xenorat | 27178a08e0d8fb6e5e31ae9bff6194a5224406666fa1f528d4719c1e4a8efd67

Resubmissions

24-07-2024 00:10

240724-af2xgszdrh 10

24-07-2024 00:07

240724-aeqstswfnp 10

24-07-2024 00:03

240724-acj79szcna 10

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xeno rat client.exe
Size

46KB
MD5

d23d8120af87a615a456a12b43d4a98a
SHA1

73b41123d6f50aecdcf1c5e87a7d0319d753b0e7
SHA256

27178a08e0d8fb6e5e31ae9bff6194a5224406666fa1f528d4719c1e4a8efd67
SHA512

99026704fef97f9f9c01348310f199ad523851e105c7ea1f39312c7370cb6e50af5044fec1041298b96b6e661ac5f48d6af80687e21364806e62738d198ad319
SSDEEP

768:Ddqf04XKojwYybbZWsiBHUuOkU7cK9F9km3XNZ5SbTDay6t22:D4z0z3ZWsiBHUuY79kmz5SbTL6B

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
110	raw.githubusercontent.com
111	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3419463127-3903270268-2580331543-1000\{9B0698ED-1A44-452A-B7D3-99EFA2E38DBE}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
2332	msedge.exe
2332	msedge.exe
2972	identity_helper.exe
2972	identity_helper.exe
2420	msedge.exe
2420	msedge.exe
1384	msedge.exe
1384	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe
2408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2000	xeno rat server.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe
2332	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 4892	2332	msedge.exe	95
PID 2332 wrote to memory of 4892	2332	msedge.exe	95
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4288	2332	msedge.exe	96
PID 2332 wrote to memory of 4868	2332	msedge.exe	97
PID 2332 wrote to memory of 4868	2332	msedge.exe	97
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98
PID 2332 wrote to memory of 2276	2332	msedge.exe	98

C:\Users\Admin\AppData\Local\Temp\xeno rat client.exe
"C:\Users\Admin\AppData\Local\Temp\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RestartConnect.mht
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc451a46f8,0x7ffc451a4708,0x7ffc451a4718
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3308 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10421132134690257325,8112781674941817088,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1428 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5248

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5564

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2784

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2000

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8466cc1d-9d39-4b30-b4a9-d3ab13afcd6b.tmp

Filesize
11KB

MD5
8d603c84bb9f70ff285274dbfdffa780

SHA1
94b6ba00a4fda41f40d84a86b1e512ed437b73ed

SHA256
5b4af040811a30d7d410422195b9298db764b49f13796f32d9a1ee0dd16705d4

SHA512
66323da7a2a4c06873906259fe66999f4e87e356f431564f939bddedd17faefeb38bd60e1b8af460f0303a2144b3cec53ae6368fa00be7a45089e47534f9b43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\974b2a80-4b79-4005-9ed4-7e49e8ebb63e.tmp

Filesize
5KB

MD5
107f4b53bf94e3f99f975d480982427b

SHA1
fd33482cbfc037af46bfc4ea181d1a3d28397a0d

SHA256
b6f8a4fb9f4a6c674b25fc76ba7348c7dae06650c88e2d4d15ea848008416c02

SHA512
0b300d8155c149da39069a4051a949fab57b1617f96fe6ef9397c7262732ecf640d13059395168b3ba2836c2141d93d0a0542409e75574524d769f69999fde0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
91be4e2bf6957e5b01200b15f83b9af1

SHA1
cb9b994eb27a6e41885e4b3dedc78fa1ea9324a9

SHA256
9951e1f58567cad50199fa9e5a1b380e3f0784da276fb2d5f859110d5832dd93

SHA512
c633e932eae25c5858ac035be15f99d273183306bdc1e296e9f0154219ec2da76126158c4a2e5f2af2d27473f6077f03f518d2edd0f1981f321079953f876c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
73KB

MD5
cf604c923aae437f0acb62820b25d0fd

SHA1
84db753fe8494a397246ccd18b3bb47a6830bc98

SHA256
e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4

SHA512
754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3b5e4121e7c68cdfcaa418d75a8344ed

SHA1
b9a737946b5871a3ecc12fc9f5a86da1baf01802

SHA256
00fdb36962f84578e6ca1a7dfb30d93c9cd2f89933b08978fce7db4494aa5e3a

SHA512
ddef3ac820e501ca121fda3ac3192b286b69c19dd2a067d8735da60edd8ceb6f3554bbbda41787283b70caf4fc5c223741c2a2a3578e907b87393c6477f90a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
342767de04bb2e9da87340d3411de502

SHA1
e8052c9f4665b72a4cc030c9b0ee08b968c0120f

SHA256
69afcb4211883806bcd61feef2cf3b4b37f4ded936aade4e4e1170979c76a065

SHA512
f4b35bc14d02a3b162dedd885e5aa3cf0363bb9fa3bbf7590ab99d787f5d697e74c202003aec815a5543b7ade48389f9af67a3936583211021bec7ebb9708493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
709B

MD5
d0f1eaf157272356a5c4e2e7471a4a54

SHA1
73e477209b9b9248b4f1f064f16d6ac0b124b38f

SHA256
b0fee6d315fea518a0cefad93bf4ddcbff64467bfe06fad438701bddd12f8ed3

SHA512
f7b3a3b4316825b01f7863202b88dee1b3a98670fc340dae258d81d9091d6499938b06c6fbf432606db0922eed38d1200e63bcacb4be369f25c1bb51d25413e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
35a2d88d922efa3ae1a9a37e6bd81947

SHA1
fd704f77d505636e0ef54d190b73c10bf3243e34

SHA256
e58b72f2c19c655c2cdfd156eb35969d2b694f85ebf2283875fa81d3db6defc0

SHA512
8699b48ea7b71bfd55f4b187374e527cb85926b806f5417fca934bc617b4902aed9b42d7aed0e2cb7f4f7d53a6b2bb64c9199366337e0bf6993d3a04c9975008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40fea686e6afb37355005d4eb227b1dc

SHA1
fe4d50da09f6bf42c6a4c4a7abba6f1683de9b90

SHA256
f45e614120e0b684a52483ef8c8669238253610608e601950b80b7c5d5887877

SHA512
4533718f2b11da7e11bc41187c118eae61f468f4e37837ef0c25172229acd6a38ce879eaa18c076cf0ec400c4ecdfbaeee2ea7c2bbade6bb10989292dcf1f0ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa7b1623075dd6e7042a9dc76a8a4c0d

SHA1
413f49087d162335c5a4f5417f855ddc940d44aa

SHA256
a2eedd8d3903dc34fc408bb2f835085726943918236240d37e6a9b7f6954a0fe

SHA512
77c080fb959c0f359891d93e1acf2e4b04f6b956204336de6487fc601522da20b804cff1b7fad224a01c65085e6090d42994f88b15fea5891a3f82fabcf609d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
04f97b7cb9cb0794502c712a48d7da0b

SHA1
502214d5986247dff3ea2feed96936afcf44206f

SHA256
22939aea2696fa24ee01c5bf0537003c7b4f9f2534808f182d19cf9989dbb1d9

SHA512
2aea1915b1892e0e05820190c9e806fab1a2083184e0780dbbd06e016a5dbf319e7cec8758e501605b88db9f4b1213f4abfcd35d7dc73d79057aaef8b499be3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f473df4220b1e9b85d660e78a0d84240

SHA1
d6b15099eb10d3f1861893be4a7d5045c0339443

SHA256
db9ad80417209620fb764c1d5e8330386cfa1083715e5321be2a8ed69efa4097

SHA512
1d1f494fb2bb1963db30f934bee26b0b39f508b3ec15e3c0a76cc2def39f60e1787bd02cead6b8083c51e890ef338619dd172077bb8181523cfbeed6f6605177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
57b9e80176452bc21b297a488bd0707d

SHA1
e8ed0c585941ca202e038c5c0558c5056304f8f2

SHA256
72dd96f4a35c396b27ee15ce96df806c24e9341ef5657dbcfbc9b59a75a7a3d5

SHA512
f21ea37d6fb2b28eda16b78e258ce21c4d49b3fefb5b0e83809ae2865330895fc58da127c7364d4d84b847137dd896e804cffdead08f2800c5b6bbc9f723a2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
e59f8cb839922b4242a41839b0f914a8

