xenorat | 590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9

Analysis

max time kernel
1799s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno.exe
Size

46KB
MD5

b9ff857cd3e61769787d6c21b45bcc6c
SHA1

92aea3ec2bf2ca4f7127ef8581e1a79059774489
SHA256

590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9
SHA512

d87caa6133e50141458d30915f400592f0b1e20b75457c51d2c8929987fd6cce1dc7ba4539fa5efcb18f7b5510b72273a0c7c076b4a991c3539aa5bbc46bdb0b
SSDEEP

768:QdhO/poiiUcjlJInWIH9Xqk5nWEZ5SbTDazHI7CPW5I:Cw+jjgn3H9XqcnW85SbTaHIQ

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

4.tcp.us-cal-1.ngrok.io

Mutex

857928375

Attributes

delay
5000
install_path
appdata
port
14628
startup_name
svchost.exe

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	Xeno.exe

Executes dropped EXE 11 IoCs

pid	Process
2236	Xeno.exe
3416	winrar-x64-700.exe
1684	winrar-x64-700.exe
3236	Xeno.exe
1800	Xeno.exe
5592	Xeno.exe
4420	Xeno.exe
3332	Xeno.exe
4572	Xeno.exe
6124	Xeno.exe
4880	Xeno.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 32 IoCs

Web Service

T1102

flow	ioc
690	discord.com
764	4.tcp.us-cal-1.ngrok.io
917	4.tcp.us-cal-1.ngrok.io
1096	4.tcp.us-cal-1.ngrok.io
76	discord.com
235	4.tcp.us-cal-1.ngrok.io
662	4.tcp.us-cal-1.ngrok.io
863	4.tcp.us-cal-1.ngrok.io
944	4.tcp.us-cal-1.ngrok.io
994	4.tcp.us-cal-1.ngrok.io
641	4.tcp.us-cal-1.ngrok.io
969	4.tcp.us-cal-1.ngrok.io
306	4.tcp.us-cal-1.ngrok.io
738	4.tcp.us-cal-1.ngrok.io
653	4.tcp.us-cal-1.ngrok.io
1066	4.tcp.us-cal-1.ngrok.io
1122	4.tcp.us-cal-1.ngrok.io
1087	4.tcp.us-cal-1.ngrok.io
58	4.tcp.us-cal-1.ngrok.io
74	discord.com
790	4.tcp.us-cal-1.ngrok.io
814	4.tcp.us-cal-1.ngrok.io
887	4.tcp.us-cal-1.ngrok.io
1076	discord.com
493	4.tcp.us-cal-1.ngrok.io
687	4.tcp.us-cal-1.ngrok.io
713	4.tcp.us-cal-1.ngrok.io
1080	4.tcp.us-cal-1.ngrok.io
75	discord.com
838	4.tcp.us-cal-1.ngrok.io
900	discord.com
1045	4.tcp.us-cal-1.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1248	schtasks.exe
1004	schtasks.exe
1328	schtasks.exe
5824	schtasks.exe
4016	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133555497233396338"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-566096764-1992588923-1249862864-1000\{DBC8C77D-C427-4DD0-A645-3FD57196A0A1}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
3816	chrome.exe
3816	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3496	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe
Token: SeShutdownPrivilege	4260	chrome.exe
Token: SeCreatePagefilePrivilege	4260	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
5816	7zFM.exe
5188	7zFM.exe
3496	7zFM.exe
3496	7zFM.exe
3496	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe
4260	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3416	winrar-x64-700.exe
3416	winrar-x64-700.exe
1684	winrar-x64-700.exe
1684	winrar-x64-700.exe
1684	winrar-x64-700.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 2236	5016	Xeno.exe	88
PID 5016 wrote to memory of 2236	5016	Xeno.exe	88
PID 5016 wrote to memory of 2236	5016	Xeno.exe	88
PID 2236 wrote to memory of 1328	2236	Xeno.exe	98
PID 2236 wrote to memory of 1328	2236	Xeno.exe	98
PID 2236 wrote to memory of 1328	2236	Xeno.exe	98
PID 4260 wrote to memory of 4736	4260	chrome.exe	102
PID 4260 wrote to memory of 4736	4260	chrome.exe	102
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 684	4260	chrome.exe	103
PID 4260 wrote to memory of 4604	4260	chrome.exe	104
PID 4260 wrote to memory of 4604	4260	chrome.exe	104
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105
PID 4260 wrote to memory of 1440	4260	chrome.exe	105

