xenorat | hxxps://github[.]com/moom825/xeno-rat/releases

Resubmissions

07-02-2025 05:38

250207-gb719s1jht 3

07-02-2025 05:33

250207-f8yneszre1 10

Analysis

max time kernel
259s
max time network
246s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat/releases

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

127.0.0.1

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

Detect XenoRat Payload 4 IoCs

resource	yara_rule
behavioral1/memory/4536-210-0x00000000009C0000-0x00000000009D2000-memory.dmp	family_xenorat
behavioral1/files/0x0008000000023dda-283.dat	family_xenorat
behavioral1/files/0x000e000000023db6-341.dat	family_xenorat
behavioral1/memory/1820-343-0x0000000000010000-0x0000000000022000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	XenoBuilder.exe

Executes dropped EXE 2 IoCs

pid	Process
1820	XenoBuilder.exe
3156	XenoBuilder.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XenoBuilder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133833800101204607"	chrome.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000003d5a1051100041646d696e003c0009000400efbe3d5a8749475a2d2c2e00000054e101000000010000000000000000000000000000000fbb8200410064006d0069006e00000014000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000003d5a87491100557365727300640009000400efbe874f7748475a2d2c2e000000c70500000000010000000000000000003a0000000000ba34910055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 7e00310000000000475a3b2c11004465736b746f7000680009000400efbe3d5a8749475a3b2c2e0000005ee101000000010000000000000000003e0000000000ee22a2004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "3"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	xeno rat server.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4612	xeno rat server.exe
3412	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe
Token: SeShutdownPrivilege	3720	chrome.exe
Token: SeCreatePagefilePrivilege	3720	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
4612	xeno rat server.exe
3412	xeno rat server.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe
3720	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4612	xeno rat server.exe
4612	xeno rat server.exe
4612	xeno rat server.exe
4612	xeno rat server.exe
4612	xeno rat server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 1944	3720	chrome.exe	84
PID 3720 wrote to memory of 1944	3720	chrome.exe	84
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 5112	3720	chrome.exe	85
PID 3720 wrote to memory of 2492	3720	chrome.exe	86
PID 3720 wrote to memory of 2492	3720	chrome.exe	86
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87
PID 3720 wrote to memory of 1972	3720	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/moom825/xeno-rat/releases
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbd101cc40,0x7ffbd101cc4c,0x7ffbd101cc58
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3152,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4572,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3720,i,12025366123032596940,4400972488620740016,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4720

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4796

C:\Users\Admin\Desktop\Release\xeno rat server.exe
"C:\Users\Admin\Desktop\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4612

C:\Users\Admin\Desktop\Release\stub\xeno rat client.exe
"C:\Users\Admin\Desktop\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4536

C:\Users\Admin\Desktop\Release\stub\xeno rat client.exe
"C:\Users\Admin\Desktop\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5040

C:\Users\Admin\Desktop\XenoBuilder.exe
"C:\Users\Admin\Desktop\XenoBuilder.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1820
- C:\Users\Admin\AppData\Roaming\XenoManager\XenoBuilder.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\XenoBuilder.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3156

C:\Users\Admin\Desktop\Release\xeno rat server.exe
"C:\Users\Admin\Desktop\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
86197dc8f9b87a35bdecc114e8d9eae6

SHA1
d9d854a87647c3e57973d77b39b6e2e3f6fcb2b0

SHA256
4b77e2f6a1532eb92357f502b82099afd3463e95602d7ba63d8481bfc8a78bf0

SHA512
1b0e0cf62e0efcbcd89f94c9ce39a8e6d8bed7d7224c4bc61d8642efc717717535a3dcd8dc77dfb7f778adc05a76caf841d30bb884ab1ad3732720c933ad4ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0e0478bd8f8724aebc8f2235f2f5c4a6

SHA1
5ded23f02efb0dd069edd3ffc487a087b44f700f

SHA256
ada40f867bfe401344c8836f75b1df38d416b47ec0874dc3e9f36b1267c61864

SHA512
2d15f0f527e11245d47f81b20af5601cdd056d3f5ea1a914df5a6aab6879bd718654e30d773f08695902d28aca238561b655dd898570e4184b9843a77d68871c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
58fe3dee08104939b0d92ac19ecba971

SHA1
f7d57ec5f54d69073955bded1327840fad10f572

SHA256
b16e74f1410742e3a7b8cf9db13e2e1f5bb9bd8bebcf267efd2051381e0bbf1a

SHA512
c1802611b5af9ebfefb4f033f54dca1cd4c1d1b65e0199bb3aa4b761713303608def8eef8fa78cb58ef2d5d42a0520b622d9de1ed6c77267602b325b9fd5bc3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
08ec252c79799ec0116c2ba25555eb03

SHA1
2d97477beafd1e865869743063aaa24a35d15d24

SHA256
10965c99d519d6b4424ec7ed9dccc0dc7fc71529268474829b46e1f39dde9f06

SHA512
5a65998796fc5ae5108c52fb4dd197c5bc9768a14097a185285025cf7e8c32a23778a42b20aa5057f85c61c86efd39b681cc13865bf4f4c79741815904a78bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d83ff9a4fb1ac35719f2725b9697c8cd

SHA1
fa9030aa81b788d5e7584fa3fb4730842d932310

SHA256
0f74b6eb38621d205a716ba8ca79cb60b554fd94c15545d36581a63d135a6076

SHA512
ffef5d630c398fc88394d6d31bde0dfb3783712e50e2d7320b60ebb7a8948231945cf7e66de98dc2f4a46b2d63650f0053c5a0c99e24211771ca1dc9cbdb6885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4aa7d027b19c0a6962be16cf398fa345

SHA1
48601d1365acaf7403255b9c782e1e1ddd71e00b

SHA256
c0ff9762162ea8066766ce10e1bbfc318ce7d47290402d8d1a52ae2c33f837b2

SHA512
025a908a5168fc052cfacf5fb2adcde2eafbc728da4a6f6a5214571d209bdcf8c5492f522518a632a75d53a034ceb0e50add712e417a60fef23a25ab4a330409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8b880c64f79342071b9e81930c9f593b

SHA1
24b22d43afca4c250a4425caecabc3409eff8d11

SHA256
7424d0dc422a44180e13a02ec0ddab0d6ec3397baaffa9596b818ea50fa8c7cf

SHA512
72c632014a3d7177350d3cf0adeef3fdee678377d393ac30e5a24d0330cb0eb9bf7128ad1b85c933602aaaf147ef231b97cc0f2128c670f2e6412a8d69fab182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fee83cd22f8efd012d353c3481f21dc1

SHA1
fd6e7f71100dbf6bd0e16881526f391480c624ed

SHA256
a9231cd0bf689e6925c6ee93e123895fad0861af8ce2b2b4e33df8acc3943b13

SHA512
49a384771a52dfb22dba6ed184cdde5450d4b36ca9470a54673b86388af3f7a13473dc597e7c15ff4d1f8763c1f5d82c66c5a908f4b96ac73f643df9d672b793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8d00858977ed7fe4e2597484a26e5b00

SHA1
edaf4df050a89b5f6d38d18250e8caa48af666fb

SHA256
bf6188136819f7b1b172519ff2f747f9211f7e2710a81219a660c2680e1f992a

SHA512
c76b72b927bbdc84519bdb1025c0fcebcf4bd7afe281d491469f542cafc45d6d7027c666f7930bc29966b9dc5761ce378b600ea640a90f5672b72647a1f21474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
aa81f03563a3057c7c44e1951a672eec

SHA1
9dc353ca33791aaa720d8184338cab8ff7c9ba53

SHA256
b7507e8937f343fcb40e6dbe73a85b13ef8196d0fe939ebdd5acc71f4b93e68a

SHA512
0e107ea2d7a509e767b7d718f39f2b3433aacbca30f19c7b62355bf5aa6cf46fd700b2ed0063d0fd0f30a63862ff028f97a9f7a90c6d45fad93ed389bcb1ace9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b98bc9160719f481e5318648f09ae2f3

SHA1
d40189b48ccd838c7351e0e5ad21dfd739bd7b84

SHA256
8436f529a04bdf627b3b687ae0c6ed7b7437ceb66ff1b37f31f6ed715d4238e1

SHA512
f443f345af2d15d6b275ad37d4abf04d7182494fd184392727ebe3ffc0975a6108ac6b0c49c0281f2a884f5f353506c183db80f9d9a9a10ddea3ffe9cd94cab1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
076e05a633d1df86c3ec0961c9fffa7d

SHA1
ca1c03698b20dd2da9688c5b61f911d205751153

SHA256
40e79ccdcc796faafd3075fc1a8aa953c33349423da722feff4fad178200d874

SHA512
7e4afd1718371b7a55a48010b8c6fc7e38e220f14c02c3cea9b641e8d43e96b1349035680ba707564564b81ca0e94d8dfe468d474399f3cc9388bfc8820a618e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bc5c6f26d4d0a92d7e45047aafca67d9

