xenorat | hxxps://github[.]com/moom825/xeno-rat

Analysis

max time kernel
432s
max time network
449s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2024 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat

Score

10^/10

xenorat defense_evasion discovery privilege_escalation rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

Detect XenoRat Payload 10 IoCs

resource	yara_rule
behavioral1/files/0x0004000000000687-303.dat	family_xenorat
behavioral1/memory/5668-305-0x0000000000810000-0x0000000000822000-memory.dmp	family_xenorat
behavioral1/memory/5668-317-0x0000000005B10000-0x0000000005B1C000-memory.dmp	family_xenorat
behavioral1/memory/5156-320-0x00000000062D0000-0x00000000062DA000-memory.dmp	family_xenorat
behavioral1/memory/5668-327-0x0000000005F50000-0x0000000005F5A000-memory.dmp	family_xenorat
behavioral1/memory/5668-337-0x0000000001110000-0x000000000111A000-memory.dmp	family_xenorat
behavioral1/memory/3408-338-0x0000000000A40000-0x0000000000AC2000-memory.dmp	family_xenorat
behavioral1/memory/3408-341-0x00000000057C0000-0x00000000057CA000-memory.dmp	family_xenorat
behavioral1/memory/5668-345-0x0000000000F00000-0x0000000000F0C000-memory.dmp	family_xenorat
behavioral1/memory/5668-346-0x0000000000F90000-0x0000000000FA2000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 4 IoCs

pid	Process
5668	hello people.exe
5156	hello people.exe
3408	hello people.exe
4428	hello people.exe

Abuse Elevation Control Mechanism: Bypass User Account Control 1 TTPs 1 IoCs

UAC Bypass Attempt via SilentCleanup Task.

defense_evasion privilege_escalation

Bypass User Account Control

T1548.002

pid	Process
4692	SCHTASKS.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	hello people.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hello people.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hello people.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hello people.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hello people.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 7e003100000000004759e16411004465736b746f7000680009000400efbe4759495e945921602e000000335702000000010000000000000000003e0000000000b63a54004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	hello people.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell\Open\command\ = "\"C:\\Users\\Admin\\Downloads\\hello people.exe\""	hello people.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell	hello people.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000004759495e1100557365727300640009000400efbec5522d60945920602e0000006c0500000000010000000000000000003a0000000000f644520055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell\Open\command	hello people.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings	hello people.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "2"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell\Open	hello people.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 500031000000000047598665100041646d696e003c0009000400efbe4759495e945920602e0000002957020000000100000000000000000000000000000078aa9300410064006d0069006e00000014000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell\Open	hello people.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell\Open\command	hello people.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings	hello people.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "3"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	xeno rat server.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\ms-settings\Shell	hello people.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	xeno rat server.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5968	msedge.exe
5968	msedge.exe
5256	msedge.exe
5256	msedge.exe
4256	identity_helper.exe
4256	identity_helper.exe
5812	msedge.exe
5812	msedge.exe
640	msedge.exe
640	msedge.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5156	hello people.exe
5156	hello people.exe
5156	hello people.exe
5156	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5156	hello people.exe
5156	hello people.exe
5156	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5156	hello people.exe
5156	hello people.exe
5156	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5156	hello people.exe
5156	hello people.exe
5156	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5156	hello people.exe
5156	hello people.exe
5156	hello people.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe
5156	hello people.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4724	xeno rat server.exe
5668	hello people.exe
5156	hello people.exe
3408	hello people.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	5668	hello people.exe
Token: SeDebugPrivilege	5156	hello people.exe
Token: SeDebugPrivilege	3408	hello people.exe
Token: 33	2880	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2880	AUDIODG.EXE
Token: SeDebugPrivilege	4428	hello people.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe
Token: SeShutdownPrivilege	4696	chrome.exe
Token: SeCreatePagefilePrivilege	4696	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
4696	chrome.exe
4696	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe
5256	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4724	xeno rat server.exe
5668	hello people.exe
5668	hello people.exe
5668	hello people.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5256 wrote to memory of 5408	5256	msedge.exe	77
PID 5256 wrote to memory of 5408	5256	msedge.exe	77
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5632	5256	msedge.exe	78
PID 5256 wrote to memory of 5968	5256	msedge.exe	79
PID 5256 wrote to memory of 5968	5256	msedge.exe	79
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80
PID 5256 wrote to memory of 5852	5256	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd34fa3cb8,0x7ffd34fa3cc8,0x7ffd34fa3cd8
  2⤵
  PID:5408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,17173106543810986303,17933371077935361715,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5912

