meduza | hxxps://github[.]com/Apietcsvmy/xeno-executor

Analysis

max time kernel
228s
max time network
230s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-12-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Apietcsvmy/xeno-executor

Score

10^/10

meduza collection discovery spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 41 IoCs

resource	yara_rule
behavioral1/memory/2648-352-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-351-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-348-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-347-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-346-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-345-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-358-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-357-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-354-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-353-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-366-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-365-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-378-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-379-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-389-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-390-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-385-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-408-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-431-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-432-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-426-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-425-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-438-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-437-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-434-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-433-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-422-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-420-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-419-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-414-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-413-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-407-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-404-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-402-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-401-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-398-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-395-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-392-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-391-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-396-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza
behavioral1/memory/2648-386-0x0000020D93110000-0x0000020D9330A000-memory.dmp	family_meduza

Meduza family
meduza

Executes dropped EXE 3 IoCs

pid	Process
2648	librarydll.exe
3956	librarydll.exe
1740	librarydll.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	camo.githubusercontent.com
16	camo.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
55	api.ipify.org
63	api.ipify.org
72	api.ipify.org

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
436	cmd.exe
2504	PING.EXE
2292	cmd.exe
3724	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133779471376649461"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\UpdateV4.zip:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3724	PING.EXE
2504	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
4596	chrome.exe
2700	Xeno.exe
2700	Xeno.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
2648	librarydll.exe
4672	Xeno.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
3956	librarydll.exe
716	Xeno.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe
1740	librarydll.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe
Token: SeShutdownPrivilege	2568	chrome.exe
Token: SeCreatePagefilePrivilege	2568	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe
2568	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2648	librarydll.exe
3956	librarydll.exe
1740	librarydll.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 4132	2568	chrome.exe	77
PID 2568 wrote to memory of 4132	2568	chrome.exe	77
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1968	2568	chrome.exe	78
PID 2568 wrote to memory of 1632	2568	chrome.exe	79
PID 2568 wrote to memory of 1632	2568	chrome.exe	79
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80
PID 2568 wrote to memory of 3384	2568	chrome.exe	80

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	librarydll.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Apietcsvmy/xeno-executor
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca7a2cc40,0x7ffca7a2cc4c,0x7ffca7a2cc58
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2156,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4644,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4836,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3680,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3112,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1040,i,11365008821465205720,18303155411864308269,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=736 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2712

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4372

C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe
"C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700
- C:\Users\Admin\AppData\Local\Temp\librarydll.exe
  "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2648
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2292
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3724

C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe
"C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4672
- C:\Users\Admin\AppData\Local\Temp\librarydll.exe
  "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3956
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:436
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2504

C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe
"C:\Users\Admin\Downloads\UpdateV4\Last_Update\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:716
- C:\Users\Admin\AppData\Local\Temp\librarydll.exe
  "C:\Users\Admin\AppData\Local\Temp\librarydll.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
4f9af1f1137099c00811f09faec0094e

SHA1
baf6cd88a3ebaf076317ba754c2acd4b0d10ec81

SHA256
f0e1fb25024c9b92585872448df1053333cbeac2b47d66d1f88d92251bca0aa4

SHA512
30d589ed442e64a4791ee68f2e8a2e3c63b36fb1e271ba3bdd835df30328f835fb8477e489e6093388f2fe90bc1c013581c4c5efbfd56ec736226c72d7def01d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
8022df454b9b4199f6709733685a60f4

SHA1
6e367c27989b373eb28e501a326fb113f4f13bba

SHA256
ccdb0d3a59c67ca40ec396766faa7add41cfe199e0a7dbd788f1e61358b59149

SHA512
5af1c9fdc65690b1d27bf4f6f0a9d4e233e3a3d4cf03a19f354994140d20ce101287c0194372d5341dd5291c48a38fdcd2a8887c922d38d09cd4925d8c8c2809

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
10bb8acb05e4d03998645b2c42723d7d

SHA1
1b5720ce72d70dfb1b3fc9aefbba45c1572ce82a

SHA256
23674e2eac89bd83f7c54abdfcb4ca077c33744c94b19d1089d7177f2f40778c

SHA512
4e52fdf9f3309838bbe04a387f5b1565274f357bffc8811a554c6f8d28cd22584e2869c3bd4c77b71c1fa4cc5ca6c05361821e64ea02e9a01e2708d3b47e91b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9948bf50866bf7b7a105a3799fe6542a

