xenorat | hxxps://github[.]com/topics/remote-access-trojan

Analysis

max time kernel
120s
max time network
122s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-12-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/topics/remote-access-trojan

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
4444
startup_name
kokot

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001f00000002aadd-360.dat	family_xenorat
behavioral1/memory/1608-362-0x0000000000480000-0x0000000000492000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 2 IoCs

pid	Process
1608	lmao.exe
2296	lmao.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133789174411508111"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 03000000000000000200000001000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000761c76aeaf18db01a8c763a58b50db01a8c763a58b50db0114000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7e003100000000009159406f11004465736b746f7000680009000400efbe4759d35e9159416f2e000000365702000000010000000000000000003e0000000000202787004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000004759cd64100041646d696e003c0009000400efbe4759d35e9159286f2e0000002c570200000001000000000000000000000000000000610ef100410064006d0069006e00000014000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\NodeSlot = "4"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	xeno rat server.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4364	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe
Token: SeShutdownPrivilege	2656	chrome.exe
Token: SeCreatePagefilePrivilege	2656	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe
2656	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4364	xeno rat server.exe
4364	xeno rat server.exe
4364	xeno rat server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 4516	2656	chrome.exe	79
PID 2656 wrote to memory of 4516	2656	chrome.exe	79
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 1016	2656	chrome.exe	80
PID 2656 wrote to memory of 3608	2656	chrome.exe	81
PID 2656 wrote to memory of 3608	2656	chrome.exe	81
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82
PID 2656 wrote to memory of 1848	2656	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/topics/remote-access-trojan
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca2cecc40,0x7ffca2cecc4c,0x7ffca2cecc58
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4076,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4404,i,8520191984717189375,652741264541548893,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:1788

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3340

C:\Users\Admin\Desktop\xeno rat server.exe
"C:\Users\Admin\Desktop\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:3172

C:\Users\Admin\Desktop\lmao.exe
"C:\Users\Admin\Desktop\lmao.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608
- C:\Users\Admin\AppData\Local\Temp\XenoManager\lmao.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\lmao.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2296
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "kokot" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD934.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2760

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2948

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConvertFromMount.docx" /o ""
1⤵
PID:1660

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConvertFromMount.docx" /o ""
1⤵
PID:1728

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ConvertFromMount.docx" /o ""
1⤵
PID:5552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5e7a50d8-b856-4f70-b713-50afce2ad491.tmp

Filesize
10KB

MD5
9e0f125deb9d6aa648b4e495603d851a

SHA1
5444aaa71f6f89232814bdf5b31dfbfd1254ff4c

SHA256
9b4fa9029ee9b232a5568283d9f68fc9f3683f390296ab90541c6a2c00bc6002

SHA512
c7388a04e8ac8fa4e4b59204adbb3332593cf57d5b045a57001f040aee291444ba24b0d565425ad922e68ab2d865b2bd0a6ff9fa83109ed45d5f287fd4f5f98a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
405187bee9097205214b39f0f4bce0b7

SHA1
1375f6e80cee2ad8b6a30e7989182355432e8506

SHA256
222a11ddcdfd09a291310da08307f2f8f0a598704d06957adefaea006c109819

SHA512
5b7ff342e050a6ba545cf6cd8b5960ac015c3071821057f3c16651b213e6c4ddba0e0c3081e0bd19849f8be1bf82e3800dba580629eb07011ac59bb91a9cd564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9f990f5a03d466bfce07500784aca506

SHA1
8b6acdba73eb7b145dcf047a6aa4e2802d63d4d2

SHA256
40e85fa2f555af6590a1048671d01ee45ee90477d8abe5d344a95c93aee20d2f

SHA512
80a84caf130ac06e4809626d4ebe7b82578c8b12998a25076258bc633ea9de3257d8087c3258447950536c9e5a00327bf64955eac16abf9d60ae8f1f0cbc920f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2f83fd7d-7f6b-429c-9626-e2977831de17.tmp

Filesize
2KB

MD5
228fa38c1d78077602012d5f3c633a16

SHA1
7b079628a15f8134b240bef073cbf7d5526a81b1

SHA256
c2bc934f0be76f8ab5327733def86497ad4ed137b139c82d4e60f9ba349b47ce

SHA512
d8a4330ba06b44a7f4c9ff934ed532f4d836b6b462e21371915ced6e5d9b9e327d2fb3be2b0ca725b3996d8b2c50eadc3dff0e1c4314da704031c3580f77446c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f8e7399d41c8b6e233ee27bd80d3394c

