xenorat | 7aad3fb29bcdcfd26a097bb164fca235000f461e1fa0a9c7434a770a3b1b36e1

Analysis

max time kernel
85s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 19:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

xeno.exe
Size

45KB
MD5

b88f9cd14eca3f33c2819b1c96c552fa
SHA1

707c68257c2ea97fa4591f58be326e1308fd1106
SHA256

7aad3fb29bcdcfd26a097bb164fca235000f461e1fa0a9c7434a770a3b1b36e1
SHA512

7ef211c52ae69c8680ed7fdf8dadd2f2fe64f6669f8f52394e58b53e273f3532126449dab2cb0a3a82cb2d5bd6eb1b0a184686d81f7d3338616eed3f0d2ac65c
SSDEEP

768:5dhO/poiiUcjlJInvsPH9Xqk5nWEZ5SbTDawuI7CPW5N:3w+jjgnkPH9XqcnW85SbT1uIl

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

taking-headquarters.gl.at.ply.gg

Mutex

MONKEYYYYYYYYYYYYY

Attributes

install_path
appdata
port
3069
startup_name
Console

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

xeno.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	xeno.exe

Executes dropped EXE 1 IoCs

Processes:

xeno.exe

pid	Process
4628	xeno.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2340	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614830891924297"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

xeno.exechrome.exe

pid	Process
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
1952	chrome.exe
1952	chrome.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe
4628	xeno.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

Processes:

xeno.exechrome.exe

description	pid	Process
Token: SeDebugPrivilege	4628	xeno.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	1952	chrome.exe
Token: SeCreatePagefilePrivilege	1952	chrome.exe
Token: SeShutdownPrivilege	4628	xeno.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe
1952	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

xeno.exexeno.exechrome.exe

description	pid	Process	procid_target
PID 2848 wrote to memory of 4628	2848	xeno.exe	84
PID 2848 wrote to memory of 4628	2848	xeno.exe	84
PID 2848 wrote to memory of 4628	2848	xeno.exe	84
PID 4628 wrote to memory of 2340	4628	xeno.exe	85
PID 4628 wrote to memory of 2340	4628	xeno.exe	85
PID 4628 wrote to memory of 2340	4628	xeno.exe	85
PID 1952 wrote to memory of 4020	1952	chrome.exe	98
PID 1952 wrote to memory of 4020	1952	chrome.exe	98
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 3484	1952	chrome.exe	99
PID 1952 wrote to memory of 2148	1952	chrome.exe	100
PID 1952 wrote to memory of 2148	1952	chrome.exe	100
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101
PID 1952 wrote to memory of 2648	1952	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\xeno.exe
"C:\Users\Admin\AppData\Local\Temp\xeno.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Roaming\XenoManager\xeno.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\xeno.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47F6.tmp" /F
    3⤵
    - Creates scheduled task(s)
    PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8b8f3ab58,0x7ff8b8f3ab68,0x7ff8b8f3ab78
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1828 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2292 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3128 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4664 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4600 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4308 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4972 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4412 --field-trial-handle=1960,i,3290770518313725379,11361094276464737327,131072 /prefetch:1
  2⤵
  PID:4968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
2407761ca8bba74e17b2bff49dbbfdfd

SHA1
35b0669b595038f4195e181990b1e9e3affa267b

SHA256
7913ac7a104a3884cec0f43b7abebf922bfc9935d20f2c545ea9e639dbfc7b01

SHA512
bb217d1cc6bc711c9a4dd2c2cb3e0cfefa00e13ff3d015882a303f93f8058fbc269dff371b535efda0ba15cabaa2fe5799aa61310fd4ae010ac236fc011f3cfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c8ee6ed9697279555d669909f9cea23f

SHA1
eb80aec91be69e4ba62f8aaf5725d84911320785

SHA256
00ab5e0dd58a0acabd8d299e4cc646194cdadcd76481dad7f6854413ecc0f9ce

SHA512
425cf0efb50ff679fb22bff77811803dcafa088fd31196d9a60450e631285d30eeec77862a00fefe3ed6bf7d9bd1f65969cd05005820f8a2c69a19606ac7acee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
067022e3b93359839be0f33d1bc746e2

SHA1
d7677022d8ce7e90d52f2728e97ea885ca41a5a8

SHA256
5291a20c3c967f9e2b8f1e94e4d697a96c4dcf593153a7e94a2c2b01ad24464e

SHA512
bdeb209c13230d3403e66dadd33eb39202424edda0a5240bb7098718a7e40e390211d7aa523f1c420a735b7a75e428fe2a006aa111be3dcec43c68aecb4f7fcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
8a6b95cfdbc705613c84746382612267

SHA1
c609fff83163d53d6d46d5db3f59460505f8acdd

SHA256
f4cb5630872b6fa4aceccdfb21a16941cb15d1e9bfdfa72c41bba83a42edb770

SHA512
9d7c819d4215513882f2a3ad94910046d2e6262de00fc3d18bc5dd821c3255cdad647c9424bd794f209f6658b8c009fbace4c0eb9252e55100d26900621b8219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a8d2b24350880d295263b356e98405d8

SHA1
e17997ebd9523a6d3e1a24b99e8f551ff46ebf20

SHA256
c50984a95a84c951078cb5add3b360bf2e42835980bc6567d0abf7c62b81a390

SHA512
03368889c0ada2b46d480510ffbdf6952d940a69711b874332275345f2f28180e129c1de5ddf856e0b86bdec93652284f7046d6c90a2e8e0fd41606a2e1dcd4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e375a2ad87f6d20d0b7f5a68777e36e6

SHA1
5134e75b96beb2ae6676d4226845112ac636d303

SHA256
8104133cded209a46163db66ae717b9f65cb537830d615fa63c598d6771b2971

SHA512
d7ef03d93350dc2f4ff75a08e182a5f43566a67e3779d8ac6c96a7ef3c871c6fe6ac507a3eef0ad69aca8a9ce8dcbced3e39f287f46820530eeaf131c858aec6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
88f4684b8bfd527a0bd89f4c5d7d0e31

SHA1
b8984b94ccc235b96f00ba740d4263d99906e918

SHA256
74ff8c51b7d890e123e2b5a69e1c0209d14a9aac18d0c7dd165182c7f8658b1c

SHA512
51647a8e87f4a78b563668bdc04685f2145fb99dc6cd60f3a92c631bd90359a6a096a40df15e8358d3534f6ebf000fc1c1998965b2485c03200a9c1ad6421639

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
120B

MD5
5d6f86ca66f0033b8d0cf5a2fa956464

SHA1
cb1d3a3f8593f085b095f43d2b4c8fe37c4e064a

SHA256
3b417a1cebd681e70d5d36abf2c67b234526993b0ad0410cc066f64a0985b1b3

SHA512
2402fb7e5a336a7f654c8db064cf15c450e96351a091a6a18d2b2d53d7625e634238b6984bef8021b54eb9ec9e0af6d142dfbb7bea7e1aea97db9f0e2d8bcb8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
ea76a8f27c82c343d0878bbdc5b61746

SHA1
d5003d05860c746f3ed231a4e0c90b0fbb6847b1

SHA256
06f03fdd442560a2f285bd0bafcfde2443ac1e7434d75185e70667e898640ce3

SHA512
1d20d14a3e98cefba74514b1586b7708b9a98ab02c4e28a41b671dc5eff4fb45427e12d75ac7868176c72fab2b57b3d54dbde1b37c00bc8febcbbe6a117ca3a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
1c8b05edcbc590736da448293dcfcd4e

SHA1
c7036475a746d84f01a7d399db2257cad007e967

SHA256
7416c2fe0e81f82fa351a4d484f15f941799767a6dc49297ae60bc900783f319

SHA512
ca71134631cb284b8de193eaba4f09c254903747076bb56520a60b97486080bbea79942a477f02bdfb10bb4ead748a996de7995926fac4a49dbf96bdda0ef862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xeno.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47F6.tmp

Filesize
1KB

MD5
1e78117969f90bf8f7b3c698c5037874

SHA1
8cf49de603072420bd6f788f59da0ea363a32352

SHA256
8ef88e1b240d1bc3b39921b7b4f8fa9bb06d2b8ec2c7e30e62decdb40a309172

SHA512
ef8d712fe12aa0e5e3210ca2762e8ebe73f169deed848cb7b5e213b75853708d1bc4ac50b03c473b8cb25cc245e9e4c8ca6257bbaa7b094478e41b6296f50815

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\xeno.exe

Filesize
45KB

MD5
b88f9cd14eca3f33c2819b1c96c552fa

SHA1
707c68257c2ea97fa4591f58be326e1308fd1106

SHA256
7aad3fb29bcdcfd26a097bb164fca235000f461e1fa0a9c7434a770a3b1b36e1

SHA512
7ef211c52ae69c8680ed7fdf8dadd2f2fe64f6669f8f52394e58b53e273f3532126449dab2cb0a3a82cb2d5bd6eb1b0a184686d81f7d3338616eed3f0d2ac65c

Download Submit
\??\pipe\crashpad_1952_VFUTSYGYUMWXPIKV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2848-0-0x0000000074BAE000-0x0000000074BAF000-memory.dmp

Filesize
4KB

Download
memory/2848-1-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/4628-23-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4628-22-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4628-21-0x00000000066D0000-0x0000000006C74000-memory.dmp

Filesize
5.6MB

Download
memory/4628-20-0x0000000006080000-0x0000000006112000-memory.dmp

Filesize
584KB

Download
memory/4628-19-0x0000000005BC0000-0x0000000005BCA000-memory.dmp

Filesize
40KB

Download
memory/4628-18-0x0000000005C30000-0x0000000005C96000-memory.dmp

Filesize
408KB

Download
memory/4628-16-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4628-312-0x00000000063E0000-0x00000000063EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads