xenorat | hxxps://github[.]com/moom825/xeno-rat/archive/refs/tags/1[.]8[.]7[.]zip

Analysis

max time kernel
269s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat/archive/refs/tags/1.8.7.zip

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/232-1027-0x0000000000400000-0x0000000000412000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
166	raw.githubusercontent.com
167	raw.githubusercontent.com
168	raw.githubusercontent.com

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\travel-facilitated-booking-kayak.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_767568687\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_1367495545\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_1367495545\smart_switch_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_84400881\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_84400881\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\travel-facilitated-booking-bing.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_1038625153\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_1038625153\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_223271973\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_223271973\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_1038625153\nav_config.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\automation.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\extraction.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_740093915\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_84400881\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_223271973\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_1367495545\office_endpoints_list.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_84400881\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_223271973\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_740093915\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_767568687\protocols.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_1367495545\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_767568687\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_223271973\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\classification.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping880_84400881\sets.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884793698790027"	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-869607583-2483572573-2297019986-1000\{3F40E3C7-B4F5-4883-A5D7-DD25C314215D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3252	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2220	msedge.exe
2220	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
5944	xeno rat server.exe
220	OpenWith.exe
5348	OpenWith.exe
4316	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
5944	xeno rat server.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
220	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe
5348	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 3408	880	msedge.exe	86
PID 880 wrote to memory of 3408	880	msedge.exe	86
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 2828	880	msedge.exe	88
PID 880 wrote to memory of 2828	880	msedge.exe	88
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 712	880	msedge.exe	87
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89
PID 880 wrote to memory of 348	880	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat/archive/refs/tags/1.8.7.zip
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x250,0x7ff8b8f8f208,0x7ff8b8f8f214,0x7ff8b8f8f220
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2396,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:2
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=2448 /prefetch:3
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1924,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3460,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4216,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4252,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:2
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3612,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5064,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6148,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4596,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6676,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6676,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6920,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=6936 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7092,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7124 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7128,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7132 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7156,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5500,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7360,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7216 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7544,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7588 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7524,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7508 /prefetch:8
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4360,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4296,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4580,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4244 /prefetch:8
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5696,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6436,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --always-read-main-dll --field-trial-handle=5748,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3408,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4472,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7844,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7316,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=7344 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=764,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3296,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5972,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4448,i,9979573645953198249,13689987260469786433,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2388

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4720

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5944

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:232

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5348
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Release\Config.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3252

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping880_1038625153\manifest.json

Filesize
160B

MD5
c3911ceb35539db42e5654bdd60ac956

SHA1
71be0751e5fc583b119730dbceb2c723f2389f6c

SHA256
31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

SHA512
d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping880_1367495545\manifest.json

Filesize
160B

MD5
a24a1941bbb8d90784f5ef76712002f5

SHA1
5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

SHA256
2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

SHA512
fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping880_223271973\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping880_223271973\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping880_541387505\manifest.json

Filesize
135B

MD5
4055ba4ebd5546fb6306d6a3151a236a

SHA1
609a989f14f8ee9ed9bffbd6ddba3214fd0d0109

SHA256
cb929ae2d466e597ecc4f588ba22faf68f7cfc204b3986819c85ac608d6f82b5

SHA512
58d39f7ae0dafd067c6dba34c686506c1718112ad5af8a255eb9a7d6ec0edca318b557565f5914c5140eb9d1b6e2ffbb08c9d596f43e7a79fdb4ef95457bf29a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping880_740093915\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping880_767568687\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping880_84400881\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
4facd0ff10154cde70c99baa7df81001

SHA1
65267ea75bcb63edd2905e288d7b96b543708205

SHA256
a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b

SHA512
ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
049e5a246ed025dee243db0ba8e2984c

SHA1
15ec2d2b28dcfc17c1cfb5d0c13482d0706f942d

SHA256
33071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12

SHA512
bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
e286408184a3cc2c2bfa7dab1a4ac62f

SHA1
45d7b84959f8434243ff8a146757eb772262a9d8

SHA256
b01fe81fed8f1f07e12e48730365c784faeaa4b77335b6959ea0b1cb75c97b26

SHA512
18637115c9af7d203c5b9be41cb1ee6c929b63f9a64408777ba7e6177c74a1e9597631ce0a07ef0758e6af8652be4ada0bb852253772816b19032386d2789c93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b2389ad8a471a4b0f33eddec2a4330bb