SHA1
455525b2b5e6853dc25459dbbd93c230444cd96a

SHA256
9ac44871c5c1302c9d71a2f76ce9c7547a0a944f67aca1fc3f462c70dd6a2797

SHA512
4e9e709c9a72c8c2ab0ce9d653c7e6158c34c81880fad05ac42ec5e6a8855ca8e7f05404d450104789747b07309ab4c5fd06379cd5c6cfe8ab19b699f6ec92b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
39b99ba1b2293585f4233864acccff52

SHA1
9226101f4712d55fe24319444f57d6458f7b0fc7

SHA256
058201d7491d2b8d935866b2390c87c738d05fa1ca6d3d412c2a1e9f09dadc83

SHA512
6103be193f18882d36fafc5373cd93596fb2463c7b7b1be8bf7c5c5f7b987790c5e9b7539c73cf47ceb13b73e1def99d42938f161d012636b2dae715efc09831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7d596d7e2d7190c33cf85ce2b125243b

SHA1
685964025dac04d07e1df796e3f63882d9f81cf0

SHA256
a3057e2f1d3d6cb9b30ce0051704fffa53506c346c03ec0a60a50c8162e5dcc0

SHA512
7791ebed4c0a3fc16df6ba3a19a8f06b65c1930d4765a794dd7e90d553416b2f516b2fece0aa9d279e04c6f67c84866d2da3b37346e3f2d5aaf122e32036b959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0378d0cbe7e5aa497bf5a1cf1941654a

SHA1
97026adf070f12edf6f3a136ea27ba4037e407b3

SHA256
a40b36b92985f4ff3c72e883c036922333115f6516dfbb11d8b7779d39bc1ce7

SHA512
f9b0939273e38992907cd87337454592f164b9707326582855c0260778f13d09a86e274ac27651dc7595638b298ebb73557ea6eaacc5ef2ace17fa3aa5926101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f2132e73c260d8c4525087b273f1cd8

SHA1
ba5478c9407af982ced66516f796be43796e792d

SHA256
fc5ed12dfc257370671e30f96197f3e408c2b7c92bc5321b80af9fbb57df8f40

SHA512
1090cf1c5beb620f80c322f6d5727040f805c8ec6b8165d2fc1baa9195b19a3ea1f6d58108a5a46b5e010a92d61c0fd8f4325a86c3bbd63658359f82af9ab3ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4e2819054b0b7f5579d3c779ac4f08be

SHA1
c738b34ffb052ec4aa26c14b71396d4425e4aed8

SHA256
2eefb7403eac3358757fcfdc5b772c4161f35d7c38446999feb6292b21b59436

SHA512
c67ccee122e55f15452754ab9eefdcafa40cf42ee48da89345442ffc26dfa5d9031ba43fb34dd46665d9e3ee9cc2a4ec42d5c745005b5b60fed3328e193b6f08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
94943d4fd91b0a6a901c4131c3760a32

SHA1
89944950c69167fe42f9a24de639362fa475ddaf

SHA256
c1d5f334a1aec90bc9ef41e7f2ea775362d2560e98e33980a7aaed3f3598d1e0

SHA512
5cb624a47690cbd8e92a1362c0ff2e6ef7303fea96f96d8624fe74deabc55f9d42a6a87c55e123b2faf448d583286d1ae0c73a69768549e98fb4c494a055c96a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a6cb62c5f720e13ee2b7d73b447f7899

SHA1
4d03f8c77d0314060c62407d52659b43a9d9c21c

SHA256
253d9df25d3abebcd74b7126b8d6e04132e959db650fbf8408023bfe1a4f92ce

SHA512
3ac2c6bbd54ec1bd8d9e68a06367eccee6770e55cc6d61d5c2c64a9f96391321203733e10fcd6993b2f8e61410dff2567bc8c2eba30ba2d46d5bf8b1c55042d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
613d6c01acef1452d440908f42d68c81

SHA1
3210e1fafdd884a2280321b6700bf584691dc811

SHA256
82d875ffbf7c88636b73e45f28f7832e31553a8519f2ce705470eb6cb17098a6

SHA512
44d84677584c61b429acc9932d5b00530cf679321512555e69abb9035993fcf4429cf2cb81674df3801806c580f02da9a5a645af0a8fe33710bfc610b48ca82e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
4867d23a65cc7e739666003770e5ce2f