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Users\Admin\Downloads\hello people.exe
"C:\Users\Admin\Downloads\hello people.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5668
- C:\Users\Admin\Downloads\hello people.exe
  "C:\Users\Admin\Downloads\hello people.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5156
- - C:\Windows\SysWOW64\SCHTASKS.exe
    "SCHTASKS.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
    3⤵
    - Abuse Elevation Control Mechanism: Bypass User Account Control
    - System Location Discovery: System Language Discovery
    PID:4692
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\windows\temp\mb0pzk5g.inf
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c start "" "%windir%\system32\fodhelper.exe"
  2⤵
  PID:3044
- - C:\Windows\system32\fodhelper.exe
    "C:\Windows\system32\fodhelper.exe"
    3⤵
    PID:964
  - - C:\Users\Admin\Downloads\hello people.exe
      "C:\Users\Admin\Downloads\hello people.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\ChromeAutomationData
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4696
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\ChromeAutomationData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ChromeAutomationData\Crashpad --metrics-dir=C:\ChromeAutomationData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd22a1cc40,0x7ffd22a1cc4c,0x7ffd22a1cc58
    3⤵
    PID:4692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1920,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:2492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=1884,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:3
    3⤵
    PID:964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=1992,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=2012 /prefetch:8
    3⤵
    PID:4112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2804,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=2812 /prefetch:1
    3⤵
    PID:1624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2828,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=2840 /prefetch:1
    3⤵
    PID:452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3424,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:2
    3⤵
    PID:6092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=2788,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=3696 /prefetch:2
    3⤵
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4068,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:1
    3⤵
    PID:5628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=4136,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=3168 /prefetch:8
    3⤵
    PID:4252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=4428,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=2940 /prefetch:8
    3⤵
    PID:4672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4944,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=4976 /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4996,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:1
    3⤵
    PID:4444
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    3⤵
    PID:1784
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6ec974698,0x7ff6ec9746a4,0x7ff6ec9746b0
      4⤵
      PID:1188
  - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\initial_preferences" --create-shortcuts=1 --install-level=0
      4⤵
      PID:4092
    - - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff6ec974698,0x7ff6ec9746a4,0x7ff6ec9746b0
        5⤵
        
        PID:3032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5068,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:4864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=5204,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:4768
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5236,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:1
    3⤵
    PID:5296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5064,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:2184
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5216,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:5452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5380,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:1
    3⤵
    PID:556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=5328,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:8
    3⤵
    PID:6016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=5248,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
    3⤵
    PID:3372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\ChromeAutomationData" --no-appcompat-clear --field-trial-handle=5372,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
    3⤵
    PID:5960
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\ChromeAutomationData" --extension-process --no-appcompat-clear --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4916,i,16781739059084580459,1351951146919197924,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:2
    3⤵
    PID:4916

C:\Users\Admin\Downloads\hello people.exe
"C:\Users\Admin\Downloads\hello people.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1028

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
PID:4712

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChromeAutomationData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\ChromeAutomationData\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\ChromeAutomationData\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\ChromeAutomationData\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\ChromeAutomationData\Default\Preferences