SHA1
b0e8dd70d5e9c36300ce30449665dc19dc14a4ea

SHA256
b2ac0da7959d9ea990d99f5f3c0242b19cddd48ea4c5be9a08f86d6effb002a3

SHA512
241030602544ef53cb777dd73c004f4639cb19634421a62ff3193ebbebd47a7dbc91a636917f966c0d30d77798b2a3bfe82089066eb473a6e48b194fb9e618b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57f0e8.TMP

Filesize
3KB

MD5
22fac65716cddc025108863fa0b4f203

SHA1
f1dd4d7316fd2556ce1659ac29be995d7a7f9545

SHA256
e56ea49fee08ad8a5ef440c1d4caf9060444b22ab67f771a76dcb6bb86e55c2f

SHA512
4c4cc96dec59f953a0dcb23b4fa6fd2c2c9a314b4e6dc9d3247733123b63fde4ff121fae07b5c60de0288cb80074cd418136d89134465629e42d147433ad5a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8dcca953243bcfcb7ab533fe9fe00999

SHA1
333e9c8255f573646828e230c7b7cd906d4624bf

SHA256
7a82909a3752d98c1158342f1068be08ea2e52e92b0457a8fa6a35645725daf8

SHA512
295b3dda04b7161419d25093d339bd16fc2fbd28301df21a12d2bb39c73c6130710a7398d31938c0f16520a32757c8aa2c8df543d08f7021d5949f96f54bf969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0fc50adddb81fa5f0373251ce9d5305e

SHA1
7aa118c6c9e6f45cac3aeb3892a483628f7d4389

SHA256
135f06b408b095ba3efde2379afc5f8a4b631ac503277f25ff7d2dd930b13470

SHA512
7366b0aaad3a9755982f271f8f70a845908d037ae7daaca59b87e39491961c2ec125fb3dd3203a6d6f64aacbbca0c8102c7996d42f68ef58f3f9ef9dfd01acd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7ea95512aad8d63a4dfe2c45b0757506

SHA1
d2af1edf6e2205b1dd72b13b55ede82014222da8

SHA256
92b992fcd84b1ca3bb1898326a96c8c7ea49cf322b79c5690e15550e0aff2e11

SHA512
ddc2ab8ff1a595b6156cae46959177775f071d734df476eb40ed3ef950230fb67d812d2b815c555bcf8596b42c12784e56bd8230eeb50e490d1c4f5641fe51dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
44241f1132fb30bee117c726ef689bce

SHA1
74465d3b18dbad104cea780de3e9d02e7161e563

SHA256
701a3ec57669641f8a71d673286c3e1e3ac27c22ed2a3381133723ca3206256c

SHA512
1ba59fc42c6badace18cce58dc3d7a8c474f50e038192c8f05792e0190918007c711294bd9be1eaf568e0a220373641033b129ca570d68f6f7833a74782db5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
33bf5e99ce5576a26d0361d07eefb55b

SHA1
2e803f8809d9ef9a4776d43e98f0435dcbb397b9

SHA256
68f4d8fdefe9da87dc999e268183bd339eedd88e805e6f9b3ee6ff95946e087b

SHA512
b69e77ec56180066e1992a8915c9f586f5254c149605b6252bb038d55bdde586d2697cfb1367d16d044a3fa12f94f64809893ca6c5691d53cedcdb9085e1a0c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
9b2f5df2f6fcb88323a45c92aa5b5863

SHA1
ad06c3a7fb3892f83c1186e0c1bdc3bedd825d5c

SHA256
470b6d421e088f46dae432e434b7d087410fd8027a2cec28eb5d3ea1ff8a8be0

SHA512
9400fb033df7eb60c4e6ed1ede663b3b62eac3d81f104fa158168ebde8b4d03f99b57c2771b93c54e9c660f058b3fd69567f29e93982fa68e2f8e29ee44f8c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
b475f2515192881f40fb2550f10a3b28

SHA1
981287ed15138f2511d70d569828dd8fa567b6f3

SHA256
2dff399fdd74cf4041f00b5a99f19c2756519e4f8f669e815ca6e741900d4583

SHA512
1c9dd59a45fca88f77bdc028b2e3b239e0ee7179494730c8c88cbce024d4bc00987070f24b9fcdefe8e351658625c6444f3136d9b5cd51a7f7bf08007cf6d6c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
9b183293b16deeefec78eea6f6dd577e

