b593394a96a6e8589c815eaae68a457cba927d8051505562da5d16726f4c0277

Resubmissions

12-10-2024 10:59

241012-m3mgja1frq 6

12-10-2024 10:54

241012-mzm9na1fjj 8

12-10-2024 10:51

241012-mx9pwawhjg 7

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-10-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno 1.18 FIXED.zip
Size

23.3MB
MD5

d9e7849984e3104859af0f032370693c
SHA1

6bf9f6c6c0b11615ab5c855144cfd7158ef7ae16
SHA256

b593394a96a6e8589c815eaae68a457cba927d8051505562da5d16726f4c0277
SHA512

605be5d92861f9e1382501cd195b9ef5ea5ca0d8099eef2b5db095c954883862445d56e2ecaed7c52efdca71ea35f828c8c8d04059131fee79b4fb4a34170a96
SSDEEP

393216:d+/pKFG+pd2Si/IiPD6cNaX54TUL7jhQA55mfp2O3JBeX54TxLgjhQA55mfruiI8:cRKUlZ6TX5lxshnGX5Aaszuixv

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 5 IoCs

pid	Process
2552	winrar-x64-701.exe
3064	uninstall.exe
1972	XenoUI.exe
2560	XenoUI.exe
2544	XenoUI.exe

Loads dropped DLL 40 IoCs

pid	Process
832	chrome.exe
2652	chrome.exe
1480	chrome.exe
1196	Process not Found
2552	winrar-x64-701.exe
1196	Process not Found
1196	Process not Found
3064	uninstall.exe
3064	uninstall.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259483077	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Default32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Resources.pri	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-701.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-701.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Time Discovery 1 TTPs 2 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1424	iexplore.exe
788	iexplore.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-701.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DB15471-8888-11EF-962F-CA3CF52169FD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94A1B491-8888-11EF-962F-CA3CF52169FD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000b0a555b6d51b5800f8885da1799deed5d4025a64b366854d94bbb0d0966d00e3000000000e80000000020000200000008d95e93c772ef94e845b6d5c5473585e1840777f719bcb8b723b0d59220a448880020000ba5fd1df7c6603812d9fb87b97f4d6168f5e066ca8a59a85d17a0f56b729a04c764ce24f6ebdce0d5191708a96d2adfbd1153ec483ba4c24b051fe9d40589276d2377e937cce79fe69cf9cc1f278d5e916c83e4311feb92ca315f5c8d4c4c033a6d45c9344d03c5246eccafee65ae419836633df27b8e41930c02e0eef476e3b0ccff3a937edadcfe0a7664abeaf79259b1aa212eb2c5a050bd256fe4535e3263ca94a15914633331c400896b8c27583d71b17f29a185330d016a9b535e780a2438e033a172b20d395d271a92a6bbcd0a526f4a7cc4af11e4d0e92a2687da2a5c3c378f7a1ed7a2a4507bbe22c7de6790eabc63a12cf03a063bc28c4c1572195b3e6dcf0255468c924741b95f41cb64a34f95ec9f3ec1b923a5358b1e99ab3ac45eb51b6364d030c8d72aafe03f4c92ce5067b480fa0da65afdcc39c50dda021b9a0a124b0b4be1c4aead9f087e41071f778c2cc21e282e9ccdda95098585c2ed83aca2d6262ccad70292552a412f4a861b0adb1f7308776ad050b72c8f48e4f1eae2971c12e96c497f0d1cf05e05576b18e47f21a67245d4154aab4506ce4d5e1ba3bd068bc72a9f682c59c9733b72a93cf0da0abd69bddda8bb23dae76941616a1d8c158f774a40541cddf9a869a0769fcee709bbc16828604da282f0e5c6028feb71003a95fcab966f8c03a1505ea0db48bd9e02e6d11c3f63119bc811b0be900b841b440aaf0ba6ca9e8fe8d8d67ea89b3bfca0a9049f520117ce94e2aad7360bcd94d28b6e0b4d7cebc8750cbb3643ded170c030aeff1b5501ace5527923963c8b436416da89234a95ee26045997d4262771166d8c1a95dba47391d5bf0d8b9dc6ae0093dc474e7667e60ea5be13de0acdf7b0aa3ec21e24d60c739ff534000000093d4a2b9b105fb1ae5358189300e95d4b7e1d01735100049b46cb1c0340918a5f8a6c4db20a7a17ee63a6dfc832db0c9e4f02e3cb0cc90a946f27ca985332ae5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000f1a00c9226d189578c17e4ee4db891378dc73e0c15357e2df933db02e47e6eb3000000000e800000000200002000000092aef4b58d88d62ff01f97b28cd4d301a4aa16ad318573b496600b47dbd1dcfa200000008391a6ff5b8ca257c1afd8bd2c859d1f40ea511807c7e87211ae8c8a6e9f9736400000008b12f9b02299f7e17e7c46c5e99c588ba24b9442f532628795a58c3375d4f33d03e3132c9ee7aa9dce93d04cf23de6123be20ed408927808a3c4c7700539577b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000004105b005dec581d0bc4c75e27659740dca75497037d6f2c58eab20a0bd4f299f000000000e800000000200002000000027593e537acbb57f528e5a68248b58c45a588f0660a625cdc33c88595c07bb4f800200009e76a88a78158c46fa769cfb14fd818240efc0d7a19c995566c497e0226bfcf634e1f13d64e0e566575208e484f0a1875d7fb1ba33c9709aec88b7735af8f4042d29cd1f1a3b42ab5f168cfb4ea0b96cb148e5ad99e71031963be6f7ef2a98c6ebccb9863a59caa7b72c982b80e11c3bffce6f44b8f201b8dcf8f9ff95884b3666825486368f376ed1bc6f8b9ab8e910546d0b8e8d4fa114fa157c5e82212a9173e1a63752bfd381cb80b28ca9dc097963e387f35fbda746fa15be019230046bb6f7d0e04336aea7258ff449b1a67c760cae909f39fc259c430572388cd95d10263c466f678b0d5d046bf86146387f47cfd457e9e8cfc031a6308cf234568f620cbbaad8ad819a7e062c8f99b40a9467d8801f5bc84aa6f376f824efee82d1e567ba70233d7fca7ef5985b21f4fec24c48113f8972cd59650da0ab63bbac3ec7c363ff69790379038ec25ea70d15f7a097095f53c786ff4fc68cfc44b9036a535530a303bd73a70e715d3a229fe796979789d0d44849de6ed5f30a4930db298faba8c848d52a20c11d4c875ecf3bd26c5c67ebc9f9736894e6737d30e869c4a0421f1619d5ebf1aa7f7f7bf6013545427395641d8ce53013162dc821aa7428b4208cc0aef68dc887693d606ccd8bf611be3f540cb8f29d2e9d4cba1510e793b7052505147c25f1dc025a2795b9b740fa7a73dd7691f05a43e00c5713fa13ec32859898f62f744b646c2f3d66f80e31e05a87e7028f35cca2f72725b20cead0e833c4473dfb86744bb2136abf59d1e32a5bb11937abad6117ef04156ae79bd3664d4c80fb38112ed1abc46d22a34dcd9d023db6df197d1e06522e3ebb0a15ea179bc1d680e2ebf679a3f441e53b3b47870722ed18a466a41958c00e69dd2b859640000000e336ab76310579e3c4f24924f16e19dd31c512e241e296c97c1d94faefa52449798b8b9355f7441974da797da8aca7ec4f9bdc07f80dd0c97de8494b2f204975	