lumma | 1c9140a0d2304adf5a9473b4d0d85e7dad564dbb1cfac21de272a93d214c8245

Resubmissions

08/03/2025, 15:37

250308-s2xtrsyrz3 10

08/03/2025, 08:36

250308-khk2vstyfx 10

Analysis

max time kernel
132s
max time network
246s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/03/2025, 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/Xeno.exe
Size

170.0MB
MD5

1be9acba391286c29ef5e385615affa9
SHA1

86e63d16ecca6f301ca471c7c8868d88d3ca1155
SHA256

12ef7d95da3af71fa220b44d3fba210e11e67ae1a11e2a933a5b361794fb3ddf
SHA512

76d13f211853db7816d949cd80f2fe154c9211cb8d682170c6e555375d0f477b69f246691621bdcfd516a09e72431e77bfb0db92133bc27c3adb434f495c9f58
SSDEEP

49152:pGbdnE2gcDHphKyc5TrdOWZ+4A6rzlLke1uZVq2brb:prqRWdv9kxC2Xb

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://tonedanswered.today/api

https://begindecafer.world/api

https://garagedrootz.top/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://sterpickced.digital/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2580	Elite.com

Loads dropped DLL 5 IoCs

pid	Process
2736	cmd.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe
1784	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2760	tasklist.exe
2908	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InterestingWalter	Xeno.exe
File opened for modification	C:\Windows\JimFujitsu	Xeno.exe
File opened for modification	C:\Windows\OpinionDeleted	Xeno.exe
File opened for modification	C:\Windows\DairyPropose	Xeno.exe
File opened for modification	C:\Windows\DaddyPottery	Xeno.exe
File opened for modification	C:\Windows\RecruitmentOaks	Xeno.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1784	2580	WerFault.exe	43

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xeno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elite.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f44471a0359723fa74489c55595fe6b30ee0000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2580	Elite.com
2580	Elite.com
2580	Elite.com
2232	chrome.exe
2232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	tasklist.exe
Token: SeDebugPrivilege	2908	tasklist.exe
Token: 33	2272	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2272	AUDIODG.EXE
Token: 33	2272	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2272	AUDIODG.EXE
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe
Token: SeShutdownPrivilege	2232	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2580	Elite.com
2580	Elite.com
2580	Elite.com
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2580	Elite.com
2580	Elite.com
2580	Elite.com
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe
2232	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2736	2216	Xeno.exe	30
PID 2216 wrote to memory of 2736	2216	Xeno.exe	30
PID 2216 wrote to memory of 2736	2216	Xeno.exe	30
PID 2216 wrote to memory of 2736	2216	Xeno.exe	30
PID 2736 wrote to memory of 2844	2736	cmd.exe	32
PID 2736 wrote to memory of 2844	2736	cmd.exe	32
PID 2736 wrote to memory of 2844	2736	cmd.exe	32
PID 2736 wrote to memory of 2844	2736	cmd.exe	32
PID 2736 wrote to memory of 2760	2736	cmd.exe	33
PID 2736 wrote to memory of 2760	2736	cmd.exe	33
PID 2736 wrote to memory of 2760	2736	cmd.exe	33
PID 2736 wrote to memory of 2760	2736	cmd.exe	33
PID 2736 wrote to memory of 2984	2736	cmd.exe	34
PID 2736 wrote to memory of 2984	2736	cmd.exe	34
PID 2736 wrote to memory of 2984	2736	cmd.exe	34
PID 2736 wrote to memory of 2984	2736	cmd.exe	34
PID 2736 wrote to memory of 2908	2736	cmd.exe	36
PID 2736 wrote to memory of 2908	2736	cmd.exe	36
PID 2736 wrote to memory of 2908	2736	cmd.exe	36
PID 2736 wrote to memory of 2908	2736	cmd.exe	36
PID 2736 wrote to memory of 2692	2736	cmd.exe	37
PID 2736 wrote to memory of 2692	2736	cmd.exe	37
PID 2736 wrote to memory of 2692	2736	cmd.exe	37
PID 2736 wrote to memory of 2692	2736	cmd.exe	37
PID 2736 wrote to memory of 2800	2736	cmd.exe	38
PID 2736 wrote to memory of 2800	2736	cmd.exe	38
PID 2736 wrote to memory of 2800	2736	cmd.exe	38
PID 2736 wrote to memory of 2800	2736	cmd.exe	38
PID 2736 wrote to memory of 2780	2736	cmd.exe	39
PID 2736 wrote to memory of 2780	2736	cmd.exe	39
PID 2736 wrote to memory of 2780	2736	cmd.exe	39
PID 2736 wrote to memory of 2780	2736	cmd.exe	39
PID 2736 wrote to memory of 2672	2736	cmd.exe	40
PID 2736 wrote to memory of 2672	2736	cmd.exe	40
PID 2736 wrote to memory of 2672	2736	cmd.exe	40
PID 2736 wrote to memory of 2672	2736	cmd.exe	40
PID 2736 wrote to memory of 1260	2736	cmd.exe	41
PID 2736 wrote to memory of 1260	2736	cmd.exe	41
PID 2736 wrote to memory of 1260	2736	cmd.exe	41
PID 2736 wrote to memory of 1260	2736	cmd.exe	41
PID 2736 wrote to memory of 1456	2736	cmd.exe	42
PID 2736 wrote to memory of 1456	2736	cmd.exe	42
PID 2736 wrote to memory of 1456	2736	cmd.exe	42
PID 2736 wrote to memory of 1456	2736	cmd.exe	42
PID 2736 wrote to memory of 2580	2736	cmd.exe	43
PID 2736 wrote to memory of 2580	2736	cmd.exe	43
PID 2736 wrote to memory of 2580	2736	cmd.exe	43
PID 2736 wrote to memory of 2580	2736	cmd.exe	43
PID 2736 wrote to memory of 2156	2736	cmd.exe	44
PID 2736 wrote to memory of 2156	2736	cmd.exe	44
PID 2736 wrote to memory of 2156	2736	cmd.exe	44
PID 2736 wrote to memory of 2156	2736	cmd.exe	44
PID 2580 wrote to memory of 1784	2580	Elite.com	45
PID 2580 wrote to memory of 1784	2580	Elite.com	45
PID 2580 wrote to memory of 1784	2580	Elite.com	45
PID 2580 wrote to memory of 1784	2580	Elite.com	45
PID 2232 wrote to memory of 3004	2232	chrome.exe	51
PID 2232 wrote to memory of 3004	2232	chrome.exe	51
PID 2232 wrote to memory of 3004	2232	chrome.exe	51
PID 2232 wrote to memory of 2292	2232	chrome.exe	52
PID 2232 wrote to memory of 2292	2232	chrome.exe	52
PID 2232 wrote to memory of 2292	2232	chrome.exe	52
PID 2232 wrote to memory of 2292	2232	chrome.exe	52
PID 2232 wrote to memory of 2292	2232	chrome.exe	52