SHA1
2f6d30bf97e2899010bf2adbc7b8a0217eb9dc9c

SHA256
a1dd9a4bb22b17515b4ace32455e3c8834c4cdf5fb1b159fec7dd1f9bb3f512c

SHA512
eb41bcc40c2e9cf2ae07c9ddaa84cc5a294abfeb74d291c71e46b2380d0cc0286fbd4dfd0626e7600543c4e15237488ddbb7a86effe6e3e7973491246ece0526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1KB

MD5
3cb8816c9b5e6a63209b3cb1c5591aa6

SHA1
420d91975e7a0510a2f955e767346e7d21eaf3bb

SHA256
0da208e7813ff7c1395673c79b25428dcf8d89520710a90afe1f32b2b94e3c52

SHA512
f2d2c0f27e2ad864228c2c2a7eacc7e8a3c60488da2256472fb03852b747b5db791ba39a0f58d6485c41ff56de8fe0777965080e72de7d416b6b44584c60db25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
e2eb9d64756953561144e268dea5c13e

SHA1
f1bfbaf8a93b68cfad8be421ad4a835705028816

SHA256
3d5a10c4c6664f1997a338bb3e39840f857fca718cb8852e017e838426792d83

SHA512
47d012970b5637e444f0da902ef2b1860b84de3012f19c62fa01329e8b8d605bbf2111ef44bb83e61f8b1035eac47b32da29478716f35f30eb35d79cd4438685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
868B

MD5
efd22dab6f347d4083aca5f287bb050b

SHA1
e84aaac791f63a9492a80878934eb4a121003f6f

SHA256
3b5bcfde59e112fb2a385e7e0037d3262837a69e370d2988ddfc9bd93e4777e4

SHA512
0ca30409ec4631c5e860696129d805dc63e95d08e9fc191234a71f0084b1641df269668827476f3cb3be2720264c747c7a96c1c59d9c3fbc77d968fa988c9833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe588f1c.TMP

Filesize
463B

MD5
db4b07a306aae0a2cbe0edeadbb9dd82

SHA1
ed11c3526e302323b26cc770689f67f01923ec3e

SHA256
c0a6a677c2d1ec88ab0d812368f5d0dd2e414208b1a427db615427e1918d33dc

SHA512
c5fc8f3d69d6986eb5c150894ce90bb09bf1207545ac8e098e1a47a8cca6ded700f3231aa7a65583941bd1bca5c0878aefe1bb7f6c39f63ceb76be5d8ff259dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig~RFe5891cb.TMP

Filesize
3KB

MD5
47430e0e9ad4838b6b88191b7966810f

SHA1
8933b4ce19e396751f93687305d3d378c48e2e0f

SHA256
98c1f419b9efe0d2a9f4350442d90916bd07593d9ecde4706030d1502cfb90d2

SHA512
e3a4e44240a11ce2173acfe66f6b52bdae8fc9c97dfdca441700ab47b5c73a46b71405da95a2cc08c34507fddf4349923c33da57da244e45b5019b9898e6b65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json

Filesize
3KB

MD5
94406cdd51b55c0f006cfea05745effb

SHA1
a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

SHA256
8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

SHA512
d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
34KB

MD5
7ef2f010bfffc383e492df2473961837

SHA1
379a6c9980a4af9ad63d7379b7f63cabc25c1661

SHA256
5c7967932365cb53a1d1e862d28b1f2d30f0900d6a5b80666fbb6f7d6ffe9965

SHA512
3d81cf7b8686f61877c38179f50c629e507bf47e4f1b0b3a3680e805355fdad41319396d702d5e38148445a6421ec1778cf6cb08dab51f0b4fb8dce66b2d7e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
1f654d7a03c2a483b9110e4f494c2c02

SHA1
23638bcbc14edaaa9ab2fc253f65034cad56402a

SHA256
fe89c7e650a1aa0d21e4d60f281af93751140ec2561ffc1ff04aaf0306bb3645

SHA512
acd64a6c7d24e3fee471f3cf49d649d6a8cc90bde899d447a651e55a648a70c3310e079ac836a96f2ef3cf6d1b57465f5f5f87409749527086b4799eb52fb600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
34KB

MD5
37af198e5941ad8a77a517c292889e99

SHA1
d40d8ecad4fe9b7615222de6514ea35f4d0946b0

SHA256
afca9dfd506f7c232f489006cb81c7cc5d203e39d88aaa848df093c8dbd99abb

SHA512
9f83cfb9aa3835403b1407dbeef5a6906b1b89ad85be16a5e609dea155a593f23db9048d2e42dfc9052a1ae58eb7da343dffffefcb3fc3c6556ee602e3a6482e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
7c5a0ca25f145a182d1b2f21255a2dc6

SHA1
09e012c7071d02d7563da3b0879c8997c61dc50a

SHA256
044f49f9f6aae741630ff335ce6d6f44ebef815c1f32b2f4d24e66ac4c4aa35d

SHA512
0cf069e14e529495795e910257bcf12e20c42c3e3d0ddad66a8e5a20f22d7c6cf8079b9550674646021b2fa863f4e446995c6fe78c9d973d5036c7e9e4fb9799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
e00e88f74a71660eeb874499a174f728

SHA1
11eb9d9ace97203b62afbc0973488116999f05da

SHA256
1c74921e68bcfb53828cf726acd1433db855203953a3fe3885e02f41053f0b8c

SHA512
72b487ac6c0ce586f7efc01751c82268ddf1c6a47b2288b3d1632f8d29ed3aa9114111bac0de2248428b37d8228daecdd3a5b1887fa34a786542cb7116781b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json

Filesize
2KB

MD5
499d9e568b96e759959dc69635470211

SHA1
2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

SHA256
98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

SHA512
3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
2cd398c60711cf8172b45692d88991ce

SHA1
7ba77434b9ef24b895f0637a8889832a8b9d059f

SHA256
d7ab5f1ce957bb6e269d6d14f43f169852564c8cf531f82e6940d61ffa0d0ace

SHA512
ecd8fbd81954089b8ad097a790827248ca506f7a86d1090481878f58837ed1e493d8d9f561bc0b33f1f7632c661ab49695ee9329788338b041ad7abb917e01e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3901618c-b787-4438-8560-b12b5574a94b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e901454-489f-4adb-a512-9e4ddbb4f7dc.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir880_1975005633\4cfee46a-8bb0-4eb0-9417-d9784f179de5.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\Release.zip.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Release\Config.json

Filesize
462B

MD5
583a319b6dea1f675f81b83860aba123

SHA1
0a5cbc4241fad250c83bc86f38622a79757c7159

SHA256
596290a83136810084638abe18dfe86ee2a576360406e57c9836a5c7b6b5b70f

SHA512
ceda8a041134f6deccc6eda77c336263249c94c6df2f7f0f3ceb6aa08b05b7c77ec707c5005dbb9116a3236c3350d25f3a2df07b2f0fc0ad0fd8af71fa2bca04

Download Submit
C:\Users\Admin\Downloads\xeno-rat-1.8.7.zip.crdownload

Filesize
4.5MB

MD5
2eed3ed3ca9b2ccf831be504648d985f

SHA1
694664aa4b8a4c048de177b09ea2296b0bbe2c41

SHA256
7f63b1aa09ed2469dde49f6c1ebedb8a0fdf01b7f4fad1dc9030ed4d60b52f86

SHA512
eec80187d388b407e6270d7391262000294c93467324d2c8ead048e9522a200ab28baaa5e01fd3f275f3c2db7d87dbe968e82fe91db54ae2e50c7c2a9d40b281

Download Submit
memory/232-1027-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4316-1183-0x0000000007FC0000-0x0000000007FD4000-memory.dmp

Filesize
80KB

Download
memory/5944-975-0x0000000000370000-0x0000000000572000-memory.dmp

Filesize
2.0MB

Download
memory/5944-1002-0x0000000007AB0000-0x0000000007E04000-memory.dmp

Filesize
3.3MB

Download
memory/5944-1001-0x0000000006140000-0x00000000061F2000-memory.dmp

Filesize
712KB

Download
memory/5944-1000-0x0000000009960000-0x0000000009982000-memory.dmp

Filesize
136KB

Download
memory/5944-999-0x0000000007A60000-0x0000000007A72000-memory.dmp

Filesize
72KB

Download
memory/5944-998-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/5944-997-0x0000000005580000-0x0000000005594000-memory.dmp

Filesize
80KB

Download
memory/5944-996-0x0000000004F80000-0x0000000004F8A000-memory.dmp

Filesize
40KB

Download
memory/5944-977-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/5944-976-0x0000000005590000-0x0000000005B34000-memory.dmp

Filesize
5.6MB

Download