meduza | hxxps://github[.]com/Apietcsvmy/xeno-executor?tab=readme-ov-file

Analysis

max time kernel
251s
max time network
253s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-11-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Apietcsvmy/xeno-executor?tab=readme-ov-file

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4256-373-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-372-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-369-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-368-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-367-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-374-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-366-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-379-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-375-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-378-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-389-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-388-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-392-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-393-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-400-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-404-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-403-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-410-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-412-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-445-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-439-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-446-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-436-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-434-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-429-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-427-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-422-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-421-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-418-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-416-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-406-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-409-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-405-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-440-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-433-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-415-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-399-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-454-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-450-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-449-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza
behavioral1/memory/4256-453-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp	family_meduza

Meduza family
meduza

Executes dropped EXE 2 IoCs

Processes:

acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exea26ee7b6-b55f-4794-bc14-21d68e65d32d.exe

pid	Process
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
1752	a26ee7b6-b55f-4794-bc14-21d68e65d32d.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
2	camo.githubusercontent.com
15	camo.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2	api.ipify.org
32	api.ipify.org

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
3432	cmd.exe
2604	PING.EXE

Delays execution with timeout.exe 9 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
3724	timeout.exe
6024	timeout.exe
5336	timeout.exe
4708	timeout.exe
2800	timeout.exe
4292	timeout.exe
5796	timeout.exe
4048	timeout.exe
3896	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133773835011635460"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Update.zip:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2604	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

chrome.exechrome.exeacdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

pid	Process
5420	chrome.exe
5420	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe
Token: SeShutdownPrivilege	5420	chrome.exe
Token: SeCreatePagefilePrivilege	5420	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	Process
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe
5420	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exea26ee7b6-b55f-4794-bc14-21d68e65d32d.exe

pid	Process
4256	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
1752	a26ee7b6-b55f-4794-bc14-21d68e65d32d.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 5420 wrote to memory of 2740	5420	chrome.exe	77
PID 5420 wrote to memory of 2740	5420	chrome.exe	77
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 1676	5420	chrome.exe	78
PID 5420 wrote to memory of 6080	5420	chrome.exe	79
PID 5420 wrote to memory of 6080	5420	chrome.exe	79
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80
PID 5420 wrote to memory of 5228	5420	chrome.exe	80

outlook_office_path 1 IoCs

Processes:

acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

outlook_win_path 1 IoCs

Processes:

acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Apietcsvmy/xeno-executor?tab=readme-ov-file
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff994dacc40,0x7ff994dacc4c,0x7ff994dacc58
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1676,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:6080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4756,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4996,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4432,i,6869430727256907286,9317625824884367411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4708

C:\Users\Admin\Documents\Last_Update\Xeno.exe
"C:\Users\Admin\Documents\Last_Update\Xeno.exe"
1⤵
PID:2748
- C:\Users\Admin\AppData\Local\Temp\aa6eeeff-ce63-4b84-a126-78b90d837ed6\acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe
  "C:\Users\Admin\AppData\Local\Temp\aa6eeeff-ce63-4b84-a126-78b90d837ed6\acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:4256
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\aa6eeeff-ce63-4b84-a126-78b90d837ed6\acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3432
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2604

C:\Users\Admin\Documents\Last_Update\Xeno.exe
"C:\Users\Admin\Documents\Last_Update\Xeno.exe"
1⤵
PID:1316
- C:\Users\Admin\AppData\Local\Temp\3f1ac342-c65f-466b-a9ab-4bfcefe5aeb8\a26ee7b6-b55f-4794-bc14-21d68e65d32d.exe
  "C:\Users\Admin\AppData\Local\Temp\3f1ac342-c65f-466b-a9ab-4bfcefe5aeb8\a26ee7b6-b55f-4794-bc14-21d68e65d32d.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3f1ac342-c65f-466b-a9ab-4bfcefe5aeb8\cleanup.bat""
  2⤵
  PID:4796
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3896
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:4292
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:3724
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5796
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:6024
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:5336
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:4048
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:4708
- - C:\Windows\system32\timeout.exe
    timeout /t 2
    3⤵
    - Delays execution with timeout.exe
    PID:2800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
221c80a6665aac04e350ac3945ccef6e

SHA1
aebe909cdb04378bf589b060c7028ccdd5ba1340

SHA256
e9d4466cc184c1cc7f0451503b26f9137bbc0eba5dbe453c597ad23c96902366

SHA512
d655ce0f4ce12155f0dbfc1d763ab342ab8919c24b740b934fcdb862bf3f65ef659b5d601c6fc58bb69489e145d4d5b7c14bbeacd850d1d3d86773356620b531

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e189bf3c765c870168959ca11c7b5163

SHA1
7cb5dfd076c0e42338665a59cd56cca22314cc0c

SHA256
034f1d8d82738daa3cd4c175abcf378f1d7d5054c4573e695f8df3d2d1b5b572

SHA512
10c4f591b5af2f14da6a8e40dd305e13d4e7841c155dd989b813ff22721f2cfdbf91774ee756a0c673a62d2fbc19076dbaa5c7ec7e0ff1438791bf4f5cf6638d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
790c882ceb3bba0f12bc6a488d3ddb0e

SHA1
14d1fdc6c6c7d61183ad5b91be167fe3cf5ce57e

SHA256
bf9aa83e9b57737f0356683a20bbd9df92f4ea8141a7da3ebd4ee2c90599d870

SHA512
0876421c0c4bd7d0d7288efcbc2799e6868541e8e55fb2e2724e7a25b6edcc3b2b1717f8c6d49b7e92be7c1b166d97401d5ca1b9430721b76708760aeeb72011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
13KB

MD5
8eedc1387884224401d744be9b4b87e5

SHA1
5abe54ae873eefffda339e0dd6621dd891144c3c

SHA256
0d47020f6f4a6014c2536b8cfade1a08bd6d533493c11393514cd29e7391fefc

SHA512
05c33b1f2f622a2042777de5a9a1029e147fa0cd595ca05edeaf3db8921cf6b9c092d3d7c9460192efc2edc67ab1798e27aed8d5d61a488fff09b61ebbce8110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
610ac20d47e47177c022e63ab5b67a56

SHA1
3e87c35038e04ee7b7e1a6501a5a324056e886c1

SHA256
75d31930e0f7ea97aa69189ca76993e5ef2118d170f2d781bdacb40177268d9b

SHA512
8d6f6ce8c7be8eec3d01d01d2aa55f8181f94dcea1f84a1d384919bb0c59034dbf8c3cb903877cd0addd969f2a186c9aa53369a2a1553a58479a30ff3b7201fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8872ede8-a291-4204-b0e8-2c7fdba40033.tmp

Filesize
1KB

MD5
baa6e865a5dd1c4813246ccb4473f9ea

SHA1
9b3ab19f3ebeeb4f4cc822d5ab77926425fd43f4

SHA256
75f1b8060513f4dd0ba89e85be4c9ab8d308dea10a05011dcf5b33e188323984

SHA512
730b51f917baa27b688be7aa6a4cf0b15cf4bad28445512478e4c1d02e6755524e6ec846aa007e6f1a0a1123d62c975233477a369e1a1ba44795b2edbca02c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
3cfad762d242fe6a324c70f611e76296

SHA1
3ce32e7aebbaed48c37c1c0bfbecd79f2026c6d1

SHA256
1355b942aedb7efaf6f46d79703e3562704a6f891be849c7cc38fbc5962c560e

SHA512
07182103eb6f99e709c9c222cd53dbd90d99e684d4ec4d1ac2df4b2b79c9a7418cd5fa35a8d75c1a98437b0832569c883c1c1a90ccb566160860ce6f322bef76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9d1f60aa7209cd3f3fc79794cea35bc0

SHA1
d0ed1f135084652598ec6c6c4dfae38cf1c3b0db

SHA256
4534b60cce9a9ed9c439c2b3496345714dbeb16a837236b7e93084d4e70885a4

SHA512
5a449aa4f23ec9e675cfd3e56be897ef325bf9bcbe48159ff3baadc0fa4977a9160a16be1e9c307b44c06c86edd64f8757cf490baf9278aac37048cbd080e492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
56ed9deb47a994d87f966cc82de20dcc

SHA1
2fed24f6af9cfeeacdaddcffc79311aba6816509

SHA256
a17321692dbcb9659c482819461effaada1bcd0ff8f56f67e0d5b8d3d20edf97

SHA512
ebe1517c649513deeb039991d68f38e9aed4331e6b7f088618bd5e12869837083203ac0f7330334136a6e8578ee3751e6f79af7c1fdb33dc1849dafcdaf339c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
93bf36d1308dbd9435b933bf1e2599f7

SHA1
902b4c7b77e1d49eab3a5b2e3a2d8b4e3ee7d136

SHA256
8a8c579fe1c2cb1981f66d61d993a965655c9df3742cc0b321b78ad8c2867b46

SHA512
79d93b038e19f0807d2ace7b37471e2221776763f4b1ebba26b3a475443c10cf1ca1db1aca6d1a12d91849e7986514dc70c3b6f20fd2175488388a82b760bce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cab607a57c5f6b58c012fa0c6072fb52

SHA1
439614588cbefddb183f550ce7fef171953828e8

SHA256
f4f0d6d75edb8066f55a917c506c3c8b18baa07777322b805eee5912271ddc85

SHA512
72faea139e59e03093d22efdfa6abbacfa73a17041a167b8a90658f6d689ff80ccf7eb28ec1d88f2081f24d5f7e6ba40b686b1c10adf272e16fcfa420232028b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f185ba2a4790dd7bfba628edb9e969a6

SHA1
84e9e3e2b7bd395edc6f597ce777521009ca5d20

SHA256
171c4f197a8e13d292e751a706c4724e9bef0c1bc67a048e6497fb3e1b4f77c5

SHA512
db47411c05d7842922b5ee319a92eadd214e8e17a2bf3f717a0ad2c2422bfd353b879dfd5b6fcb460a658f378d9ea5415ae84d1af1eded08b783043fafaee84f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ae88b71bd8a9317a2688ea56c4e18d83

SHA1
0129384433f1b762b4796be8057ab93ccb5bd822

SHA256
e76f7414f3eb0954d8f313fd0f9ed7c2971acb7c0513ea21525de466033c3f04

SHA512
bcaf38c65793807729e3a982248ffc24397069a2653365df39d19bf3ee917159c551d3ccf783b6ac665140b95839f92e0bdd18a5a6ab0aca5e597e915de99b79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
633f6ac9211c8db45303886deb2d34df

SHA1
46bf13d649467c975599c4306aac592b798a12ed

SHA256
d458534de95b9f0331671c8e8b5345263716ea7fb6b5e0263c6e038dfb5b656b

SHA512
c2b95ad62323bcda969a2e522a89d17068d89fd3e33f89e8c1ca6357ecc5d965300cb2cd95c3b894ca3dd737f0706fcbad85b4b17ed3b6e455937de6179f433c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
224e506b2838ffb055c3d79b901ea7ca

SHA1
af6716b4043a6d664c405ca973d51169e24218ac

SHA256
8f2ac943e739f52efd153a21d849c8f4865f6f9baf7fc34136dd6686caa83419

SHA512
8a804e1818a19a65a5165333694b2e5283f037f02683d240dba917e3c196effbc3937b5cbc181cb47a101932dc5a4355203f3ab00857ea826b902d69540e47bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9d794639e995f2720c8de4c9bb9fb4aa

SHA1
45c3e9c4074d9905fbadac42ebb693158afe3b48

SHA256
63cd7dad798cd3e59b840e09289dfd25320871236f2fa84b89540a329934e917

SHA512
7dd8e91af487ae1e9f8620c035d31243ed0dd13324873a83ac0849e1531890742f72f0edfee86a4489305c400acca1f101f8038fe667d63c5fefe89b22c28738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e4c6e189b56a054385d13cd83bda9ab4

SHA1
bb1aae012d795774081c83576c663ba7dfaf64bb

SHA256
6ad1f079b30bb07f13c7f0b0e2e248a1cf0ae29ab054de38c8cefb683cec15d3

SHA512
1bf81d1a42190b5c21c5c2216c334bdd513788ca3d8c24e1e305f6667c7e57fbc9714bc684fbcb3e86eca0086d46298d650ca61b9fa20b4f5931ae92aa79341f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4db050e28e2614a5e427ccc26b960e30

SHA1
2d41fbe4f8c0d653140ba46c8c904c4c3571bea4

SHA256
a07dd59b45996de4167f938fd7bb1a98c3e504e0c2d1f37d959b4deb6519be14

SHA512
7567b6d63b1ecf69c67407a1ff5f91727fe729d1c933bfbb7d6682ee0853809ec41658d5df2075d7871568437cdd2ffe6089b2d90b77006e51071c38d7ea938b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bcfa995720cfe4cbb42b69a060618bf0

SHA1
08f76940ed7591c76521d73196ada68aa6afabf9

SHA256
1808d1d929dad975c08597d70192aab913dd7f981c2a8d1720b83b953161d44e

SHA512
5d789e8271261d79c9c96fb8c0410e57a8c4df8c6239e557dadc981f5c206b81fc53c91a2cd6a9b044ff0888448ef3bcfe7d666331d2c306afd60f840ff7a572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5601ec4a8a8db03f466f2cd609f3d53b

SHA1
16dc16d41c851ff51cdd364591c86420a37a8cd7

SHA256
fc79daad070e9d69eb11b2e1936053f5ab3741a7195588657113fa40d6d090fc

SHA512
e8720b8182cc63e507028feea5b224bb7b949a5507538c440dc635195561e0f52b9faa3fbab695b34232e3c8b64931139710d7fa53638b7b3b210acdf0ea64fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
82db1e04b1280aa57c5178744d881c4b

SHA1
6683fcb824e2dddd19bf1b5654259940e3ff5034

SHA256
86fc3967dbaa457e00ee2c4fe2304b7142afc9be844fd78cdd594765a0908ca6

SHA512
5358b21aa0ac222b75b4a4881a32e56041f2c3c93362c91014d6438034daa3b87724f023c35ec5e865675bbace13dd01fd0f5558426a4b8606f26e0b5c550c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8dc6be9090a3192abbaf7307c53ee9c

SHA1
b6c32ffd6aec7e28d462e812259106cc65a17423

SHA256
49279a5caf8f527f69752581b3c19c9a70d204ba073a004d10d49e92807873b5

SHA512
d4be82ecad77543b27ea21baa7fe1c85a9eabe719b2c5bdb37d1d6101cfe936aa8df2dc69f5973a8a2f18ec5039be49bdbca2fbde2590f0b8bca2f943c061459

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3a939d2372202799f1ff359941854259

SHA1
c83ffb4251dc83dc1b2104c47d208a9007d11408

SHA256
79e37bbc1021f4c49a54c3944e0fa66a01289968a4da110200bde1e4faeb891a

SHA512
9e2449b85e4eb17cff0ad80f5e1441432807ceec79a150a9accbb77c0629e2bb2edca75de3571b9fddb54589f6f2456fd2862d59efccb458da70b5ee4ec4c44f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d03d18597662076cb9c77781f0a45739

SHA1
db65ac60ec8c24d80b41659c95b03ff09b335f72

SHA256
000e46e05d33c14c66c3e7280250066893cf7164b30796a6d1bfff2e8356accf

SHA512
513af4082f6ca7d1e230ff7c4705927034e3628f234ec04a898f94164110abca4dc5576fcbf6f170a70f69849edc55f763b746d79d73b7dd5614869244230e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cbcb4f9d42735b5ba0d61aaea3a49ef7

SHA1
717758807eaf17364adcc597b31a93b6b13b9e69

SHA256
200aa50ba858fe08682d9831c4f36dd6fa02192b764a844d4a401c7f842e5e92

SHA512
8c9a85371143c27f24c297a1d2de8d0d7176be26ff54d752223ecd14c8b435a1ec9658f93ee22e0ecf717e67d8b6f80c7cd39590d1041f1b1b05dbaefcba1686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7718a65c336a1e0213383dcdfb9f8fff

SHA1
1096a6085d82f6bc942fffe1ea73e76a6dad5c73

SHA256
01ab5e39040a9139b43c1695a7d9adf87a0a0ef9b0075f03d05776678e8e1281

SHA512
e56ce76ac844f6c759ef53bd81f4b04fba2194dbec08ceba4a06fdd9f3649016c9319ad498dac8ae70c89103c09fde2f34f5d25a0cde149c0b04d4cae700a126

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0c2e0a60c6a2f827527e0e456aadc06f

SHA1
b7362ed352d2ff31eb79a6404005e7c9d5a5667f

SHA256
b1c9f833a7e7d5376b80e1bf6b374c1027bf28363fb0bb38b5ef8e296e9aa051

SHA512
b9bd261e0d07ba03efca753b5c9c53c57bf284c05bdc105bcfdd0d5e27dfb8d1263b9886dc891f40fccb9c37a79545b50d8a4946d64a368bc97f4372a02903b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
4c29751eb57097070c7e831065b8028e

SHA1
99bb804bc4af337e07bf01f0208238b742fc0a8c

SHA256
40f2298dffe13d80acbaa5ce42321b6ae9b39ef778937beeac989927f56eeb4e

SHA512
52ca15f8d89a5bd58e7b2ca831b3893c44baeb5715e8a1606f88b3c4db07886fe8b30563fea2b1de48250035b2d9a854723166840532d38fb651adeff977c2ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xeno.exe.log

Filesize
1KB

MD5
b8418ed2a59189acecef48efbc2eba7d

SHA1
14f53c898215122eb28ab41c94697e63a63ff925

SHA256
e17b3fd5b8c8ac454e8fa71e04fd011f27bfab2de07e0319be1d32e916f37a84

SHA512
1ffcaa0e0e5507fdbdb06eb08be210aa3482e587f76be82f2d35ba43a218e3b8c8e8c2aa37ab9d211ebdc7be7896cc53f6064b0694500cb235ef6a720ed9d25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f1ac342-c65f-466b-a9ab-4bfcefe5aeb8\cleanup.bat

Filesize
379B

MD5
84d9c2c6f466e20dcf31099e7b7d14e8

SHA1
867295c8c2de360055e4185cc744ef5265c86e38

SHA256
d1c6840c661c12754a16659fbca0ea0027a271150fe11d7323997303ae277391

SHA512
80064c4d3ff5402f3d4815e0a2d6e1da72122af8fa154e5edd126589abe20088e33f7c420525bdc84763e16b1c98dcb076f7c4a599ddfb9da46789b03a431414

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa6eeeff-ce63-4b84-a126-78b90d837ed6\acdd2179-5b2b-4c8c-8024-6d8ca63518e8.exe

Filesize
3.2MB

MD5
b70619f58c714eed8049ef98017fded2

SHA1
12b7feec33c78ddec2fc1911e75352d9fa1d51db

SHA256
b3de734dba8b62d2967ceb30c2390614c5f71a079798f2dbace9bd01f497604c

SHA512
44fb1cfe83a8eb550bc90f77ae0467c17d8da30599bb484a4cbe08ef6ec7b15471aeac4520739ee2031da0522d6b11f739c9635bc0030848e45a3473998d7052

Download Submit
C:\Users\Admin\Downloads\Update.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_5420_IEQBXYXRPYFGVIPP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2748-352-0x00007FF97F660000-0x00007FF980122000-memory.dmp

Filesize
10.8MB

Download
memory/2748-448-0x00007FF97F660000-0x00007FF980122000-memory.dmp

Filesize
10.8MB

Download
memory/2748-340-0x00000246A6FB0000-0x00000246A7FB0000-memory.dmp

Filesize
16.0MB

Download
memory/2748-351-0x00007FF97F663000-0x00007FF97F665000-memory.dmp

Filesize
8KB

Download
memory/2748-339-0x00007FF97F663000-0x00007FF97F665000-memory.dmp

Filesize
8KB

Download
memory/2748-341-0x00007FF97F660000-0x00007FF980122000-memory.dmp

Filesize
10.8MB

Download
memory/4256-375-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-389-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-388-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-392-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-393-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-378-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-379-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-400-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-404-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-403-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-410-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-412-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-445-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-439-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-446-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-436-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-434-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-429-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-427-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-422-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-421-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-418-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-416-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-406-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-409-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-405-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-440-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-433-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-415-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-399-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-366-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-374-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-363-0x00007FF9A3AE0000-0x00007FF9A3CE9000-memory.dmp

Filesize
2.0MB

Download
memory/4256-454-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-450-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-449-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-453-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-367-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-368-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-369-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-372-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-373-0x0000016EFF380000-0x0000016EFF57A000-memory.dmp

Filesize
2.0MB

Download
memory/4256-364-0x0000016EFEE80000-0x0000016EFEE81000-memory.dmp

Filesize
4KB

Download