec52d7037531354308494

SHA1
8a080ab156b831ea264c466411baceb0b536af4d

SHA256
60ee66788107d656429a551602ed60523d3b01f502659b431cb7fb16c3ab8d4b

SHA512
733a198571c31e03a55c9d367a9f7b2e5cd3432f35ad1b82cd26e753abe807c33fc4d7bc851f4ccf977f17717c9b4bc1ba571a073d245d3c64c2824ad1440967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
19e48606d951ae11c56c88f9f98bca7e

SHA1
62df91bb5af2677121b9d09853b6ae6c95c6c25b

SHA256
86a9a4f86d302fcfad564b56b19c747d36d845367cf0866b8e4e482cb3c37159

SHA512
2185e7aaa8adf3f398a5b5b2f074b59616d6a5e56ee3efb23b718414ba53b67c87c1e78ae228072ab27504dfe6c1180d2659dad4ffb9bc858e9207e4bb7d620e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
b1778788b3b0d59f04adeaebb8faa162

SHA1
7a1d5a8a606eda0287b96a49fdb2bb211592fa1d

SHA256
d060083b8ce10e6af74776fa2b9fd87061df724916c93d942f14d28fb9d39e2d

SHA512
7fd4191551787a04a3eddff44f41b833d56dbf28ec0ce29ac5dc63d323024ef757e3851d82091a924a3771ba9a0d43ef105d310cded1a56a569727a563de735d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
31056a18b993ac0b1cf8c7774d13ec20

SHA1
59aa63a02f8e6973d868ab8a4e21df07a8a11a43

SHA256
c41ef5544e9dd52fc9460631fbfcd672f9af0d250787dfba2772a0935f6aa7a3

SHA512
cb25b8c1f08a00094875862f9917674e489ba14b5c2db22af1b7a49914040a2381358e53a1c30810fcd4757412bdbcac69f3e82b8283bafa0126f174ce9144f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
607d97727ab2ce02824d85d6c303a337

SHA1
dfcd49b0dc50ae799eee5bd91c16bc71f06c4440

SHA256
6da1459de398bdfff51c0b965b97463f5d362e216ec55ac7f4f97cddeb0ca2e1

SHA512
01faa130cc17e41a4f5741eaf9b01561556fd3329708d26973bce05103016203b60cad933aecbf0c51de51dc3111491efc90e22b637f74a9f10d91e044127dd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
55f346c62bb993a5c94a4f137f38b22e

SHA1
a7591b63ad64b322e8b5170bc46c7df79470af5c

SHA256
adfef48f8912a9f9196b6d8eec8d469025e73af3608ca8862b30f1e2e9cf5035

SHA512
3e60cdd0dbcf60ef0bfb4da52a56d3e9dda432c69a5523c2d5b8c9c3b6d6878c1396f7d72d18d870bd757bdf657c814095c5fcc03ddb9c27311b1e65aec9a173

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13511d543530029e6d61f2f1eff45b71

SHA1
da22c44d50b5729c94646c4d4dcf84c406b95803

SHA256
d68af548dc7865836e0cf565b2a500ada7a714c7801ab43cbda79f90c8152448

SHA512
4d72c28d680fe30747a7b8061efc87228b181f2bde93e8a3409f7579245d790f888e62991199798d6f6d5fb628414d8bb27f36daabdc2956c73e1dfbf8f1479e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf6774573bd05a624bab19f282711cb4

SHA1
097c18e8687370d6b4cfb9f63b0f2cc9226829df

SHA256
b87b2c0d4ec9b7d2102e22c86c96efab86cd4eff3579f7262c601b5e39c74991

SHA512
a641ecbfc083677d402a6aa75112354bf8e994f197d3a58c1d10a968d04cd4aa204e9f5c6cd4fa71ec929abd7ca1d87b3be9d00b0a2b3e1986545d68569eaaa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7f17022b1cd5f7cc20230a9ff77c17b

SHA1
a4a89dc452f074125160ed610dbebdfaf1e033d3

SHA256
02872245f30d2c8a77e7c4b03e0de3a275f0e4668da54602573bdcfb4c50640a

SHA512
4d56b2c39c4b24c20a0f61197cef6537077e0452f2c8f963266e7c5bffde333591041c2e7f3b1ca769d30033ef7c9394acc8f12a624af0519ad55b40071baa6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4de94745003580526271d83e1dd9b585