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10111248951cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000005e7d1be52e7a7658d1659be874c8c10a29fa0fb7630799caa539cbe489cf8dee000000000e80000000020000200000006c31d870c6e9fa8af6ad754a95022903b769103dc275e8dd5b1c1b11c64eac789000000075132a8c26da90ed34f8cf3ab968524bf0e4c011b2975c7f5b77339a81a51796095cd2f95aa6922156698c2ceaf0429c5e5755908fde31381632fb2e96e16f8f9c536e33e834ebc896da649e0e536fb2d9011c328016e3189ee2c81c072a1b396036396e9dd5628d75efadca29f095d5c88ca98203fd1f6b4e01ac5471a16ffc8a1387c3651bfc8b6227b5a696828b044000000061577fe8d4657a375765ef52380a3347edda0a0086afb43c47aefb12b602b5fbc8d3b38c1449d51681a66c230a4f3680a3178516c03c036f38cb2c5d8ecab6a4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000108186f83d96f3a370211b3b38ad5251030574d92e90db37f8d74a056ffd0d91000000000e80000000020000200000006cf4897cc42463f43337b828d06c303f0ed7b5c8c1732366c12511bf99c179d2800200007447c317a457724e465a7aaf0f7c9ee04aa9cd28e054a94497e252bc83a52489b9773391e83e3be7e85d6c42d158382114416e17dbf460513e2fe875af0b330670e1a265d233f2b218a0eebc267bef5c8e8864500f353c6455091a30909f662bb0897ca5cf7a107f01d1d5e43b8128e654bdcbaaa759cfe7369ff295c7fac82444ecdd9f4a518cf1a054f16c093b7613e19838d006f6689d56a63fa75e6a185e565d972b1da8777af249c87ac3fac5dd2bf1887337607b3c174c7e254d8840b21cda44cd7415a5e6d5ce35602617b2338f13153e055671d7bc413a44e43ae790e7dd0b589fa6ec0ebb1221d980743bb10c200435fe07d7e85168d2e6f12a5a7149d67fa621a5b0d3bb1b92432a9ef6f7686c0b89bd7bb3f89e97c93abd1dc454adc7dd2b181f65c7dbf272697d3dc028d60cfad94bb78fdf0953bea152f3642064d24e1c3c3c68795c421a54f8c5916382c25a6f22ee66bbde8c399ad30c3651d44dc39b7d5b751eff5c4fc187a22d01a1e8e9d067c6fb0dbee02f86c8775797012f5f02c2bb9dc74afb55fc9471deece9c43e9fcf5af3b15edfaf3a2fa89d7d1ca0e45627d0c07ab2b9b324f8f3e0ffe5da82797889029a22bd3a306c53e4124c75210ed0d9461b79867f1ffb699b2e939a509330fb9f0947835c7ec3d2ae3bca6b29a7a353905ac0ccacbde6dd93ba5d37a28f5709fdce3849d2f3f3ac0c0480870c2f12b39ae9198580f73d56d06d8ef51f0b9f486e60fb12d78e20601b533481344d9727c0c5f88242eb01ea923741241009a460fb7ce0e9a69eaed2c8907ba4b2031174d8ab7137d7f7aa887b3ebdeaa24b759ec0819e4e2bce55c8a70c6f42dfce57c1be52d4251494b484571fd68ff90ab2dbe49c74a4d3bf36754fb8400000000a4d54490e06a3f2734e33931b465704ad5c4e04476d1a039e864547339bccc2caebdbdefe35587d616fdb0308d6a1fe279fd5948e5a425c1e133252c49e6088	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
692	7zFM.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeRestorePrivilege	692	7zFM.exe
Token: 35	692	7zFM.exe
Token: SeSecurityPrivilege	692	7zFM.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe
Token: SeShutdownPrivilege	1480	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
692	7zFM.exe
692	7zFM.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1424	iexplore.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe
1480	chrome.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2552	winrar-x64-701.exe
2552	winrar-x64-701.exe
1424	iexplore.exe
1424	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
788	iexplore.exe
788	iexplore.exe
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE
1548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2884	1480	chrome.exe	33
PID 1480 wrote to memory of 2884	1480	chrome.exe	33
PID 1480 wrote to memory of 2884	1480	chrome.exe	33
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2420	1480	chrome.exe	35
PID 1480 wrote to memory of 2268	1480	chrome.exe	36
PID 1480 wrote to memory of 2268	1480	chrome.exe	36
PID 1480 wrote to memory of 2268	1480	chrome.exe	36
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37
PID 1480 wrote to memory of 2080	1480	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Xeno 1.18 FIXED.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6a49758,0x7fef6a49768,0x7fef6a49778
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:2
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:1
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1428 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:2
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3216 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3772 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2820 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4044 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3736 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3928 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4084 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4216 --field-trial-handle=1388,i,14024794881655035301,3592085913440073176,131072 /prefetch:8
  2⤵
  PID:348
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2552
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies registry class
    PID:3064

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1468

C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe
"C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe"
1⤵
- Executes dropped EXE
PID:1972
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win7&apphost_version=8.0.5&gui=true
  2⤵
  - System Time Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1424
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1536

C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe
"C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe"
1⤵
- Executes dropped EXE
PID:2560
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win7&apphost_version=8.0.5&gui=true
  2⤵
  - System Time Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:788
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:788 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1548

C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe
"C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe"
1⤵
- Executes dropped EXE
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
105KB

MD5
b954981a253f5e1ee25585037a0c5fee

SHA1
96566e5c591df1c740519371ee6953ac1dc6a13f

SHA256
59e40b34b09be2654b793576035639c459ad6e962f9f9cd000d556fa21b1c7cd

SHA512
6a7772c6b404cd7fee50110b894ff0c470e5813264e605852b8dcc06bfaeb62b8cc79adcb695b3da149e42d5372a0d730cc7e8ed893c0bd0edb015fc088b7531

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
477KB

MD5
4783f1a5f0bba7a6a40cb74bc8c41217

SHA1
a22b9dc8074296841a5a78ea41f0e2270f7b7ad7

SHA256
f376aaa0d4444d0727db5598e8377f9f1606400adbbb4772d39d1e4937d5f28c

SHA512
463dff17f06eca41ae76e3c0b2efc4ef36529aa2eaed5163eec0a912fe7802c9fb38c37acfe94b82972861aaf1acf02823a5948fbb3292bb4743641acb99841e

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
45KB

MD5
1c44c85fdab8e9c663405cd8e4c3dbbd

SHA1
74d44e9cb2bf6f4c152aadb61b2ffc6b6ccd1c88

SHA256
33108dd40b4e07d60e96e1bcfa4ad877eb4906de2cc55844e40360e5d4dafb5d

SHA512
46d3fb4f2d084d51b6fd01845823100abc81913ebd1b0bcfeb52ef18e8222199d282aa45cae452f0716e0e2bf5520f7a6a254363d22b65f7ab6c10f11292ee2d