SHA1
52f29ebe3b4ea3fde2e2af5dda6337deaa9fb4fe

SHA256
18017728f91508b719c46d48b14127d2c07156e5c455859d2ba907ffb160710d

SHA512
43445f88c475242d51c3e1b4a696e7fd96907149a8565fe0f4600eea038c8acdd528fe49580b4dc4944a18ab69be94ce35f174c670ffa220ccda249150193e7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
83f4d239214c5241d41708b38a6464c2

SHA1
d3a7bfb283cd80bdcfdaf41119f9a7bc53032f36

SHA256
0142d0475beb2fe39e0925287706c7c42f35d5256310ac38608a2415ea0bd676

SHA512
e3615f0355f1de392b3711e5edd9fb8053212fa7db56acb28f32d21048e2b8d9e27d6ed9f17e2b2a08da72ae9f47b38695e37276b38288834b55e1d0d026ea1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lmao.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\2625305a-0835-495c-8d9c-8a440949f205.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD934.tmp

Filesize
1KB

MD5
6b4ac005091391e67cfd495944ac890b

SHA1
19b0ec68b6300459f7733e530bf7aad994aa523a

SHA256
eddf3395c96c450abc64741308b66a67d22fb1360901ef5c14ece3c1c3162e13

SHA512
b1c866b3cf5c1755974837631edfa076487760619ed5d704e3d65d90ba2e56424b1b6a2f77e364b7fabe1bf2fca566434338d61eff4109fa8fd14528bd4b3829

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
398B

MD5
ddeff36e77af0963e78bf6645325bdee

SHA1
79d991350ab08537ba0f53f795bbcb68bcc0125b

SHA256
692921614fe4a34ea61155ebfb49b0b1aeb6919c0b91acc670d702f8289b5f72

SHA512
98ecbe0368d553a9433c88743d1d121d83898cdd81145745496287c01fd73d46056f2ed26fcc59632f980ed5e16ee97ef11264452222693dee0188ab337fcd2b

Download Submit
C:\Users\Admin\Desktop\lmao.exe

Filesize
45KB

MD5
8f8347adee256176de694e5b3aa8da68

SHA1
0b9acb5b843a2905c3559c79f2b3be22fc8dccbe

SHA256
ee393c9f627d6d86b70c0758acc519e0300308690b6a8fa9a8df53a89beaeb12

SHA512
edce398a4c5d9812e57300536e6ed571ed018b9aa6f236f1a7203e087d06a65dd4837c873d000883561ed8aa587acaf67a8358d8fdfabfdc98390ddeda71efc6

Download Submit
C:\Users\Admin\Downloads\Release.zip.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Release.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1608-362-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1660-418-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1660-419-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1660-420-0x00007FFC70580000-0x00007FFC70590000-memory.dmp

Filesize
64KB

Download
memory/1660-421-0x00007FFC70580000-0x00007FFC70590000-memory.dmp

Filesize
64KB

Download
memory/1660-417-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1660-416-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1660-415-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1728-444-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1728-443-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1728-442-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/1728-441-0x00007FFC728B0000-0x00007FFC728C0000-memory.dmp

Filesize
64KB

Download
memory/4364-293-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/4364-338-0x0000000009630000-0x000000000964A000-memory.dmp

Filesize
104KB

Download
memory/4364-337-0x0000000009D30000-0x0000000009E54000-memory.dmp

Filesize
1.1MB

Download
memory/4364-324-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/4364-322-0x0000000008420000-0x0000000008777000-memory.dmp

Filesize
3.3MB

Download
memory/4364-321-0x0000000007E50000-0x0000000007F02000-memory.dmp

Filesize
712KB

Download
memory/4364-320-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/4364-319-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/4364-309-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/4364-299-0x0000000009D00000-0x0000000009D22000-memory.dmp

Filesize
136KB

Download
memory/4364-298-0x0000000007E00000-0x0000000007E12000-memory.dmp

Filesize
72KB

Download
memory/4364-297-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/4364-296-0x0000000007C10000-0x0000000007C24000-memory.dmp

Filesize
80KB

Download
memory/4364-295-0x00000000748E0000-0x0000000075091000-memory.dmp

Filesize
7.7MB

Download
memory/4364-294-0x00000000053D0000-0x00000000053DA000-memory.dmp

Filesize
40KB

Download
memory/4364-292-0x0000000005A60000-0x0000000006006000-memory.dmp

Filesize
5.6MB

Download
memory/4364-291-0x0000000000700000-0x0000000000902000-memory.dmp

Filesize
2.0MB

Download
memory/4364-290-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download