e2157140596246478da3eef7ac3c3279e69ed1c6820ccfe2cd3f3b90c4b9a288

Analysis

max time kernel
311s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno-v1.0.8-x64.zip
Size

4.1MB
MD5

c232bea765c6edb442a8709a2a012279
SHA1

904cbb05a56948661a34a75f4d5484dce7cb6c03
SHA256

e2157140596246478da3eef7ac3c3279e69ed1c6820ccfe2cd3f3b90c4b9a288
SHA512

3a10f27efc5d04941bdfecd642c5241b5d2a5db5d894d6c043ef46d47084780c2f1aa8bb37707fc5b146f326855503dcab2a9670cb1e73326f332f90a9c0e5c6
SSDEEP

98304:N/eSPH4j0NL9Cteaqxt5JwlVLnwphakez+DnDHS9aIhaIkT7DRVou6NW+zsQ:NWSf44l9UeaSt5J4uhJeyLSZhw3R+7NJ

Score

8^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 31 IoCs

pid	Process
2872	Xeno.exe
1968	Xeno.exe
4144	Xeno.exe
4076	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
700	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
1804	MicrosoftEdgeUpdate.exe
4008	MicrosoftEdgeUpdate.exe
2128	MicrosoftEdgeUpdate.exe
2032	MicrosoftEdgeUpdateComRegisterShell64.exe
2956	MicrosoftEdgeUpdateComRegisterShell64.exe
1560	MicrosoftEdgeUpdateComRegisterShell64.exe
3376	MicrosoftEdgeUpdate.exe
4636	MicrosoftEdgeUpdate.exe
884	MicrosoftEdgeUpdate.exe
3796	MicrosoftEdgeUpdate.exe
3180	MicrosoftEdgeWebview_X64_129.0.2792.89.exe
2144	setup.exe
2768	setup.exe
4212	MicrosoftEdgeUpdate.exe
832	MicrosoftEdgeUpdate.exe
4816	MicrosoftEdgeUpdate.exe
3416	MicrosoftEdgeUpdate.exe
3608	MicrosoftEdgeUpdate.exe
1000	MicrosoftEdgeWebview_X64_129.0.2792.89.exe
4092	setup.exe
3764	setup.exe
3536	MicrosoftEdgeUpdate.exe
3800	Xeno.exe
1180	Xeno.exe
3476	Xeno.exe
4720	Xeno.exe

Loads dropped DLL 64 IoCs

pid	Process
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
1804	MicrosoftEdgeUpdate.exe
4008	MicrosoftEdgeUpdate.exe
2128	MicrosoftEdgeUpdate.exe
2032	MicrosoftEdgeUpdateComRegisterShell64.exe
2128	MicrosoftEdgeUpdate.exe
2956	MicrosoftEdgeUpdateComRegisterShell64.exe
2128	MicrosoftEdgeUpdate.exe
1560	MicrosoftEdgeUpdateComRegisterShell64.exe
2128	MicrosoftEdgeUpdate.exe
3376	MicrosoftEdgeUpdate.exe
4636	MicrosoftEdgeUpdate.exe
884	MicrosoftEdgeUpdate.exe
884	MicrosoftEdgeUpdate.exe
4636	MicrosoftEdgeUpdate.exe
3796	MicrosoftEdgeUpdate.exe
4212	MicrosoftEdgeUpdate.exe
832	MicrosoftEdgeUpdate.exe
4816	MicrosoftEdgeUpdate.exe
3416	MicrosoftEdgeUpdate.exe
3416	MicrosoftEdgeUpdate.exe
3608	MicrosoftEdgeUpdate.exe
3536	MicrosoftEdgeUpdate.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Xeno.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Xeno.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Xeno.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Xeno.exe