Filesize
7KB

MD5
92d66cb03229d34ac81124e4e989726a

SHA1
16564dae45ae7f91e87333f5127e26abe86621be

SHA256
9f5ffcb1ec6844b0c77db9d346a40928ceb303500a2b5f0169a6cd9da51c34a0

SHA512
9eb2d3837237b173ff03406eea197dea9e642ea1559211f19c943d5820f8e326d3f417cb7a76be9f882ec1f376140e8b7ea609c518c1eb12e3e3a84907b89058

Download Submit
C:\ChromeAutomationData\Default\Preferences~RFe5e7722.TMP

Filesize
1KB

MD5
5b1f01a7369202c13e85968d18a141f5

SHA1
70a788912c8456ac631fb6f5071083320cfcf56a

SHA256
15400d2037e246ec2b316b2b5f90a46c03047fa1bd42e2c64313cff08eb17ae6

SHA512
beab72a4eada76a5726d2ed971f639a14b5a11c0d669a127e731e8656a87cd971dad3146091693b8da659458d94d9e992dc4b1fc313a0af76e7726ce36229481

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png

Filesize
1KB

MD5
40c4ea664da063cccf37a00d0dea5f88

SHA1
f524c4c8544d5e8b7d5a29ba74fbe865c0fa303b

SHA256
91289705a496311822aa52d067f2a029025293f1c22779f3a8bc483e211ce1d8

SHA512
bbe182958560fa196423bc1b50575b078e4a3b2b170427074442a42a3f21ae7d91d3115e75f38335c778070142d2d1bc929bfa22bf0fb2ae644c0478f6d58d51

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png

Filesize
2KB

MD5
9e1a6c45e7a5b26e6dfcb060fe4ec411

SHA1
8895839baaf4a6ce1189fd8c5572c3c8298ddcc0

SHA256
102aeb88e02ce1cd5c91ce4ab3c5880be33b6a440ee7f24c9e38741e79b46273

SHA512
323180dbdb0ebed3f398d5e7233f681ec85bd0815ef463d8351e17e99ee6f9f47badc9bdd9ab197249fe85e2c0d2457760f7bb7550c9c55110f333d13bfbe8fb

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png

Filesize
3KB

MD5
65e00211feede352e87ff869cd3d1b1e

SHA1
2ede8e165651f24a165f31bd2b4591d124d5fdde

SHA256
dc78a4be5b92c40c32dbbd4bcc3c65057105db062c088fadcf835a5e161095a1

SHA512
1fec808d0591868de3e27863e095ded619cfb825239eb05aab61f9ddb09bca28534e5a1a6f0d39a47affb7a3371d07cca9701b8dabcd297ff2fd116c9123fe61

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png

Filesize
1024B

MD5
ca6289a7d8f9ecc17f8de717faf1af27

SHA1
4ccf3c6a9291f0a8a3090c22aca6f1872c860073

SHA256
3d7283090cf1a87baae4032266e4d144f7ec2ea465e7b2bf02728aa394c678f0

SHA512
100fb108d3eb74eea016af82a5a6758f22173b3d9a60c5237e9a570aa14549397b224d9d4234661855ffec47930a33536d05c0eb56ac61c551184fa89b18697c

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png

Filesize
1KB

MD5
06c47df56a44e6ec6ed68a0c1b13fcf1

SHA1
d081069ab4c69925e2c5a8e7bb9a683f620dadb2

SHA256
6e21221baad8ccd2b71542f9d3194dc5868c0f424fea640cd4915fbdb32f4804

SHA512
e23731119c43850604eaa83c7fc17cff43681890ba3e144cc0b97cc8b33dc3f90a5370c7ae599c5469e33fcffed6492308451a0f3699bca51df665a70329a569

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png

Filesize
1KB

MD5
fa9b6bd6c167dc772018d4105b7f3afd

SHA1
5a8b1a8bec14f864d559667c79683735508a8036

SHA256
2a8f1a1cfac4fbe96a6cb69e9e621201875cc45b2e60bc75b08ea193c759e346

SHA512
db8b36ed049e357346a6c249dacf54a78bf7395ab8a3c8f8d2aa8d575193f59959cddfc7e1ec18b32a029aa1cfd42ffe30149d74de56d88baa0583a6c00d9a9f