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
316KB

MD5
6ca1bc8bfe8b929f448e1742dacb8e7f

SHA1
eca3e637db230fa179dcd6c6499bd7d616f211e8

SHA256
997184b6f08d36dedc2cd12ee8dc5afb5e6e4bf77f7ab10f7ade9eefdb163344

SHA512
d823f2c960a4d92129b9bda0f4f9195d32e64b929082b5efb9149546b5053021255d1dd03cb443f0a03106314554f76b94173e280a553a81e4ac2ac282877973

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
3.1MB

MD5
53cf9bacc49c034e9e947d75ffab9224

SHA1
7db940c68d5d351e4948f26425cd9aee09b49b3f

SHA256
3b214fd9774c6d96332e50a501c5e467671b8b504070bbb17e497083b7e282c3

SHA512
44c9154b1fdbcf27ab7faee6be5b563a18b2baead3e68b3ea788c6c76cf582f52f3f87bd447a4f6e25ec7d4690761332211659d754fb4e0630c22a372e470bda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
407df25ba00ec31934349ca8d5ceb861

SHA1
813b0df461c79ca0ee6410e8cb9d68085e609269

SHA256
84b99dedc5db24d9c4fd4efb418d25ecb48131d751b85c902c329ef381d7751e

SHA512
508a50e454f24a251c295d5c76777435e89e7f0e04475420e88a5e5f00c69e843a1601984fb458aefad89a7f8308d76adac4056a581bfbd66dd287bc44484515

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e60988bdb07e6b26f601397ef273e61

SHA1
90f1ecd557f508e210191bbeeb14c42e5cf1af5b

SHA256
5d490818bb512035707be8b6059e877565379b6c4d88ff1073cf5821114f0f8d

SHA512
3ec188747634f39c3ea42cc9005d89e9ad7d5e66da1c9cc3d96a8b33564ca3490752d6726f9f72224604859aa053d15b8ca9d65959e154c587820b80b21a7153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f6f48e8fb99362fbd798685dfacf289

SHA1
99eb7deddc905b8cfe62f165244a9dcc54f1f919

SHA256
dccf58492d83264b9b167fee65eb4d44c6df531437d78c8f42a300f6ac47e38e

SHA512
82ff2be338507141fe06c12196456389e8db9221f2dbb3a473594415e402d5a191a7996064c037195e9712583e30f2b572bf85286f00bc94962cc0a46df79b56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b86e7005f5b740f7743a2ebe86e0514d

SHA1
f30045b7614ee0a8877423db4854901282df1314

SHA256
55240c34d882bb724b83cfaa1f4273290c2d5ad50b3745b3a3eb5afc41cf72bd

SHA512
03e1161fb9eee0a64bc65508d6d1e6ec7b6a662fe07baf718b4049711d138b0ac22aedbab3d678712453785c3fc784fc58cb9a8e9312fc4bdb9df1b83faf647d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ac8f555a383b24d9ef1a477f3df75dd

SHA1
27bf86ce285c0c6ee9fb07e47f9ea110b9c02843

SHA256
010430ae0ae5ee4cdad39e04474036cafc28cc2e1ce6d7d17e6ec3a75b8be939

SHA512
2ca69bb18d25eb080621672b12392cac3534af24486c019fe134b216b28f143ac6f3560842d3869c888ec7d62a610a181dfbe2ee237b9e705098cb29a8f96bc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8ace0011a2c5b43d6d875c7ba093a71

SHA1
2b1d7387437bf57592df39d004424ac96ef55084

SHA256
9d27f2bedce34ecfb606588cc16c2ee715ede8c53b55fd1449e2f271ddfe07b9

SHA512
48838ac4f68cb065bc4adc8cbf54e5d7c78b2d1c03c56eddd94f1d7532bf5b6735212f8fda81982756e0bba7e38333807de67123efa533ca1d1259b63cce09d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0192e1efb31d4e5ea91d9acf104d5fa

SHA1
e92b439725f3556dc6fa88850743c9b5497875a0

SHA256
a3b90e63c2bae3cff0078a3fd1c6a03c8d44e0ad85312a94c5bc0d1b8fd22400

SHA512
afbca0a5597094116f231bff9525b566893c426a8805bb65e1de97dfd12dae3b94c6bed564aabde50e9763bc91a8c3e2f1881357a02c22d45226e90924c2ccaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ee104cd4a3ae9cd0da4d456d55efa97

SHA1
eb69ee0b653bd8350a235dff7f852514420f2b6f

SHA256
1524515255fa1575674855b0e5f11e6fa8d2f68096ced5a67abfe7d71d10be02

SHA512
f02148ba51d23902db871e2bf62fe7d3ab960bed80a61a380d82ca1c0c77ea5c282427fb8e796bb139dce28f90d6b2becbdfc898f49bb1fb9a22cb5fc3c3b573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afed896447137c12044baa0aa1538096

