Malware Analysis Report

2024-08-06 18:07

Sample ID 240626-w9l9saxcle
Target https://github.com/moom825/xeno-rat
Tags: xenorat, rat, spyware, stealer, trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://github.com/moom825/xeno-rat was found to be: Known bad.

Malicious Activity Summary

Tags: xenorat, rat, spyware, stealer, trojan

XenorRat

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Gathers network information

Scheduled Task/Job: Scheduled Task

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-26 18:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 18:37

Reported

2024-06-26 18:41

Platform

win10v2004-20240508-en

Max time kernel

257s

Max time network

247s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/xeno-rat

Signatures

XenorRat

Tags: trojan, rat, xenorat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\dsadas.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A (2 identical entries)

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5000310000000000a8588265100041646d696e003c0009000400efbea8582d61da58ae942e00000068e10100000001000000000000000000000000000000edac1001410064006d0069006e00000014000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000000000001000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000a8582d611100557365727300640009000400efbe874f7748da58ae942e000000c70500000000010000000000000000003a00000000005423290055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\NodeSlot = "4" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "5" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 7e00310000000000a858db6411004465736b746f7000680009000400efbea8582d61da58b1942e00000072e101000000010000000000000000003e0000000000d63c6e004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000ac3bd29140a1da01fcec2e9540a1da013759fe9540a1da0114000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence, execution

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (4 identical entries)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (6 identical entries)
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe N/A (52 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Release\xeno rat server.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A (2 identical entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (34 identical entries)
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3684 wrote to memory of 3544 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical entries)
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (28 identical entries)
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 2992 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3136 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3684 wrote to memory of 3308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/moom825/xeno-rat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffc002046f8,0x7ffc00204708,0x7ffc00204718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release\" -ad -an -ai#7zMap5541:76:7zEvent19353

C:\Users\Admin\Downloads\Release\xeno rat server.exe

"C:\Users\Admin\Downloads\Release\xeno rat server.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5627386421336748242,17249762288665419149,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5520 /prefetch:2

C:\Users\Admin\Desktop\dsadas.exe

"C:\Users\Admin\Desktop\dsadas.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "Google" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FB5.tmp" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc5936299h9601h4aaahb5beh3a44ee54c644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc002046f8,0x7ffc00204708,0x7ffc00204718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,15821034267936057395,8413366470813479202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,15821034267936057395,8413366470813479202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\ipconfig.exe

ipconfig

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.111.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 8.8.8.8:53 api.github.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 140.82.113.21:443 collector.github.com tcp
US 140.82.113.21:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 21.113.82.140.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
N/A 127.0.0.1:4444 tcp
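The Processes and Network sections together show the chain this detonation actually exercised: Edge fetched Release.zip from GitHub, 7-Zip extracted it into Downloads\Release, the analyst launched "xeno rat server.exe" (the controller/builder), and a built client, dsadas.exe, ran from the Desktop, re-launched itself from AppData\Roaming\XenoManager, and registered a scheduled task named "Google" from a throw-away XML in Temp through the SysWOW64 copy of schtasks.exe (so the client is a 32-bit process). The ten TCP connections to 127.0.0.1:4444 are the client reaching the server running on the same VM; this report therefore contains no external C2 address, and port 4444 reflects how the analyst configured the build, not a fixed indicator. The following script is an added example, not part of the report or of the xeno-rat project: it runs four detections over process and connection rows constructed from this page (in practice they would come from Sysmon event ID 1 and ID 3 or a sandbox JSON export) and returns the findings as data so they can be asserted on.

```python
import re
from collections import Counter

# Constructed sample input: image/command-line pairs and connection rows copied
# from this report. Real input would be Sysmon process-create and network-connect
# events or the sandbox's machine-readable export.
PROCESSES = [
    (r"C:\Program Files\7-Zip\7zG.exe",
     r'"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release\" -ad -an -ai#7zMap5541:76:7zEvent19353'),
    (r"C:\Users\Admin\Downloads\Release\xeno rat server.exe",
     r'"C:\Users\Admin\Downloads\Release\xeno rat server.exe"'),
    (r"C:\Users\Admin\Desktop\dsadas.exe", r'"C:\Users\Admin\Desktop\dsadas.exe"'),
    (r"C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe",
     r'"C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"schtasks.exe" /Create /TN "Google" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7FB5.tmp" /F'),
    (r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (r"C:\Windows\system32\ipconfig.exe", "ipconfig"),
]
# (destination IP, port, protocol): the ten loopback rows plus one GitHub row.
NETWORK = [("127.0.0.1", 4444, "tcp")] * 10 + [("20.26.156.215", 443, "tcp")]


def find_extracted_exec(procs):
    """Executables launched from a directory 7-Zip had just extracted into (-o<dir>)."""
    out_dirs = []
    for image, cmd in procs:
        if image.lower().endswith("7zg.exe"):
            m = re.search(r'-o"?([^"\s]+)"?', cmd)
            if m:
                out_dirs.append(m.group(1).lower())
    return [image for image, _ in procs
            if any(image.lower().startswith(d) for d in out_dirs)]


def find_self_copy(procs):
    """Same executable name run from a user folder and then from AppData\\Roaming.

    Desktop -> %APPDATA%\\<dir>\\same.exe is the self-copy that precedes the
    scheduled-task persistence seen in this report.
    """
    paths_by_name = {}
    for image, _ in procs:
        paths_by_name.setdefault(image.rsplit("\\", 1)[-1].lower(), []).append(image)
    hits = []
    for name, paths in paths_by_name.items():
        copies = [p for p in paths if "\\appdata\\roaming\\" in p.lower()]
        origins = [p for p in paths if p not in copies]
        if copies and origins:
            hits.append({"name": name, "origin": origins[0], "copy": copies[0]})
    return hits


def find_temp_xml_task(procs):
    """schtasks /Create whose task definition is an XML file under a Temp folder.

    Registering from a .tmp XML keeps the trigger and action off the command
    line, and the XML is normally deleted afterwards, so Security 4698 or
    TaskScheduler/Operational 106 is what remains to reconstruct the task.
    """
    hits = []
    for image, cmd in procs:
        if not image.lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
            continue
        xml = re.search(r'/XML\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        if not xml:
            continue
        path = xml.group(1) or xml.group(2)
        if "\\temp\\" not in path.lower():
            continue
        tn = re.search(r'/TN\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
        hits.append({
            "task": (tn.group(1) or tn.group(2)) if tn else None,
            "xml": path,
            # SysWOW64\schtasks.exe means the calling process was 32-bit.
            "wow64": "\\syswow64\\" in image.lower(),
        })
    return hits


def find_loopback_beacon(net, min_count=5):
    """Repeated TCP connects to a single loopback port.

    Here client and server ran on one VM, so C2 appears as 127.0.0.1:4444;
    on a real victim the same function would be pointed at external hosts.
    """
    counts = Counter((dst, port) for dst, port, proto in net
                     if proto == "tcp" and dst.startswith("127."))
    return [{"dst": d, "port": p, "count": c}
            for (d, p), c in counts.items() if c >= min_count]


def triage(procs, net):
    """Run all four detections and return their findings keyed by name."""
    return {
        "extracted_exec": find_extracted_exec(procs),
        "self_copy": find_self_copy(procs),
        "temp_xml_task": find_temp_xml_task(procs),
        "loopback_beacon": find_loopback_beacon(net),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESSES, NETWORK).items():
        print(f"{key}: {value}")
```

The self-copy and Temp-XML checks are the portable ones: the task name ("Google"), the XenoManager directory and the .tmp file name are whatever the builder was given, so match on the behaviour (same binary re-executed from Roaming, then schtasks /Create /XML from Temp with /F) rather than on those strings.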

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_3684_NJBABCRAQNCFKXMC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 995084a01a6b861313373b20bab2229c
SHA1 53aead04af0ae724352bb182784b5b41098f0320
SHA256 50c5fe65de8130a43470f3b3f17b66271fd8ecbe7e98995498fb9ddb283b3236
SHA512 971fc2dc6777a6ecbc8f41b86cb00a3ecfeea6e1daf287cdf93f66ac218aa251dada02164554463289c152c9225c0845cc33c3854660c61a732d33ce6ae7721c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cae4514c17297fb86424409c3ee67203
SHA1 b567298817d702c4f9c0b2b1e0d0d7c4e7c04d11
SHA256 d0fc9cd1f02e82399189ebb10012b24f104a2201fb5c1a13157d61a3aa6eaa35
SHA512 7e9545c00d6d142473ad619b038afa56805a8886c191ec214e027efc1925ddb9243f2354792bb730da98ce144d4e23efad41014ab82e7d35ce27fc293cf6b15d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1659fc2508cf02c8dcec2c23e01aba4c
SHA1 ebdf87989787eb9413d3c89fc04fb0f09a579148
SHA256 1a95acf075b9de53df6f506123a8cb31d2dc17d3282763a7fce3053e9ba3b39a
SHA512 1be2b990bd2457ada8cff003bc617e3816b9a6fa2483573d985f1babf06c44ee2e1492667428b36ec50c4da6742892cf624ed25a1453403da6a7baf400010efa

C:\Users\Admin\Downloads\Release.zip

MD5 89661a9ff6de529497fec56a112bf75e
SHA1 2dd31a19489f4d7c562b647f69117e31b894b5c3
SHA256 e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd
SHA512 33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0b7721cf092e8f0fbba9fd4587a105cc
SHA1 7a99d0544345b4720ca8defa0e4784e21278e85d
SHA256 f1442ed690fb31e05a551473d7e9daa0df307522425191023e0bd21f6965e39e
SHA512 5d7fbf14bf6f0ad9d2cc1b5dfeb10c6ea3525cb0ba808b27fc946032ef9f5fbf4bf908d72bafcc79848602dc25b9a9d374fa44bf48575be7e7be9c30654fcad3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 84cce82d42c0284422c437629c1a9db2
SHA1 61d136916e39dd6bd0cb1729ab725446a2a5927c
SHA256 9671fc45c717d397545b482e52498eed76aad2aee7893654cbdbd8e0cedb0a4e
SHA512 8959adf68dbd82936fd43bd9bbb7d7d18693e43e7f7fdd15b0ee49a559f1c3eff221c50f3767214ba10d054b3b9bfc2f410bfb46acdf234d5c0e3cdc7260f291

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a8cd33313be03fee801a7b3bd31ba878
SHA1 9bce99407605d96d546016b6070505841528bc58
SHA256 fc1e4791731a2da480ddda4a8153b9ea2bf9a529f26252bd3b1ea2a7825ad1e3
SHA512 f5ad4198349f0168f850df38d3c6557412ba41b781736f226fd2f1171dfd95b20b6499f10c79c72da98b95056465e1f26890161741ede9515565061f1b031253

C:\Users\Admin\Downloads\Release\country_flags\no.png

MD5 a74dab3185ca47f60c3eb2a023cbb723
SHA1 496e6dd69c241ba662c9d91a6274a1477a4d8f23
SHA256 5bd80f95e6698c93044e18885ca1d234cc802b0b1e720d31e1d37b36eb6f4e5f
SHA512 508ee8bd337a54ef243a3539f5c64140bc90a7c223c473849cad27ddfbe7b1c6489b72819591c92c5954d59adb91f91dd7f923220d47c9db23e94f72fe2f3d9d

C:\Users\Admin\Downloads\Release\xeno rat server.exe

MD5 3987ee127f2a2cf8a29573d4e111a8e8
SHA1 fc253131e832297967f93190217f0ce403e38cb0
SHA256 3d00a800474ddf382212e003222805bd74665b69cec43b554f91c3cd9edf04c4
SHA512 69d5ac7a691dde1a3ed7f495e9b9180e63152ddaaa3d1b596ad9cbeb4d7b088f3fc4b138ecf87070014cdfa9047be18940b720de60642389921a10053250787b

memory/6120-763-0x0000000000FD0000-0x00000000011D2000-memory.dmp

memory/6120-764-0x0000000006280000-0x0000000006824000-memory.dmp

memory/6120-765-0x0000000005CD0000-0x0000000005D62000-memory.dmp

memory/6120-766-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

memory/6120-767-0x0000000006260000-0x0000000006274000-memory.dmp

memory/6120-768-0x00000000086A0000-0x00000000086BA000-memory.dmp

memory/6120-769-0x00000000086D0000-0x00000000086E2000-memory.dmp

C:\Users\Admin\Downloads\Release\country_flags\ad.png

MD5 68474a4935598753955993ccbd7062b3
SHA1 79f32a99fa7a3761d7e7b592bbac279c7a1d5559
SHA256 6e45d3cec2a17a9b9353b68288934e7c4931a36ec271b595750bf8441afae019
SHA512 631cb2594d55d14f3321cb1975cf7e35ee0e79d63c9eec23a39851849ef17cfb81edf74a6f906d92ef4dc9ed48c230ec7e3966e71a91c603beb6708f81aa90fe

C:\Users\Admin\Downloads\Release\country_flags\ae.png

MD5 0aad6b193a525af068832a5f3312dc3e
SHA1 75d2268655d2e9c2cfd39f4512c1ba46d701e91d
SHA256 6af9e1cb4e4c86a1d1b9f2fdb5c9a4eb554f4cfb674d8357f2e7e1086de4b4be
SHA512 0cbbdba73d929ff425b55abc437b82c8b56f29ec9a7b59573d134e3df5ceaf8bf928f0c4049f7a9b09638337cde8cc9cdcb0a823101d121ce99e57f5f5726cc2

C:\Users\Admin\Downloads\Release\country_flags\ao.png

MD5 1b6993d439cd730838399aec3b0fb44b
SHA1 18b30a13eda5a7b00e1ab12f9b7534ffbcd3eedd
SHA256 27e99589098bf031636fa0eae8ad7881e54181978135375c7f599f6e49fa8fa6
SHA512 4ab06e0d6eec0cd1480baf66d5c4bb9d5a88ca0cd16d95b52bc2f26da23c18a7b63a75f4cddc27d4b7563375d1f49d3deae8b108adff29c3c0a0dc520307ffd6

C:\Users\Admin\Downloads\Release\country_flags\am.png

MD5 d833529f7fa3d6229f5d2022dfefd1e6
SHA1 6f46a741c8f13f4811fff2be726617cc679f5514
SHA256 484fb381d03d5e519fab2c4dde2b78f13e67594713dcf4083a55d713a1eddae7
SHA512 126c39597b26569f52757cd16796886f180b04d78182070a586852df87413205e01d4e6fe9e041da207011804fba3db6c5f0adc27ab378ce7a6ddb2300b1ac75

C:\Users\Admin\Downloads\Release\country_flags\bd.png

MD5 4ff4808e4ed9fd060050379d38ed7bac
SHA1 3115ffe9a401d0f1f5c7cbbcd9ada9f365acc5af
SHA256 02f8bff79a1eb5201547755ec8fc8611b605fa8a85c225c38de7578040976cca
SHA512 ab86bc614a1ec6a8656559cb6ad5c0adb3b059f1080db8d53a63f14e115612ff51ae783f35f64490ee8626f3df4d8760e796cd66128ee53c5abaa84384d9b568

C:\Users\Admin\Downloads\Release\country_flags\bb.png

MD5 e1e028da72b38c64d76c1043ebf917cc
SHA1 b09a3bbbd52ebf6cb0a246267e5636db1f879853
SHA256 a944e7cce43b21f0780eb94a8a1571ab233b2b73222cba01cfccaef9734a064f
SHA512 740bf0a81f5da2f9320339271d8511af00f84dd869bfdc9678662afa6d5d7df751c2536037e10d448d77c2667c9f61c2d8545123ac03b983e83bd0289de08fe8

C:\Users\Admin\Downloads\Release\country_flags\ba.png

MD5 4eb708fb9510b271281d25752d504718
SHA1 077fbcc85234448e47052d161f8af2effe5b587b
SHA256 7b523c68fefe0a7df99e8703980206e728d3c339e1326b70824292ce654097ff
SHA512 bdb346006ce4006866570a914d890a3cefdc509770faeb8535ace87d93101f85add3f58872dac15b928d230dd2942aeebdec1ed90303db2ed122b1c8d343b405

C:\Users\Admin\Downloads\Release\country_flags\az.png

MD5 8e6c46e33d4ab8ce843fd82bf0cd164b
SHA1 41ccf6b437adf53667e86cd55398aba51093919a
SHA256 95df1829f101a8f4adc6e3e7f4e1f8d6224cc0b8127729032d645b26cca7b0fd
SHA512 05812b0a89f709de4130c6b9c0835153a77b496118c9beef962abbac7a8b960ffa5e8f19c750fbe24d94707a3ee5e8af4744a5e48ff59f92eb9dd17a82f6b1b8

C:\Users\Admin\Downloads\Release\country_flags\ax.png

MD5 27e057f1aa91f3a3fdbf354c701e9ab8
SHA1 176861508ebf7c814ba29409a7e5b5bbc04aa5f3
SHA256 f81df1b62a4476dbbc0237f024f18bb509c62037c319fb252b86d8de8d59d122
SHA512 756307faac7289f6d4250d2ef1d1086b5076cb6275be7b5d867d3451cb65a8fb70584e4286ad7aa483ab5342f6dff9bfd27562b583dc5e921530236e4c89d3b3

C:\Users\Admin\Downloads\Release\country_flags\aw.png

MD5 15b939b6f1e18d1c00c7365cbefe135f
SHA1 8cacf901d1207cecb8b925678701b75e2c19c403
SHA256 88dfe3018ff9550227b65d71eb80ca826e77cd760b12790fcd84bb6c2a6ea79a
SHA512 1a933aae54a5d6ac4c52c2de249de5dd7180e4fdc630b4c993bcd1d018712edfad69d6c0ffd033fbc050a95c7fba90937ff2c349c5c7c3ccd73644aabfe6da2d

C:\Users\Admin\Downloads\Release\country_flags\au.png

MD5 15bbd2633ed2f55b2022585c40300988
SHA1 16faecc7bc0e49d9703427823201da8a9dee0f3e
SHA256 515102fb7dab425bb3492eaa94e7ac51306d93d01dc8fa83aaf7ad9d3df00b62
SHA512 0456431b748414c018c8fd7080bcf7dd65c68d97475111cb2aecdfb8b8b5d17bb6ef1786a91e26c480bdef5c018b5e4043cba82d88b3c789e55a1a46d28bdfcf

C:\Users\Admin\Downloads\Release\country_flags\at.png

MD5 47386d35c3bc3d7ba01d5a1adcb240ee
SHA1 77993763b9809110d121436e2eba607a401b9a7f
SHA256 f9167d1381d27d03c461b8d467406b08b1ec1ca128ef455224a79a54ef1c4cba
SHA512 2cc35e482f8788bb112f60ce1dd18dc3ca2d791ae80994a7a0e3a1c4bc0b95f29edc5bed6df012197089f04712edb263ffd494b5e73c8a369af1bcffea3cd27c

C:\Users\Admin\Downloads\Release\country_flags\as.png

MD5 d3fa2caf8084ea005f29dace6a1c1a2b
SHA1 8922a843a5a7b6ecb0a47dfef6525346b762b64f
SHA256 4c4d9b46ee8b8648976fbf45f3baa20f1d2bd81d955f4ad12e5f185f0184bec0
SHA512 fdc0ed2421d1c9a1dd8199cb047a35c6b25cbb231dc0c2beae22c9dad997273d73ebd1e3a4f52f980909c1dbcc3157832eb73072d23c77fc76652dccf7c4b341

C:\Users\Admin\Downloads\Release\country_flags\aq.png

MD5 bf7280a322bac987ee3e421dbc5f6330
SHA1 6c4a9108c1a5125975f235df5956e7bc16794d20
SHA256 956390e90c1a201ed454b741eead49964393c3026d5882c47b02f564c7c94564
SHA512 d037387964cbc1c6fcb1efc780996886e2e92fa580f374fc7ae5026854635209f69efb6f57e0a65f06a1e3fd60a8ebaa31482f2f278e9af1c4efd90a345fe2f0

C:\Users\Admin\Downloads\Release\country_flags\ar.png

MD5 69cf780d75e1619d4ef97a1cfb485f37
SHA1 8d65ef01654415778dbfe664a4c3167ccd5cbbbe
SHA256 8438d5e69e23edc2054c6ca8f5b5eae4bbda37adec341a2f63e44ec7af2ee3ae
SHA512 df83d8938e5d7508b385a209bafa0ed11afdfb0dd8d4e16782e397f0addd2c54d1a55dac7bc14a704b50010ba1fa013041d8fc19aa3b98126614e0282821658e

C:\Users\Admin\Downloads\Release\country_flags\al.png

MD5 8109adb0c3baf5d82c44385afb369943
SHA1 4bc749135d32c08bd0557bb67ddc98a858354835
SHA256 2e005216be2a847983ebe9a5a4b4ff2936c9008cc7c925ed7059350d4fcf370d
SHA512 56f8f92eef8b8ae2e79f0a3a3b08df2ca22da658cd417fc3928d0895058776536f33ae93b61be7032295c9dafbc9b369016a16be0e0a4aa3243ad60f3ac3ff1d

C:\Users\Admin\Downloads\Release\country_flags\ai.png

MD5 2e5628753b22d149925f2edca861cce8
SHA1 eb12eec16eceaf289cb33cb4cd777b369d85e793
SHA256 d95df82e43d2e94018a777083e68bb5a00260912037fc02243ddfe3a0a377f45
SHA512 7db7b846c7710e8733928113acb9f70893ff16d06775c9862d03d075ad0fbe429a382df1f26ebd4836eefeabc1b8cf7734a7ef1b4b478c45cc2bf5ed2a1e8be8

C:\Users\Admin\Downloads\Release\country_flags\ag.png

MD5 f16d86d6cd9efed9d56c4e27222225cc
SHA1 2e1a7b01df725adcbdde98b683a2788c68eeeff2
SHA256 8cf632b5d10c24e29c68082bdba8737269f5160360985f9c306e8b20940552ac
SHA512 5b970073ad7b7561311d83ab5bd8d6de5486be90fd6e4ddf0581eadbdfaf007926ae8747141cd2bcd243bc254bfe0eb2db0ea3db01759361601350759d426a8c

C:\Users\Admin\Downloads\Release\country_flags\af.png

MD5 b438e2fcc22b7b7138a2270b0c46c11c
SHA1 a725f3930551e5d9ff2c719d1a159942c33ee659
SHA256 2e738e232ba262bd7b40d39f0a8ef1b68204381b0f5d97367c8b827aea9e83be
SHA512 01df36890f1cf4fff686ae1c16f2e18edb5fd2b88ba659e3cce651b3ffebe371e4dec1fb16b27c2714a6d4dbace1c7da9e7c59aff58579b111b444622eceff13

C:\Users\Admin\Downloads\Release\country_flags\cn.png

MD5 8d729fd10d6709776f37228c7e0532d5
SHA1 4131fd3b5b330c26208d1c22a794d5462df5fd91
SHA256 fa710c79afe55745037b1a612d07da1ba8769f873d831c2a23e9bd9551506766
SHA512 7614287440b385af788cfe26d99e0f855b68a06c03b2e5b7cfd2c20a508cb0812a6aa112f28d529192180978143eb83ca7cb6a6b6c7cd756f04d9eed59d926c3

C:\Users\Admin\Downloads\Release\country_flags\cm.png

MD5 cce1ba4ea50e8fd18e1575fd5812f4eb
SHA1 891ef1744c054387b6354840405aa052c61a2eb0
SHA256 e7372b1387febacd6e1612ff16f6fce0d178d7c5e0cc3e766002f147a4aef2d7
SHA512 8679e46a75790ab096f23e90ab5fd29e5115bc256d6841215f5ac4b355e03f1da1b4cb19a89e8f63fc310dbb9192b8f424b3646f36b8ead0cf3c6588762ef809

C:\Users\Admin\Downloads\Release\country_flags\cl.png

MD5 4eb4919d32968b0df973d95491d61e89
SHA1 cecfa3ef8929ba2b8420beb9a18a66cbd239efb0
SHA256 f3fea7c8853556f3400d6b92e1aada01c8798db5a53f46aa4ac7fd83562d0df4
SHA512 6f89cc393e550e13f9aad61213e30c14ceb799b9bfd0306fff8b13fbebe0783fe72a631ca5b9adeb568d8170d62c7fc36b274eb905ce0136beb206395073b547

C:\Users\Admin\Downloads\Release\country_flags\ck.png

MD5 d613e7401a410a218ed40a0a2da07f20
SHA1 b658b2d0ee868c0693ddeff3780f14846a9e148e
SHA256 b6d57adbb3af27167f9f3ec627e62241ee43ad2d9a7e8e2d67351d2e7cbc2ad0
SHA512 cae4fb83bc9786b491851e58fdca33f1569e57b0be4f449d4a3d67f15b47ff2c97fb2edeaac1b86fab07e9062f31fcfb2861ed581c755a67ca145e4188c30672

C:\Users\Admin\Downloads\Release\country_flags\ci.png

MD5 349c70fd34895e1fd7da09cec3e3a213
SHA1 48b68dc1e9dff0b78efa3749151600d598b1845a
SHA256 fcca98be86a64a9ec6263fbcc5d5e2597a29e97217a1828080c868d8a470d548
SHA512 ee6083b6876662053f2109f00cc46efe6794949887f47b2047dcb3f2b0c7fe354ef12f77cf3644c588a560144786f71cb610dc5044dc862eac2be9e3e2a8997e

C:\Users\Admin\Downloads\Release\country_flags\ch.png

MD5 acf0658dfd8c84f1f306f3fea2c92d67
SHA1 9b12a8ccb9ca119a73b0a84a995670ca63d8e168
SHA256 4c1725303c045742c8521d0d534bd4246f909f9c289e861c0edacbe0b97ca118
SHA512 54c5fbab65b10e575f8aea3a49ee7a950d01c000fc01a916e03eea120adc26ee632bd805ee6771e3dbdf95f0ddf0df035b4683cb479bd8a5bb6587e59cd31c4e

C:\Users\Admin\Downloads\Release\country_flags\cg.png

MD5 1434cb15bc1666c296b2e23bacda5aa0
SHA1 8b6416de2b072a4be3ada2ecfe22bddf3fe35931
SHA256 1003afdd38cdfa5c45aa8977b8f0906260ebb4d4063cf5bbf2bdeba4b797f694
SHA512 0a94ab8b617f752190c09d3a24aa1c7b12d984238987c657bd6f1298997a86fb644a4c0f50724acc188cb51b4f8e948369e8ada1b0c39daadd1ba31a3bce7952

C:\Users\Admin\Downloads\Release\country_flags\cf.png

MD5 06baaa819f4877ca461c78366f7281de
SHA1 1296d1334691690c95cf7ee27faa5b0e15c4a837
SHA256 5ad829236ef89cc8d9d8ff4bae28cc4066186d3520194bc91ae3d2e050308e33
SHA512 2869fe105dbd89098cfc198c9a8beecd9fdb270295911c6cc6b6d8a1c8306869b67ec4f04fcee5090b023036615f05d2ed80aeac9760f810b9725777b54b381d

C:\Users\Admin\Downloads\Release\country_flags\cd.png

MD5 f39d846c77218c4be0cabb86c5de400f
SHA1 1ece3bf46c237048ab866fc9396e0a5ff7b10416
SHA256 0890c7a0ca097f03cb9c09f24ab2e55a1ab234635eaf0b6c2e98e0afaf60e43c
SHA512 8970dfd053d6911c07c62ba353e817a2732fbb318b122eb1865f760b209d47bfee9e63dbe0af978fb831cf8a322aeebfd370b2b1d9a9b839bc752a93836e825c

C:\Users\Admin\Downloads\Release\country_flags\cc.png

MD5 4e5f94be5a63a2fb0f7f09b13c709ca3
SHA1 919700a8ff35c79293af2293e1211f1a513e5504
SHA256 0156d11191c6c7cf9164cfadb164b07d15ccc2b4e07182714d0c44a7f29a8451
SHA512 66e018c28ba5231b4aa3564b8aff87addae970ee48cecb042254d7d7c20ef763cfce8b24153878a7179bfe4e038941a1dca506989e21134785673cef4f5c408f

C:\Users\Admin\Downloads\Release\country_flags\ca.png

MD5 5941934b5f8ff897111959984b554b5f
SHA1 f3789b6d8f923c3dec484a50c1a898ff4f8ee9a3
SHA256 7b4509c54260961e637aa3e44c3c911631137ce300ebcea5cac297286023ec93
SHA512 0cec0e8f4210ca3ea4df7ce795ce463c7de3f2c0d18cb41d431aef6041893f1fdcd56cdec6955858c1e759b615264567d9cd4a4ac5d0b640ca3688c7c890a30e

C:\Users\Admin\Downloads\Release\country_flags\bz.png

MD5 04df3acbfaba16034f2bfd9370d36209
SHA1 2dd58919c12245b59b782e930353b2dc781cf58b
SHA256 91327f9a8a46a2a660f70fd22ad589b9ae07b8617ee21d24dc0360d6b00ff0b2
SHA512 59cd1cd196cc35e9775229ad1cbe72beb56fa2e54a9b6cc3ae0073024cfc6b0e2002003b667976025b5dc649571d1c0ead89264a5dc341d1aaec210b95f48444

C:\Users\Admin\Downloads\Release\country_flags\by.png

MD5 39e046973fc2969bf7e54c8b61770d3d
SHA1 a39723071a4426f8627802f952c11b41696ae5e2
SHA256 25a1fb58dec67ada5090771415da58ea598ae629f28e52420ba53f5f59d0504d
SHA512 2691b0eb7c69aca4f00be377bfa477ce9c38d0c901dfd2ffd56348f1960b3931e8183487b8208159b17785ce7e7ca206e999c80042d83824b4631d2c410dd73f

C:\Users\Admin\Downloads\Release\country_flags\bw.png

MD5 3243d26cca90de9992b6067af59fe61b
SHA1 c9494ff65c1acf60cf748772069598a0446962d8
SHA256 ba18f482f566315edc8db6e8874fdec95731f9e46cda105092080ca02f0c2540
SHA512 fdd3053487ddd46913503392b1c1047c7ff031dd96f7e26b659ebfb49ac991dc082bea686527cb3d78e7deeafef2cf8318bd798fb57b600cb5148879af10a114

C:\Users\Admin\Downloads\Release\country_flags\bt.png

MD5 871708b85a41dbf488c83c0f6d38847e
SHA1 af8858c51803ab9925e1168eea4374eab453b10f
SHA256 5cb7a5818b14e0d879a9b91aeecd9c64c6dab2f468a8147b86b117f6cd43d311
SHA512 14cce6c1b446e54517dde1241a984374808ca8e20683e49a941fa19342d4958853e000ce99d8308fde9b0d6f092f16734ce8ffc6a7b0b3e7635ba04926808b47

C:\Users\Admin\Downloads\Release\country_flags\bs.png

MD5 567968761d29569f8f4ae2008922d64a
SHA1 5651bf8b16071adc0bc86d0de6412ab580601a6b
SHA256 8c6827bd280ef162aff6b42c25416a61daf36c0982862dc5cac9d31480f79ab0
SHA512 1d88648063003e5b4fd1109337fad4cbb769cba30be811676634abe6d082dfa86543153e01944e3368d72dc1802ba9bcda19de8ae321920dd0fb0fc0e817299f

C:\Users\Admin\Downloads\Release\country_flags\br.png

MD5 e650e4a38ab3cc1dd03e835db4fabf46
SHA1 d517da25d527101ae9fbcf4d7567759252cf4b3c
SHA256 ba2c9ed05d5e1d7c6b8a460f1f21d6630938d179eb38a2e59a5841ec5afea543
SHA512 c216e68cc9ae43ba24c3d4cc86549e2efb0de86980197b6ea2cb6653f6d79aca66f948c2eb598746d0750bed4f0cef0551d6a4b1c651671e424de3b06fd8f55a

C:\Users\Admin\Downloads\Release\country_flags\bq.png

MD5 98b2ab646a5e61eff3dcc3456fa5ef5c
SHA1 c2ecf619bef994cfbdeb7761fe81ef0b05044c9f
SHA256 a9d2823ef28a3f87d60526f7d71ca2df41dab1ab0adaab11409e05e8e5207971
SHA512 c88b888b62e8844ab175fd7d5106fd14c34479003a57524d2e362d5db14b097d7b07676f59484f2f4b1a0a77c4913e56be1971c73163ad59d3f969532c7f5605

C:\Users\Admin\Downloads\Release\country_flags\bo.png

MD5 a00567a7f443d14523d414e1d1c37c01
SHA1 c143926a9127570a0a4e8ccc5af374c6f155b029
SHA256 ce52a198a07350d5d0fcdd55e914aea5ad81d2ec10e39e76b32255631017f838
SHA512 cab600088b03f2ade41a88f0a1b0cca9e86a1edd832a5f270d81f3e4009a9d4833e17b5fdecf80ee3106d1da2d3b11d809320dc9fd26c2db60542f28dd2c040d

C:\Users\Admin\Downloads\Release\country_flags\bn.png

MD5 f96f107fc7dc89b9113214c81d883576
SHA1 f10f384b6a5f6a3979b59b1e33f7e4f4b3d6cc18
SHA256 5e9484dbc8a347b857258606d4705394f7ba8aa6f10b53b5dc58e55524ad39a7
SHA512 9e94355db2dba83c097976dcc1f74d39f01449e376418d4a5907d7a6a15aafa6c30d78445550d16d5ef1ecc5f0a1d1255e4954d8496e4bc89cf974e5f6519f46

C:\Users\Admin\Downloads\Release\country_flags\bm.png

MD5 37d93c75e0c74aff9ab7d8d37c3b8e7f
SHA1 ae5a8e8178c60cecba78c529c94c23e079e94414
SHA256 42bd53dba164f119c44148e6c9bc28c0b92220800a007d499f253d1ae438c72d
SHA512 bd00f76432d816a3e81f34fd19e3002d134da223cbe6d811c4487fadceec42f6cfda17eb7577ebf514dfc1ab9a3b3cbc0c556654331c5fb76578a49a197b7043

C:\Users\Admin\Downloads\Release\country_flags\bl.png

MD5 ffa7d1b59636928e39881f1d0a0edaa3
SHA1 400ad9971d41b7f31a109f0cc7e90d2020600356
SHA256 750e0d9fb423608a1de413c843cbec1ac8d2e3e82d6a2531afcf2a472f899515
SHA512 fece6377840a8cb3a395b433a144fe244b9b4a0f24e3e821fb9d8d5c1c78ab9d4e4a2275b17d142d16ad9f8f590fa19c9a0e716fc929bb8fe13a0553693193fc

C:\Users\Admin\Downloads\Release\country_flags\bj.png

MD5 03cdcda8b815a5309282300402e338a5
SHA1 76892ab949477e558fe4760d17a5a357242a7b6f
SHA256 5bcaef0b2129ee077c6a45fad9614b1c20fa7087e20a9a85e4146dbe47cab7b0
SHA512 a4f523eb92e7a82114625761cc4aa493242e3a27da54cdbbb9945793b753931e966840c30608a56237658e83579f73ab402b3f9ff10748bccec3934ff989fd1a

C:\Users\Admin\Downloads\Release\country_flags\bi.png

MD5 18b763caf78d097de5d2ec4c70836263
SHA1 fdc6fd9635f09f1c4531258d0ac1fb271a4e9fb0
SHA256 0bf069eadc836e452702cb7217a85bcf4df656702155c96414b272bab0321a8b
SHA512 3011f6763f2787e7110813bc7c93386fd9b658fb7197094ab138bd67367d5ab67780df9f46de8b9eab625dc04caab862f6eb3b15530e38f5e257cad2bb9780d1

C:\Users\Admin\Downloads\Release\country_flags\bh.png

MD5 34f84d7c72119f0b672641450bbe6c40
SHA1 6aef283ad7f3b8bd4d45c955731d715290925d50
SHA256 ab9af1e42b20793174222b3755837cf06b574dba14b9c939db7ef01dc4ccb277
SHA512 b182ada47015996f3052311a2f1e3db556e8bc2b597e73b78f2f7f4366727a69287ad998fc83f8b782a0d1f2f606240bea433fa6251e605d891d92a2bf2a263c

C:\Users\Admin\Downloads\Release\country_flags\bg.png

MD5 15d9a2d4d4eb0a045c7f082ff2987ee9
SHA1 d780bcec786ff9a78f0d0acd47a86fd096c79117
SHA256 963e10d9f42d27225a514bc1fb89aeb77ab258cb278e4850b2207d80d572ae74
SHA512 2c816e9d6948d60716618bed3f7d87f8a28c5369dca80fe9ebb30fbf0f35d6e576fa55a879b53a3843246e118fc39cbb5a266fc83ef1a4306d0fc088d3229b9d

C:\Users\Admin\Downloads\Release\country_flags\bf.png

MD5 09096c9b04a4dcab8c716b2d6f3fe878
SHA1 5dcdbec1eb0adb7c5b478ae9626c76c092100b8d
SHA256 053a5ac85416b8c8355ba613b79325ff8734f3ac16305616ac2bcfcde95a8fe6
SHA512 d10b823bd048360075f7a915f7d4a3ca96d7c647d72616e4fafd09d5095c7660a9ccf5207faa8af9c5c88a01ffb9cc85f25025c6b00542e89f88c265892505b8

C:\Users\Admin\Downloads\Release\country_flags\be.png

MD5 56ae68a6e0b4aadf02609736ee65dd0a
SHA1 54f6b698277409722b16427e5e7a1db2e2783e2a
SHA256 968ad30023dbefef58409fb7e86d7ff43f9207ad136444a4cddcf2a29a7602e9
SHA512 d8ea14b827b60fc4cefcc0e36db862300533473742f33d7e70bf359f02874f47a0a54289341537384e5d680319542eafa46d80d506f28ca22b19e3e138507095

memory/6120-818-0x000000000A5D0000-0x000000000A5F2000-memory.dmp

memory/6120-819-0x0000000008720000-0x00000000087D2000-memory.dmp

memory/6120-820-0x0000000008800000-0x0000000008B54000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2b9d09d0adfd85e55b2274e3e3a0c874
SHA1 1b1ec63251485eb37d1bb4c89a094b3aad902f17
SHA256 c55ff84b294b896f7cc6399f4ffe114266c718620f0428ea5f1ff4a8a2484f79
SHA512 3608243d7194d5c68c765b68368caec44bd87339456e458a9a2b6b664b21fc6b404b4321d66a9b2fa1a239213a9129a64b3379032828e369cdd9852f9b950f50

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584958.TMP

MD5 4340339ca31634cf4ebecd6724a6616a
SHA1 777937bedbaf99cab6c2ed7bdd02c2cefcba0893
SHA256 4e47c7f6c6dca91b2ba14dd4a87a8df3fd12c83e82df11edc622f658a6a461f3
SHA512 116affd329347144e406197277f7d9e7429aca359084819693246e2fcb9e82371c2750ad358cdf169deff9eadc8909420753307bcf831c8568d25818a99f72b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 abcec1c7edbf55c225ee392b2de21ce7
SHA1 383a3bb1c4fb18e9e6e1c381ce0e8b50fb549033
SHA256 3e72162865c8d9549acdcc915949cacac97a155ef6f745a32546592848ac1323
SHA512 34c73ba0a23aa96e8c0b6f1f24ba784a444bc54183454bd4dd3bb767f59f726550ec28508555172c547c440c517360458dfff5c104868c14906733d4b6a8fcad

memory/6120-877-0x0000000009180000-0x00000000092A4000-memory.dmp

memory/6120-878-0x0000000006EB0000-0x0000000006ECA000-memory.dmp

C:\Users\Admin\Desktop\XenoRat.exe

MD5 9375422010f4512d56916be1329a9e9c
SHA1 64be9f67d1acfeeb221a3cc1ff39493393eac50e
SHA256 6f4baee8d86a5413a2b1f6d42b7c822bb2dbc47017c64e91be4d5f520deb2e81
SHA512 fa43051f575156aed191b84a0e4dd3037c07ad22b1d7b3b7255651a9d376bc8ee617ee5306c5062753f80ba7bec45999e1f7d4f3b1fa1d353598a3e6ea5f04b6

memory/5856-903-0x00000000002F0000-0x0000000000302000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe

MD5 e8331fceefe3a040e0743b629174dc18
SHA1 12ae773d0e1e71b9ee620622584cb9a6d0908888
SHA256 e18c00e63439d4c2cd649cb60ec9839cc84ec9a895d12d1f3ba712e1cfc3033c
SHA512 3d36a5a4b8bd59c0b1b752a0dd3c1d4f3518499ea8d86c086b2b2f164b4c093ab44266e4e9e5b518dd13dc4ea78b0c8f833ac54fee79d0c614f28e88007155a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 407fb867fc56d038aa9419637b520e12
SHA1 b8afd9818cb962b9f335fa2107e191011f4611af
SHA256 d402427b42b8926bf5a2ed8c298e980a590556b88538da27ff42d6292254a975
SHA512 47bd015df954a39065fc604bbaba87c6951f150c39dd7ece8cac7b15b6a551ad25d612d78a05529257fa47470c336fe4a22a16bffcfa48c962e2e870f17cf9bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2853ee1fe9372092fcc4aa9e7e699fbb
SHA1 f395ac7ace580fd7235750330c3d1a6b08919ea4
SHA256 a3192c10bd1162a2ab1fde7fe739eaf2563f713e3a422237673a85ceeaa9a795
SHA512 5dcf99efe13a6c0cb427c942ed83106ac7008794e7a83b3807e175af7f2d505f863e43b9079c12d7ca9f8f934a3b2faa93372e75b9b1b7629503f69619c1954f

memory/5268-933-0x0000000006240000-0x00000000062A6000-memory.dmp

memory/6120-934-0x000000000B3C0000-0x000000000B3D2000-memory.dmp

memory/5268-935-0x00000000066F0000-0x0000000006702000-memory.dmp

memory/5268-936-0x0000000006860000-0x000000000686A000-memory.dmp

memory/5268-937-0x0000000006CE0000-0x0000000006CEA000-memory.dmp

memory/5268-938-0x00000000075C0000-0x00000000076BA000-memory.dmp

memory/5268-939-0x0000000007890000-0x0000000007A52000-memory.dmp

memory/5268-940-0x00000000059C0000-0x0000000005A10000-memory.dmp

memory/5268-941-0x0000000007740000-0x00000000077B6000-memory.dmp

memory/5268-942-0x0000000007F90000-0x00000000084BC000-memory.dmp

memory/5268-943-0x0000000007700000-0x000000000771E000-memory.dmp

memory/5268-945-0x0000000007B60000-0x0000000007BFC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ed7e7050690810bb601c729c395512d3
SHA1 2c85dbc0cbe40c6a11fb564cf1793a431128b167
SHA256 93256ee6e6980a74cdab542417fede8baece2433f19517bce101ffffde885b57
SHA512 c972adf1ca0d504902fe6c1dcf41c8d73d3c85d6474eead85d414fbf16fbb4c4608cb1bbb25dc27d6bfea7093062427b5e889aebd97c4aa4bddd798d41e2e451
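The file listing above is the report's dropped-file and memory-dump inventory, flattened to one path followed by its four digests. The script below is an added example, not part of the sandbox report or of the xeno-rat project: it parses that flat layout into IOC records, validates the digest lengths, turns the sandbox-specific `C:\Users\Admin` paths into hunt patterns (the substitution of `%USERPROFILE%` for that user directory is this example's assumption), and compares a file's digests against the records. The two entries embedded as `REPORT_EXCERPT` are copied from the listing above; the bytes hashed in the `__main__` section are constructed for the demonstration and are not the real dropper.

```python
"""Parse this report's flat 'path / MD5 / SHA1 / SHA256 / SHA512' file
listing into IOC records and check files against them.

Added example, not part of the sandbox report or of the xeno-rat project.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Two entries copied from the report's Files section above (real values).
REPORT_EXCERPT = r"""
C:\Users\Admin\Desktop\XenoRat.exe

MD5 9375422010f4512d56916be1329a9e9c
SHA1 64be9f67d1acfeeb221a3cc1ff39493393eac50e
SHA256 6f4baee8d86a5413a2b1f6d42b7c822bb2dbc47017c64e91be4d5f520deb2e81
SHA512 fa43051f575156aed191b84a0e4dd3037c07ad22b1d7b3b7255651a9d376bc8ee617ee5306c5062753f80ba7bec45999e1f7d4f3b1fa1d353598a3e6ea5f04b6

memory/5856-903-0x00000000002F0000-0x0000000000302000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\dsadas.exe

MD5 e8331fceefe3a040e0743b629174dc18
SHA1 12ae773d0e1e71b9ee620622584cb9a6d0908888
SHA256 e18c00e63439d4c2cd649cb60ec9839cc84ec9a895d12d1f3ba712e1cfc3033c
SHA512 3d36a5a4b8bd59c0b1b752a0dd3c1d4f3518499ea8d86c086b2b2f164b4c093ab44266e4e9e5b518dd13dc4ea78b0c8f833ac54fee79d0c614f28e88007155a3
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: the 'Admin' profile is a sandbox artifact, so the user
# directory is generalised before the path is used as a hunt pattern.
USER_DIR = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+")


@dataclass
class FileIOC:
    path: str
    hashes: dict = field(default_factory=dict)

    def problems(self):
        """Format problems: missing algorithms or wrong digest length."""
        out = []
        for algo, n in EXPECTED_LEN.items():
            h = self.hashes.get(algo)
            if h is None:
                out.append(f"{self.path}: missing {algo}")
            elif len(h) != n:
                out.append(f"{self.path}: {algo} has {len(h)} hex chars, expected {n}")
        return out

    def hunt_pattern(self):
        """Path with the sandbox user directory replaced by %USERPROFILE%."""
        return USER_DIR.sub("%USERPROFILE%", self.path)


def parse_file_listing(text):
    """Return (file IOCs, memory-dump names) from the flattened listing.

    A digest line attaches to the most recent path; 'memory/...' lines are
    in-memory dumps with no digests and are collected separately.
    """
    iocs, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"digest line before any path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = FileIOC(path=line)
            iocs.append(current)
    return iocs, dumps


def _digest_chunks(chunks):
    """Compute all four digests in a single pass over the data."""
    hs = {a: hashlib.new(a.lower()) for a in EXPECTED_LEN}
    for block in chunks:
        for h in hs.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def hash_bytes(data):
    return _digest_chunks([data])


def digest_file(path, chunk=1 << 20):
    with open(path, "rb") as f:
        return _digest_chunks(iter(lambda: f.read(chunk), b""))


def match_digests(digests, iocs):
    """IOC records whose SHA256 equals the given digests' SHA256.

    SHA256 is the comparison key; MD5 and SHA1 are collision-prone and are
    only carried along for cross-checking against other sources.
    """
    return [i for i in iocs if i.hashes.get("SHA256") == digests["SHA256"]]


def match_file(path, iocs):
    return match_digests(digest_file(path), iocs)


if __name__ == "__main__":
    iocs, dumps = parse_file_listing(REPORT_EXCERPT)
    for i in iocs:
        print(i.hunt_pattern(), i.hashes["SHA256"], i.problems())
    # Constructed bytes for the demo; they do not match any report entry.
    print(match_digests(hash_bytes(b"constructed sample, not the dropper"), iocs))
```

On a host, the `%USERPROFILE%\AppData\Roaming\XenoManager\*.exe` pattern is the useful sweep; the `Admin` desktop path and the `dsadas.exe` name are both sandbox- and build-specific, while the digests identify exactly the build detonated here.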