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png

Filesize
1KB

MD5
cfd1c4fa219ea739c219d4fb8c9ccf8d

SHA1
1bd9c4a0c08a594966efe48802af8cdd46aa724c

SHA256
36670568a87c7b3cd1a4448ffe5bde9b6fd3d65b58e6dca38cc4ea2e9e8c11b3

SHA512
59918179057447aa18668abbdaacd11ee3f5e83c25a93f916a050a559ea1457d6ab61abd3db9def22b5214a1767911e9cf9fa8e638852032cca3696424c6a903

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png

Filesize
2KB

MD5
f484337ddad3b425b5788e5ce7082bc8

SHA1
79c7e4c0202a06ef3a287cc76ea498fcf26009c2

SHA256
fa58e3209e408e4f0d60a7ed330d6f62884ccf9b593e37cde03e7916c116dd1f

SHA512
518a8e3d53fe86dc714a59cc70f8f0c44396d7569d25837c1cfe6212a10204080e0c4d19c43729f1815093af9f075693decbb9496700a2f00bd57dd3ed0b0a3c

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png

Filesize
2KB

MD5
9ca95e4d4941acee74cd1bef23eaba35

SHA1
1717e5136bf97a89b5dca5178f4d4d320b21fb48

SHA256
80c1e2f4d89d5266f82dc0295f232eda894812820c5c625a036adf980536e5a8

SHA512
9fb11e36e626b0d9eb43548ba0e90cda27e70d027361c52437f01287e94f07d07da01a385ee2466963e305516f56e37020644ce03d1132322d7e796440c633b5

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png

Filesize
914B

MD5
1958a9b92332cc7b500636c414649c72

SHA1
3433cd43afc96397650ecaa2f3d4c82d985aa86b

SHA256
282c4fd7aec92fbe494f71a136c9c9111a453ff07f701ba21cf2f14b24f9ff15

SHA512
9a6791a1ffcd7b2442ffa33a132b95bc66dcfa5b2814bf5b84d8385e69b7243bed9b6e4a1677c3b88cc9de421067468ef186584c43a90b7aba78e2e19a1fd81b

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png

Filesize
1KB

MD5
b7593fa2971ae16ea2aaefefab67658d

SHA1
df5455a066a4aa91aba3d2ad0df25e3634d04a49

SHA256
1407047a49f6220843e0b5eeb147273ac894fffb489ff02b7e920096f1cf23db

SHA512
0036d5d5b708feb7fa9dc96a705e0ef98c8dab39ee182e760515ae008e100200ee4645afa75359290f09dd1fc7f16c7830e39faaa5e302a8dd6a647adcd431c5

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png

Filesize
1KB

MD5
6078ddcccd0966b6c8506d28eed2026f

SHA1
86b7c92bcfb0e02d9a72bebaa6731891fa90e29f

SHA256
d982bca9f433bfdf7f7d8f759576273ee8a131e676a784a6d6231b068e21de25

SHA512
850dd615ea2422f00001b37603f25756e6304e190669aca90aaab08d2ca97d163402b3fe7a4747e76040fc9dd944861b5639c31d1b40528ca806f5f920fa3d4e

Download Submit
C:\ChromeAutomationData\Default\Web Applications\Temp\scoped_dir4696_1649558161\Icons\128.png

Filesize
5KB

MD5
c592b8809b071c071577fff963bd1ad5

SHA1
f628a6edd48da4aebdfdc05ee3ce852b27706cee

SHA256
8a9434f0ede8c6edf65f8d5750852be574847a62a4534e1b6b372078463b6d04

SHA512
418f074fe6b91e4393bc670a75d26db28ddfa370e3b33c17db2a402dd008175be910c3fe9714051d55c13fb28d3901fc6e7e81f73587144d053d8b25bf9c8c90

