Malware Analysis Report

2025-04-13 23:04

Sample ID 250320-qj69daxl15
Target https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip
Tags
xenorat discovery rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip was found to be: Known bad.

Malicious Activity Summary

xenorat discovery rat trojan

Xenorat family

Detect XenoRat Payload

XenorRat

Executes dropped EXE

Drops file in Program Files directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-20 13:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-20 13:18

Reported

2025-03-20 13:21

Platform

win10v2004-20250314-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip

Signatures

Detect XenoRat Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

XenorRat

trojan rat xenorat

Xenorat family

xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Xeno.exe N/A
N/A N/A C:\Users\Admin\Downloads\Xeno.exe N/A
N/A N/A C:\Users\Admin\Downloads\Xeno.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_858078967\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_858078967\typosquatting_list.pb C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_449152959\LICENSE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_449152959\sets.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_449152959\_metadata\verified_contents.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_591414073\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_858078967\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_449152959\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_449152959\manifest.fingerprint C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_591414073\data.txt C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files\chrome_Unpacker_BeginUnzipping5412_591414073\manifest.json C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Xeno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Xeno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\Xeno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133869503199787073" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000006e5a5a3b100041646d696e003c0009000400efbe6e5a3d33745a536a2e0000004fe10100000001000000000000000000000000000000c865b000410064006d0069006e00000014000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 7e003100000000006e5ac03a11004465736b746f7000680009000400efbe6e5a3d33745a5c6a2e00000059e101000000010000000000000000003e0000000000bc2355004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "2" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "3" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000006e5a3d331100557365727300640009000400efbe874f7748745a536a2e000000c70500000000010000000000000000003a00000000000a149a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920955164-3782810283-1225622749-1000\{90F307E7-CE1A-4F6A-92EE-D820F2A5E95D} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
N/A N/A C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5412 wrote to memory of 3164 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 3164 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5412 wrote to memory of 4044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b4,0x7ff9b376f208,0x7ff9b376f214,0x7ff9b376f220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1848,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2200,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2548,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=2740 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5036,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5052,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5644,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5652,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4852,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6004,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5988,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5988,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Release\xeno rat server.exe

"C:\Users\Admin\Downloads\Release\xeno rat server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5904,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6536,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5252,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6048,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6592 /prefetch:8

C:\Users\Admin\Downloads\Xeno.exe

"C:\Users\Admin\Downloads\Xeno.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6884,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Defender" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE3B4.tmp" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6592,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=6064 /prefetch:8

C:\Users\Admin\Downloads\Xeno.exe

"C:\Users\Admin\Downloads\Xeno.exe"

C:\Users\Admin\Downloads\Xeno.exe

"C:\Users\Admin\Downloads\Xeno.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Windows Defender" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2B6B.tmp" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3436,i,16677619976432501521,13113643517035514472,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 copilot.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 13.107.21.239:80 edge.microsoft.com tcp
GB 20.26.156.215:443 github.com tcp
US 204.79.197.239:443 edge.microsoft.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
GB 95.100.153.132:443 copilot.microsoft.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 204.79.197.239:443 edge.microsoft.com tcp
GB 95.100.153.147:443 www.bing.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 150.171.28.11:443 edge.microsoft.com tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.239:443 edge.microsoft.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
US 8.8.8.8:53 edgeassetservice.azureedge.net udp
N/A 224.0.0.251:5353 udp
US 13.107.246.65:443 edgeassetservice.azureedge.net tcp
US 13.107.246.65:443 edgeassetservice.azureedge.net tcp
GB 95.100.153.191:443 www.bing.com tcp
GB 95.100.153.147:443 www.bing.com udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 8.8.8.8:53 static.edge.microsoftapp.net udp
US 13.107.246.64:443 static.edge.microsoftapp.net tcp
US 150.171.28.11:443 edge.microsoft.com tcp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 8.8.8.8:53 edge-cloud-resource-static.azureedge.net udp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 13.107.246.64:443 edge-cloud-resource-static.azureedge.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
US 199.232.214.172:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8102e0aad85ab5baeb3bf75d9bc1f12d
SHA1 5852c967a408027ae301fb3a82c310d662ec56d0
SHA256 22157ffde4fb8405250f3ea4c0965753876504fb7bddd384808d1db3867295e7
SHA512 29bb2b5fa65189cb34ffa6e8807ce07533ff9071ad0c270836a8ce09e2431dd0549d13bf88b11d8a7270e4b0478fb14b0f1f9530ca62069c7f2785f929bf89ad