Checks system information in the registry 2 TTPs 16 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\msedge_200_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\EdgeUpdate.dat	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\msedgewebview2.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\msedgewebview2.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdateres_uk.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\qu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\ur.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdate.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_gl.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\identity_proxy\win10\identity_helper.Sparse.Internal.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\libEGL.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\identity_proxy\internal.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Edge.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\psmachine.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\VisualElements\SmallLogoBeta.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_sq.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\nl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Trust Protection Lists\Mu\Content	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_es.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\msedge.dll.sig	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\EDGEMITMP_9A12F.tmp\SETUP.EX_	MicrosoftEdgeWebview_X64_129.0.2792.89.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_pt-BR.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\onnxruntime.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\sr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\PrivacySandboxAttestationsPreloaded\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\eu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdateres_quz.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdate.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\NOTICE.TXT	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\ja.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Trust Protection Lists\Sigma\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\129.0.2792.89\Trust Protection Lists\Sigma\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\msedgeupdateres_ur.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0007000000023cb9-84.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3536	MicrosoftEdgeUpdate.exe
3376	MicrosoftEdgeUpdate.exe
3796	MicrosoftEdgeUpdate.exe
4816	MicrosoftEdgeUpdate.exe
3608	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133736445569740640"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ELEVATION	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.19\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreMachineClass"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31FB561A-CD57-4AF0-AE52-5652A86256B1}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\LocalService = "edgeupdatem"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{31FB561A-CD57-4AF0-AE52-5652A86256B1}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.19\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
2872	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
1968	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
4144	Xeno.exe
5020	chrome.exe
5020	chrome.exe
1804	MicrosoftEdgeUpdate.exe
1804	MicrosoftEdgeUpdate.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
832	chrome.exe
1804	MicrosoftEdgeUpdate.exe
1804	MicrosoftEdgeUpdate.exe
1804	MicrosoftEdgeUpdate.exe
1804	MicrosoftEdgeUpdate.exe
4212	MicrosoftEdgeUpdate.exe
4212	MicrosoftEdgeUpdate.exe
4212	MicrosoftEdgeUpdate.exe
4212	MicrosoftEdgeUpdate.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
3800	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
1180	Xeno.exe
3476	Xeno.exe
3476	Xeno.exe
3476	Xeno.exe
3476	Xeno.exe
3476	Xeno.exe
3476	Xeno.exe
4720	Xeno.exe
4720	Xeno.exe
4720	Xeno.exe
4720	Xeno.exe
4720	Xeno.exe
4720	Xeno.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1476	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1476	7zFM.exe
Token: 35	1476	7zFM.exe
Token: SeSecurityPrivilege	1476	7zFM.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe
Token: SeCreatePagefilePrivilege	5020	chrome.exe
Token: SeShutdownPrivilege	5020	chrome.exe

Suspicious use of FindShellTrayWindow 55 IoCs

pid	Process
1476	7zFM.exe
1476	7zFM.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2260	OpenWith.exe
1736	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe
2540	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 808	5020	chrome.exe	112
PID 5020 wrote to memory of 808	5020	chrome.exe	112
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 64	5020	chrome.exe	113
PID 5020 wrote to memory of 2908	5020	chrome.exe	114
PID 5020 wrote to memory of 2908	5020	chrome.exe	114
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115
PID 5020 wrote to memory of 960	5020	chrome.exe	115

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xeno-v1.0.8-x64.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5032

C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe
"C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2872

C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe
"C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe
"C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff98872cc40,0x7ff98872cc4c,0x7ff98872cc58
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1720,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1712 /prefetch:2
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4408,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5184,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3340,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5140,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3436,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5544,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5560,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5760,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:3572
- C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
  "C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4076
- - C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1804
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4008
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2128
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2032
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2956
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.19\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1560
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkYzQzEzRkItNUMzNi00NDc2LUExQTctMEQyOEMwMTQxNTJGfSIgdXNlcmlkPSJ7NDYwQzFEQjQtOUYxNy00NzNBLTkwQkYtNjFDMkQzMDE4QTZGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0Y0OTk1RkIwLTIzRDMtNDZCMC05MUJDLUIwRTEzQjZDNTVERH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU5OTY0MTg3NzQiIGluc3RhbGxfdGltZV9tcz0iOTY2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:3376
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{6F3C13FB-5C36-4476-A1A7-0D28C014152F}" /offlinedir "{961BB9B5-5E43-4024-9647-49B805AB5C26}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4636
- C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
  "C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:700
- - C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU7584.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4212
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /healthcheck
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:832
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qjc5MDFDNjEtMEI0Ni00N0VDLThDRUItMDEyRENEM0IyQjdDfSIgdXNlcmlkPSJ7NDYwQzFEQjQtOUYxNy00NzNBLTkwQkYtNjFDMkQzMDE4QTZGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezlCNzlDNDlGLUEzRDQtNEU3NS1BN0FELTcwQzgxRjkxRDBFRH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjE5IiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4xOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjEwODI3NzY0NCIgaW5zdGFsbF90aW1lX21zPSI0NiIvPjwvYXBwPjwvcmVxdWVzdD4
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:4816
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{B7901C61-0B46-47EC-8CEB-012DCD3B2B7C}" /offlinedir "{C0777F61-119D-4583-8C7D-2B5B14A25866}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5196,i,2704254893544843221,14316427924464309308,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4472