C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Release\Xeno.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Sake.mpeg Sake.mpeg.bat & Sake.mpeg.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\expand.exe
    expand Sake.mpeg Sake.mpeg.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 627100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Commissioners.mpeg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Depth" Baghdad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 627100\Elite.com + Iv + Pen + Specialized + Entirely + Routine + Prediction + Dance + Helmet + Governor 627100\Elite.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Alleged.mpeg + ..\Violations.mpeg + ..\Better.mpeg + ..\Der.mpeg + ..\Informed.mpeg + ..\Library.mpeg + ..\Sample.mpeg q
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1456
- - C:\Users\Admin\AppData\Local\Temp\627100\Elite.com
    Elite.com q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1180
      4⤵
      Loads dropped DLL
      Program crash
      PID:1784
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2156

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d89758,0x7fef6d89768,0x7fef6d89778
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1188 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2332 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2364 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1340 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:2
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3192 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3692 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3824 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3668 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2528 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2456 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4172 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3948 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3368 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=3364 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:1200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1092 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1300,i,14270397959537830580,16411073009758364405,131072 /prefetch:8
  2⤵
  PID:2584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2884

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap24842:104:7zEvent10869 -ad -saa -- "C:\Users\Admin\AppData\Local\Temp\Release\Xeno"
1⤵
PID:592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
215KB

MD5
786c4894e2393c2a6df8fe0fd6aeee3f

SHA1
2242cd681f699ef3d642ed9ed1f202dbf6b0c1b0

SHA256
258ce3bda497a9ddf8e00e70ab2b08608c3f3211aecc90348179eea95be084a4

SHA512
73751c1624a8a7e8141c387159a700f637e4fed6f5974d7402fc4faf4dd72c0779eae74049746098ad2c05765fa97329c51e9cc5f422c02abaaa92035aa991db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
41KB