\??\pipe\crashpad_5412_LCTVOZGQKMSSXRNT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c37f9d2c357647fca20f2eaa89c18edd
SHA1 cfd1035ed2d057c317b48546f467209cbbe15f2e
SHA256 2ea3a0b7e6145fd110653b1a77cb827ad7e4a145c29378344bd3d28f595b2072
SHA512 3563f4aca9e47f35de8cb38e42a3c0448bb3ec4c9183fa392abc28fee4ca08bf16da028ffbf31cf0c0f8301ed810238961e745590e5c71621bc5a2a889dd12f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

MD5 32df26fd00f82def98958f3a9359f794
SHA1 50a593ff1a2cbb563c0b66b67268784a6a7618dd
SHA256 8ffb22ae447cd5e416d1e4772e054081ca86c5ee9e3ea605fc5cf861975f172b
SHA512 7ee6ced3f03984038c48435ac85e61983fdd85fa350ea2f976fb26c59438ad34ba89dd25a0faad2c8aced9c3ecc644d0821b2e48c1c82219e71536df5905b709

C:\Users\Admin\Downloads\Release.zip.crdownload

MD5 89661a9ff6de529497fec56a112bf75e
SHA1 2dd31a19489f4d7c562b647f69117e31b894b5c3
SHA256 e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
SHA512 33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

MD5 1443f3d666213b298fd89b4e89b6ee0f
SHA1 e9ec1207b7fb2dcd2a62c1218719690ad32bdd1f
SHA256 b00e3b7d0d29ce9e38944aae91220f2558c2275b453d8b64db91e0778e11f4a7
SHA512 8179733edcd7a914cad126cb1ac48c5903a341a36192eb10b221cd46307a8044c4895151025e9baf5bfeee8b1c8a1660fde6d13ab4952f2a1d412811fd9f347f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

MD5 40e2018187b61af5be8caf035fb72882
SHA1 72a0b7bcb454b6b727bf90da35879b3e9a70621e
SHA256 b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5
SHA512 a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1a94f9e77666347ec18c9b19aad50695
SHA1 cbd106846baf48ccec6cfa8f4dc6e9b32fc91f36
SHA256 13982238c84f875914aed92af860a6453dae2b856917fd1450e185a3a040c1a0
SHA512 22e41a3ca1cdab6a2df05a994caf1e944741306866171104782183079598ee730b581c64378afd9172bff764c781335bac7126f5a40af1c87818eb3e11f41846

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 610a7b49fa83d744a3c725753cb34017
SHA1 1471b2ffc6b5aa4cd107ec97d653fc62b99dd66b
SHA256 c1db9d0e924fe7fa752303c21485e7a9f4bc1fdd27020411f22abb9fd8a76c6f
SHA512 71458d765e26c44e9bda593bcaf98b972857440fa9aaa87766d8a550c4eacb156fd4cf40ccaab8ffcfe38ea5077d67f2e83225dc442360e6e7faea0afad9d404

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 01c884ff8825ab324a9ace83e7495671
SHA1 aeb53138f2cdb26007d9078f31183dab98baedf8
SHA256 9767ae05e0c1cb8f0977d19b583a9ad8e12708806f4ba2dbe90b8d64ab02b644
SHA512 dc10d2fc3f00a606aa482ba99cba222b2e9ea699a0f8ff54d76fefd7ba4e97a16994581178fb1ec5687166b6682cbfe1184728515b240143a75130db46c85dbd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 850c129cc4dafca59909d6592c36356e
SHA1 b17678412d72f7c498e22194febf218fed0c42a2
SHA256 c78242cd90955b35c7a4ac222cf2e3546c617a7af47c087c3df2e0c428638faa
SHA512 3c87229212360bbfafa12e48b6d3fe9c2f2f0890f593676ee02790cffc8b58efab2d991684989c243cbcac7a063e49b3eefc171215e01359d10d0d2c13ff2025

memory/3796-191-0x0000000000A50000-0x0000000000C52000-memory.dmp

memory/3796-192-0x0000000005CC0000-0x0000000006264000-memory.dmp

memory/3796-193-0x0000000005660000-0x00000000056F2000-memory.dmp

memory/3796-194-0x0000000005810000-0x000000000581A000-memory.dmp

memory/3796-195-0x0000000005A60000-0x0000000005A74000-memory.dmp

memory/3796-196-0x0000000008130000-0x000000000814A000-memory.dmp

memory/3796-197-0x0000000008150000-0x0000000008162000-memory.dmp

memory/3796-198-0x000000000A050000-0x000000000A072000-memory.dmp

memory/3796-210-0x00000000081A0000-0x0000000008252000-memory.dmp

memory/3796-211-0x0000000008280000-0x00000000085D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 f23cc495210a24ccf1c5ba09c48098be
SHA1 b5f0d307b90ede25f575fb888f56b933c4f7f8ca
SHA256 2e93722e6690e7c22e475955ae829d2868df73beac7d21010e88f082e023c4fa
SHA512 2c1d66731d59ca4afa36a7bcbe3b59165b412921fee3bb0ce79c005ca9b5908e1134fc233bd634d62ed55eceaf837cc08a3885d350f8d6c448ad134384116fd9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 754edb3f11bebbf77872494b3e84f34d
SHA1 60ec3579bfcc42905d63526e3ef880cf01fcdcfc
SHA256 83e2ec7187043528364d9297c8e752710f31740f849739faf7d3dea4a92e25b2
SHA512 97b6b73e1a56714f9a2762b0f451a48b3811c9896fdb5147d799e29a2364e270ae3c09cba93facc790bb5d8444a050f3c54630847d67bab85d385896779564cc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