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
PID:884
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkYzQzEzRkItNUMzNi00NDc2LUExQTctMEQyOEMwMTQxNTJGfSIgdXNlcmlkPSJ7NDYwQzFEQjQtOUYxNy00NzNBLTkwQkYtNjFDMkQzMDE4QTZGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzVEMTU1MDMtMjlGNy00M0Q4LThBNzEtRDg2MzJCNzFEODgzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2xoVmkxMlFjazZTbDB1VTFPQjZZMTUyOWJSNmJzZXk0K2N1N2RIeHM2Y2s9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzI4MjkyOTAyIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNzI3NjU0Njc3Nzc0NzAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjAwMzI0NDA2OSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3796
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\MicrosoftEdgeWebview_X64_129.0.2792.89.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\MicrosoftEdgeWebview_X64_129.0.2792.89.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:3180
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\EDGEMITMP_AAFE5.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\EDGEMITMP_AAFE5.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\MicrosoftEdgeWebview_X64_129.0.2792.89.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2144
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\EDGEMITMP_AAFE5.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\EDGEMITMP_AAFE5.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=129.0.6668.101 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4F2D6920-4598-4C00-910B-939DD69F39A9}\EDGEMITMP_AAFE5.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=129.0.2792.89 --initial-client-data=0x24c,0x250,0x254,0x104,0x258,0x7ff6ae0a76f0,0x7ff6ae0a76fc,0x7ff6ae0a7708
      4⤵
      Executes dropped EXE
      PID:2768
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NkYzQzEzRkItNUMzNi00NDc2LUExQTctMEQyOEMwMTQxNTJGfSIgdXNlcmlkPSJ7NDYwQzFEQjQtOUYxNy00NzNBLTkwQkYtNjFDMkQzMDE4QTZGfSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7MjVDQ0NCNkUtRkYxNi00NTM2LUE2RUQtQ0UzOEQ1MDgzMUQ5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2xoVmkxMlFjazZTbDB1VTFPQjZZMTUyOWJSNmJzZXk0K2N1N2RIeHM2Y2s9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyOS4wLjI3OTIuODkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYwMTAyNTEzMDEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MDEwMjcyMzAwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjAxOTQ5MDg3NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYwMzYwNTc1MDQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjY2NDI4NzU1MjkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZWQ9IjE3MzkwMzk1MiIgdG90YWw9IjE3MzkwMzk1MiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjEiIGluc3RhbGxfdGltZV9tcz0iNjA2NjQiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3608
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\MicrosoftEdgeWebview_X64_129.0.2792.89.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\MicrosoftEdgeWebview_X64_129.0.2792.89.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1000
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\EDGEMITMP_9A12F.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\EDGEMITMP_9A12F.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\MicrosoftEdgeWebview_X64_129.0.2792.89.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4092
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\EDGEMITMP_9A12F.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\EDGEMITMP_9A12F.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=129.0.6668.101 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\EDGEMITMP_9A12F.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=129.0.2792.89 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff6e8d876f0,0x7ff6e8d876fc,0x7ff6e8d87708
      4⤵
      Executes dropped EXE
      PID:3764
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qjc5MDFDNjEtMEI0Ni00N0VDLThDRUItMDEyRENEM0IyQjdDfSIgdXNlcmlkPSJ7NDYwQzFEQjQtOUYxNy00NzNBLTkwQkYtNjFDMkQzMDE4QTZGfSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7NDZBNjQzNzMtMTUwNC00RjI3LTg2RDMtMjdCQTU0NkUxQjYwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2xoVmkxMlFjazZTbDB1VTFPQjZZMTUyOWJSNmJzZXk0K2N1N2RIeHM2Y2s9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyOS4wLjI3OTIuODkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYxMjMwMzUzNTYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NjQzMDMxNDAyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjY1MTQ2ODk3NSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY2NjQ0Mzc2ODciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjcxNzI5MTEzNDYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZWQ9IjE3MzkwMzk1MiIgdG90YWw9IjE3MzkwMzk1MiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjEiIGluc3RhbGxfdGltZV9tcz0iNTA4NDgiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:2244

C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe
"C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe
"C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe
"C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2540
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\XenoUI.runtimeconfig.json
  2⤵
  PID:464

C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe
"C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\129.0.2792.89\Installer\setup.exe

Filesize
6.6MB

MD5
b2b8b59239badeaed5735309a8ee41f6

SHA1
74517558c67543cc43205fa5a3103983acc6695d

SHA256
b835fc75b2cafd3860b419eb711697e15aa30c7912fd989312253e19ff0b8a50

SHA512
67a90661cb5f8923062a5364a5c3461a928d8425e9b5c3a260431f91be55343aeca0387b8f374468dd0ec46c52b46c2f2e12f5c9c5a4b9ce72889ee159d0bc61

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FC033F0A-CA90-429C-A118-6E737E039121}\EDGEMITMP_9A12F.tmp\SETUP.EX_

Filesize
2.6MB

MD5
4c9d6f28d890abf84c521aba32b8339e

SHA1
3ae501680d971e15aea406cb572c28e39b73fda9

SHA256
2e5ea05380be6baa080cbd7621764b999381d6fa4bff0af1dd067c0193e51f6e

SHA512
f7c11234285a119e3705c72ca1511c35ef76c9775061f7e1a8f498d02bd38578be8db25f0be6b6f37434273aa230aac470d7011c65a8fe1db3feed45d0365717

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
b0d94ffd264b31a419e84a9b027d926b

SHA1
4c36217abe4aebe9844256bf6b0354bb2c1ba739

SHA256
f471d9ff608fe58da68a49af83a7fd9a3d6bf5a5757d340f7b8224b6cd8bddf6

SHA512
d68737f1d87b9aa410d13b494c1817d5391e8f098d1cdf7b672f57713b289268a2d1e532f2fc7fec44339444205affb996e32b23c3162e2a539984be05bb20c4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
262KB

MD5
e468fe744cbaebc00b08578f6c71fbc0

SHA1
2ae65aadb9ab82d190bdcb080e00ff9414e3c933

SHA256
7c75c35f4222e83088de98ba25595eb76013450fc959d7feefcab592d1c9839f

SHA512
184a6f2378463c3ccc0f491f4a12d6cac38b10a916c8525a27acd91f681eb8fb0be956fc4bdb99e5a6c7b76f871069f939c996e93a68ff0a6c305195a6049276

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
b0da0a3975239134c6454035e5c3ed79

SHA1
fbea5c89ef828564f3d3640d38b8a9662c5260e6

SHA256
c590d1af571d75d85cfe6cb3d1aa0808c702bcefd1b74b93ea423676859fb8ba

SHA512
5fbfa431a855d634bcbef4c54e5cc62b6435629305efee11559f66473c427ad0775c09364d37aaa7a4a8a963800886f6547a52ae680a1ff2c4dcc52c87d994bb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU4B86.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
be845ba29484bdc95909f5253192c774

SHA1
70e17729024ab1e13328ac9821d495de1ac7d752

SHA256
28414cd85efe921a07537f8c84c0a98a2a85fdbd5dfa3141e722ed7b433d0a96

SHA512
2800ec29ece429151c4cd463c5042492ac24e82b4999a323607d142a6e1a08cb69258190a6722afbbcfb3c9cdc6eebdedf89ee6549e0f420f6fbae3aa0501fd4

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
dc6de82564b98e50c7315e4f3febe836

SHA1
e5c8c0badef0d7f0ac1432256dc7994804e20b36

SHA256
e95d281161a2bcddd7cbf7ebc4e070de0686cd5d1be41431a0df90615523c7bd

SHA512
c549138e0507d06a5907b1c6b681cc7aa00528d0393be1a7ee5475dc19f3527a548cb57d605084fe347cb5c66dc109da5c2fc3f412c2a683dac90bf0fc2b148f

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
95KB

MD5
6aab5f963739722710690c9a8165cf2b

SHA1
c96237f16f064a6048b88ae180fd742d2dbdcab0

SHA256
ba9bb4af62bc47bbfd3c55f018027018bea810cae8c8fa4b3a281a50df3fbed7

SHA512
a67d40d0e3eb3a18f0a18c6e448c9b574d6aed7fee0fbda7f8baf708192c9be50de774e908112ab904e93d9e3e5da524ba904b94ac1b7634f66fdea153dc5110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ef637c3ffaae0ecc1157017c4c280df9

SHA1
1bb074c41b08c3ddff5889c1478b68d071c4af71

SHA256
6c2c0baeca4192febcf65f929c970fdf5e242fdc3344576fb0eb166f96087fc9

SHA512
3b05964f00464126d9ab2b59455172560a6eaf3e8853523286367de06f7f07e300350326a20ef4516c7576a9b005a03f8d404573651a1a0d730de37375915d09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7c824382b24a48b8df5a1afca6aa5ba1

SHA1
b0481d9eeba5a935cda2ca4dd37ce667d4755441

SHA256
6a8f6ce8ef1d0e18e11e817ffa64dfab14fcb02484a90fefa440aec846d7cde9

SHA512
3113d58ed95b4c691cb869fc991d2e247c0050a38eea289974709cab3e8ccb0b6999b86eb0c713f7736cafd417617d7737d4ffbfc77258119a073b3f465ee645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
334472003a02adce5be36aba63d9b5a4

SHA1
059a1196e9a1e20a6fab210ec186946dc6c4dc4d

SHA256
aa38b2c7337ba77ecd34a282058d0996b0fe106b8b2f9053e945c87be54fe447

SHA512
a721116d4126253668a398fb50d48cb0a6a7631b8bc69302b1d4fdeb3c7048732552f0864bede83922ca36f3ed4fadaf2d40455d0f18dadc93d909143c20d94c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
41213dc773a73586da47ea2d2476dffa

SHA1
14d78eb14a17952318bd2a1d49f3c44aa50e9b92

SHA256
7299cd905641e8e78296e8cb3c84acca45de95315466d4580289d9c913680a34

SHA512
dc58bb64733cbf8b0696c100176c6a6643bcd1fb5922afb1ba4224e6e11cbc6d3a6946794b68654e3cae30fb5b1f2428f8d42bfb8cb59609133e72de4121ebdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
802cf0f43b57bb710143c89a97205529

SHA1
478ce395f4ffee08a1ab69c7f680efb6a6c31f8e

SHA256
eec518bc8488a9f374e1a5439c6d5d163b066b0cf47d143940d0d146f6052134

SHA512
6c384fc2b336175d8f993616b29defc8dec2b53fdec56f11d375220c1c12597195b323cd62a4740108ba5728c99359adbb4cb1cc2a91c92c5d433819d6acf674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
182e6f4ac9e55a02f7000471b6b2fc2a

SHA1
1bd1497bbb680e7ba13b2789857025f931a35611

SHA256
502e4839b9778db32f23809c806a3f3ff384ecda0eab8c6979de2a83b48826c5

SHA512
f8f482bc739b838c9725834e12fc33c70ccbb76178e0bc0f0a55d090233f64819257b719aee3038184c0baa2c172ae1d13b4cf665a6ab875283e4dd5881c9139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
ad5446b6881393226021da8860737fd8

SHA1
16417acfc272222c97bec046f1bfb9e1775c47e3

SHA256
150d5308b11f9e3632dcb98623217832c97440ef1782f5687c30816915d371d1

SHA512
d5266728491ccaef9a55e288b3d59b1b31e8859e4f8e18bd06170fecbf3f46e1c7e57907ed6fd18f342e111f43e349c0316be374cfeb6fdba6df2d828379edc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
f80e270f4893a61baa74f0119340aef9

SHA1
0d63dee1fd7527b49ad8d66644c73e42dc552048

SHA256
84e17a71607353ce465e8fffe17e5f920da928f57d69f98bfc6af9bbe6ba93cd

SHA512
82b6eca667c9cdfb4c62157963026f6ea88f686bc492cd52a19389b51a812bf61288bcc02c2f56397edb2aee4a53ad0b0d8acaaf93dcc9b38d078e7cd02df525

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
00f89812b6caeea4afa9413fe58fef84

SHA1
47a697bcc46485cb76a6428770041e2decb2d5e3

SHA256
4bc443e9af24776543bda846ceb1d1b63f29494518fcb7c68fff6fc0988569d1

SHA512
7dac7fb876ecef77114ab2d1c313e87c150f77702ace6aa14bece0de95f6ccb7845a4678ce7f0b88d1025a4c07263969f8ff58f53c75e9e581e3a7504e9146fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0da700e628365a5e0ce137ab003c9578

SHA1
f0380f62f4ba76a850140b1405bfef99101fccf1

SHA256
de0c9b5e8759367191e14109a0e2cc0cbfc808ea782953effd63c260f4bff673

SHA512
712559ff91830dbf2feb1562793f6643b2e350da3d0613eb4370991b057212edb78ffefe24228821b05e2d3e9413081f6d68ad7fd5b26133645dc344c2407ebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d02736bc520af2383038ca200b172fd2

SHA1
8690ae1d904c20a6e9c7eb4ece375bb0a61c9fbf

SHA256
699c7d50359ea304e987a94a0d8c6b170002bb44c7ac0a1d025f9feb81ad38b1

SHA512
7187b741e717fc34bee3ff3a5f85538d05119643e7910c39020350716f4fe31b0ca7b59932b30be1112ffeb0db78626c0a388bd7fb88770a2c7863ff1913f060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
82256ea63b2e2be502f648a5970d22d7

SHA1
585d82371efd1809af770eb55ad2ba9ac547a3b7

SHA256
6eb8b12edaf5c1f0d678a729707b33cfddc05822b3ef1eb355d7609764dd80dd

SHA512
cfc8c5ae870f125b5b8e29010a4f0065c3832727bf181a1aa7e5ecf690ca641183a69094fed42dc3851e08d3434d1daf6466c8f9d1fcf3266db73b686d6a914d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ee63ec19c23bcf332b8e32c4c092f900

SHA1
4e2a23227cc4ea01f65dcb9d424d93f825a0c6e3

SHA256
d9e91118f22f5cd94b79c18e356cd2efcf96f902c7e6a7f0c01e3d97a545e9de

SHA512
7cfafa7102300f099d5d0ef74cc668ef1041d746d33d9bf56f55255cc19558c3d9a8a3b1232e7a97bd52ab222da79916a2ca0e713244c1c817239ddbc327aeed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d171bdd31c4921775b6832dd960a200

SHA1
c7c654c384bf5db1be70478ec2e58d4fd1628ff2

SHA256
055d27e098a27b7f87a12b392d23cbe8d1f3a677c26c42e595e29f3395569118

SHA512
fff42f37371e43ccefbfd1aef3734ebfd7efae17ee726558ee193f62c3a37ae91bc0c889ccf084612c6dc4be0e8b670f5ce5c539f15f0ef5d36312c21b921115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
75e1a045b444e1f06697eba9cc23a680