C:\Users\Admin\AppData\Local\Temp\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp638C.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fff52139758,0x7fff52139768,0x7fff52139778
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:2
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1916 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3200 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3244 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5136 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:5224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5348 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5432 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1868 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4048 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5128 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2764 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6072 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5912 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6344 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5428 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6524 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1868 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6812 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:5192
- C:\Users\Admin\Downloads\winrar-x64-700.exe
  "C:\Users\Admin\Downloads\winrar-x64-700.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6828 --field-trial-handle=1876,i,16449142349640515262,11762773581364941727,131072 /prefetch:8
  2⤵
  PID:1464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c4 0x294
1⤵
PID:2128

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\94d244ee925c4daaac6143e35b823be0 /t 4296 /p 3416
1⤵
PID:5376

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5616

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1684

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\PopSkip.rar"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5816

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\PopSkip.rar"
1⤵
- Suspicious use of FindShellTrayWindow
PID:5188

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Xeno.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3496
- C:\Users\Admin\AppData\Local\Temp\7zO8ADBA94C\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8ADBA94C\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:3236
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AF0.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:5824

C:\Users\Admin\Desktop\Xeno.exe
"C:\Users\Admin\Desktop\Xeno.exe"
1⤵
- Executes dropped EXE
PID:1800
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5BD3.tmp" /F
  2⤵
  - Creates scheduled task(s)
  PID:4016

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a8896377b4fc42378dbf6fe281f2ec59 /t 3992 /p 1684
1⤵
PID:5604

C:\Users\Admin\Desktop\Xeno.exe
"C:\Users\Admin\Desktop\Xeno.exe"
1⤵
- Executes dropped EXE
PID:5592
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AD0.tmp" /F
  2⤵
  - Creates scheduled task(s)
  PID:1248

C:\Users\Admin\Desktop\Xeno.exe
"C:\Users\Admin\Desktop\Xeno.exe"
1⤵
- Executes dropped EXE
PID:4420
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCFE.tmp" /F
  2⤵
  - Creates scheduled task(s)
  PID:1004

C:\Users\Admin\Desktop\Xeno.exe
"C:\Users\Admin\Desktop\Xeno.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Users\Admin\Desktop\Xeno.exe
"C:\Users\Admin\Desktop\Xeno.exe"
1⤵
- Executes dropped EXE
PID:4572

C:\Users\Admin\Desktop\Xeno.exe
"C:\Users\Admin\Desktop\Xeno.exe"
1⤵
- Executes dropped EXE
PID:6124

C:\Users\Admin\Desktop\Xeno.exe
"C:\Users\Admin\Desktop\Xeno.exe"
1⤵
- Executes dropped EXE
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1df60205-73a1-482d-a827-2baf9931f205.tmp

Filesize
15KB

MD5
c954f58e277dfd7c930116f434cfc604

SHA1
d46feb3ed604d4bc8f066c6719651257ecdf1838

SHA256
5d5ff6d73bdf1b56e7396cb97e204d47d90fd2675ffbbb5baef2128fbe0b70f4

SHA512
55c79fdb1e2c22f663ff8d9def13c10a989cfda8137e5f0a9cfb83129f505ac589807a0e4c25fa458f7ff00db02c03ab37e7c760cc3cd24863bb864a91664f67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004b