SHA1
0566ef0fe3202c529a699182f75e01086c0bf7e6

SHA256
c9eb32c3dbc52cb20419a7f1d1a06ce00dafaff421db81ec8491adaca4061c31

SHA512
5ccaae2729b0edd85b646510d1e102c36e215e8fb615f38ecd1a8e7e4a96e7ccf6822e73b2e008775a28968861f1cfe0f4379eaf49b147c9757a941e967c594d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
160KB

MD5
de1cac78be18a1cb809480e9220d11b7

SHA1
b7a31d04a45fea600cd041db9bedc552cdd6b0df

SHA256
6f2852a2ccd412784b53c13ebb573aa7bd9f98deea56f894d42492fce9881712

SHA512
65cf1a75e0515910ee0669617f3b5d89d5efcba410cab5cd0cf2b17b6c55901785d03523bd3ba8c4b2da5380d73f78ae89712d90275a20ac57616f6a04a1f28d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
596c8d0b2de8f258b544f830a030e4f4

SHA1
8d72471fb36803ea3488134b293badf761d8c158

SHA256
b229d1f1065bb5d045713f5bc1b488d626832bf1aaed3b66550f717016ea5e4a

SHA512
d005e894ab694561d8fecc8f65e715fb811093a0624c00615e0b77e246e35edab7ac5da8b53f6b02c3be77ff9127a190de9ce2362ad4f72a1281b7879c4a39db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
de776b5d1d7667d6112a8664e493a430

SHA1
574af2ebd95169fbdf06bb04d1f7f4abd8a3f885

SHA256
1e7ef976635632397487620911fc8c22a3915d50ab25d469e1b36690f5dcce53

SHA512
72353b0ec3a780811ceca3a695d35d25b57b9185e50018e762f909c24cdf5eb859de0d36993b812fa298e801e426144759faf7b9b25d5928265812959e40820c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
b025f09b222934ebd69fa06bd7e12207

SHA1
23041dd1ef8513c3b6483add5006d30f099daa83

SHA256
3e822a393323b934319ae6c9c7ccaea0e14107b9308df068b87691c87932f342

SHA512
66814537f3c376e5fbee8d11c47b525fed4f3739242d2bdc72c5449df9484b0408e9939c0dcae0e14c1e702b7ef08d8846eb6bcd6509fe92a8ac231181f78def

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
e492d2ea2fc77e18fbac5fe3c4e33977

SHA1
d0f2e41e36fb4b65345bbbbd2b743b303caa5d1f

SHA256
3b5162c783a0126256b7603c66474f07d5d2be8ab2e98cd18e629a21686a9a9e

SHA512
c634e140b2a67e4a515b077749458be85886f21f6d92e1f73f6efc23bc7cb7360a3f1cd2ebdf129276c2e6028641a01b0acdb67e4e00edcfd556ff5148ddc313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e18c9ed1aa6b2c752a86c8e117251ee0

SHA1
aa9319661cc6d6644ec428c49a9f70247c8219e0

SHA256
6cc242f4f3896b220f342af83a475a15b8684104ac05e33012705faea806860d

SHA512
e14cc622bc0b49dd1b672b5fd86b308a25599295bb355f146cc5daf8073aa3e3c6a2c25863a88a19ed971a7533d899162535b059e67621827663885f354198ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a2673912a7051b7928688dc878f9704e

SHA1
b3947010738b2de7eb3aaed1d7de18106260eb22

SHA256
646e412725504de2f277f7b103ef0ea9308a4746037cf07691f188ffa64cf44c

SHA512
bd6026225209eb28f1230c1f41c57481e46746b236e0bf8f0f16628b96c59ea7d4ebf2c08d48b520dbd8250a716b5e788d1402e234c2af9919cbc0015980ef1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7ff2b27f7428c621f5b6a4d84e746355