SHA1
be58423cb86b93208be7a1b1c2e71a3a15b73948

SHA256
5afe23a59d3bac7f1028a559ffdeeae5d73c787244a8e311be45f5f8ed9e8a45

SHA512
8f89e9faaffee8ca39f41d23f13003ac2d9464e28c9dee02b6dc5c3c857e9a1e2f7286445c5bb2f283c8bae9372b7e7f724681ca52467173f663c701ebf3f6b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f89cb845073c4c53b0f7837d41210030

SHA1
cba3b4a6d8f97df995a6eec97ff4a9e9c6a978e6

SHA256
80e86cf87f9b8405fdcfb5b1fa1e4a37219a66e3587e088b9f52b0c32ff3694a

SHA512
663b9afafb51d2ca91e863ec099fbf9b3d217bbfbc700f7daf51701f869dbb8a7a3904e9afa00b8fad67ee448592bedc242b7d228654eb371bb6bd597d5fa325

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ce0a10a155ff58cff47609945a287379

SHA1
78e48fa347137428bfcd7014a0881c1a9437d9ef

SHA256
d7960bb0d5679b3b82acd84de6201c104e581e5dbe5f3e179165a9768453466a

SHA512
c19a1df68a3deaecda2b7cac0c50780882bb3deace0245b4523eb18a64d7c370e51b95fc345079ab492c1b0e2c9be356c0f05da9bb1da705cabe2782f8769ae3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20cefc1310be01baf758653c46b50dc7

SHA1
970e2a383357fcd31aee7778274e206bd96b831e

SHA256
329de63a114fbb72213fb83f75d26a60c08eb9c85b4d7fc8336bceb4545ea1c3

SHA512
c9be5d3f7e0c15e4771531a2e423faf51204a0f87cf34f8ad8d8b6a52429ad4f56129f02a8639e64611da8bc6d450ab629d7c44504adc2f2a1d85515a3c0bc0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b4c4fb09bab6faa21f61ac53ca19d0e

SHA1
eea6040713ecda6f816ea0b5acb4d062cf215e50

SHA256
e99642a65985677aac81911f82c1248c0524f258cb25a566c633f348a0a6002a

SHA512
191a8da5c720380367fed1912968745779c01451a2dc2582e433b137760ae13cf08fba95e6ff71c7051f77b98783f833afd3ff93ffb499db073991c37ee1d728

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7aae92b19c5a8b82e0bba061b787f789

SHA1
6b684f3e8f75befc97112d00df7cee6b6a609ed1

SHA256
7b09ba2e907a955fa4c754a5314461e6c7c542b3a35cd3471a932e7034ab838c

SHA512
c181b67d0a81956ee3a0656647e92dfecb7e3020e7a59357249439320ff94fc3a6f73c2dfd3722935f29743fc5f45bc69d6dc4cfb83fc4a54c284ab98aab8c6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22ab6913980690ed650f01b9c3f5c280

SHA1
16e417d009992dcab55ef26fb6ddfc6b5d750832

SHA256
f9e13e357c21a70bb3a11070900a64128418303b44057bb41b643e3a98d6dece

SHA512
36ae47dedc63f797dcad8e76f6bab099c749b6606b3c03357562badd96dee188679efd9eaf072ad8e50f4fff4497b78f468ae8bd8f3f747acc8970ba69b9f651

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
434d8119621631827d9c8b7afe49545f

SHA1
2d16ae3b1fafb222d9bd0d0aa11eb8175cdfad63

SHA256
0b82489b841dd55d8e3c66cd4a5767c56e77fbb49ba5a94cc87e5e54de78edfe

SHA512
190df534877c0e139d4592b2f55b989fcf9b5a90b1eb6042e466af1e9271400498e41c13ca26ff8554baaf445c64315c86b51faafce21bcbd35f04973f51a174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
36022febcfb5e47aeafe9939b209ba89

SHA1
675eb7f403955dec36f406ac394da809f7a5ae23

SHA256
fde2d35e3edbf9d1cea209eaa691577c9f979ead0cff564161009a7365023e4f

SHA512
c95984b98ae6ad16b64fbe58f2b934bbece55dd89af6adadf48268e529c3bc8cfa2417b4ec7616758cab1ec1fe8b423130c0132906a85da6e51798da189073ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ce9e5875-8821-406c-8dbe-5d1daea5eb89.tmp

Filesize
10KB

MD5
89c7d6721d4078fc3cecf8f5fee3d612

SHA1
89c9c496160ee5a0effa3fbd995eb8e8e89335cf

SHA256
a12abae93d0b5b13c5495de71a29a60cbce99e2f42d70499966cde0725e412d9

SHA512
9d6ce6364a73ec5b39ae68e1ba0bcf482bade7d07a36ddeea572072ea8eab80eb5588984c312c12f2d1e6c44e533403880209b5215480049dc755a8ce3359256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
9570835275ea9bb9ec9d07aa2976e78e