Filesize
196KB

MD5
813c1b41e435242e7365a4bcd7adcf23

SHA1
2d25e1564eaf93455640413b95646b3f88f9075b

SHA256
70cb2151ee4ef83195855d29819491a23c5eafee2e72b7ffd9041b35363d1542

SHA512
268c4fa1797700a205e37e716c1472592ad6242344645c703ab1ab8d4d68452c3ccce7cdc4d56a0b42d4061bdc793f1c79dffc397f038133387b94b2a1f4051e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
406a86b97b437e95bc917d264ea68725

SHA1
d8cb22b87947b44984c30e02bcf9031d697ff073

SHA256
e5a0bb4c16703eb5479752d00bfa8c76e73696522e7c62ae0b7a9ae5888420a6

SHA512
91b61bad693153ba74f0153b825e1a6f11d13fc4785b846954142f81bb4989df2997cb490cd18f58b109a7a865f4d76c9f9816e3cd67fd999b345c010e8658b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c42b5a5f31ce8d50e3338bc602c7a26b

SHA1
59ea8c1c7f7cbe821c12b961cd71db2d84ba35ca

SHA256
1e1c13fd04644c621c260b1e0ccc7de0a145cf583b1872cd2c83ad08a518615f

SHA512
8d58e68a8fd381d91b1235cc8a066509e0bce124b98951b6cbeef8d2819f06616594597ac3ee7a76a4d73d930176f7945e052b61119698340fc3039a005be02f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
16feebe440b0466c9c4f813a5539096c

SHA1
1c30acff946daea76215257a5753083f533db9a9

SHA256
f7f68117b38cf6511e7f0b987dc22eca805d4bbdda5fffab34c5fdcbc0fa2adc

SHA512
fe10b2814761b0c8a1dc4be42c0408a7c42cc733c6ec3d07d659f220633da9b032efc0fe4bc76b7e6e33f0b3ee87104983e784349b71fa2d812b1e203fa2394c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
6280c540f50334541d00f8faf8afbd41

SHA1
a824c856fe37a032ea721d3a563a0de81e45a315

SHA256
603d01b9a0cef713ccdadb148e780f13b6b41d97f69d5e5652f059346b7a76c3

SHA512
0f1130f386b3204a38411ee0ed67c8fbec7bc0f5670630b107394363323349000e9a8489e4ae1a39bc3107cf7f38766a56e69fdf7961c9101a2bc66ddd0acfaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5980ea5423238b77decdee05399b7739

SHA1
80dc33053d1f2b3b25306a2ffdcf921327a1d003

SHA256
da35dc246d6b54884ba2399e0899eebd09645b9126a944c105f14f67f16035c3

SHA512
feda5553179603ce8c4861a2de36932c521cbb67efbfb8ebb93dcfb035440eefadebd588c30fbac750d72d05c4e0f0ded76c4fb2f7672bd10e1edf31303ae4cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
568665b39a32faeacd59e38081a744ce

SHA1
10c68d4fdad5f28dc550c88f0dbd6f6ca75715e3

SHA256
20111320b54890d7221ec2739506dfb7a124ca27ee2eac947a70287a14c14b40

SHA512
d4984ba16ffde9b8f7bef543f4b3021a91027d83260f8c5f0dc381cdde68c5102cd84ecd43502859f75f62f2a0d35fb096e40afad6a900113d00f75cd5bf1848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
85f34fbad44a9ff4d8990e0ae1788748

SHA1
59e43d33a14af32d041f3a65e057c98d8c05361f

SHA256
ab96020835650c131f4fb9bb8105c8c4eebfdccab2755c3f852095b9d351acc8

SHA512
7937d469b915f30b1558d96421fadf50eafcc97939dab6c114f9a4506d7a305842c1b4f39958fe66a217279139d990a7cd17cba92866c9b84982fc10506e3248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
f62311fa3d248e9c41d0ccebd5d112d0