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\ChromeAutomationData\GraphiteDawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\ChromeAutomationData\Local State

Filesize
3KB

MD5
676f32f6eea7f64a075248c5186fe04e

SHA1
fc12b305263e185fc4dd9ea1f297fc385cfb1995

SHA256
cfa8a0bf4be2ffd312c48bbca7d89588a68c962865304261b5c5a080449777cf

SHA512
ea6d01eb3724715febaa4f56263344c24f98d2124daf3c8976122c3a1e5eccabb9fe7466ad1c6929750e43aa4790abf1a562fcdbe38e7bd73de1d68b903e1658

Download Submit
C:\ChromeAutomationData\Local State~RFe5e7628.TMP

Filesize
968B

MD5
3ef044c79a48876426f9c9ea0700bc6c

SHA1
ad28feef4d0b04355ce4196a245583df73962dc1

SHA256
ae54b9db1abe1696ef42b49fa0cf4aa722e6b74d673d749a8f98af896cac7eec

SHA512
4b3854292f576b88ce0d85abb9a0a0af387f02473e7722d34b51acd11b1ff15839113278b389d99a62d746a2480d04a7d2ae09f5e049cc8af40e0e49b4876de4

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\1f3306e1-9779-4420-bd8f-e71b4ebeb462.tmp

Filesize
520B

MD5
d7bdecbddac6262e516e22a4d6f24f0b

SHA1
1a633ee43641fa78fbe959d13fa18654fd4a90be

SHA256
db3be7c6d81b2387c39b32d15c096173022cccee1015571dd3e09f2a69b508a9

SHA512
1e72db18de776fe264db3052ce9a842c9766a720a9119fc6605f795c36d4c7bf8f77680c5564f36e591368ccd354104a7412f267c4157f04c4926bce51aeeaa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\09283bcd-5bc6-43f0-a5f4-113ad7fc2366.tmp

Filesize
1KB

MD5
75269aaf8bc39d31182969d953e40930

SHA1
d3cea0edcda2a3ef8606535445d9fa55b3ef1870

SHA256
6db182d8b53d2d66cafd7d885b1f9bcd3d2573817ea9945f9622f2dc1f5f9865

SHA512
2deee2a51860b94fcd9063f5bf9c4509d81e1c1035537df17763ad22ac8170791c9b38f5cda6a39bf44f72603a07bedcf9871f4747bcc1ae37744b31d2d0c710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0864e426f5b1c8629b6bd4f14a190acf

SHA1
ffeb7db0a26883f01bc28224e0b1ce26aad7cb23

SHA256
309cd7b15f56c1e3293a08793cc2124a0b9d77e94c0f6c3e750f3650b11cc797

SHA512
e0a6083ceb1fdd99f2f42f09ebe329fe5a45be1de95694cd48257f53acd9d1bfb9a31c9ec65b1d606e365aedcbe15992fc4ad2d20d7a39fc73baa44032f9e520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
40dd678cec574d6326557a14cb6f834c

SHA1
f0b14b34f321f4728009294f33487cdfea30edf6

SHA256
310d1d471850a5bc0537d92f583b821800d30e1b1b25fa7ae8d3c9d6665fdda5

SHA512
852bd6cd07d0f3b2df06eee539d331a030e734b066aed5731c3923bdbc3218dd8bbe6b3237af4c5082ef368e8fbd531b304ec117b4bf28f7e70f1c45e218f0c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d5e0f26e6cd604ff1468a6df544e738

SHA1
abf37e440d9ec37c1bd2bfe60f36e73c924467cb

SHA256
27b31184875290a163a56ebe39b8dddea4b6a79bf9859883a6a444da93cd9fe2

SHA512
2c0a16730d192c727c4e72032ced534debc273bacfa880c904946218e02318c0a75a994266e8d29e7567aa62e7d91b67c6d398f7489b43f1e48632706aca2fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0cb923e5e677d9391242f62f81f59738