SHA1
d04a971d21773ab27ac231d515f1af440f5fc0ba

SHA256
349d553c28bda65b357538d54344643908bb2388bf84280d102d56325c950829

SHA512
5439e28b9b534b55254791d143cf4958716a0322811861dc5a353a87c663a666a480904a1fa4eae69a2deca0346a0b36766b6f000bb126116c818acc586b23cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4fbb3e3b075b0fcc58afbd95fd63dd3a

SHA1
2d704f6cfd7110b46301aeef072497455dc799fc

SHA256
49b8e788226ade42265b3bf7700788ef7d58c7b99f101b772007ce37a85ef9ec

SHA512
5320ca92395cc3464ecc8d19cd581344876531a765e6079715ac717fc1337163c9d2721f614e2ab652fbd90bc8973e776f3fb21642bcb4711140d3de6b40beb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c9107f927f976e30f3dc756db63c39b3

SHA1
b2d2633349628967c2ca6c9c4d3fc1042698a23e

SHA256
b0e455dca2208755cd377c6bab2b6041872a4d0201c2d34bf7a678aab8844a17

SHA512
e43c8b0144ec5ee56a62a59c673ea74762f4d7c3134ffc42498afb5cd969c8b428368d0ca3175fdcffe227b49da514e50e8c59793b13417c9aea06916ca403e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
823f1ab15934c1eddebe6312431c2cca

SHA1
2be86e915e673d352aa756f3a0b09aadadc5ae42

SHA256
a03c157300812f9adf958fad13b9fd3cf185ff40b2bae8a04a02f467c5e0b397

SHA512
a1a939a4ad0c4d17735b07fe9834d7c3d032b0fc900eec769a57aae2bf2b9c518c910098bedefb24a7c5743dbddbee31d1caba5ba2ef856e4accc2fb9259dc52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4d3f475bfe7ac5a9f3dd95ffb17dfd9a

SHA1
6697d158704784699e1ea022859ff3e8f577c299

SHA256
ffee8938ee029b786c8f9ae4da32fc0dd8e9722d90b3493d2e1b522ea3cd9c43

SHA512
27b41e51d92bf8ab8abe9eb6cfbe2da812649185f02dd65974b58bc50b7dc1649e2936b1bede92830771688e91476d88769e755344848eccc81ee4c57e4013f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
45347ed9036891b7f2c989da38ce89f0

SHA1
6b4db31a2504c05a47a9d5d7493fec9b0a806a0f

SHA256
fecf8dd44a5918a4c730bde630c0b69734b0a7c540e2d7785adc86042ebf3a5d

SHA512
e903da072b117dead1de6a9e5444a41c7f3e54d1c90bf2e6d71ec06bb12ce2119963a4674283e937523d389df7c667a900f3bc0d99c9d722ece80056f22b03bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2808d4c7f5a7968798413e0bc4fb74e5

SHA1
dac4bb79c2f17cc5db38a1bc4ddee4dc80158cbc

SHA256
7e2e725b99a6fa74e9443b2cdd84e7f5e81ce60dbbbaeae41b3078d3af53c5ef

SHA512
11329512d3129a956ec967d06ba12099ac02e124d05c13cf044be9f3617b673c3f281e48f58dfc3553304806705655f7a027bae45c7a8063888ad8c49f5a57cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1ad097d269f1e7904558eef5dccf37aa

SHA1
543b16ca1a75c066c0ff876e9c118963ed83a4b4

SHA256
fc4b6882fa7fbec8d9666d0bcd135f1c5a6f79edb2b725eabc2eb3662f54f45a

SHA512
880fd5fe865ede533546e49685bcc44c7faaa2ae2e85019fc34422df0706063453bd7627d2c15ba6120b12eb2f1cc1f6be112fe2bf369a88654f7a58ea71fdf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
37d9f9bb8ad1b3e5bb1a38f421b82187

SHA1
a288d55c5105cc6e832011931a96257f498acc9d

SHA256
15a836f5810213d6b956c89948b29867b58b9090d993598a12ecc25974e5a8e7

SHA512
4941e3aa71c04b6a5ead119e32b4f52784c4714d1805ea88f3153ec63fd6af94710435a2285c58d1833f595522abb14953ce8486a7566180da7e156fd0a91971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8c3fc1f291850364462b61043a5e2bd