SHA1
5bd90d0766bec44c26d86b76c13ae3e85d1a2800

SHA256
dc20b6b83b60ae8c454ff1dc74b149eb451af631650ceeee5c3cb6442e6c0b27

SHA512
66222ff1ed7aea3de1a51257d2b083b4296ba0a82ffdd64cae9570c227bcf1213178111494fa955c83e1b450f508b1fc5500b3ed61a39add6e3df20df191bffb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
8aa769a00a2ded15fdd476d6af001b7a

SHA1
9f58797831ba5179770886a6c6f42f443d844f85

SHA256
cad4b2841571b4688f1b17db8952e148fa7a80d164b97aaae1301fa18aa0db34

SHA512
f3625326fcf4fbb89ce943b2b9a7417a676fec9fc26c99e7890b3fdd3db0101befc706f0740ac8ad83b2cfba398c12f05f4e165a002d8c7a8ec432c972d3bf0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6c7b7731051926008978d659580622c0

SHA1
7e5fadfe28af283cf8e64b2cefec73e7d4456f63

SHA256
4243faf0dce74426452880aba62758e44f8f1bebab36ee1fbcf0be5dbedbc999

SHA512
eaa687ffb5fc7530eaaae625b953461bd6e0d138ff5c1c2535afbd105b111ef1513f7764932af3bbe1599f44ce47eb19ca5d3c90bb748cfe07e6ef4007b831e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
43a750062dc7070e684d6ac9bb73fe16

SHA1
3bec45c7a81f156e636e900cc578a4f4f9ca4571

SHA256
07e9d370ecd619cba7db15781465c6bf4207ef6abd39f106fa7a8147c1841429

SHA512
f261a4914aa9f60148c070f51531f23c1507300fcdd57ab424687ae6c74dd0503e000af199292af795286b0b7ec40ec66cb89b473192b7d818bb988152ead10b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7281cd4125a1d22996af33b19bfe85b9

SHA1
be94a118831f1cd602a2b83ae14bebbf1c0d325d

SHA256
1b444b798438f330de5544f8905dfc0d3299dfe8c9d4cf3888802baef1665d63

SHA512
ec9e6d4e9f46bc42ac4b643425f044a190841506326716a87683ec51d617ec4d7d6a147d81864521ea17a12c8dcd6c41a01783d7eb21db697d4c2f06ba363406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
256725da691c0afb866248f171de6e17

SHA1
47b1bd8a43322f7939ef8d37318541ad87c0eb72

SHA256
c88861a29c3cf34690395b1d3fd58e27a8cb355f482ca517844ef641299e08e9

SHA512
c616d97e1f1ac1981d1f0894d80f305140782faa215fc117dd148095a385a8d3d294047f520eacf83b99a66e52d02a5af42602f32231dcb3a7cc092024316284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
830d809a9b86be7a07ccd2557ab807ca

SHA1
b9ec01e8d2c75006a148ac2d41e1a95abd957017

SHA256
ce97ad153a7dd5baf3118472574d102cc3d328e8c3e90f639dc766cd01fe13b8

SHA512
de2237e1ebd5ad3c072d94af7fecd7f546a844ac7e7659b34ee3f2bf8c86acc7a0fd579347d9cc91fa6a847212e96eb2a484b772235ca12edf95b2750fa04904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8a273eec6ff97efc05ef874cad96e29c

SHA1
f0f50dcca7b61af96a92cf61e4cdd55bce02d693

SHA256
5e88a7725204439269fa575b06a90580d3abdf3f500bcd3181712d448d1153d4

SHA512
fe256dcb23eca89192cb81a2ef7a894b640e513aa9c55b44f4deaeab803c1ca213d9a732e38d9c3f27313804de01c27b6cb13ff68601633ac69d62fe1421a803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
90a439403378b662853457d9b1cd39b9