SHA1
f26fdca6bbb94899df1f48572522ed90d0664df9

SHA256
1131c25b0ad14764ce9984ddb6ae41058ea3870119536aaf7bd4e510b0989664

SHA512
36a14dd865f04feb8f36190b81a77176572ca2be6bb82e399324e3fe3e2faebf01ad1925a1ff3e331827d65ed7d338fc2550d2d243d02d1e1098dda7f85aa4aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f8fec70f3ed8e831233cfd85aa8191d8

SHA1
2100571b699a4a148db9d6fbd2e3fff01bb310d8

SHA256
9f23ebb7e5f98e5bee91ba6d7a73b5fa0651eeaa7d62278b8ed51f502b003517

SHA512
4202aaa379c4bc308be0f63fb2e035559e57748d70484fb963d7814e4ebe0fc541b2cf193977530e8954a92180dcbe71ace4561a91e581bfb9fa0b982431b255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1f8599e6e216a712fbd2ce03d3cb1f3b

SHA1
901e377db4da4e286363343c360267a5fbd5abcc

SHA256
f8e8987ff1f035efc19620009656db500e56d0746e7f05fd16b0cafd78cd7b73

SHA512
6c8c50f1165ab5a4538d8910c156e0171c71090bf121e8aaa2ee8929907479c67d30db58eb6b7d78c45670e1a67491813043d631a409d2d5be22cf15e67591e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
177a1d2854c732394287251c21665973

SHA1
96d3f03fe1bd4e5a27ca663be5571fe1303be7bd

SHA256
21cf20f1c3570deb9aa004bfa5138e51553720bd0c228ebd151a03d50eda3d77

SHA512
c7af92f2ea7baf285d81a77b274cd39bf1a40e2e40a97e6922579f7b713c3c63521f8db5d3c2417c88653ca68a234ee8c8bd4c07271f613a1d088fd02e406c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7d531031a34de58b31c5040b89fb835b

SHA1
a306cf0603445065a09938d49255be6fd137a907

SHA256
dd6e574cb50abf800f8f8b449c25e579fdd81d2a74e6d897baadb7b1987447e7

SHA512
afca8277148f791cc69814ddacadfec1f03e3931ade53dd6191a7eed4c7927613024e98f6c3d7113362409b61842f8f40076b7f610bdb4f4e7f0381eea8bb5fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d98524ba1667836976fd26739e3dbc2a

SHA1
89bffb0bf45623fb2056415ac6b6f205e3198ccf

SHA256
7e06de1a75d2f31beaf6449ad0d36e8e8ef1a8ba12922ee4207854545c1f7674

SHA512
9aa6975e3d86a0d5e09ba592502c3c812005a3c5473b5feff0c57c0d39a86ac053cb25c9fa4851b8566bca8c64f19813da1ee6bfd409d23fc7c61eb8059af9be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
86ef66afabdbd6ab607f514ce407abd9

SHA1
93cc53c77c469e749fc8c9db3e3d9db70ddc42fb

SHA256
4405424673b8ece861d83e016a0ec48b39aee679aa9ef62b15a1ce73bab74e2f

SHA512
6dd2fabab0fd35b528ef0a894c34cebc2d3ef642e8399b4080feccd98aa4efb57aaf2c0668ab69cbb6ffc0efdc3b287ec287fcd35c5ed467c171da9577341e34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
af16a392366a3b4ba6c8414c5889a37a

SHA1
5fe5ba62f5091f65dd748ac4ee059a01be2ad86c

SHA256
65d9ce52f32b63267f51f67d01c0e52cf02ea3ec09525ee6bbe150e90b8fbadf

SHA512
1450f07b86aa4f8cce2340ace281e35e1fc06f246911bfdf5481bd8ea5ccfc34e2b10193ad9ce3ed87acc953e045c49b8bdec474e0f567aa70e9bca48b81aad1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13c8cd39b49cfe9803597b01d63147be

SHA1
a8f08efc6882efa7eb180bb649c605b06481f215

SHA256
f1a329a8a768db028f65c37fc85ee0c31521e01bbd88e8a418b24c27369da927

SHA512
dbb08e67103a2c47794e40146f2342d0f595b9bb23670bb0607c41908c76da6b4ae23039afe536ab5195b600434d1691d20330e5421571e5ac499e7ade2142ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f21b6d265205ed2d7105b7349168ff42

SHA1
d8dbf1b167593187161d6882b006311b5869a16f

SHA256
6c37b9eeaf46cae4071f9481f1ed279ca8e730ec779db1474d926791b5c7664f

SHA512
4ff3cb942b2ab915fdea1a2fba4c9d763818056da1a9636cecdd7a2d6e296acd77b4c7c09b1b30a680afa4c0959ff9128b61e83b926ba14c008d12c58c2cb04d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cba841e137525beb9b09990b2e21b0dd

SHA1
5b25dc74edf6cd68147e88124a45105e9a0ad0f0

SHA256
eb8a7f872cd0a1a6d127eee96a1e4f4a1137f4cbbc694b2b765e357ce8a079dc

SHA512
0503121fe2f7c02d0819c879b3779ee88e95dbc668de18dff7d788fbe11ad0dfbce8be95bf15558cafde42f091c83f09de54c29ee59be3a72eaadfe2de88f53f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0c6460907fe70e2b5d09b9a6a51d55e0

SHA1
655e653c974cdddbb472268cc283e14b92d56500

SHA256
36402c65d72e59cd6bf112213495c825f6821fc176f045b6a5820acdfc47bfd3

SHA512
7b060d94138e270ec778791eb2912e1bda516d37c7856afacd5be4cd299cf4bff67b71155f07f562103710ed176198d2c95b3d7c4283b141e4f0a953b504e6de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f63dbfa7-c7fe-46b1-a64c-df89cc2e8541.tmp

Filesize
9KB

MD5
f0d506fda2aec495bef6c21be7e4744c

SHA1
face4dbb941391d52d2df055930a8997a7a936a7

SHA256
6533ada8518b049726c81edf70d31d55055416cde588d7b90e8c90a6eb27952d

SHA512
836e636acb6ed30d8c6f305cbc8b6afe51b0a40f319f85db02f253e4089bc6b4f3c9ca520e41a25a025e47cd534d3c5b50c801061fc6d89bd7cd67e48ec827aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
b09558d00452d0a0a4425bf118b6955b

SHA1
66885481d4a2cc1dcfd58efad1ae4993fd1f4c56

SHA256
607e6f2258f3551f8c87383e811184a0b51fb9b44c4cb3bd4cd3713cfcab5f30

SHA512
13949faea4599afbad9eeac92bf9023972f2e8ae2422be2ce22aeb24c12679ba103356736610fc19828d32451aa2eccfe773249d6955a66cf5c77389c7936ba4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
7ce88a99749d1254848ce0c3a17572cc

SHA1
3f7b34c1a51da1e878657481c32d7bece0552846

SHA256
e754c9ebdf8d97c8acd4c773c81eb7f45e9c3d9f1bd77fe136d81b7bda2a5b18

SHA512
ac369c5b81786049480a2afee12ed84bf0a03248b741ec64e18d1c49fc02eb45481f09bf3c56a40c813da73cf25fa05d083ddc12e72263df600ca7cbfe222d52

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Microsoft.Web.WebView2.Core.dll

Filesize
557KB

MD5
b037ca44fd19b8eedb6d5b9de3e48469

SHA1
1f328389c62cf673b3de97e1869c139d2543494e

SHA256
11e88b2ca921e5c88f64567f11bd83cbc396c10365d40972f3359fcc7965d197

SHA512
fa89ab3347fd57486cf3064ad164574f70e2c2b77c382785479bfd5ab50caa0881de3c2763a0932feac2faaf09479ef699a04ba202866dc7e92640246ba9598b

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
4a292c5c2abf1aab91dee8eecafe0ab6

SHA1
369e788108e5fb0608a803fa2e5a06690b4464b5

SHA256
b628d6133bf57b7482a49aa158e45b078df73ee7d33137ac1336d24ac67ed1b4

SHA512
ca22adfff9789730e4c02343e320d80b8466cfc5a15f662cefe376b7ee29dea571004c1c26cd3f50c0d24e646f2b36b53fa86835678f46f335d65eec52431cde

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.dll

Filesize
921KB

MD5
dd4e31ef1fe1a2a31fbf8f58439cf092

SHA1
8ecdbc11ab0b3553c1c7a02d01ad68c142d8671c

SHA256
21c8e1a52b1bf4a0a6fe869665db02f62bc47f9b2431f202cbbd61bbab75b1b6

SHA512
a3678b5ae47c947e498a902afad57041cb0ac5ccd707a98ff39790f0120e207efaff4058511042ded8ef0081b722e962a7eef39f08a1cbc8984f86b5eba364a4

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\Xeno.exe

Filesize
140KB

MD5
02e28cf07a1ee59734afeb354d1086ab

SHA1
40a9d027f2d9077876741c9058c680919a4bd538

SHA256
99b5b7f5ab6335d3ac8a05e04e7d7a3042addd6a44b6cbdc14f6e1d31a26654a

SHA512
f05e699a0c545955124199b70127f33919d87a9ac3ba5f64b7bb66ece6590623d7c930689c40c1a8caa763fd67796321a202c51f197445bccfed0ee5e1e7ebf8

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\XenoUI.deps.json

Filesize
1KB

MD5
1d9878fc41040177b8d42d7e2d16b139

SHA1
329e72f0ea87331a5a042a4c528fd4c154dd5f17

SHA256
0bbd19d229e6072fe8d9bbcaebf69c35177386329955f6ecc63c27146296ce0c

SHA512
eae3f122975afaaf60629296392285f5c43000becb2c9e9d65f86e53531878dae51ac7780b11abc94e65162a41c472165c35a770e5230f84d949ec996b40c287

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\XenoUI.dll

Filesize
63KB

MD5
561811077e02f3f89cf6746859d13628

SHA1
f16dd63bf27052ad3a8dec5397e2ea8c63fb17c8

SHA256
9c9384a4e76023c8b0f950922807f02fb96d7d94c9d6d8e8e932d5583ca7be5b

SHA512
173ffd18e2efa343a895ee28cef7508ae49629b338a62945ed74e2c1f8353f0719bdf6691f6f1f4b647f0e1e576e0323f9a407adcb15c38aaaa20d7a095ca094

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\XenoUI.runtimeconfig.json

Filesize
458B

MD5
07b9a30265ca4e69c7016a1b6e3ffc27

SHA1
3a4af82a2695b1423aedd8b60a5c86793c011b02

SHA256
c71152bf25e40d647b2440c5b39be157a3d356106be9d5b678ab97bb87b4e782

SHA512
efd582f8edcdba5ef48d02eee5f73d83ff35071af99b49e08e0213928568d728d0856e3b903bfcccb9237f786846cf94da83139f99e9bee86287aff2071c3f1c

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
e3e4236c4483dbe1bc5954fd63c965b8

SHA1
ae8b364d2e43221466f2aa3f3c9412a713214c53

SHA256
923d7641e3655c627b80dfd63bd5e701a26e9b8b6186d56b901a60cb57494901

SHA512
7130ee5db3c7570f68b454df138926ac710e9095f1e4ff7d74ef0e329e793d20fe95eb6409730203cc706410c3efd2cf6b1c1eab26a655d29a1f74673cc8abc8

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\libssl-3-x64.dll

Filesize
802KB

MD5
4e2a30eba5388b0fe1838137a61ac255

SHA1
b6563a03f357478632d38f0f5ed28feb2af2ccf8

SHA256
ce0c322e48b95a719cd51728471e04197448d9f2ae1d0be0c99a745833dfd3a2

SHA512
4480c658eb4e3563f2622ba2a7f1f80a73e1f5aa27753030e1a7a8ca3abf07656067604e8042ca943d9cefc2524c830250dacf08ea7fc45d3bd7fa963b579917

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\runtimes\win-x64\native\WebView2Loader.dll

Filesize
161KB

MD5
c5f0c46e91f354c58ecec864614157d7

SHA1
cb6f85c0b716b4fc3810deb3eb9053beb07e803c

SHA256
465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

SHA512
287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\xxhash.dll

Filesize
46KB

MD5
0e9fecea29b2b3d5ef064e112436e9d1

SHA1
69423218652f7837766ce03fe9edeaf751266cc5

SHA256
73c84884a2ccde1d10bec0820a6661920e70e4b53fa99ad510acf5ed1b36af97

SHA512
bd57bc9b8298faffc091b928537794a50c81d985d60edba7863e2976846cb08fd469c6054ff7ec574df6f0a2aea1fb72ed9cff44fa219e834129876293cd2e93

Download Submit
C:\Users\Admin\Desktop\Xeno-v1.0.8-x64\zstd.dll

Filesize
638KB

MD5
567198a0119e3e2ec94208f1cda7aa28

SHA1
350224b13d1cc2f944a4a2bdd951e9ef80be5784

SHA256
6c63d08182dede465c95e48a235894e598a61cc24e0ba4556637cc9c1a1e0951

SHA512
ed01636af37932dca7aa7709389dba184e16f93aa3be4fe622850df0f791c85111367a10434edf0c986079069a3574e0acdbbac4d9cae9c58fc01f9f034f40ec

Download Submit
memory/1804-598-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1804-754-0x0000000074980000-0x0000000074BA5000-memory.dmp

Filesize
2.1MB

Download
memory/1804-792-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1804-599-0x0000000074980000-0x0000000074BA5000-memory.dmp

Filesize
2.1MB

Download
memory/2244-1134-0x000001EE29940000-0x000001EE29950000-memory.dmp

Filesize
64KB

Download
memory/2244-1152-0x000001EE31CE0000-0x000001EE31CE1000-memory.dmp

Filesize
4KB

Download
memory/2244-1153-0x000001EE31CE0000-0x000001EE31CE1000-memory.dmp

Filesize
4KB

Download
memory/2244-1154-0x000001EE31DF0000-0x000001EE31DF1000-memory.dmp

Filesize
4KB

Download
memory/2244-1150-0x000001EE31CB0000-0x000001EE31CB1000-memory.dmp

Filesize
4KB

Download
memory/2244-1118-0x000001EE29840000-0x000001EE29850000-memory.dmp

Filesize
64KB

Download