SHA1
9c10123157df0811bbba3ecd3786742e256ace9b

SHA256
fe59525647cd3cf6217ce3661ce59fafd269ac3fc5b7dfe509dc2824fc235022

SHA512
208235d72345a33b65267385a5b81d0dc2c6915cc75313023ffe9a565c3c00ae62b9a21e41d16be52e4e3524db375944f5d3ac683a882210e73505706a2dd765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ffa3bf19f42c4561b9d74ffe1c6ac18

SHA1
3813ddd82084391bf4912bec60ef99f573152073

SHA256
742db0486595fa1baf6d581fb607f5b6cee48b1dadc9fd6eb54f4f9784a32c56

SHA512
4dfbd7e2c1eff8982051dfe07a560f108aa6a23c3cf0f2dbd5a7684b080b5f68ea92350e5b3cb18b31bb51fcd4c2535f54fd088b02defd471ef3f3d42790501b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bdd3575065ba75f42ff3320e3947156b

SHA1
d6f1761ad227740dcbb544bc0fea8ff81e843767

SHA256
47fe57a62c327142d556b56755bec0b60324718667421985c5e2f615d49845c5

SHA512
2456691e7b04e34524b072f80281aed615e3411483baa54c688fa41d941fd34549f74a0aa7bbaae3df4216472e51155ff4598cd502b75a0ceafd4f5a97d94780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589bdd.TMP

Filesize
538B

MD5
843c6156ef35b03dfd17a169dd2c39df

SHA1
93f32da64e4d120c710ab88effc8d83e16d96024

SHA256
a565e5bc8f7ce0b43c67dc418927b6f8f02d70e649fdf197b8ad1a24fecfe628

SHA512
a7d60f0bc6b6551ae9884bb6c74df40af1fcc310d64ba06f513312cf1d6cf11c1001dd5dc1e7723b57419045bd9be7a1344ced72891561f50502e40e7568b4da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7fea72a57c5eaf355e9291080720da6b

SHA1
e7f8cc6f2c110d250ea3f13a907c3a96f8a7669c

SHA256
dee3e15a6b27cea0d3712e295e2455450e053b885262903acab653093565b932

SHA512
9fe181cc62ac936bf06d2f9c4cb0ecb960dfc52c4ecd6a8a11d9e7696b686538d7bf42e55b536adf1c777b95c3edbe1af761969e39f411d7fd79d3c29fab8e6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
18b34881daf181cf38fb46690437a6fe

SHA1
f714e223e4ba4e7631a9678c93e5238491e0d5d2

SHA256
7dbb324299d071348cfd5613e76a537ed0a2abbc7e9c30899e2d976dbd76ce9b

SHA512
fcd87cacb78eea6a9f73d906178d98124973fc3b1ad610ba7a1df4e694ed457205777237f18306a8dc83d2a79ca23afbdd47c7e2b06eb83b33e62d0eb91c57b6

Download Submit
C:\Users\Admin\Downloads\Release.zip

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
memory/2000-785-0x0000000000480000-0x0000000000682000-memory.dmp

Filesize
2.0MB

Download
memory/2000-791-0x0000000007A40000-0x0000000007A52000-memory.dmp

Filesize
72KB

Download
memory/2000-796-0x0000000007A90000-0x0000000007DE4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-795-0x0000000006170000-0x0000000006222000-memory.dmp

Filesize
712KB

Download
memory/2000-792-0x0000000009940000-0x0000000009962000-memory.dmp

Filesize
136KB

Download
memory/2000-786-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/2000-787-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/2000-788-0x0000000004F70000-0x0000000004F7A000-memory.dmp

Filesize
40KB

Download
memory/2000-789-0x0000000007950000-0x0000000007964000-memory.dmp

Filesize
80KB

Download
memory/2000-790-0x0000000007A10000-0x0000000007A2A000-memory.dmp

Filesize
104KB

Download
memory/3992-167-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/3992-2-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/3992-170-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/3992-1-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download