SHA1
b99209891fe67dd8b1ebedbcea7059e6af8d4fb9

SHA256
74ce3d5a2094eb838be8885dafde442ea3c8c25c2cd2cff6e6b8d6128fdbd4b2

SHA512
0b9baab4c3f0776ffda1dab88eb8ed19e05e69cc3177eee1869dc539435a0fc92a9ae81f75cdb16ea98834b101db14776e0d121db4b979a7dca48ab5c502cd90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
253b52e32d78c3bc9ab0893df08ab430

SHA1
afa3edae0beb1a971bf22cd918c2ef6bab64df69

SHA256
8135d86ea26cce1e980adfd829a95ed52f0638226ae989cd0e00a6f3e8018d34

SHA512
ae28b57dd79954f44fbbfa7e783876091499daef5d6ca5975cb4af930328a4712ddcdf2b0027e9e54e3f270e494d700bcc05eceebb1e28acd6c11b8e720deb6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
71533036f75db6dcf8e854ff50510f20

SHA1
972a32b90f1887857d3bc64dd643cec65f8479f8

SHA256
f18817f281f0c50abf64680da1178fcd8fac81b08c58d417d4eabd8203f70fd6

SHA512
4f2e85775976126a38243e6905b77f68cb5957f9957c2112281df4e36ec83c1d4e56ba3b5c07aed7c3d366aa63103e7502c2f5ad70c546ec97fa6b78f32eb3f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
34bd51fe062a1b1a905863786d1b40da

SHA1
183d3024589a9d0d404d35ccce98631f2073c637

SHA256
418588fe872dd7e3d0ac6733e25d871d6394cfd447aacb8eddf750742b06f889

SHA512
f934d0967c680bb5366f1ab57246324a168b9cf2db3b16ce3e96177340a869c5a4977a9373f69f557e1060b5993d0609b47ab2bfc9847be91cec795e7a6cfcc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0f7ba3c46d34045c1b8481cfa9a60a34

SHA1
1d9abf29e9083da53b96bbb54c44750f17c91384

SHA256
ef0a568046b15a977bd81647df27d1144e71e4986a6212ddb6243ab4d6eeb887

SHA512
0fc54a9ac239a06d14aeddc3b16b6007f4684952c05ec930f63772fb10f32d97bed579ea9457c7f91663689c66a55e1244eff7e5ad341fd409e374c0827d3769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
aeeaa962e9fe5c1cca2c37026b23c7f6

SHA1
1ddbfac69207ba0c2ad588f036ab3d3cbdcc01b0

SHA256
270a5c4449a80f380ea7d11ad76d38abef551f324cb27df65ff8ecd32dca3732

SHA512
31e2d026270e9aa9dacfe4ac1f3768aaaf3d85eeda9ac49893e62ce51fe22ced93a551aa642c39dac5f484957a00984328edbcc9e4c84aeb2732e390f0a0dc12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5d040bd03fa6ac0144b072f843cfb242

SHA1
b99f38bcee77e3672412f2db04cea5f4e2ac00c0

SHA256
2eef39acd9656f5cb3162f4ed6e6d12b0529c29c5575b31fc3bfea4e972f15c4

SHA512
409babcb3eee204cac7aac4e798ae26a36eae0caf254b9d3723297baa5b00f319fa1d59a267870235396e04d110047eafaa5337248d8e6c0bcd805862699cbea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7e4d4b658e56c00b183e45c03b1452bb

SHA1
a1e9bf05e317dc94e84b0ff54f0adb184c45be2c

SHA256
dbe0bf9e8477fad2579739fd82d15d4440d0062d7c2c8d8b838858b681476729

SHA512
d3b0197d1b3095414be57f0524257d80ebf6b074bb245179f9a0fabc52f026bfe2fc8f6d1cc8e1842e4ccdb076fbe912961840c043a5ffcfbd03ac0cd1dd3975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
011bd2c5fc16dde338468903b0b5d449