SHA1
35c38e337201e18ea568a06cc569eeaecaecdfee

SHA256
ac09f52e0e9a281159a4e6fbe74852eee5148a8c217440ab6d141d6ab8db167c

SHA512
30ea24c8cea3054489811f66a770853e7d07237e73bdfc65156271f88f96d89be53bf36d088cba05734068dc0fe5676dc691083768f51ac2c63a787c7f8644f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e747d16e32e8a3e64119408a4851f85d

SHA1
8c688a73db3ebcd0c60aa5dd4a60a58c3865fc03

SHA256
2d597de81c94269ee7e07502f3ea38f96318c913fad89a644393543c79a2b34e

SHA512
48423b18f0f6c23dae5940bb5e2077c37f7a1b88e804f74dd3c6d29389da8d18e5e29f1e4e3f75f7259752f5774e0d21cdbbe1f10f3be62fd87d1a7b908ed967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
046c36a39ee1f68ad325dc21079d4c68

SHA1
87f530b08207c42b2edb0e0170a7e1bae142eb9d

SHA256
0d993541fa4e9d6987b5ddbb26ef559cc4183b0519b1a0efdfc62240fbbd07de

SHA512
c8b94e59a203bcf82bd6fe6c36b9b95e48b994ff6653581f1547bfa961522950d1f0cd566b412baa3a3849c7121ab8145dddf9c56e387b7afd196a74496e38e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea5088dc10bd1b70448f2920f4f80aa7

SHA1
186e34bdcc00a29bc40cbcf42ba056c50a3ec220

SHA256
975fdcc2883e47a8d71a086c6ca513610de696f07a9ac26e7db390307055b230

SHA512
0efcf5bcc1835f643ce77e5c5a311288c8ab605f37970b11f16f69325de949c78da02c74e037a98f1aecba041da6ccadcd85c52f8203b4efe5259e0f0aa3ccd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebce8f38e2b94f1cface68453e3f14e2

SHA1
a6be07add3515294c1a5a8d4bea5db2ed6bc32ec

SHA256
f3d63cf07f1e972c56b11eb749d8fb8600e98b62c262d502e15bfee05d78e40d

SHA512
5dbdd8ff79f63effecc1a6d1b06d4be18d139e9fa08fcd35e8561ada1b8712fc8999f9a647ea60046a94fa937b1e6b0a475aa9207df89455a8b253fc3e827b3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9929c9ab5afcd4a93db3e6edb994744

SHA1
c1d97838aac3ab1a3b3c7d7c012489572d7e4b03

SHA256
936eb246b883af82f2579f8313389d08adbb2a94becae314ad8f899d116d0afb

SHA512
e6e4b6e3ea0e6e85551328dfa3347b9de40376705f56a7d62726cf881ebe57fa42172974ad31e85a79757a2214c24d20e71cc08d284254199af443d29e6bf5de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39ccc9af2818c465a0248b5901dcfa9e

SHA1
c9c31ba15e4ade04835e79af94539c7975f004c5

SHA256
cf4bfd34ea24a7ff81fd3ac3b2c97985aaec819f9fefd2155f379b55351b48f7

SHA512
373f919852ca4cb26b3b1f3d8c2c3b6e709a6df82bcd2b46e269d0cb9641b0d6ed38502a248422631082be97ddef33d14f2ff9676647ac7aaef86b1afe279fbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96158f37f08dcf09213aa97571d535b6

SHA1
9a7318955cdf2a30484033ee2c665582903e5a0d

SHA256
bf8f573a584691afbb817d992831d7412a39dd7ece98812996691a9394478d20

SHA512
b717513168b6129515bdc16f76f8b82411bcb93a9d9e048f792562e79ccc786340590e92cb56b72d268e7d61a8f0e45019ff9ed9edf075671efb1757a06dfdb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89460ac6c3eb0f7829b184c17d9a47b6

SHA1
7088f19ab389f945d709c7579c7df2e128308ab4

SHA256
639d4bafecde022a943a0210bc3b151c79a6c06757a8e808db4908b2d923cabf

SHA512
a1aec76d7a39a296ccc20b6451553f8720a9b1c19f384af73a1bd4d9a7082c6083da3532896760259b07dd243e5de386c646b2fad0ec4f7ec3e46a6832998b10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc3389f2f9052cf2310db5829d873606

SHA1
cebb8c8d9e132a26b697cc7e8351156afb186482

SHA256
4bf54ca5bb390b85adbb12d8324f57d6f053b2b2575ab27ca49857e2fb49d69c

SHA512
021a68f4e349ade3ede100d2741af9f800a4f30cda42368c31cea8989367f9061ded6db0050fa397fcdde33496714fad0d3cc2bf7e2802f96b8001e5fdada4d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7915dc2f5bb25b83e7b36c1950f41c11

