xenorat | 1ad07ccab43270cd5edc95e993836fa170e29f1b3406c9b69b3667cad7a1e753

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

corruptedmodz cheat.exe
Size

45KB
MD5

d46727b08dc65590b4bf19822d69de8a
SHA1

baf05760cc92a7fb4d09c5feff975a0581c23b6f
SHA256

1ad07ccab43270cd5edc95e993836fa170e29f1b3406c9b69b3667cad7a1e753
SHA512

068573c0d670753b14bf3cfd81a5c6e291991a5e9834db20f55d9d2b67b70c8a3db532b7e08b551605f0d76144a1b5ea0d6be94e66652449ff383315a8c6c131
SSDEEP

768:xdhO/poiiUcjlJIn0QH9Xqk5nWEZ5SbTDa/WI7CPW5v:vw+jjgnNH9XqcnW85SbTGWI3

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

thought-rolls.gl.at.ply.gg

Mutex

23y7-bdgd-2cb

Attributes

delay
3000
install_path
appdata
port
45999
startup_name
runtimebroker

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

corruptedmodz cheat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	corruptedmodz cheat.exe

Executes dropped EXE 1 IoCs

Processes:

corruptedmodz cheat.exe

pid process

1588 corruptedmodz cheat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5056 schtasks.exe

pid	process
1588	corruptedmodz cheat.exe

pid	process
5056	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598310523871292"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2724 chrome.exe
2724 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2724 chrome.exe
2724 chrome.exe
2724 chrome.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe
Token: SeShutdownPrivilege	2724	chrome.exe
Token: SeCreatePagefilePrivilege	2724	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

corruptedmodz cheat.execorruptedmodz cheat.exechrome.exe

description	pid	process	target process
PID 3788 wrote to memory of 1588	3788	corruptedmodz cheat.exe	corruptedmodz cheat.exe
PID 3788 wrote to memory of 1588	3788	corruptedmodz cheat.exe	corruptedmodz cheat.exe
PID 3788 wrote to memory of 1588	3788	corruptedmodz cheat.exe	corruptedmodz cheat.exe
PID 1588 wrote to memory of 5056	1588	corruptedmodz cheat.exe	schtasks.exe
PID 1588 wrote to memory of 5056	1588	corruptedmodz cheat.exe	schtasks.exe
PID 1588 wrote to memory of 5056	1588	corruptedmodz cheat.exe	schtasks.exe
PID 2724 wrote to memory of 3440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 3440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 1640	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 3540	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 3540	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe
PID 2724 wrote to memory of 440	2724	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\corruptedmodz cheat.exe
"C:\Users\Admin\AppData\Local\Temp\corruptedmodz cheat.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz cheat.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz cheat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "runtimebroker" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F27.tmp" /F
3⤵
- Creates scheduled task(s)
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7ccbab58,0x7fff7ccbab68,0x7fff7ccbab78
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:2
2⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:8
2⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:8
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:1
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4300 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:1
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:8
2⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:8
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4632 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:8
2⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=2076,i,8060923593047241052,13062743474770242429,131072 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8ed2bfb4-85a3-4779-9ec4-960d00bec43d.tmp
Filesize
256KB

MD5
b643c66ce289815236cefd5cc4d94026

SHA1
739fcd40d0c3b61ba84cd00464520e07edfffe12

SHA256
1b0d1a9bb565623490132b7adf1f3b34c649ad05b0df6a259cca52f27f0e63f0

SHA512
0560876a4c458f9bb7866a45070c764c1892d62f6833e9376353c48ae1b35abcf1058020b3e5cf70e25b5f2ba6a515b7e214b48122d382ecf5d9b089b90f7927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
88f60bb715d4fdab6b99cd840068d218

SHA1
4953830d23da73c7a256b6ad9913b7ba6707b866

SHA256
fc74677ffba5b239213a82c8ec43c126ddbe7524fdb1b0b5f5712722bff51ab7

SHA512
3458e53b8def2dba9776f387f41c6cdc19f6425a1894a81ffaa73902cd5c299fbeed22d1308f000d1cdfb2718d524dfa3d50992ddbd2c2539aa8f907c4099893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
f6f9d3e3e0b502ee82e9483e6356a7bb

SHA1
4b541f88c6d60dac7214f2b4617adada5d5e36f6

SHA256
cd11b1c529eecb168c5b1d700344b9fd398aac96f3b9665dd42212731ca60ea6

SHA512
8060a8d392f798d03ebf90d978707e49cf2672aa632728f73f69d8c7142335d6e7189942f7de38cad0adb27b3771d2a04d4013f27616c673d38f4de7430b8fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
d94b1eefdb37026d9d2931e030118861

SHA1
322fe8dd0427746013d82ae07a1b0168bea8f904

SHA256
5db460cb04ae1c67acd4167b706e5862457bac1c11b988bb58f9635f4c6ef572

SHA512
ca17c6bb4a24374a15b7b4e82ec295da805b208745eafc3bd4dcbb35c8e234e4c0c856998c04bca9105b4841de08b5eab3c2684e8c684fe7384f00a8465c302b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
0f3e6622aa717b9a5443db7e8a20f3b4

SHA1
5b22905eef4a206da1e70ddc57b4390b967d7f0a

SHA256
4d736cf9d4a637e9de4c2fb9d32687941eda248ab35054b2e4a3d706eef750aa

SHA512
7de919d036d41c088e53734f57f23c7354b89566a2c398ad548a1372724f0356a4a7643d384c336b933f2e27c2adf2dac30b548c2a20049c6f39a49ff2d7625a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
256KB

MD5
7db2e0e8f199cdffb60e0782559214c1

SHA1
3a3441896e619334efeff210a9c90f823b84e483

SHA256
5a57c9f045eaf5c29d10bc5a474d97a720f06e1e41d034841c3cdf984ff43319

SHA512
70e7feafadba4b4ee997f87da9269f5004d0db434c350695b2df07452dc320a31f55ebf04053e6d3fefe3cd1347ab83167eacab1a4a0bc45eb33b2c51ad63d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5F27.tmp
Filesize
1KB

MD5
5ea794b6500013fd6697dd41233b46b5

SHA1
b619c60b383aebcadba55d11572a80656f781318

SHA256
b51305cbb1a160e98a1f9274fc273c535cf57cda2e77fffe2f2254f9a19d179f

SHA512
576e164275dd5b92e9463e3f168f5c0f3c6a91797233ff0557d6ee547b4b0da688ffc2b95a29a8e84de1c038724a68016fc82f1fe4c834e1ec7105684c3b6412

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\corruptedmodz cheat.exe
Filesize
45KB

MD5
d46727b08dc65590b4bf19822d69de8a

SHA1
baf05760cc92a7fb4d09c5feff975a0581c23b6f

SHA256
1ad07ccab43270cd5edc95e993836fa170e29f1b3406c9b69b3667cad7a1e753

SHA512
068573c0d670753b14bf3cfd81a5c6e291991a5e9834db20f55d9d2b67b70c8a3db532b7e08b551605f0d76144a1b5ea0d6be94e66652449ff383315a8c6c131

Download Submit
\??\pipe\crashpad_2724_DKMJMPIBBZFFNUOM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1588-52-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/1588-14-0x0000000074610000-0x0000000074DC0000-memory.dmp

Filesize
7.7MB

Download
memory/3788-0-0x000000007461E000-0x000000007461F000-memory.dmp

Filesize
4KB

Download
memory/3788-1-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download