SHA1
cd2633dab50d697cc79861136dc38aa094ec3b46

SHA256
12ea487169970f2cb732e66b85e7634b1705f992bca9b35de80179eb569520ce

SHA512
cc18c16f36aa19dbffb341cc1ebe10b4eaac1050ae37deb666f6c9c04caad6153f7f81e864e706456709e38d47212c9f09c12f34490f73c38e9a040448da6f79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
091305a1419b25d59089f28860f08881

SHA1
81d30888afe335f5555e16ebc37c68e158008523

SHA256
9befe0c9750d6e838d7a4fbb244a1c540594d476dd0f158a8ab80e800a5298f2

SHA512
2499a28eea4fcdfe9bca472f0d907dd7e67ac1d059b9cd908f30a06f2776646d8fbe827772031224fbd212fd8fed4b3b27f8d6667f92b1166d997cd3ee09e726

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b5d4cc125db8c8d27aad43968a127e10

SHA1
67831dd7af1016c854b3d1e4cb429a9bd747e857

SHA256
6e297b9335258f01e33d962d97fcf7d59f86af20d6205344fc2713f61962e2b8

SHA512
92ab70086074c74c020f19c189cfe2c908f9c6536531c1c998bab1916a1a33aa256487df0145435ddf648659789eee275e35ada787d290fba6209c56aa72bb37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f8d3a0527a03d9cb43bd33dc9c50c8f9

SHA1
9a223addd886b30f91870e69dcde5276c628e521

SHA256
171c95fee9c387f3ce516c67a260df236f6d5b80c55812acdb7e1cb940fc9e0f

SHA512
ef4adc19d5963d1e8e3f77b30a4bc0a6dfa420a84be58ee68699821568549a54eae62f77d2ccf02a5d06da7384cae5ddb7dee306c72cb7492e04eeb94aba2ed5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ba905da61de8235b0022347f4f8a5769

SHA1
ca697d20221f9203fd9278445fe65f4fdf7a7908

SHA256
5a9c84b461463bf993b4224dea55c1da4925b4ab1a43aef1696cb430e06cffaa

SHA512
33ad68816fd5722307db0723257a663968650145c880e7fe8e23f95470f0415385efb51c9f998283c9f7acd3aa3da99c7dbf1d2d4b18268e9d07ff2dab78c8e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fc0e37cf2581f52b8f26ec75ffac8d05

SHA1
b46609a0c02dfdb168aa782b5954d71f22dba69e

SHA256
7e96c01e84150f3e4bc523a60c89ca6aea612a67f537dac502c1fc0fa471ac40

SHA512
e9cdd6727223b00ca553bb6bcabae975b5399c5082b06530bedf5a60554166a85b545dc0e02e7b10fd75834adaebc1a540a69be88b220c8c138fbadc747b4523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cc633567a1f7e556630332af070a1f13

SHA1
f5c99a8fda945400d07d915abc7a23dbc4493a28

SHA256
99c2b1ea2bee318f01dca538320f32944221513fd5b7f744e5d74c4b0898bae2

SHA512
a474bcaa3a1349f80571cf9483957ba4c8e4047b7ebfe15fc3e6be1514f1c8242c09db893b709481f814862e177aef465c10f51e3a9bb6948af725cf4be27d45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
53454ada4b5b45ec1c480e270807454a

SHA1
cc392cfaf94dbe6467d6d19d07698b870a6afea7

SHA256
f539acabebc3b0c2877ed12c8a1dc902eb3fdab83e1fe55ca04c4f6fa06d9f86

SHA512
318fc5d5480f0aa8e91fb92dacb2332620a9c22e472d029903eb0784714ae9f21c3d4150a9a1e4f608c76983d174d828120fcb02f5617684fad756d45bc5f1db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
3e7fa3a73301a2f6b3273784c446502f

SHA1
a5c8940a884bcd6fccaa34e226cce69531e6520b

SHA256
4a4e94bb084fe2bf47ae4202a66da08a2a74c837e90879010219fa777ccb458d

SHA512
aa6e837d796250c20c3ea07db171bb164afb47b53e2a815b5e61390b8b07ca17efbc8bb8ece53837b3a41e13321fb2f62f39055a8f2c8a6aaf0cb4d004abc80b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
81d814869d592c73b28ffca07ef126b3