SHA1
39c75d6fc01dda5072ac2b6eb0f464a52a06fd95

SHA256
3bc4e10079655768ac56b713cbfa6297bc66364e6df0097c7ca81998d3a015c3

SHA512
682313b1a89940c81c77edad242dfa94e88be11e00681c6559e016b9330f5cfff0abfcc5fc72dd54ec4d2a819d916cd19af4866cba7f888f5619559d072cbecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3b69d59010e6528ee562f45317e40ad2

SHA1
7f784c63ecaf219d5f1e4786e649168b0830d9a7

SHA256
80f8b36a132408570a3f05e727ed925a05a71f2d3cbfa3eb1bba984af9ba372f

SHA512
856b1b531cb97669919d5b7b8dc7dff2e61bae0e2d139026a6215c470ea77acc3bf13af300eef936680d48f5992ac48e2ac8c1b31bbb11d3f9f62a9183e9f2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5817aa.TMP

Filesize
1KB

MD5
1aa4ea54f18047797d580d333dc3483e

SHA1
2f0ba15794890525b1224c3e0f3ad5aacf83e886

SHA256
84277d7009f7d022c354a5bb599ef3139be5396df0c962318c26fa53bc193aae

SHA512
ea300232cf7b637202b02c319150be69db2ce60114298744830df159aba43ec20333ec1633d2ca236740c2e4146537083557b41540b7913f3aa05f77d3eac8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
265453b3cfd4f47e352316355c6a86bc

SHA1
7d9c571e7d4e5d58a51bb25063a84ebc793c8886

SHA256
67472921bbcef9f171cef1db4ea6cf709ccadf5422d6fd87e19410bb68901c55

SHA512
6a92af04daa18cd626c3fbbadd743339a1f55a68240c9ce0421998eff8843ac7048d394f6058d0ea6e78d8d486e8e02ba4b99c43e943ae1e7d598bb31221e7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7540c10f4a9be26a5e84b97b9022fd37

SHA1
7510fe37fd1462b0a7918a6bac3ebe8ecd5dacd7

SHA256
fdaa4930e51edf08a0d1c88efa3242dd9c85f24fd9b00aaf4815f9558b619254

SHA512
18cbab89e1841fd5868112cd0918a316f64ec8c6053bc3fdd37a2cc32786cd2971235ccebd266335cc5cb7fbd54f32e0152ed2c057b33853c96a00b9e294a69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\86ea0879-8766-4323-a13e-0e0f154c89fa.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c06ecbd4-0610-4aa6-a06a-07efdbd377be.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
8KB

MD5
765a6ebf8856d9aecb56988b17e7c0c2

SHA1
e027d22419d1bd462d8b48d2bd52933169366e11

SHA256
cf2cc571a3d49246b131a897ecfc51d99538e2fde2339101f9cb51ac331c662c

SHA512
994bac0bac2182ecda5128d0c878b6394ee95268730fc09273f5f53718c0b7ededa10a96f32439e0dcfdf90e03cc1b775b4c053804410eabe79c21897fa15f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4696_1288666828\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\Release.zip

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Release.zip:Zone.Identifier

Filesize
94B

MD5
cced52b34bfd2387c302c3d496259fb2

SHA1
a79d213261354f108441ff54499b139e3bf08f58

SHA256
0c5027dc525ff889968304a5303a2b4ff978be996cf7df2b02df1a01cecf47bf

SHA512
04080f3321d80560d749238073dce291ca35f2a8e61176dbd76ac4fa368f3436b848568ea746be85cd4c9acda145d8cb9b423ba44b7e624944b4de4024a5024b