MD5 41c1930548d8b99ff1dbb64ba7fecb3d
SHA1 d8acfeaf7c74e2b289be37687f886f50c01d4f2f
SHA256 16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502
SHA512 a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

MD5 e9bae4c80583f31a3aa6ee3a0477c814
SHA1 b13d3ef86ce3200f1b57b2461c73e9c211452fc1
SHA256 9011cc4350dfd4afef2933c6fbf0ee86ee17fa0db45eb3434e53e98ff5bbdd88
SHA512 674828b323a98725f02adf56e147d626dc77443023c7ae53b6e95d16bb61f9fda49ac9922eedf1d3ce723d8856f38a1a59ad96d49695255c189388cccbc67618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 42b94f8c470abfc3fcf210a6c1f50147
SHA1 8b6da863aaa0362c0982efe7641db8df83edbb25
SHA256 639bc545621ccf0e8c6dd1bfaffba85847fe94e2a5ff565fd9a9e7651481997e
SHA512 bb95f677545bdfb86aa070f31d8fe139bbd45a49994d03aa58701cfd145dc467972928d5dcf9c5f800be3cbc6f350dac63b6f948b003062e72905067490c607b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 72cd8f96bfea4bca6181340496b7e8c8
SHA1 750fd5f2842362d5767b3c17a6303aee0f29ef32
SHA256 09e6b22811e41f1d7d1433c85f2cad0309d7e1d62425c834319b5f43610f04ca
SHA512 7642d0b01c1a00caa79845f48139ab382b5b4619d8560d7bb2bc31c00b83a033d6789dfe2bc6880ce74ab61acf784f264a0a85fed38ddb2ffb49da4fb87b4a4b

memory/3796-286-0x00000000088E0000-0x0000000008A04000-memory.dmp

memory/3796-287-0x0000000008C20000-0x0000000008C3A000-memory.dmp

C:\Users\Admin\Downloads\Xeno.exe

MD5 2683ce9c30ddb082197520afc821ce1f
SHA1 a9ed7df67171c6e06b6502f3d4e70ee6f26f00a3
SHA256 c2c172bafb120b0adcb5e4b5fe7187e99cfaf040c0f33165bba22b2812ee0809
SHA512 13b00f36c7c13f80bfcb170e0eac2da43f3b0db65a42ba249059ce0c18b7c67e4fd57b5aae8807036b66a5779d5151658491d5f5c3b0a27d807ae25e5e5ffdf9

memory/4940-317-0x0000000000D40000-0x0000000000D52000-memory.dmp

C:\Program Files\chrome_Unpacker_BeginUnzipping5412_591414073\manifest.json

MD5 22b68a088a69906d96dc6d47246880d2
SHA1 06491f3fd9c4903ac64980f8d655b79082545f82
SHA256 94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88
SHA512 8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

C:\Program Files\chrome_Unpacker_BeginUnzipping5412_591414073\data.txt

MD5 60beb7140ed66301648ef420cbaad02d
SHA1 7fac669b6758bb7b8e96e92a53569cf4360ab1aa
SHA256 95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985
SHA512 6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

C:\Users\Admin\AppData\Local\Temp\tmpE3B4.tmp

MD5 b923f5b80bab6ae4947fd855494dd1c2
SHA1 5a5e04859ab57a77bb1b08b834a854b31a506f7c
SHA256 8f8adc07489cc927ecb0e28b516cacf73506fd9721282e650695be28ce34ebf4
SHA512 34ff792ad4d0ed58da090418d36d18250bf21b6a328c22fd6a8b3be1110ca450fedd7ef679465d78b425c8b8324548d21ebe502db3715b5691727c9193322da8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ca2c4bc507538fa1276d48e601c78a8f
SHA1 53ef02017a94f557f0d8c9c1c72b34d62decaa18
SHA256 7e5ca92f963cbdd836349b42db56a4765fcb69b568505d9d936e2fd32d54cce0
SHA512 56758fe28c091cdaad5907655e8f154b8524ea3825eb11ffc9e7d0224e66092ac2aa2e3a25133b93014a9c45c65bdc7cf7984690a332803f97c4767c7cef3ac1