SHA1
4b51290b07980e8c991b3e9d3ca380cfa14678fd

SHA256
3e6124934bd97cd83baee82821d0a4be69672e90f92e865f487f71508d8e39d8

SHA512
9fb760531af88776819e2b8adc7781bd4c46fbd66c02067f960edf603a596757b9c2aade31f0329299b83ab27e215730bb2a0f521ab8dc1dd8cb035a3e4ebfb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f06562b32b83488647858d4dc1db6c03

SHA1
09c8739302912f4079b07b2187a29837c4bcc5a6

SHA256
cd72b9620a472baf1223062d5f9b250824e5ada77a41f16b5e4b940e4512584f

SHA512
ba7133cc6ac87592ca8f5a5a4839b460dbc734c55b73e7036247db99494400d14cc88a5f6738370a58b81535c3fc301fe1c70bec657ac32c6f6d0c7742258760

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b4ce873c9057b3b19a15e9e388ad903

SHA1
06d6e6471d93228ee2e25dddfd34ade9d78f2978

SHA256
2740a2d3aa3586d91bc3f1fd25b011b4eec1c3f7638e2a38a844c3efb8c688a3

SHA512
cf0fbefacd25b20c965a521bf20125f56476a0f2c7e2c16402d01fe42206408906bea32b3f467131127d1998afeee573d54d090ae1946e95cc83cee6be8006ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed1426a17ab29e7e56f13e6429ffb6bf

SHA1
55367c38e3c6481797c931ade38526b96c5ce9e0

SHA256
17b5c56f76ae708005485944efb7d682dc249e48b459daa2135beecd7f0118f6

SHA512
6379660126c1a306ae459637a96e6ebe08a4e6d7a36063651bbb5038516e1dc6fb9bd2574d9e72e8d86c32cafd51ed954a25ae7e79e2b646acbea188ac5af4cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10e39ad4bbfbf3ae64826e792d0cdbc9

SHA1
f94a9b2db8a05ea313fae6a3ad00e6ffdb205be6

SHA256
fa10e5f3166862d321b1e04669e6472dee16fb4ccbaa68f36413b94a9bf6d997

SHA512
519ffa8f2a5a0be46f1e23922899ad036b6f543315cc1a6929ba4c1f0ea40b0398f42819ef771c0d421e4791e3a5878175910c0e3175204a74123a926f81fca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f3ab4531ed94ae11e3f119f857a8d8a

SHA1
e3be08898fcc010ac353f4b6b857e5f535fd1e99

SHA256
0e1c923b50e8d381c6f173ffa80c94be9076b9a00bd4e607f5c0476081b895b0

SHA512
98b57bd6c4b74b6ab20dc783391bf68e478fef643568b0ed5a5252a8f69e77cb7d42a19110ddfc3078cecdfb81acfd81c2da6e6589d8bbb46d88669a13ce0f41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf9f1706a21d776989592d030e4276c

SHA1
34bbc0fcef4f8617e8c8f3cea63b6014c62cf61b

SHA256
42d0583f4d06be51f9965aff549aeec47e1a5d367c8acc066ea88b0ecd7f9081

SHA512
250f123d454920b2340d3f6da2e8b1988734b51ad3acd921a1c13a6a4f30c7a62f96f18d87e272f4db94227b519db646b0f68a3f9886c600ae94a5751d937123

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34d22ae4530fdb814d0abadeebaf1798

SHA1
63fd5df74410bb5a212de395c88b026b949312ea

SHA256
056640de05ddd5ae07e1e3182733c7796b26f269e6257243497a0cd5c549e2b5

SHA512
0ad70343961680923ba3de46bd2b96708d601d88647f990a45dc15a7eaf240312f784ed51270ab6754e7136523e342402b8ef67b0d07ccc738a021ccd070c3ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08c7ff6fbb81feb9cd3bb5cbf6aab548

SHA1
447500f64b3bcc429230f31ddb410b39aabbb260

SHA256
7b757d396fdf0854ae20655fdac3e20a3af552716ff4f040f497e041cc7edfd8

SHA512
93152e6ee33bef8bd0ce0528b1df2cf3322c40870bdaccdc625f2a3e851df408a4bbd1c674eb1c477fbc3a4d891b365a0476cb5359956bdd6c31621075f2a01d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a44a7a97fcc3121e4fefea3d147a1dbd

SHA1
b09b6d44419e34918f945427e9fd7fe218a5fdaf

SHA256
820ca1cee00fa89e2d09fd8b78edb68157c8e6c86d86f7472cbb6f87e8460c58

SHA512
268ce7f2111f22f86dde445688d867d3785835d04fe96099771ba99cfce3fe58e03fd55c995c0b8e2c838cc810dd4fd5c63192e737276f1ee21fc10acaaaf4fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15e9cf922a4319c78cbd96f6e3a7d87e

SHA1
51142d1fed800ec0f3ac932ce5a61eef45984d84

SHA256
f5c8ae9ca43b8e53072cee1f15846c195300dc2a8806aa0e9afbf9e1d705faaf

SHA512
d88f28b8532f0e5af8c8d151227c38aaec7560bade820f6cc16bb8b821cd1f1cd53309845e6b8f29737fd65845f6be237f91286bf42db7f3ce7c114d0710880a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d5f3c25e86ecbb589d86d8e6f6499e0

SHA1
22297463671bfe9aafa026ea3e34117f0926e6c0

SHA256
1b9ed40cba15dda97e810ec38330878106b93b6b3d1d9f39cd6024003db0bf6e

SHA512
40a56cd051c479198e28b5a5d688a865bf53ad88911ec7d8ffd0c476fbdafa9f5092cb999d9e63d408d0e0488795353529f223990d9a8eddf6c750030a6b4c99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c6db671e203522320092c59e8a61903

SHA1
11c3323f63e57cde34cfc7e847df4d345247acb1

SHA256
43291f164bbcfe3a03e1091e86d39a592f304978938242e306bc41a44fb69a9d

SHA512
93ee7df376cb4858fbbe4857309f74ea8a9b03311c7dd23af5d0a84cb7d6a0ccd78268fac80628fbc3d36bc0f2336ae46feb376cb57c0e2ceb47d41c8ef9488e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daaf53c3b80c92c3ea5b8ed1130735cf

SHA1
3fc73bffe6b5b2b6e26032503639264b3249bbcd

SHA256
fdf0a44ba3496729f830650a0afedddb590460b9d8f8cea308132e1c82579475

SHA512
100ee59691add102280ed19537f98221334041d9aae091c87026e8c1749bd5b2e996d9e55e6c0ad4e0f4d66f21920bcdc6f9fe0785a43dbd93cf7abd889ea427

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
d03f17037c35f067551ed44b5dd39cfa

SHA1
dfc734abcc2635a694bac7ccfea815a1173d94a9

SHA256
5cc9cb0f2333c9326c00d3be87e598a28d25c86cd6eb161053009e99c48b1275

SHA512
a44ae344a0597c09bbf4e3327aa22ac14c12bc80a28c3aacca68cb342d5f0cbc4dad72ed2d7cec02f44ec99dbfc1cef9790132c54880d33b14646d56318267c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1a409eeb1b349891f2421d8eb468862a

SHA1
decb40100a7e0a5f998c60022634593debcd1906

SHA256
149714fd5fd2997ed3331e79e61fd8b85a20ce2e21cd8d28d98cc4ddc3ee4b50

SHA512
26cb40aad87982a984052c3a42655ed51117796ecf21b76056c5c88a48a66fe4099b84445ba7396e26663d240fc7f4178c42d11631da0478536127844c1ac011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bb48a9764377fe6a2aaa9634c340a38d

SHA1
0e969bb08d2cb02af07ad3f0575cd935bf6e52c6

SHA256
12bcc6edb6042debe9f1a519b8cdd1811ec722d87750a7e1d4ee14eba5c72bf3

SHA512
e17165104998f6ab03630c66b5ac48bb48e9a38c66b94ab73d915ee499e4b40ea69af39d7978a3d4efc01e3c7d0d45efad962cafa2ea35d954eb7bffe98d4593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
a6451074442db0d3a77b1b3a733be5a3

SHA1
28b673353fa971e0d92682ff85ea1f2f3700d785

SHA256
2de079bd053152b310d655946595fb9c9d0b8fe9dca732b1fb2bdc689dbd4b3d

SHA512
c4e9ad300e0225c7b36ee405e4bbf0ae69f299d42ac360cc416f277632bfc3628c436be416b051a15536194490bc28f104b6317ab97aabcf325101fd5ad8343d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
350KB

MD5
b21b905c4e605faab81274d449b77185

SHA1
d093fe0215969c4c87b09b76de33496f6dfe2955

SHA256
eca98aca381a161a3041dd361bb4c409dd85d2e54afeda1c8f7367521ef510a3

SHA512
f1a7b83c6585500586f2c602d75a55f768982be4dc01c86575a2c64fdf0c902c2e858dc92da18bd79f5342648d3df1c1291d0ee4533eb74e7f5df5d49c86e134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f1eb78a2-a10f-4c2d-87f9-f843186ba062.tmp

Filesize
350KB

MD5
35e37adf2d24a4f30554032305153a0d

SHA1
66abd4ff77ec8e3c3df9b4bc9c9cd276c560c271

SHA256
4c6e7ebc826d6a3daecc22c95ad3b8a60c8a9f1b4e98f3a9a7859437c8a95272

SHA512
5a661a982ad101436ce9fcb13068700c0082ed85b4dae58290bab4bdb94a298d14282721707e2de510e163283f2d91166a49edff3224434547a88af1cda7a878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\down[1]

Filesize
748B

MD5
c4f558c4c8b56858f15c09037cd6625a

SHA1
ee497cc061d6a7a59bb66defea65f9a8145ba240

SHA256
39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781

SHA512
d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\invalidcert[1]