Download Submit
C:\Users\Admin\Downloads\hello people.exe

Filesize
45KB

MD5
49af6057ecbb668b5c87d41cac31cc64

SHA1
3cf6f550d278065caba3abbf4a74b92e2262d324

SHA256
14c5612de16de605ff4bbb89efa3f9707841787a0667f8def30f1f2658b342d6

SHA512
4861d1543f4bbc0aa43c7b88e04f975b4f09167fc15dfbe6aa6fefdee5b683bd2ceb595fae5999307af96e340ee60e98081852555931a562d6337ef78505a466

Download Submit
C:\Windows\SystemTemp\Crashpad\settings.dat

Filesize
40B

MD5
2e4e611906521376a60755e32c73b71c

SHA1
74916bc0885b922aca68df29c8397b6ee6f390d1

SHA256
31e95627557dec9a859432041225a73a2ede29f1e1f37abf3f8761e354a26ef9

SHA512
e32df01d9ae24d345d2ff4ad2a12d17ed335219c5a3ea46c3c5d50338ab46a2355be8a8a600f98ac7e5573835d103acf48ff6f8929777fd3e3d471e0ceb0025b

Download Submit
C:\windows\temp\mb0pzk5g.inf

Filesize
628B

MD5
b51d94ecc7b0da0ff61fae9d49b3beba

SHA1
c77516841689f3482fbc0e293a3c563c7634f833

SHA256
dd74bf93fde0d5001fd0781638271f2aeadfb8e22f9996a12440d1ef1821d873

SHA512
132a1a4c2506a52d4d20ca8acaa356f02d72809dcfc04f7b27f6da751a7ac43775ddc8c7a743761b002e943b85aa8ce34e24d3669e482ff0c8ed93b5cdb9a3d8

Download Submit
memory/3408-341-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/3408-338-0x0000000000A40000-0x0000000000AC2000-memory.dmp

Filesize
520KB

Download
memory/4724-233-0x0000000005440000-0x0000000005454000-memory.dmp

Filesize
80KB

Download
memory/4724-232-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/4724-229-0x0000000000010000-0x0000000000212000-memory.dmp

Filesize
2.0MB

Download
memory/4724-340-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/4724-339-0x0000000000A10000-0x0000000000A44000-memory.dmp

Filesize
208KB

Download
memory/4724-230-0x0000000005460000-0x0000000005A06000-memory.dmp

Filesize
5.6MB

Download
memory/4724-231-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/4724-326-0x0000000000AF0000-0x0000000000B8C000-memory.dmp

Filesize
624KB

Download
memory/4724-237-0x0000000007760000-0x0000000007812000-memory.dmp

Filesize
712KB

Download
memory/4724-236-0x0000000009610000-0x0000000009632000-memory.dmp

Filesize
136KB

Download
memory/4724-316-0x0000000009B70000-0x0000000009B82000-memory.dmp

Filesize
72KB

Download
memory/4724-234-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/4724-235-0x0000000007710000-0x0000000007722000-memory.dmp

Filesize
72KB

Download
memory/4724-241-0x0000000008180000-0x000000000819A000-memory.dmp

Filesize
104KB

Download
memory/4724-240-0x0000000008040000-0x0000000008164000-memory.dmp

Filesize
1.1MB

Download
memory/4724-238-0x0000000008AB0000-0x0000000008E07000-memory.dmp

Filesize
3.3MB

Download
memory/5156-320-0x00000000062D0000-0x00000000062DA000-memory.dmp

Filesize
40KB

Download
memory/5668-327-0x0000000005F50000-0x0000000005F5A000-memory.dmp

Filesize
40KB

Download
memory/5668-305-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/5668-315-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/5668-317-0x0000000005B10000-0x0000000005B1C000-memory.dmp

Filesize
48KB

Download
memory/5668-346-0x0000000000F90000-0x0000000000FA2000-memory.dmp

Filesize
72KB

Download
memory/5668-337-0x0000000001110000-0x000000000111A000-memory.dmp

Filesize
40KB

Download
memory/5668-345-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download