SHA1
fd3317e8d6a755534f83ce6a82514ebfa6d3ca8f

SHA256
a82e1aaa6f8013bf633cda68a8cef7d0352821e0e663fedcd208afbe5d52df4b

SHA512
5bef8d8a36e401c49b3325174e26c395678df6018b7104e7ac71da0d7406841d8475d69ebb7c868ef02fad3c597516301eee64ff4ba3d3386887bbf5b30f4049

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
7bd674616cf14524b3cedbc3747c78c9

SHA1
9ecd42d91636ac323a7011f5c7042060c715f967

SHA256
47fe0bb4815e4b5d2362e19b60218475f0fca4bb912bac5ef7e966eec97d1906

SHA512
7cf69fe493f91498d0dbc908e35c06ef30695572a8cedf883ba8208b5905b1f53fee15a80e8adb6ceef3be50081d99c72a121bcc74729e10e958474ccc2c7d74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
113KB

MD5
50bbc92ecbd9297f22e1889fe1cf574a

SHA1
d220c5f434a9d7b54b4d7ba6fb64e17e05e2dd99

SHA256
038c0f90a0f0d2457f84d93f42d1e6270c321340dffb45ba61c74763aac3be56

SHA512
e99e18ef51b00acc8846349d8bb18ed946a8f8094d3db2fd3769da2d0a2fb56d580a7bbc7e7fd8c5a39bf66a85c912a916f1f5444fd997f03c2ca7b628f7e225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
118KB

MD5
95518acb0bbbc818e78ef24d3783f934

SHA1
06d2a87a8f53463dbd27ec47d7f851da787754e3

SHA256
f767df7d20c3515b17cfba153ba3773341af3770ce783cc75a4d2417de83b833

SHA512
d5128077b1d2560a44bed1727ce38410400696f4ddad3a91d35db4305ce73e2553d64b3b62b895735f9581170aa0626163a910c6d5e3f3967923c876968ffbf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
ebf6bf666fc86c00edbd51c89b2642cf

SHA1
d4f1b9de1fdbc9f5b4589f08cf7a29e12573a3c3

SHA256
4472b12c255e3c8b3f5df089bfd6dfee818672d3f4aff9e3fc3441f43536bc79

SHA512
49c1b581327d61e958f57d2a1e2f8e83fdf633b553c0e795f23d5aece8090382d7836fb0006abb9e55fd4f2d4fa78c3d81a81adf2b2ae6a45b5707b94018a67a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57edcb.TMP

Filesize
97KB

MD5
31ce9047f5d0235c3f3a52f1ff2eb4fd

SHA1
573af066f4be5da0f7861a74d58a5d2e1c9c5409

SHA256
ac8adb34661167bd7c9a4e159982023f1c42536b9cc747f5baf8fa2828115fb6

SHA512
47649f198a5c446cb59da81c7683e4431d12e160e1e75e22eb9b8557c38822b397ed1b61886c4968cfee4be51f0ddec080864ff7c06f1307163e03c2430f68da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xeno.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AF0.tmp

Filesize
1KB

MD5
cd60e1aa86745b3e5428ef4996724532

SHA1
f153c67f8aba9d2216d56c2a1ed0b56d8dd8c124

SHA256
49e4aa85a8e6d3868278cf1893a11683e0b56b9e06f0caaf1d475349642f365b

SHA512
0099239bcafc8814524d26eaf983751d6c95d68ff8625cab8cd6ecfdef6e43e332f0453129b16cb8521a3ef54f7fa91c2e4671cf405f8d578d049f75c3778114