SHA1
42fb1e156a86234ca99020d2afbd3723b7234255

SHA256
1d28ff7d1afe0a7da06c67a3090d88d45142a4c780a4c5dd471a0142574620f4

SHA512
40e06b5f51b49f0ddcdb371b5a6aee274281323613885a752469169ac225c4c515ec80897f0bf2da7571d79497929c47b5c85b7edb4a437df9bbe78b5fcb2782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
54349a153736aa1ee5b5647bd4b90570

SHA1
fe7a2351c908fbc21af954aea3854a71761420c5

SHA256
c56271f112b89e3eb66fec8ee6ca2dc6769b045f4348bbe6236863619336bd4c

SHA512
43190f2af3ebcbe370e8b0fdd034b4e5157dfac6f1873d5d3f59aa2c6ebeffea24a0f2d509d3dd20194f166d9bd2b10470b9c2bd73aee3c839904661650e5876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XenoBuilder.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\Desktop\Release\Config.json

Filesize
461B

MD5
b37c326848493c8552aac7e6088c0044

SHA1
7987f4ccf3c7062d9caa1e980fee0d6e6e0f9a85

SHA256
41d5778720fd77cdd7bb7f365b052fafa3cba5a4a3803a7f7644f22416d29f6d

SHA512
25a3e8b5a515929fb6eb1f80f731046653488ddeb06303d5e3f0cfad6db8c1713ef19ed089790bca484c4ce9e528d6e34ee9023c64b8dd773861532436a77d4a

Download Submit
C:\Users\Admin\Desktop\XenoBuilder.exe

Filesize
45KB

MD5
cf77bdca8f2d2238fb573804e8c4ad5e

SHA1
06c638b0e9a2bb99dcc30036cda81405dcec4a86

SHA256
83c94f0f7dd6b2eb4f8f37c3a00d4e255d679490be079899334a9f00329e055b

SHA512
97fed210a82b5b7db58164e96e8b8806ee95c5a00cc7a8185c45c2fe2d67dea9f2ef25ba42017d0c908352bc6e6f6bc2c8ffe0d7b2e9e95e9e5d8a599d98aaae

Download Submit
C:\Users\Admin\Desktop\XenoBuilder.exe

Filesize
45KB

MD5
729c3bd81ae49caebaa87ab1731cd065

SHA1
ebeeb3f217bf6da09ec079d15c3504684b39fb46

SHA256
bba427d1b291f9af00797f4555254216697da46f3add6cc96daee9ccb20f8ad8

SHA512
7a7ccf82208be4e65b8cc8684cef1f905011f019a0f0c312b37075b5985894688f10d1fe2e171d4e15b9a025e6048a0da092df333f67c6c9e3ca28709cda9614

Download Submit
C:\Users\Admin\Downloads\Release.zip.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
memory/1820-343-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download
memory/3412-357-0x0000000008230000-0x0000000008244000-memory.dmp

Filesize
80KB

Download
memory/4536-210-0x00000000009C0000-0x00000000009D2000-memory.dmp

Filesize
72KB

Download
memory/4612-178-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/4612-256-0x0000000001230000-0x000000000124A000-memory.dmp

Filesize
104KB

Download
memory/4612-255-0x0000000008CA0000-0x0000000008DC4000-memory.dmp

Filesize
1.1MB

Download
memory/4612-209-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4612-207-0x0000000008240000-0x0000000008594000-memory.dmp

Filesize
3.3MB

Download
memory/4612-206-0x0000000006B00000-0x0000000006BB2000-memory.dmp

Filesize
712KB

Download
memory/4612-205-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4612-204-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/4612-185-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4612-184-0x000000000A0F0000-0x000000000A112000-memory.dmp

Filesize
136KB

Download
memory/4612-183-0x00000000081F0000-0x0000000008202000-memory.dmp

Filesize
72KB

Download
memory/4612-182-0x0000000005EA0000-0x0000000005EBA000-memory.dmp

Filesize
104KB

Download
memory/4612-181-0x0000000005900000-0x0000000005914000-memory.dmp

Filesize
80KB

Download
memory/4612-180-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4612-179-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/4612-177-0x0000000005ED0000-0x0000000006474000-memory.dmp

Filesize
5.6MB

Download
memory/4612-176-0x0000000000C30000-0x0000000000E32000-memory.dmp

Filesize
2.0MB

Download
memory/4612-175-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download