MD5
0aea3df744bd8aec677dd4777a6c570b

SHA1
41dc951a8a2bd2fcfb3dc81c196c8828ada7c4e1

SHA256
bb15265a5766a6351a8673cfa79d8622332f9a5ba175e1c09ae99a49d6deadd0

SHA512
d6d8a1f873e4e328332854545d0ef268fc7c92666f7412549f76340cdf0dec3634cc809da6eb4a8c0902cc5720d1a778c344cf199d4f250daf61184f0a405785

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000037

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00003c

Filesize
106KB

MD5
707bf2b3d9eb3cc25d00fa46bc27f48d

SHA1
536ce2f6d23beb2970a292dc5bf565765edad2ae

SHA256
2d2c540688197ec7c33fed0fc49d55880888632b8e38b398cf5bc4f797918b6c

SHA512
d3350c09f866f3f9229ebdaa2511a9091800c117666f93482e41ca8a1bb92f38dad5d17d1640d5e1f9317e7c73399a5ba8ebe69a209dc70a05170c039edaa1aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6f5e9e5e95c8866cbfa3603549ffeef3

SHA1
6d896e1a5de4013291049affeb406896ced05e5e

SHA256
e4dbdd78fe32fde9940741066709805ab28c94563694dc616aa1794286ee2f46

SHA512
5d34b846f2769f63469106a0584cb20f0e695a26a5fb0f05241f3c5a4a645956145ce321ba4a707b974bb1e0fe028251ea4b45b6e50859d4426831c5db771d20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
49f562bc78b1787c12c7c6f54f95e354

SHA1
9c4bb732917cf931efef539a5a7fb544fe291aa3

SHA256
f427e73f77af18e9795acb198e6a6b2ebd71d138a5a343a31ec5068848f593b7

SHA512
79f39d9fe8f6c15676a229061751cbc5ef193c30b4d9ead978bfdc4a5f3f107ebf47fd778152b6bebc9b52409710e79a173db998aee813881a260bd5941c50dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
912B

MD5
480b37daa2019f334292c673896db211

SHA1
c38296f26dbf094a059ab67611b5dccb10c959b8

SHA256
ee03d091a38f5ec6c388b47f233b0a9cd879833ef28a7eb73b431e512d147fe8

SHA512
82ba2a1c30ec4990db9e8c3824c386cf0d3359c531072c180f275865bf2119d1136cc47546674fc7d8af3c9986139b0797e989c1f612312b2bb828edcbd82867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0434f3ff3916900cdfcc28b509fc31e9

SHA1
80bc9328f3b470caa0c784c2137d5e0d27ebad0f

SHA256
1960f9d295f68d6f2294cb1f6eadb21e0e9309fc49b2f88836da6a9d328d4b14

SHA512
fbb5edfb9375dce2dbf24cd920cbe8b67159aaab6c680053c13aacd03688172d3e68672ee5607f04f2423bd9dbbe85883ad3a5a94984a74ffadb67773a08d1a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
97d3d2a215afeb318b6514d15b1a2b3f

SHA1
6ee9ec94582e24b83ca04081cb64614fe637e166

SHA256
674420ad787bcf052138eda5901984f4ff73263ec348e4031cb111059e6d58d0

SHA512
7c960102ca0ebb12f5b04173cd3461a15bde3d4018675bc18f451839dac5d3f8624dc17b434688d141f5d15547a0557c59d5ad8fefc24c353cbd5d00f80b11e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
11b29b328f6396794e72264ee55a352d

SHA1
8c812903f57c9a0fc53afc1d3da7ccf7970b9832

SHA256
e8799439b3d26330204ea43ced6268099e82896d288e7be5158693e949c3a2c2

SHA512
dfeedf81f5e5191b771de9c13252c45bb958e19f318481f08b9faf425d206f0b9bc38f6f4579bdedd07a7f587c09e96be724dc6d8683409c59fd2c956158a768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ec6dbcdee7ebc2236ef4f0e9fec38815

SHA1
291c2b445320be6cc195da0ff23d9c06d5dd4806

SHA256
b43abde1d31f4489acec7b1aa67c77bde4ec9f2778f8d5671ab9a4f2f40f299e

SHA512
b875f34d4ec3b44928d9edc956fbb33012f1ed989cad34e653def4cfa3aed077b2beff99e3ef0e28af297488a812ffd9fa4e42edb1a848775784253b1cf6617f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
527B