SHA1
0a78b7986f7745ce1415ed728836b7e5a80f5476

SHA256
31941dbd72766a615b5e92e6b462b2507feaa2020b8faec3b80b18e024c07e1d

SHA512
3b66b09daa34b400c5b1f25f8f10fcddfbaab4d2c783eb688afe369d51757a6f95ccc785122fa997e4d84196471d09808d24882a008d14534459485c36a0c3dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
239c1fee6a6a43af58162a78cc084c01

SHA1
2ad8b9f29b12e5068b5f58129391bfc660b04b29

SHA256
9f2cdb22b22335d4fcecff5e7dc028fe182cd5570c3708df5f45786a80902a24

SHA512
87cb55f9fe31732a7c2d115407be1dfc14a970fac0ee2dc0c4a5bd58686ba465597e5da0a78520cf53a7753cf1ff6c157d07b7ecef54fdb1a4c89e57606a024f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
830d323e1c75a3be8e1498391878599a

SHA1
e4fb2aa0e27a29654a0e5b7fca649f563e803960

SHA256
b33fb675d132b99a544fa7b8824f26af67a090f059eeefdb9ada9f5bba909b25

SHA512
9e62a5723a5c9c4cafba14699b7e370b8bccb021cd6ba0ee0b1dc57ebfdf27c6bfd9dc6e817b96b0480ad5c8828424386d0ce202cc1d36c671d36875601d4bf5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
448899d4b832a87564797bf97d5fb659

SHA1
ccf9600401162865c52cf76818548331b817e307

SHA256
0a7be054b20cbddb236549c0500f7f0c3930ffc2c864405b863a06c374cf6b47

SHA512
df641b58f0253ce3c8754b7d2dc1089bddbc59946f1a5908b716b6fbd07ef1c436a4b77f52aa67ee031624c964be072e92869c2db186ba8748403fada234fed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
fc7db43fdf79ef78245736798f38e517

SHA1
ca966bd611ef8d57ae30fbc7d135a36aa435a6c9

SHA256
be75185122832466748b20887484bbadf516475a9a6e9e395dd7e4de64f3cfa6

SHA512
5833b521bc0eef77fdbed0edad2cff94407c1431be011d631418a8b87f9e991c5cada3abd8e55e7216a014b8f554695a78ff895f5afcbecb8bbf825e9a7a0911

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
e37427f8979fec48a7df98298da45342

SHA1
7b3982d761c1d909d4ff9f7ef8ff0ac410fe9472

SHA256
cfee36affa4bb9fb1030ab2d4e9e87c9b87744027400a7a9c33c309b95623860

SHA512
e1039142c677589b595ab87e4cdba62da3221c3c78e97d4ca9aa2111f47a2084bdec0883488524f628699eff3b511f1f0cb7c82ac9b532003c4de76d542f9f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0FCDB747\xeno rat server.exe

Filesize
2.0MB

MD5
3987ee127f2a2cf8a29573d4e111a8e8

SHA1
fc253131e832297967f93190217f0ce403e38cb0

SHA256
3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4

SHA512
69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1612_925751569\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/4064-19-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/4064-20-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/4064-25-0x0000000008AE0000-0x0000000008C6C000-memory.dmp

Filesize
1.5MB

Download
memory/4064-27-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/4064-24-0x0000000008840000-0x0000000008942000-memory.dmp

Filesize
1.0MB

Download
memory/4064-22-0x0000000008340000-0x000000000835A000-memory.dmp

Filesize
104KB

Download
memory/4064-23-0x0000000008360000-0x0000000008372000-memory.dmp

Filesize
72KB

Download
memory/4064-15-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/4064-21-0x0000000008130000-0x0000000008144000-memory.dmp

Filesize
80KB

Download
memory/4064-26-0x0000000074580000-0x0000000074D31000-memory.dmp

Filesize
7.7MB

Download
memory/4064-16-0x0000000000340000-0x0000000000542000-memory.dmp

Filesize
2.0MB

Download
memory/4064-17-0x00000000054A0000-0x0000000005A46000-memory.dmp

Filesize
5.6MB

Download
memory/4064-18-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/4460-45-0x0000000009890000-0x0000000009BE7000-memory.dmp

Filesize
3.3MB

Download
memory/4460-44-0x0000000009860000-0x0000000009882000-memory.dmp

Filesize
136KB

Download
memory/4460-48-0x000000000A0F0000-0x000000000A10A000-memory.dmp

Filesize
104KB

Download
memory/4460-43-0x0000000009780000-0x0000000009832000-memory.dmp

Filesize
712KB

Download
memory/4460-47-0x00000000095E0000-0x0000000009704000-memory.dmp

Filesize
1.1MB

Download