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5BD3.tmp

Filesize
1020B

MD5
fe6f6152909c63badd74b1bc21577980

SHA1
26dd206c7ef638b6c1d9cc4eb05d394f4775b475

SHA256
33c636db61f6e46fe32704d99673098b997ba612d4214a84c0a8b23aa53b7c72

SHA512
0792e5b7b174df59b3240e3cf3c49d5dea2896a3100ce72276e1c07c85c6819ce51c76eb5dfc81da15a075c1e9604316e02b1638ca4062291c219907088254de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp638C.tmp

Filesize
1KB

MD5
c19b33268e74b9dfb678ebbe128db491

SHA1
49dd45693580c198a87ba06464c362c7c993907b

SHA256
8ad22e22ad7494702655cea50b2228b602ed223c844148e2780610bb4bdba435

SHA512
baf521387a499412d8283f8733ced0e05aeab7e7a66e58c0110d857bfd07d68748e7805098e131fad954eb58761688dffd0c36359115d460155287ebb5ebb3e6

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe

Filesize
46KB

MD5
b9ff857cd3e61769787d6c21b45bcc6c

SHA1
92aea3ec2bf2ca4f7127ef8581e1a79059774489

SHA256
590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9

SHA512
d87caa6133e50141458d30915f400592f0b1e20b75457c51d2c8929987fd6cce1dc7ba4539fa5efcb18f7b5510b72273a0c7c076b4a991c3539aa5bbc46bdb0b

Download Submit
C:\Users\Admin\Downloads\Xeno.zip.crdownload

Filesize
20KB

MD5
a877d6845cee78ea9f130e4450780920

SHA1
009c5c2641748ce2c5d20410300c3cecf86e451b

SHA256
7dfeea625f42a6066c5fcd5cfc514b7b6dd59022466569c07dba8ee316ce3c0b

SHA512
b034f5889c410bef8c4e176d8e04cd64c3e1ffbba2bac1ce451b4967b8527a0d127eba1ecd1ab0adef90ac01c5e493b6c0e210e9d9e2d5c2acb072aac664182e

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700.exe

Filesize
406KB

MD5
9688349e758b7f4407f89ca483a93531

SHA1
9b32d6490ae27346c4b6a00d9c430fef8fafb9b8

SHA256
c97dbcd65036dd97bea0351f36a33f869c031c10483ce36c77de91a9c384f484

SHA512
adaf654fa89190eb15cf535a567277ad303a9203d073bb2c7c8ccf0b8244f86806f39c71bb708f0843b9d9d5d1f69e9c612bff5e20ba4cb6e9fedc2d5105f8e8

Download Submit
C:\Users\Admin\Downloads\winrar-x64-700.exe

Filesize
3.8MB

MD5
48deabfacb5c8e88b81c7165ed4e3b0b

SHA1
de3dab0e9258f9ff3c93ab6738818c6ec399e6a4

SHA256
ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24

SHA512
d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af

Download Submit
memory/1800-894-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/1800-910-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/1800-895-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2236-18-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/2236-19-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/2236-65-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/2236-66-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/3236-886-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3236-896-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3236-887-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/3332-920-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4420-915-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4420-928-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4572-922-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4572-929-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4880-927-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4880-930-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/5016-1-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/5016-0-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/5016-17-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/5592-911-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/5592-924-0x0000000004F60000-0x0000000004F70000-memory.dmp

Filesize
64KB

Download
memory/5592-919-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/5592-909-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/5616-838-0x0000028470640000-0x0000028470641000-memory.dmp

Filesize
4KB

Download
memory/5616-836-0x0000028470610000-0x0000028470611000-memory.dmp

Filesize
4KB

Download
memory/5616-820-0x0000028468340000-0x0000028468350000-memory.dmp

Filesize
64KB

Download
memory/5616-804-0x0000028468240000-0x0000028468250000-memory.dmp

Filesize
64KB

Download
memory/5616-839-0x0000028470640000-0x0000028470641000-memory.dmp

Filesize
4KB

Download
memory/5616-840-0x0000028470750000-0x0000028470751000-memory.dmp

Filesize
4KB

Download
memory/6124-925-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download