MD5
3f6a78f574767b355edfd777f9120689

SHA1
7e25e52c290b7bc507e992fe6727a1289ab3fa12

SHA256
e32a4dd9717f84c6140c83c3d05a11a3696e6b65d33785ed2934f9f159992ee6

SHA512
7d10d846e068651574167b0742422cb7bb8cabfbe5f8171296608fb13c1c3bab1c18c80454e710d321197ca76e41c994454868da9f4ec8fbe488bfe73bf02028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
b5f36576a00cd5c9ee2d7eacdc748de5

SHA1
d113e2c0fd41a51407b3665c435f5ce0ef91bec2

SHA256
2d8eb9f08cc08973678de53fc1d55b5f33fc172d3849336c48c2f90a336d9fbc

SHA512
ae682567ae6bc75a5e955480e72468a943dca806dc1662f841dd484fae6a19a9379808dc2a6ba14c2b560a929cbbee178e1c47eb457e3b84cdb4daae3135f3ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fda7beb8768335fd2f40510f99c08be3

SHA1
f6ee047e1d91bfc1a635fa7548bdeb55a60b2fc8

SHA256
2b97079029996e5545b718f442bdfb0e7479bca25361fe81f7d5e332aed4889f

SHA512
4bb0e51cc5450ad9430e2c8590b71af867bfea210cc95d6285c1555c39b6337594d0cec2a0bcf2555c6fe92cc48b9ca4dd24154dfe64b369233495656953916b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9d95dfada219cc6aff060b8730f2c6e8

SHA1
9354e9420ad57507f8452a9061d9b074c19aec03

SHA256
cd3a59177e0b0f6f9daae4c60fcd9e798e814ec3db8e3c9815ae4334610e184e

SHA512
fcd0612ecf15c742c76fe8f6d7a384a1890a14decb13a0cab1114fc1c30c5756ea77699be4464c720f1376df49b48295bb323860ddbe18f3fc0ea23dcd0be1eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dee3c02920aca6a7236d4dd4a502ab4f

SHA1
4bce17e88e31c4290c84850a3f880477219c8d8b

SHA256
f2d5d51774958e46bfbcfe30621b88d4753a53dd5eb78690dfd067392cb32c3a

SHA512
e6d9a95ff020703df7f9fe65e2fa8c8bc54b4e763673cde535a388efc0790f99f1d6016f6e9a5e1cb95a06661895a251c1dd2a524b07a613e658aa9bd00de098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d5b6f115c8387ccc1cc51dbe20d5eae6

SHA1
5062420a0befed4339c4b116fd166e4130aa9a78

SHA256
4ca7edb7a0a4d68c82239a368001496fc0fd1f279157c91ee6767cca3be1e7fe

SHA512
810dc8f38074718f69ef861021e8e3fb17825606e4b6fff115ea4590eca5d6b7790d0f59d85a24c9a19e99dc67c55664b3aea94a14fa5d5e1286bcbc9aaaa535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9a00a5c3acfebfaadca6b5353d129ecc

SHA1
029291a3ec512d9c321c530321d6a9acaf205985

SHA256
94b866a83464b29eb8d98bca938b75e299a5d4d015491d71e772fe0d536945d7

SHA512
0257d99fa2568a0db06843ca4633e344040b388b0a937ee2d727604f0ccce32157c3f1af0cf00d304652b90b16ce4529463b7fa81698846f4ede53194de19458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf79274f.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b27a0c93-c4a0-43ea-bf8d-70c0794c12fb.tmp

Filesize
7KB

MD5
26995a778e15d92bbf622f49df11376a

SHA1
6ffa133b5bdc940fea7f7848f47d58dff6d28a2a

SHA256
01daa1efa5c41ec72313c08fb3a32f286a8015e76e8a80dde241bd5f307e49fe

SHA512
e58be36f2757794fe9cf19880a1f93c2068193038ed835ba1dd8fcac9a12b50af016a5f7f898ef91acf5421bf5c6e57e5faf8e205f9ae3d673452b345598fd79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
81KB

MD5
f46d560224d59c29bb073420a7ff5440

SHA1
f7489b2f14eeb235774cc46a92de5b7898ba8e48

SHA256
72c88bdd333a49d516eedd5cb5dceea90280f8f71eddb57b78b128102a7c216b

SHA512
929ef1f2ffc60ec0fe3966f28a5867b703f9bcc968b753931d9c108266983e4e825b486c116ad6af7c5e42249a721b9576b21d4fa1ed90c568589f42ee6dfc04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
79KB

