xenorat | 42404161307a26214069b212b830faa4b46ce3a3bdb53626ebb5d9cd9c81489b

Resubmissions

11/03/2025, 18:23

250311-w1w3ma1yht 10

11/03/2025, 18:20

250311-wy2kbszqt7 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2025, 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efe.exe
Size

45KB
MD5

cb25f48fae0cc0c1e2404a26bb36e087
SHA1

8686dc9b9cfc2d359253c8fda397089cbf8f14b1
SHA256

42404161307a26214069b212b830faa4b46ce3a3bdb53626ebb5d9cd9c81489b
SHA512

051225e2a0bd6eeaa25513c55d9bee75fbf0bd9fd658602f01b149a72509a4185f28c2cf00a8c0a9ab9f8e619315ce603f2c96b829fe431f9591db0365ec7a99
SSDEEP

768:edhO/poiiUcjlJInJ3EH9Xqk5nWEZ5SbTDatuI7CPW54:ow+jjgnlEH9XqcnW85SbTYuIA

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

192.168.0.20

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/memory/2616-1-0x0000000000970000-0x0000000000982000-memory.dmp	family_xenorat
behavioral2/files/0x000c000000023c6c-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	efe.exe

Executes dropped EXE 1 IoCs

pid	Process
1248	efe.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efe.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133861909959476016"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	chrome.exe
1360	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe
Token: SeShutdownPrivilege	1360	chrome.exe
Token: SeCreatePagefilePrivilege	1360	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe
1360	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1248	2616	efe.exe	89
PID 2616 wrote to memory of 1248	2616	efe.exe	89
PID 2616 wrote to memory of 1248	2616	efe.exe	89
PID 1360 wrote to memory of 2140	1360	chrome.exe	118
PID 1360 wrote to memory of 2140	1360	chrome.exe	118
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 2380	1360	chrome.exe	119
PID 1360 wrote to memory of 3108	1360	chrome.exe	120
PID 1360 wrote to memory of 3108	1360	chrome.exe	120
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121
PID 1360 wrote to memory of 4892	1360	chrome.exe	121

C:\Users\Admin\AppData\Local\Temp\efe.exe
"C:\Users\Admin\AppData\Local\Temp\efe.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Roaming\XenoManager\efe.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\efe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0xf4,0x130,0x7ffac145cc40,0x7ffac145cc4c,0x7ffac145cc58
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2220,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3776 /prefetch:1
  2⤵
  PID:280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4472,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3176,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3864,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5136,i,11243700180759521159,11387124848135602808,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5240 /prefetch:2
  2⤵
  PID:1984

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
81ba307a6c36ed43ff26cba8d0eb2dfd

SHA1
2d8772163cfbeef308bee6640c88971bcb75395b

SHA256
cf0584fc29cb38d8ef09e6a5a2c9b9c1cb7c858eb59bc4be81c7ea32082b0957

SHA512
ee27f837fcc90e0191e6fe2c0dbbedc49a228dea9de4a5a7ca84f559416638823f95f99183590e4e7934ad3151f750bbc7f372e876251ab6f5556f5d1c3364d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.89.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\efe.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1360_1018574487\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1360_1018574487\b065f68d-83bf-4893-b702-af6cb786ee84.tmp

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\efe.exe

Filesize
45KB

MD5
cb25f48fae0cc0c1e2404a26bb36e087

SHA1
8686dc9b9cfc2d359253c8fda397089cbf8f14b1

SHA256
42404161307a26214069b212b830faa4b46ce3a3bdb53626ebb5d9cd9c81489b

SHA512
051225e2a0bd6eeaa25513c55d9bee75fbf0bd9fd658602f01b149a72509a4185f28c2cf00a8c0a9ab9f8e619315ce603f2c96b829fe431f9591db0365ec7a99

Download Submit
memory/1248-16-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1248-17-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1248-15-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/2616-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2616-1-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download