SHA1
8c83bfd0309e5a879abf6d7a3ca3e405883ea626

SHA256
7fa7adbeb93c55d931cd87b480af4c8fcf8fc663bdd0db75ae7ec95c65e06712

SHA512
e95821ef4587008fcd60b32192f79ae39e8b2a3a9587e2a2d5816d693605f051dbeaa0b9c913520c4911f24ed64d2834119c2fe9567075877411240a6c11aa48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7a825d6a1e9aa3867393111f39352e1e

SHA1
85b48aa8d6f2b02080964e22e1f7d903f8db3c99

SHA256
8134c7d247f55e5f7d8ea4ff102da0059d4a6599fb31d9cdc4c28eee281a065f

SHA512
4d73ac99edae16071ec0653cb60d6c28114cc782489fbd8458aaf188308f29492984dced6d0d875ba53966b8f467d76fa91226394a50b505a52dacbc001619e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7c186939fb501d5b964db26b80dea137

SHA1
43f9141612ef2a6cbd919aad360f10b0a7251590

SHA256
1a1e39ca1518f92577488121efe2a57bbf97a137ebab30536ab40f36ed2fb81f

SHA512
8fc2f4c70b04eed5afa6de3181e54c29dcc4a71fa75050e8dc9c2071dfbbaaa43e9a8e47babef798f90b63ba99a274096aacd43c4dc15647feaabfa3269101dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f7dd7e9fc1caf0ae3eb55dc3e83964eb

SHA1
17be7d701b86d2b960efd6178082cab074d1d092

SHA256
b70840380b73f61e84e68cc3edffd028fb1dc9571fa11032c691bf5ed07b13df

SHA512
41428b060368073993aba1b749a598369cd9104cda15049742d81a0c08f070ffd2c41904a3976c431b2bd7cdaef36af0474035e3e7f96387f9f85213041fff67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7c0183a3913a2738a4de0106de9a8e9b

SHA1
24845a87f13804e45f874213e79a2c47efac1bd6

SHA256
68c709c114a8604d212e9cd79e1adb31a955b345756108fa10ae6e099ac767fc

SHA512
06e7e40f963accb4a2271bab250fd126019acb7f0b80a1fb47df661eedcaa64c6493d7fd0fd91995a90a81d079fea3e46fce0cfe2d1199a5b936d4c6030552cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f50252567ae8bc506c8a4161c4378c18

SHA1
528cc83d07daa8eeb847e10c09956b61a6346cb2

SHA256
0b3dcc24c62b53fd34376b2e06507281e04e64e35f4a5ed62258d855472ed1f6

SHA512
3414b2a3cbd796ee27d919ec84e5fc7d2f096177ba79bf12d11f8833c4990c66feddc2c70b43040323a2b16e92ac25a9b672057da90aa240dd176fb02271a74e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a6e6c4a1d199f363a6efa9bba00ac664

SHA1
cbf2ff91079e8c6c8d2a747c1c034ec9c7d2f713

SHA256
e2327f0bfadb0560c18c2ce03d8f807abca34ef81c8e7e4ca1821160c6a7f63b

SHA512
95d926f524fb4bee19a4111fa6fe9a356eb62b796e1407dec3cd490dad93191b3cd2baf4710568b67dc594206b8f0ad808d669910c97d17a5e48d35b0c0313bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61d16b2362420bbfed268b9436ab9acc

SHA1
7fd721238d714b4e460d833a964cfd493f33dec8

SHA256
1abbfc4247d1bfef8cbe3cfc9c711923798c5624f5194e3983548a298e4c163b

SHA512
64c0b3f09f7b429247f289fd04bacd0d40b9f7229453fd8c407853a23a5cfc028347f3dd11fe6204f07d56ae783480dc88bcd6e573451df2ca13d16a3960ce96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
346b8bc48f759ca3505a510dbbf90343

SHA1
da8a6945d0d7444bd1717d83aec9e78a6dbaad93

SHA256
09870cc0155e354b4731905ee73dd01c26f7e6598bee7ea89f32fb757241e88a

SHA512
d30af87412cd4788dcc74f4047850feb2d69a6459139c4cf742c9e308d9fe747d15325f1db9e6449cbfdeae19905e05f24b8dd002ebfb465558cb95844746a52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8ebb97d6068c210a21901e51daaa5ee

SHA1
0e10311bc92f318c7f6f432fa252755f40d828be

SHA256
95062f3d9516c438e02245de700332d994fdc5ec2c35309ea92f23bdaa1eafe2

SHA512
06b6c6949e9589466819c4ff69d8cfae906f319b513ad0020d9f6edc385e0389d3471f0acb45fbcf25677d6959a20babfae885babec7aabaa5ae2e25e01d7ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
824123cfe948f0a850e9f9111b827dc7

SHA1
e7acfc4b5434039f6dd32687b324cbb36f526abc

SHA256
27b9d74b69db5cfa0703ae99af93792c35396b1f7badaba1b681fe279b5b0830

SHA512
dec066d20eefb3d8a1fbf5800dbdd651c0c622139ecfe8e9bc423e2baeef50c83bf10b7c5a7b94595901f5c5f413395c634135841f7cefe836b6b8d73e334616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
11419a3ab10180ff034ea7aa20de8ac0

SHA1
ec2c90843d9886f8adb17607c0b947ae8a2bf932

SHA256
f9d444dfeb462787525d0fdc9b4dd726e0b06f849177d087c89b3f12974ec461

SHA512
e7e3f058c37bae02458a7c1714ea421a0e9fb49175473af91a40fe9d78f85cdd809827f9e37ac7bbc50a43e67b9485895288d55b9fe3541bf1ee61574d5b57c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Xeno.exe.log

Filesize
4KB

MD5
a85e600b255a03a0737d109d2088ed7c

SHA1
0bdea4d91624083339e1a209c4036b7fe80d2fb1

SHA256
38e7c0615b8d013a1fac4223a5e480f829033bea93d3ffd2ad80c8710d19d268

SHA512
2d5b2ae019e9f600f408d8300b0217b9a0da0e3bc71b25dbeb7ee602c39441369994a282cba724d4769cbe7edee3d2cec6dc55715e6a876dcd368ebe81899b60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
90536810cb19adaa10dc1a6809d3fd7e

SHA1
f3c8dd44452e0137cd94f47541e3211eb4b5f0c9

SHA256
52fbf990cee6f91a3e5b6b0d64560fa5a95cd46a707b2003143a4f838dc6ecfe

SHA512
478e69fb7692e5fc2620bd10a86466e0e98a9714a26cd9ecb2b8eec2a1092f150c48a69fb82affb7199900dc1cb959c804c318872b36b65ece042d5131181c26

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c53de544-f0f0-4882-bc33-743287266c2c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jr05waxi.yuj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\librarydll.exe

Filesize
3.2MB

MD5
f1f7885b88771aa8992a8e3153f00042

SHA1
54fac2d930f97dd4898cb3da404f96d3d944a45b

SHA256
2fd0f8faeb98aa486b52854fa2701c91dd8afc5f2af16766f0516a7d1d4f2916

SHA512
53fe4495556222792d7f421afb1e77879edb9524c01c744e220f6424096abb42522d1b7923ff97d99a8d2cb7a9159c07348a5268eec97ff065c8567c443f1105

Download Submit
C:\Users\Admin\Downloads\UpdateV4.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2648-385-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-402-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-378-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-365-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-389-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-390-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-366-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-408-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-431-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-432-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-426-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-425-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-438-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-437-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-434-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-433-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-422-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-420-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-419-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-414-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-413-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-407-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-404-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-379-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-401-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-398-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-395-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-392-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-391-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-396-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-386-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-342-0x00007FFCB67C0000-0x00007FFCB69C9000-memory.dmp

Filesize
2.0MB

Download
memory/2648-343-0x0000020D93070000-0x0000020D93071000-memory.dmp

Filesize
4KB

Download
memory/2648-353-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-354-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-357-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-358-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-345-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-346-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-347-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-348-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-351-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2648-352-0x0000020D93110000-0x0000020D9330A000-memory.dmp

Filesize
2.0MB

Download
memory/2700-333-0x00000282DD260000-0x00000282DD26A000-memory.dmp

Filesize
40KB

Download
memory/2700-332-0x00000282DD020000-0x00000282DD042000-memory.dmp

Filesize
136KB

Download
memory/2700-307-0x0000028299270000-0x000002829A270000-memory.dmp

Filesize
16.0MB

Download