MD5
2b48089f60a2cbded55573d73d81d7fe

SHA1
2851c29f011228635c49ab149c4a329be45b5daf

SHA256
507bccf2b1a37910ef8db25a358e3e8a5eeccc3b2f743b176e00f44f10a781b1

SHA512
c3162fd37b09b70d01afb01fefcad7c80057d3b0c08fc3247dbe062194c76cc8027103763521c40b30e71771adb3f0f6141ae1d48db09e0aa8c828d4e24f8e2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\627100\Elite.com

Filesize
393KB

MD5
2e12eded8a07fa34307ff7ebb038f1eb

SHA1
e20342793f1a4c2dd08302e89a6ae6a932b14330

SHA256
4469a699b97e87eab8ee311a5b1875bdc2377e4bf7cfb731ca8085d4fd724d23

SHA512
6263ef6b0dc4649be9b494a677853583fada8720f0e8054ec3f29bfe6cbe0a6154b5c2dc5e1019293a53270d6f93e3eb5c036616946ad3d015717794fdb242c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\627100\q

Filesize
512KB

MD5
ac70fbd1211cbdfa66cb6587bc4ecc55

SHA1
a2c00dacb75b4dcd52046297b7e73a154c0e1288

SHA256
c32a5069e5c067dfdd701c57b8a7639f2f2da094f28eb0fba4e7d7fd400ddd3f

SHA512
de14c2ec4db7d0028cd1de205bc402a627628b6cc702cb2333f3541bc49dac433f4225fa8142a0a497787853be60c9c7c17e5b94e029c59124ce90bc7ad059be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alleged.mpeg

Filesize
75KB

MD5
1829cf2cda1b1e4c1af4aa48a5ac4ab1

SHA1
b227182ee9cc580b77483d4c4587fecb7039f077

SHA256
94238b145e9343b60cbc9f694f30ac007c7abb44514d78c4abb71e0dee2d0657

SHA512
f4cae01dbeb67da1d3a8f424efeb116e99f3cabdf8a167e0a80fe6645072af26e0e927e91de72b4b85bdb271f7dc0f836b01e75c9291042d78d46a2af9eda852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Baghdad

Filesize
1KB

MD5
af8375cb7a9727382d08ebbd612b79a0

SHA1
63263ef10d46b3f15bf94242b97cbe6af652a63e

SHA256
14f0770a5e9f63db995798aaf30a9828a1da9b87f3f8e9dfabca4ca2a77af68f

SHA512
d227afbb7cbaaa286703045cf44bf48ce67c4fe7ac6d73f5dc40376e7d20c29f8449ae018334062cf720a90a0337bb3b2da678efef7624ca810d2828419f7337

Download Submit
C:\Users\Admin\AppData\Local\Temp\Better.mpeg

Filesize
78KB

MD5
146d4cc09fd20005b2899f6b44f68bbf

SHA1
368eed4a19670ac9444015ff2194ee2e0b0b859c

SHA256
d17e6317079a94e74f6fe31d3772d398144f2924bc18e7abe6569c3096e4511e

SHA512
700cd119b2cb576351fec997aaaca627a05ee15e74440669e27ec3b2158946c3fb6286f3c3a4ed9a39bd6a7764f0b25ed55a3b9a473c8a240c7755f7ae933e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commissioners.mpeg

Filesize
477KB

MD5
4ccd46acee34c369ec34a8c621e19f17

SHA1
2b0b10f3766d37f624810f29c6612e5790408608

SHA256
24b1b6cecd27d0289eff8b7683d527115c48c8e2bf63f88d59e8d9d4159ff489

SHA512
2d1da02fafaff11880e1a738896036f1e7a2aaeabe94f5fc95bc3ccd6393863e9800583949a7e9f26047c5b24a9cb67348db32c2806c025a205e3675437865bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dance

Filesize
89KB

MD5
b6e206f75cfb297db4e5b66b21f2b23a

SHA1
fb8d49c71e7cde19ecbf298c23330b1c058e874f

SHA256
86d9324f288c5c2a6547d065b4e0a93eb2bc62d7f8a33741ef17e77ff0a50c59

SHA512
40614328fd7ba50fdc123039b25df20e71e3e12c7d867e4697f2d51a684b4611f0990485013edc6e490f0ad8dbb4ed8b4692c01173d4beefa076a56720dcfb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Der.mpeg

Filesize
87KB

MD5
784bb120449ddcc0877119dd9adb58ad

SHA1
1069a0220aaa122c41727647a02d5f9beeb15b75

SHA256
55a857e4a2a37c21ae1702597126219fe073f22cdf80be35ab16569390be2920

SHA512
3a40a37e8805d07af385510bb605408cee53a50125c153595f21da5ca650a41d288f50fc6fcd7c390053e461184fff27497083139c9b50931d04c6151c09dc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entirely

Filesize
82KB

MD5
341c79d83d7ac8c8b4c34c1906a5e77d

SHA1
e88e60eb44945bef37e177bbba4f7b26e2a55a9c

SHA256
047a19ad0bf30a97576eaf443862c64630edb10b6b6f6f7222d0931fa5b89b37

SHA512
00820d2fd05f2333169754b5f411e51c774bdb3a581ecf3b7f4e6d3b4c50bfb35154fe30685ccc1521cda24a2f8b7f61da82f06def68b6c7671dd17f971e7757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Governor

Filesize
62KB

MD5
e4431d379c5423df0e30aa6de7371da9

SHA1
1378fc682ee7d1cbe1a5d4f7cf8d2f08c53092fe

SHA256
de69cd1f6001d0f35a920ef3dee39569f9a2fd2747391b31285cdd78d1ed1823

SHA512
f1226e20c6a0e49da4affbba6e0426846d5b91bea8a92a4515617da45e314ff3feeb4da1f660193ae1a2d4b81104a069b4fc6470cde3df024a627647e37cafd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helmet

Filesize
107KB

MD5
e8bf5faafb1291519c0f81849ef4e446

SHA1
0c5b4aba22fdeb4b2be21aa7aaa5d69113cb0bba

SHA256
63e18608ff015b2c0d203c0c54576f0e6ca60493d7b284eb5bfbb262cf0beebe

SHA512
0336851a0f01e33a1e771083bae01fdc865327c9963d22a3f8d1a94b281d2fec8c7731099f0a2241053e3017591f8bdcc71a94c866905f9e34b3624fbc635439

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informed.mpeg

Filesize
91KB

MD5
366eaa00de650c7e0c51dfbd64689f05

SHA1
cc682a87230b291a82cb23c1b5e754b69e45b5f8

SHA256
a92e044fcd9cc433d5f8aac78afd72da4ed31877b25d259dc1d259452ffe7bbc

SHA512
8df6672481c775d39a6f7c957086a304f3ccfa2790dd551848c08c36969491265ed6be0d32e28b8c64013cb3433d0049e3f237185bb3bc045cc2acd226c66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iv

Filesize
120KB

MD5
c4ef7dd056d4c31db48d9da03b732648

SHA1
79893fafe734ccf66d792eaa8047a6c5326a865c

SHA256
36d402a58d390d2c14ca9566a6c319ffd090d1e8be5826af0bc148b4d8d02258

SHA512
d643ac5b9dcf36a7982a37284a6d34db92682e8777301d3c54c7cd61496c1c8dea25342a17e4a06d957796f871813688aa2441a8f4a056beb4780994b7d9a535

Download Submit
C:\Users\Admin\AppData\Local\Temp\Library.mpeg

Filesize
86KB

MD5
d74575fc1a31a85be78cdb8596f7cd61

SHA1
0074b4239aee3187df21d114ceb4adc4a0e6673c

SHA256
9ead7ce6cfc377bf27a9482964853b22983c779d4cf57551760544e0f308a9d2

SHA512
e7f1a28f6bb068a196f9eb8dd5833ca1525002762f216d509a22bd61a2d83cbd0c0dc4738ccc024b8d083ad1bfac83c9b69285ad6f7a7a1aaabe3b98b9782482

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pen

Filesize
139KB

MD5
c258a480db7eda77ee0bbbc2b956969e

SHA1
d180ac78dd378d3126429395ffe88ee31a9748c6

SHA256
74c7abaa72a3eedda6300898ecfa5c0c32f7bb508cdd76b85bcc5eeedccd9654

SHA512
fc61ce88b99eafd251c294c902059dcef9b9b09b4c885e913476f15375d82c254f8a3338a717b2f6f660fc43aa82ed5c1f99735c2cc5c2fe745b5053a86c44b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prediction

Filesize
83KB

MD5
3ee499c6fc8280bc7dfb743b515a41e2

SHA1
30664e477f83ebd3c24c7a4a01d140b41fa0403b

SHA256
e0017a2f94babee8b16740aced58e1ebac872ff91ff070050d296f351576c842

SHA512
eaaa727784c9a7320bca74f54cdc5e7fd4b0eb89800cd1cde834297235ab19bcb093087d1468ca37ad537520b8bb4072ec8455d59440fc92b3bdf4ceb1eb7b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Release\Xeno.7z

Filesize
1.5MB

MD5
b8e6895897ae16b80e21f8fdb4a40d68

SHA1
d800abef24fade566e33e2611e1fd93adba34381

SHA256
10796cf5f6a465fae6eb7888f619009babb84b2f7158ce1588094ee95546fc44

SHA512
34cf01cb145c1539157efb0715e245e693df7008203a4bf283b5b012c7829b5234b6eab6387f1e04dd93a0bdf147fcd478f51a55509a935c0d0e756afe64b906

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routine

Filesize
108KB

MD5
3b15f324fc1046867c865b9209e65a5c

SHA1
0180edf599c00510b751fc22d8cb5b7ce0f94f2d

SHA256
d2ea01651c7bb6b2de7ff81f9e422b653abc6fc94f3781045c15e52b9c106f3d

SHA512
e929250f43ba562ddad0a659bd3ca2e95d8ed63b65d3427a40ff6167c3d2e0f0733d59ac3e028e0037bca8f327e6526c08d528643af682752c2cbebe19f24d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.mpeg

Filesize
10KB

MD5
2f60b0321e3a1e982337177b59d829ad

SHA1
a97d3ae408706c19b10af6046e0cf9bc2689f9cc

SHA256
045b6d6be2902d33ff4a4588a01384836118a911938bf1250762163f955edcfd

SHA512
c5ab31747a44f066f4820ef7c823d8791a80a74e08eb4f5251e370d3cc34fc1a22965b45758455fabd923f9ca6bf5bef8668245d1c93fc8193f4993d5018377f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Specialized

Filesize
133KB

MD5
c422cff1e466a6a0802b42a24d3385a5

SHA1
d4e4f6625ea49fdbbe5679f9e55345a0f8cd750b

SHA256
2a14eb03567ce41700be5156be106278f506ae3ae61254f91d5645bc84401c84

SHA512
5ab937cad5ddcc1b86aa3e00d083448e39ea175977c93b5012fa50f0eb53b4d5d976772e9e0ab26e4438730c0fb531b406126c3d8971196bb789d35cbda383d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar398E.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Violations.mpeg

Filesize
85KB

MD5
eacb8e5f0bd07603ffac9b2284569108

SHA1
7fa7d2343313d316156f7487be934b14f45e2080

SHA256
4270eb130079192243c0f03f648c9546bf7651be3392dc3b80e38c8b301a1345

SHA512
12ae6b5d7eba50ceffe16d60824eb138042ca873183e10286c44d606069ae289316def4e7dfce186d3e4dabdce96bd6aaddd80b95c188c3720bf85690a6fd7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sake.mpeg

Filesize
12KB

MD5
ef0c24bdeaedf9ce76b94ba897d61b96

SHA1
c8b81be9dc66e312c7551e5c46f42636fbf29b72

SHA256
f58a162b05c52b98dba4a1ce9bb878e3c7f9950418c459790959b38faa11ea2d

SHA512
a4bcfac5c8db83a81da9390151e1e714534b6b9351a7cedfee2f2114f63f001badf65cb48e41f75553f85dfb88a472f2f728612b2d18d2912cec6c2d52051699

Download Submit
\Users\Admin\AppData\Local\Temp\627100\Elite.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2580-71-0x00000000037C0000-0x0000000003824000-memory.dmp

Filesize
400KB

Download
memory/2580-72-0x00000000037C0000-0x0000000003824000-memory.dmp

Filesize
400KB

Download
memory/2580-70-0x00000000037C0000-0x0000000003824000-memory.dmp

Filesize
400KB

Download
memory/2580-69-0x00000000037C0000-0x0000000003824000-memory.dmp

Filesize
400KB

Download
memory/2580-73-0x00000000037C0000-0x0000000003824000-memory.dmp

Filesize
400KB

Download