Filesize
2KB

MD5
8ce0833cca8957bda3ad7e4fe051e1dc

SHA1
e5b9df3b327f52a9ed2d3821851e9fdd05a4b558

SHA256
f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3

SHA512
283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\background_gradient_red[1]

Filesize
868B

MD5
337038e78cf3c521402fc7352bdd5ea6

SHA1
017eaf48983c31ae36b5de5de4db36bf953b3136

SHA256
fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61

SHA512
0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K0PVW9XR\red_shield_48[1]

Filesize
4KB

MD5
7c588d6bb88d85c7040c6ffef8d753ec

SHA1
7fdd217323d2dcc4a25b024eafd09ae34da3bfef

SHA256
5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0

SHA512
0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\invalidcert[1]

Filesize
4KB

MD5
a5d6ba8403d720f2085365c16cebebef

SHA1
487dcb1af9d7be778032159f5c0bc0d25a1bf683

SHA256
59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7

SHA512
6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RLHRIIGD\red_shield[1]

Filesize
810B

MD5
006def2acbd0d2487dffc287b27654d6

SHA1
c95647a113afc5241bdb313f911bf338b9aeffdc

SHA256
4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e

SHA512
9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\green_shield[1]

Filesize
810B

MD5
c6452b941907e0f0865ca7cf9e59b97d

SHA1
f9a2c03d1be04b53f2301d3d984d73bf27985081

SHA256
1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439

SHA512
beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VUUZQMCA\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
1abb13aa1ef2d5155ac308b0f8fa0818

SHA1
73320c8d7e67a32efed23314d4b63a2e07b1aff1

SHA256
384ccba89ccc97c942028db5d07295a49d6013bf5a3efef49aa894914c64e4c1

SHA512
c26b145073192dcb3bba5173559e181939d0d4ef27641ba2ad4d130bd42906b628e83a9d8d3fbce82cec606c47c3100fc6a2fb93214880a570e01910f13240c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\XenoUI.exe.WebView2\EBWebView\Default\Safe Browsing Network\Safe Browsing Cookies

Filesize
20KB

MD5
05627baf681d82e6dd4ccc8007be35be

SHA1
5f3115f020463a5817b96f0be132b3b5d9be9699

SHA256
859aeccc98381f561f6ab2e78aa9945c4324d19cdcd5cef6b0d41bed3d4042a4

SHA512
b837314cc8e0ad13390552f1d4e54e665052134045c1fa32b0d7788c15e3778c35c1bbd443b51ba0d2dc48b7e84ef194b1a0af66287ef59a36502631919e2bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\XenoUI.exe.WebView2\EBWebView\GrShaderCache\f_000001

Filesize
16KB

MD5
110daab324087a2ebdd1527caf40e355

SHA1
11c6b55c0845c0db0cf7e29f76efe58a83190b20

SHA256
2cd5417323bb354496f302978b6bf38bc2125b70c5adf751aec79b3b2dd5e7bf

SHA512
f6699dbe39cd578b59b684d0a867b3f1bd55a99fd752740f1e420cc6d2b5ba9372157b1ea341e263b4c57882a251677050988506395609d9c5aeacc406b2f327

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\XenoUI.exe.WebView2\EBWebView\Subresource Filter\Indexed Rules\36\10.34.0.55\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\XenoUI.exe.WebView2\EBWebView\hyphen-data\101.0.4906.0\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\XenoUI.exe.WebView2\EBWebView\hyphen-data\101.0.4906.0\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\XenoUI.exe.WebView2\EBWebView\hyphen-data\101.0.4906.0\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4B264ED6\net8.0-windows\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C13.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9CD3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF3B9B53C4C51481DB.TMP

Filesize
16KB

MD5
f5f0a70fe27a9af4e61d1ec43e0717d6

SHA1
cc1bdfd8501e15c422fd8a9f04517d75a946771b

SHA256
e72b33cc09a968e560159102d42cfdce516425da9af425e55adbaf87ba2715ed

SHA512
d1520e6031ecff4e42e29dec7b28ab87535925b9940f2f41f0aaafcbcd6ab435bebde786603a69a74ef53b7701e98ba487903a8d4dd245a9fe5ecff14ba3c4a4

Download Submit
\Users\Admin\Desktop\net8.0-windows\XenoUI.exe

Filesize
144KB

MD5
994a84c1c1712ac9b768ed11d71a9307

SHA1
819b76ba1585d9957a61d52ac31dc95de91694ca

SHA256
d1d5d27176b6cdd5fc0436c771ba51c78bfb50ed2d1a7db98d9ff704d2dff1e6

SHA512
1175d966cc7e3b5039dcd114290c41785cf9cebc5c544e76c1bbd9c0e8e9d9652a01e585b1defa9ad949faa7eb49168fb444c25c24c4c69084406c6f423b047d

Download Submit
\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit