xenorat | hxxps://github[.]com/moom825/xeno-rat/releases/download/1[.]8[.]7/Release[.]zip

Analysis

max time kernel
1800s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
18-02-2025 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

install_path
appdata
port
4444
startup_name
vir

Signatures

Detect XenoRat Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002af59-208.dat	family_xenorat
behavioral1/files/0x001f00000002ac97-218.dat	family_xenorat
behavioral1/memory/6036-220-0x0000000000DC0000-0x0000000000DD2000-memory.dmp	family_xenorat
behavioral1/files/0x002300000002af5e-387.dat	family_xenorat
behavioral1/memory/712-389-0x0000000000730000-0x0000000000742000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 7 IoCs

pid	Process
6036	vd.exe
3336	vd.exe
680	vd.exe
4528	vd.exe
712	gfh.exe
5640	gfh.exe
1928	gfh.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Config.json	xeno rat server.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "4"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000100000002000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000000000002000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000065fc93b57a81db01a72649198181db016c884b198181db0114000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 010000000000000002000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 7800310000000000515abda31100557365727300640009000400efbec5522d60525a13642e0000006c0500000000010000000000000000003a0000000000570d9c0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2020	schtasks.exe
872	schtasks.exe
2120	schtasks.exe
584	schtasks.exe
3288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
3136	chrome.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
4368	xeno rat server.exe
5864	xeno rat server.exe
5740	xeno rat server.exe
2976	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe
2976	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5864	xeno rat server.exe
5864	xeno rat server.exe
5864	xeno rat server.exe
5864	xeno rat server.exe
5740	xeno rat server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 4880	5028	chrome.exe	77
PID 5028 wrote to memory of 4880	5028	chrome.exe	77
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 4996	5028	chrome.exe	78
PID 5028 wrote to memory of 3020	5028	chrome.exe	79
PID 5028 wrote to memory of 3020	5028	chrome.exe	79
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80
PID 5028 wrote to memory of 4800	5028	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/moom825/xeno-rat/releases/download/1.8.7/Release.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb6e4cc40,0x7ffdb6e4cc4c,0x7ffdb6e4cc58
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4700,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4248,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4484,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4884,i,12550862704589956412,18063500646548765214,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\xeno rat server.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\xeno rat server.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:4368

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5864

C:\Users\Admin\Downloads\vd.exe
"C:\Users\Admin\Downloads\vd.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6036
- C:\Users\Admin\AppData\Roaming\XenoManager\vd.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\vd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3336
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "vir" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A7.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:872

C:\Users\Admin\Downloads\vd.exe
"C:\Users\Admin\Downloads\vd.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:680
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "vir" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3077.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2120

C:\Users\Admin\Downloads\vd.exe
"C:\Users\Admin\Downloads\vd.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4528
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "vir" /XML "C:\Users\Admin\AppData\Local\Temp\tmp193C.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:584

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5740

C:\Users\Admin\Downloads\gfh.exe
"C:\Users\Admin\Downloads\gfh.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:712
- C:\Users\Admin\AppData\Roaming\XenoManager\gfh.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\gfh.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5640
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "vir" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5585.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3288

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:952

C:\Users\Admin\Downloads\gfh.exe
"C:\Users\Admin\Downloads\gfh.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "vir" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE68A.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5872

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2976

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications
1⤵
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d0c3b80fde429f6ebba3f8b318ab2828

SHA1
060e4067bab3c9306f45fdce94f8dee8510336b4

SHA256
7e59882d4e208337542410f52769448e3d118cb0a94807111147634884cf76df

SHA512
e94225799cee930fa6a27a8d55008470dbde088370856e5fceef39843c1609d3dad3db14ee0a38afb2f64a7664706da283d2ce05ffacaeb8113118d7b10f76a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
87989f53740501f19c95d416b82e8193

SHA1
4843e89c77350b54e0b1bcf1015a548d8dfd0532

SHA256
e392872c71f8cfa537c6d9d5883208673f4588f5cfccb903f448ffca08bbe734

SHA512
88cc85eece052c4c4e8ab96fc9c7ba668129ff1ed10043007293ad52564c139dc680478802d4e96e32e4843e108e45b73fbb152c8a593e6509600a484d13ab29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
16e44d53c46d69765c02c60a18cb0bfc

SHA1
a2d58f153e712511effe2fb9632ebc6166581c6a

SHA256
6cacf3497e31c27002ab8a2c420c71e86cfb8b7800df9baad553266fe46e526e

SHA512
2be1e6408deb0ea6299b14eea57fcd4f06a44ddd566675ce0d65c1b464c76b2bdbda3417b0b0bc32d2aa61fac9267932b77c4daccf749b13c7f05689fd6d4cf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c4cef5b8032f91dda7f07c307c302652

SHA1
c8878195480ebd082770643ecbf56a1ebd586243

SHA256
5a3e6999ee93572060e3af89d1d5d8911c599ce918e6f2bc957d00d718a6c5b4

SHA512
e989ce41aaaa22e5d3038394fbc2714544feb1ea681a193615c05676a433d0e7d580bc656d231b7f62b6ff7cdd9011723f651e44d6de35ef90e8e3a9a7f90f8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ebc9a54bb062cdd434f82b3a822491e1

SHA1
273a883c36444db411b6a16fef3ff385dfc360ed

SHA256
da2adef19ccbb65939ad52ebf1bee72055fbd9da492b57f21abf25e9abc55d30

SHA512
2507a2ec5188758f93fb86ac2aed281f21e555a80b530f9de4364f10671cc5117e972838044c1a103f105833ab6c7ef68f1a59fb9d35fe1618533cda329b4fb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3635692f3e6053327078cea5773c5187

SHA1
ade61b6b8f9dbd4e26fb603c09272fd77b521f64

SHA256
d44ec19da4023a7fefcec03c08f09ad05ae688b5fc2972bae4d634df245ef9d8

SHA512
990a2317cabd81bfa5e6218df96479837de709649976a9ae46addb7dba3f6db48fbead77ab25f9943aea8a5a905f688e64e8cc000f7f6db2a4c52b9e4bd49367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
aa50cdd575e3bfc931f17028150e3f75

SHA1
6785075608970bdeff3044959a10f0480c5dc20b

SHA256
5176fc585aaadfb57685e35dbcf3a3cf0caffdee7a3e15a431c908eaec01553d

SHA512
16777e7f85a1a460fa13e65fb52509c7756be0a8a01ef0d32c154932ab79314d2128eba0dbaf429b31b4217da3f7bab47a2afd261a85a4f9d4b9e4e54e579798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
85906af2a4bbd8dc77cba93d6e603962

SHA1
7b4fa46276fa00a8af35cd80a0730cd4edf2ab17

SHA256
18a57ebbd6b0434d0e4ca1a3f93d5f13027b141b9feaba381d86905df7b23e4e

SHA512
8fc3b3f3e3ecda4e4087d0c2587d04b51d8174416098e81049580649025a2dc6fd7a99c73184fe5cbfbf98fa0fa71f87935506cb93e71ca11ae280d38585f985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0b2d3864a8e4b96597c84c6d53d57edb

SHA1
15438d6c78412b6fa5cfb4382335e902879af125

SHA256
06e881c6fd0be0eeadbac2536bbd5cfb5ffb79eb27d2ae53a14a00dce456c1a0

SHA512
6e37ac5577afb5a472c1fb4cf3c09ec29d42ccd50da54574f3e9bd6cc90545fe593d8531578210a8a2f4f3a238b1da0f1ea0dba08fd11faedb782d3d77c96220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8b5dde27cf96ddcfe39b869e88400316

SHA1
b2a3b7028446c49c4dd8e1385284a7e2bdcda2fa

SHA256
ab77489438501a7d390ec325e7dc0b55bc8647c833dfbf54674c6d57c48dbfc5

SHA512
749218dc2ceb563ace2a2524a1fd155dfe4f13f72252be7bc2b2e732a9bc78ad46c64b0453bb70c95e2608ce181037a068dda02efb04a9a827761baac34f3d6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6c396fd912690f757b1c86940cbb1f91

SHA1
ec10ebe98f7143a70fa5d6ac0633c82d5a1eb013

SHA256
19cdd3264543bc55eb3089171769e616ab841e14baa7c3e2acb94dc8a58dab86

SHA512
7057eef999b82eaa1ef653518a762f163898b478ef5470e1d2668501041a1905f7763f1b4214b24b8a69b48cf5e481277809e88feb4482a9fc58717732a8ef58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5715ca51febd8df2db6ac9b2b74f8ef5

SHA1
17618c940c2767c806def462d5e77c3c7998f557

SHA256
a2c18e1fd26024eef3f35d83b4dcb1426a0b262ef70b1fe4a9705ad2d614e611

SHA512
3b8a11eee76ae63e5d6451986ed1ebcccb3bfc71ea4aeb558015528fc9782f1b2d0523166a9677c3867ce8f8d6b95ce811787fe8e7f639ae42a2b06ae5b44a65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
41671ab959be4bb3687728e52e25f6ef

SHA1
45c91364e57e48c6c2eb4b84e22e21e2b73391bd

SHA256
efbecd1c5049b0a7da0864c494189048a4458312f18a5442f55bcea887b03511

SHA512
7b3d2e4e4447f9eb425d723c7eb6955bcbd882d90c91564312825f8d04187d329b9277bae4323bf8b9efaa2e0fd71956891c4f698c03a15f81c348ca1e6a6499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
383b3c3a7c568690050a23289a03a3c3

SHA1
bbc9d4b297362f48ade863bf2375db5a052cf781

SHA256
c5f02d89da7de7431989005eb9e4a4b1f992bb4016bcc5d07b23dcdc657b2983

SHA512
1e3b9bc972ba8f77cc0c4ff5a8f9a18aaf7d22db8de6126789a274da0c217be9d75f122e448de37c3ee397aaf9af03d88f0e6a7260efe34fc1cae0971c9ffd27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
36e6025528e7287238f4463a284d78f3

SHA1
3fd00ae69d1f2acebd05087655432398010399bb

SHA256
8958b8d9c26ebc50dc9bff1b746834d2754a31817bdfd0afca73d3303ce82f17

SHA512
7de3366682fe179c023cbaeaf0fc701d74ac8dc7d33eb04bed9fdba829fdb593cfbc420b69070da3cd49ddac72911e84eea0fad1cf060f29392921cc5528e6fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ba189435eb1bae41716e8302b6038c25

SHA1
bc3d56e54d8da7826c19ebe22466f2290110c7a1

SHA256
4283990f7154ed14355622b732b9634c24c3d7b6d74ae777710fb5128f42e1f6

SHA512
e36c90bffae81e782302c683a239985fc162f92975f2379c0f0dd3199a4eee5ba38a6bc8052ad6b0a208e35d5975bf29da5d5b3aeff770addf1734f58a377240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
95b891af62d161b1dfa5a13689b78f3c

SHA1
54b065b108a51d89961474879854eca87f520166

SHA256
ab608961e5143debacd9be8fa757171ec1d72098036328e378ed306055034efa

SHA512
3aa799da76a6633580ee61f0fe0f5d8bb56ee26803cbde01dfc5fc083d198e9c6e2722c8e2ccb335820a031ad70e572a11ec7d8300d573b2728749850b6411de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
64cdfc35359a90e3b55205e84952b714

SHA1
03cac8b4095cf0a5994ecae942f99d0a5e2c5864

SHA256
4cab3e4b27b51f3ac1a54fc8e207759f4e0a0fcfeb22c66bd83d4c881c1dd2d2

SHA512
8b38384193014bf99b7fec444ebb79727aec52cf71ec8dc594d2705162caec2eb8ecd681800ff86fec7a307caa3d957792578bbc8e9ca0ea2c193a3908d80812

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e101901675f87d704bfbc2a39e2a00d7

SHA1
8a0d060609d07697f2bb195e9f102ebdb28d60c3

SHA256
e199ba21898f17ceba10dd214d62bec91039b311233273d5c8245dd2275b1d2d

SHA512
26dc2b525f73d30c1fb5547e2b6c933188a74ccbffec738425ad22fe762dd79cad65a93864f8c97e188205e8da2fc41248b061866d6e71d05565e0ecedd4a837

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
20d95ecea11762d0273694d786ae0dc7

SHA1
b89c9ad9019db33a89cdebc5587963e0fac99f57

SHA256
8c6028d3ada6bddd057083e82108ed8886b8f43cb13823dcadf119aa43abf3cb

SHA512
57d5d94736564ae785216a3df24bda1fa1b8ab8f4aee08f7c9c163395889e483b531c70a05ef151cab0ab68b8b455a8a4b8160cefb1842d969b584f2fdfe7e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6e7b01ed5c097097e2151dde4e23f0a9

SHA1
3ecf0bda5c7400d4719be1f155c859d188e01be7

SHA256
d11c40307ced9b2f3a34a9688d9bc9fbf6b93ac6ac1314f9dc316f0dd7e4295b

SHA512
68c6fdb227fe1e776d8116232dcbfd8a785dc0a077befa337faa53aef5863fa003a2cae973cf6d019734987edfd34e4a28245b47492ab188196a1d618a118271

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
135b2311bcda0728ac7fc7139dca1f99

SHA1
a4c1c0688209cdd1dbc414a9054e73c38c1020ac

SHA256
1f93632c2392567d884593d755a2cec9a27969c1ec94d4cb951c243758a668e3

SHA512
65241a9fc6bac6ac2fd9593128b528c611b1b744047d5792198e84c9043a867ba856dd365acb423b6672033534cf371de45929e891977f88dd729b0dc7ee4138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cf81606d280cfd5de1ad7cfbe096b1c4

SHA1
3f558fab9860802778d26259a875a2d175281a58

SHA256
def100a73ecc5bb640e54bfb1f0efc0ec77b2c4c1d5b38083ac7aae34f01ab4a

SHA512
0b1c7a46d024d25ad296f90616b986f19e0961846cf53f44cff4c9e3f53799a62408e8eb373e4eac110329217894c00c5d8a914ac7e866e339425de27afb9375

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e61b302122979fa88ad67710cc8acee4

SHA1
07aa3e7cc9a9030da78ef0d2be4fe314e097e500

SHA256
62d9fbff1c8a3b28151d7e681933e0b9dc8c966e58faf570ca8218e58b16472f

SHA512
138d5c47872af634bfb75733ec4c4342239b9039ed8d98c6708111f02e01fe73494055ad7d3dc61ed01175225c31e6e064ad9c0d7da1dfbc27f6a7e61c31d6c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7bccd776191ab1a214914a52f4e63803

SHA1
dc08c501f062c0684fdffd3db83e270a0e8f8c58

SHA256
e28590e3b76f5807f2d1cf3c136a865c02950031dbb8f920a77a359c1df3ff86

SHA512
9d4c2c90a9d9007a721f058608d6ddecf1e5918af45b232b98a4def62311a20be0264dabd85a454e40e4ff73e48f93f7a6501caedb5696641000dd34930b2fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e225a1812aa441c56672108be956a5de

SHA1
c276d473abb0c7ea044f98efe67ed135e12220cf

SHA256
b5691d018ff00aed6a3673ab3c167b6dc7e50189f53a9be09af7dec6315072ad

SHA512
d61881a040b41f88427fbbd448b2b35372c0387742e3c20f37ddcb7a37f6fb84e77806a43912ba7f0a8a72ce2b4c4e3bd1bd83da6a900779284d9073fe21f578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
db8b50a828cf29a7c067e897b6552eb8

SHA1
6fd465840e0b96da4240c9ccaa3dcca74f465ca6

SHA256
cb42f18e94d393790e56910a2065934c9d4b088e01b0fdc560afe8675cd2c779

SHA512
245c7e955fd12b44900bef91a593bf66d63b8b5e138af8e440ad2bc5ccde46f9cfd437647ac35f1ccd8275178045a5710ae21b11c2f39d542e4be9562f676feb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
400362b2b8e9dd1a64ddc7ea45114721

SHA1
439dc13b8fdda1558abd58112be18718cd0955c6

SHA256
560d7b6bf7b28d5e45d7996dc8345b598ec6ce095e56945b6b81c3662c0c000a

SHA512
1f50ac1e2a3773aa6182d871db4fd5c4c2f9f549af6ada47dc9a35ac151b7af7996d29e9d4836695a25dd707e1d6edebeae2373dcfa6ac90e104a116f52de70a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0dbc6d732ac0b26ca2e7acce88d79845

SHA1
58d7de8e75513710c4aae9b16a8352fe256dc863

SHA256
07d6e0409411a89eb678f11f9f9ab355afe3bbb95082e3ec6e3e95f412500e26

SHA512
7e6418b306330fba8ef426e2c22d0b28b24284d23078516b229db8e2782aaf6e0fe55607659efcdb7342b7d89c89406ed81a7e753001243358b3b9b0c41599a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
46aefab3dbc89b70eb4865a74c68ba9f

SHA1
c8b2378585d78d2da68213e6d1d6dc4c72f19c20

SHA256
cf6319b0d0c5df405bcccc8102bd751961c583911ba4f56478b9516adde6061b

SHA512
7fe4136a073052ab14845b69a1850426ea726a392c552b7e06b0828cd9b817de828c9c1c01ff414d69b6ba9218063f609a0c823e8145d3ddaf411eb8ba422509

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2cff87c802a3293c736f57a0f92913e8

SHA1
29b75bf9ce1bdbbeaeabcca6384ba1324803e2d9

SHA256
17b20768d0eff0d8b136fbef82d15aee6a55e3ea36b6b6e4764f312fc6339367

SHA512
f3e6dd426975ebb3ef88639c66333b356bf9f96d6bd71f2883f694c0647be26bb9673c3f0290a7d2596e0b23c7b38dc9fbd876ed58f5f00f3fc2b4d9e330a482

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4fdb1ebbbea8deca2ba35d9dda08345a

SHA1
e5b391f50b8dddea243cfc599947ecc098a88085

SHA256
464008fe92baadb574f278f731c9592ca76fef10b949a8567e31a2a66fe8eb1d

SHA512
1e7d58778435b318de5804e81f437f414ae2ce09f07fc5912f0dfd928f085ad6f979022618081d419c38212071d8e6044871792854dba11a2b017b3d4d8822d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
aabe8235a32a31b8f4c8e68648129b3f

SHA1
98ddca75040e3ccaa8559eeef5b8723198a4e2a7

SHA256
dbb41c270ed0124c37fd7a96fa4ceb01c14f0bd56c0c71d79944d47572bce653

SHA512
c997822155b871337b7fb61e89097d669dbda0dfb26cb797a32dada828e4fe721d5454eb82f511c1cdf8f0c908fbdf3f45a1947e436f69b3463c7c23d65b768e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
608dd950a46877bf43916d4a61215a50

SHA1
5e82b00888362a4743b50a0ab00001919a19547d

SHA256
0a68db35f51b83eded1f4c8b48cea92c899c9ff68fea5fb3abf06f3383a50f14

SHA512
d168f3b9d117cb1bd24dd20ffbdba39e23591c72c4bcd0ad8d2e59791bd7c91893fb02b363a8c4aaabc0a1f7d85ccbee9a4b2ab6556a6a08b728d5b29aab33ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0c0e71c784b161ef1db2cffaa61a6256

SHA1
c7a7db793e3dab4e612a18493ca03b90d2a2488d

SHA256
58fb7a62a634f8766ed0dc83b37fd07ca14423d8abf3ecb04ba8280b39a07133

SHA512
de8c3572a07dbf4ceb69459c5e954db21be12eb79479458fe75bb25ba03834823237f59a5103729d5eb5ee2f481f86b506db515f0463a1d6b96615a11b64bd9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e6bde3b013f96096703550c34f2c8411

SHA1
0bc1d718b1d42cfd490e3fd886455d683c566ea0

SHA256
5b5f443755967336fba1082849bda2a764ef26e4fbd068d02c6fa66f1420fde5

SHA512
1e8e7b45d724ae115724246ee1d7a7dbbb28ad2a1548095d2ab2df00d3d797524808d3d11eff3fbd797b9ff32bb8578db3fa62acd8716886919d2abd43da81ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8884de948fbe9157253965e56cace10c

SHA1
900e20e3d57240f5b1664e6814cfabaa73474065

SHA256
c27bef7b4c239d0150ffdcd38252d19bffd75dbc3c68b69e6963050bbb23bdd2

SHA512
1df2acb003bb9a9128ce1c9d3ae68f9a70caf69fc018cb4371c475488fd7bd02d073381dff8e9af17202590cd5165d2c49b931cac26e877aff6bb1d1ddba144c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b20868cef8cb0841c1a54e8c5bba99ad

SHA1
dc119bddec3e9c7152e3ac7d481de3acc3b9fc8d

SHA256
38e9116e22ca6412679969c2c262a8632152ce8cab22ba0c1fc18066a07ffd52

SHA512
1dd946af734ec95ec680e5c6a327f5343f779639d0c5fba452070ad91458aef588f13ea74b5f27be78ffd6f14c3ed4cfa4d9a77208e9feabb42010d2722b7c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b9ac9f15e0377ea46476ac50adc6a76b

SHA1
92b694557d2592381b539fd4e43c43335223c3b8

SHA256
9581bf20656fb8e5f98da97f55436711ff2a7f5b11358289444ca8c1bdc9bfb7

SHA512
7a2c4f40d93e258c600669b515a63bbc805af9a6ef47cb8aa11aadb93396bbb4b9179f1ccd6a8f30cce7a6da52121b206bfb9cd0002de67ab848c90d3c5d290d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a1ff9b4a9876c73d2a411bea668821f6

SHA1
d28580e812a3a8db925722bdfee7c52d4b9dc1e0

SHA256
707e11d62dd9227c582c43a0b218b243df286a8c4857e7ee167f5038af17946a

SHA512
f916383c7e4d293bde206a4ba99421e5a5f9d9743fc9366d40b764b4394ed16b5dd475f7b742c14400530e3a6f03b33f642290896992e79cacbd099dfddcdc7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0fef14de61314e882db4c888334fec36

SHA1
1129f385b5463a58fa9e426503c4c8368caa9ecf

SHA256
01601323328f0d4e8fbe2c9f848c7ec24a872878b89374b8a88052af76704537

SHA512
7af8c94fee7062d31f2c71addb5d966e60da602cba8b1e800bd1df24b1782113f633dc426dbad12d053c3ba270c0fe7e2f56cdb784b27c4a8a6a9b9d16ef5985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8f6356a78020c6ee9f09eef664364c61

SHA1
1d6467c660290dde3fb5bda4cb9de860b17793a9

SHA256
ea0e61aa08030b7e336d552da3186cef4b68370f1dfaa2b45cfd0f190c102b66

SHA512
6e667eab3f7d828cdd347bfc6bbfa0e8c86b0950342cc5ddabff6c019b5497bdd8db35120cb3df356febe6d048cb8cc52072bcf2990655a9d3dabe9fea5e9af1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
55d6b5c61f841d9d07c9b7c2421179a5

SHA1
d25db7526323ce15fb547757691ca3f2e994eddc

SHA256
917a27ba199fe9e3176f59827e79d408773f223104a7e83b692c31c9f7c8290f

SHA512
53bea57d5d74a1c7cd57e0b12c5916b57db29a23820c1fa1c09c4eae1bad9b131bbbfe88e85d89c1315098d284b9ae4e59e5c9e54c7461bc78a7e4bc5bd9fd71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
93f3e1df34ad82f88840c9438928bde2

SHA1
ec91cefa5c846d72f2e4e486fcc69c986a76cd5f

SHA256
ab121fbabbb6863073fb1547c546b4589d7c84fc37c2b6e37c338e43de8fecbc

SHA512
33a2ab7a05772764f4883c980f2404a3668624dfd7077b15a5c33e0223d886e25ad8c67b84ad3ad8c80ca87bbe0e7d815d3c3649a5b65dc1a3bd6a2cc88edcf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
86e4e6d340bf58dc7e494477361dd448

SHA1
0803f0335e7f90f814caec5f187ca9fb924d7a9f

SHA256
5bd19bb11c0ae4a1b49a6729d68a73dd0722181f447cc1fd74c0ab875a2cf5f2

SHA512
68c58443ea13c7a9bab57aea72be8e039341500cbb27122f75fb66a17166ba9f0c53789d5033716f29a2bf1769a7578466773461ac560257803de65f657cb488

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9537f0a24d06f7f080f1b7e2405c7d4f

SHA1
3e003b862fb6cadfd6a5a26bbe1026597d92556b

SHA256
aaf8e8df655b6bbf71fd6e9bc3982f407fdf16e05a6580583130c5b39909e84f

SHA512
56b9b4d54c3d7cf750f7af577bba7cc6fa38e8bb830aa62d16cc5ff06e21fa82af041a9b89d3507435b00ee66796cc7965243206ec54faa8d479c2bd4d12ce42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
58ff6269d1c1d9c1b983f77eeb5c40e8

SHA1
be017ccf588f37676f9d20696c512c5f8811dab7

SHA256
aea8cee9e7d99f53c3bb0d8d7061509a8db426231b4a29b720537de47c963b4e

SHA512
e97104ab3714ccb142a1fac0983663298549428499349f3149043bf3871d0eac2202ea1784e252e9f4ef752dde9cb27999b258a42d60d5151b077008f1e7f311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
975b2739b2d4cb8e473489ab89130419

SHA1
b63599165c72148e04c33add90f9e53553088b67

SHA256
7d4f2e021a7c5a5ee54cb70d0fe4612bb9007e75d9f479933d429e59909c45fb

SHA512
d777e7f76fd63b16114d05576cfee0629ffe09b56f485a99f6e03f98fa99fab8b4377a66028db5c36b7a341226f6cf863a74628ba3ab9996a93c8f0a2e20fae6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7c2bd69e8d5c672a9184121913aa07fb

SHA1
48d88f8990b7e94fe3eed7a2d8799a615a1aaa00

SHA256
199f1e6b7770fc98f104e154e058bf0f9f9798963a8f82210135149540cfffec

SHA512
056245a4cdd216e6fbdb72d39619c941494f76eae9b3e466fe66452cd2e2bf22b63087a7e2084f62062d6aa76d6298c52f1fac78d60afcb67fff1af729644543

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4ea4a764ac6e24dd13858b1f8b1c2d97

SHA1
7b4d166085a462613e9bf0a82e0b8ef25a71c98d

SHA256
fae5f3320fb67eb0040ea3b4f723606b24f799b233f758cbe5c1be8b57a97e01

SHA512
1545f1ff562c1c2d03fb3d12ea4e8eff5deccef80c5a77dfae528b257964b496e28e64eff74ad44c9bc69699b3590eda66f65154064242c5f0b6c7a7b0d460c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e40641350779247f1d749f9027be9052

SHA1
a369c62b32297a029c7daa6063b2f33de7661989

SHA256
f8e759cc19920d43b8daded6c0f920cff713ef4901cc02d53525278ae9e2dd04

SHA512
ab872d709e7e16627fe9ced4a96e1e6a7bc9a357bb35a451252337e50e212d270928656190de9a88462f3fb4d3d8712b53dd224d039e32e192095f88682ec82e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
54d99898010c734b21316c81d7a7ab0f

SHA1
3a5527f2683a5283e60893af753b2011ec741693

SHA256
20f3028687ac72d921708a1f71a7908b00bb2783fd4c149d1c16ad5d94639e48

SHA512
b7712812e002d85365900d51aa78715ec2349e785f84578a2de324282398d7147d842549906013ef197cb5fbc722c3605b638f1cd3097c49ea63e94ae0a65f6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7cdcf1f066d84d9a510bafece1c05e86

SHA1
f68848d94d446125b539bb9b6999151cd6fac952

SHA256
daa14f38c8a0ec4d9d821a5d40fdfec13afddbd991ecc03f81666a250bd0f8d8

SHA512
d87b685d8d1b99ae474acc9c3824b8170e30db0e3b0fc7aea3e4c5f08056655013e4d759060844714b2b17acf7e6aedf7206db6125ea7c09e4a42a7b45cabb1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
488145b624d662364e1af44413833d0a

SHA1
dceb633f4a66e465a1187fb47f785e2ffad97d18

SHA256
15696870e19cbe4373d33f3d4fd5c68d272d815047154edbe041fe999927b9d7

SHA512
d954b3c1f7de3733549d89232508d528be9274778926ae0b38d306c7f33f55a8a0ef5ce73671ef7f52599c99e78abf1c57088dd3b462d78c64338db1b955cb8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a6d6d8d925b1e351f64f52a3aa34e2c8

SHA1
ff906ea1df47606b278736027afaed4870fcbd95

SHA256
9e4dfa5486e2cf7195fe6ac8613d1eb072da40e8f2803ca5d3d36f80b2dfd10b

SHA512
4f3abd5ae717a73e8fc3778047b60635bc764bbacc0b42df09271a91a0b97a6f26b7930d726f45804d3307bb2267eaa012026374e5b011744a53c9ca0fc9c205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5860174fa998087640727141442f6934

SHA1
0cef826b73e881379139bd0b45a17a6d220f2793

SHA256
fb84d3570f888c7eea4f1b094bea9edc001077c12090d7309865ac042feef240

SHA512
8f0cccdfe8818cbb242df7cefcd012f91e757d7ec29ecda5f3a701ac72693fc521d49692c37090cd4f7ac35f9dfd03bae986c967e3cecd4db89825f9aa3413b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c6722e5e0648b3cf549038d737dbb2d9

SHA1
24e0175933c822032f2833345e2e47f482f3d5f4

SHA256
eabe19438b39890edc2572db7b9cb7514c41ba993e417095bc0553218cf0c58c

SHA512
f97992c5c9705e4f2c601ad544dfa11cd0537cc39451217c694c52118ad0f743015ac476823c14b5552c0073d6ba607e341353033579b55f30f4c15d25e5238c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c027e6f05c2d9cd78419fc1bcbf0b806

SHA1
05b0b56aece84f724410efdfdc08b6a66a27ca1b

SHA256
e9f9809965b62444ce737805dcd05e043803f2e8efa633cb7881e78e8026cec5

SHA512
022e3bdc0fd4da07c09ac561645c1d6a8f82b827a77ace65d725d6f0d1a9860918c4af179fbb29082c7c3dd3be55bb38efdcae926fd9a82b4c8cac5d4d514a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e1c78072572c172228de37d2041ffb61

SHA1
54656138f9e7111a13b0880e1d09ce4bafa04aab

SHA256
f54b3b3d93fa75bbe13a18d9308c335375a006e8a0526922073091951e486029

SHA512
13872f1148dd2530704cfbf681f0ff09edc81deca7d89508198e14be0b10d3fb8a9c0066b57a768842532a6d35c9c59a4845b6db523ed478e435ef4fe82dc583

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d5ae9cb726553783951c9160760e4aa2

SHA1
e5fbf3207d3d8e657904d2e9127cb9711409b2d8

SHA256
a3b3198bf5ea8efc25a76a88c803103106c7e74d4e4a23a3a1ad18c74d3ef36f

SHA512
7ba0d500ee39e9cd5330ec91242055830f9fd06eeab63d381c7e75869d68218c865732deee0847a60e1beb52da5e5432b88299eb40335c875b7c6a0f37f56663

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1b8ae92a657d76c6d2e2fdde889ab1d4

SHA1
b850e613fccb93003385b5612e86803af406ca08

SHA256
0282190b7582d4e4149bd82614a1465100bed81ab36441c77aa962e5515adca2

SHA512
e336aad681ff9aab7b4d0ebc86550964aeb90d70e82c682c7e9a176d658bee7a3e2a42be42d6722db1e5b8d522df2765d09c7d867df93b1f734baa4230f6df24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8d0525927abe71f35cb63ba57cc87be8

SHA1
e5c0a4120913ec457611a396434dab056ca41c1e

SHA256
a5b9523533d96c4e72fd031142699344869b375d47fc5688da3734b69eecdff2

SHA512
5019b5c2f06262cba04a12323e0de7e94b9ce6fccabc0269503b6ea711a7231595245ddf19d99de8d119c581e69db67c59b0c4e817acbcf1c5c7aad8a2991302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c9566b292e3cecaeb28c041cbf44b332

SHA1
b5892910713531e7c78e30ecda8ed009d366ec9e

SHA256
8a56838d020cce2e6eba10f0cea9bb82a11c5a8a7b3c28263652486ea60c719a

SHA512
2fa9553b5b36c64b14345f0831d9b7a2371c9dcacb43273b6c0b62fa63f12fd274a94b0a7d8a405b26d0f98740fbb4415c5aa3b7eae6d9cd071ae79864988861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7e45187c568c66e3b80fbc09b1605d2d

SHA1
deaeb469ae66348aa5de0d38eb97acbbf73da3f8

SHA256
0cd15f8685600e9230329e3508ed43df1e161c1f12252df89edfbc24a063f422

SHA512
c364a8f3b287f360c03f19ee76d9816849be5598dad5980eb19730a479c026796a53ed92e45276892e72036efeae86f66f46e387f7d7bd2c3b01266ef891639a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c7a49dd4047e1c52ccc78ee80aa453eb

SHA1
d4f4b6af3d94482ca415d1383ea64cce8a4b0f9c

SHA256
1dad1118f4025d2e8f3cb4897e6c8da7f0a5eeed5c61965485ded5831dc3ea48

SHA512
69ff52d9f4e6616a18a6707dff11c7ac4349dd58176e52db46c86650dce0db3fe19e04d539fb0a8a162612ed75fc9a6aa08746a95bb5d89b5753690dae0ba68c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5bf0280393d6772f6dbf01e2e5f8c5c3

SHA1
9ec4095e1d6cc234e5577f5390d2a36932973243

SHA256
37a41c18400c692b3ada07ce8e979183acd5ea473ab98acfb7f582eeb5b22673

SHA512
01696965286225a739d4f91fbe47c1228e9117e8522e5c89cdc9a573b4430c76d9258b38420259998357895b0ee31a1527df036a97206a36c70f12a9acc65111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
09deb4e607c054740affda0b3a11411a

SHA1
18626282da788f1bfdefd69bc3b89818e8eba07f

SHA256
76c5f1e433ab2b2aa8beae59ea5110c8802f632ce9e89752f7069e4c944c662c

SHA512
7dbbee92f3fcfd8706647413b73f8cc34136efad5070b775839f8b1b1ae6aa978fb45876829c900da29f49ec85590b813e49c9196459ead2cbfe6cf62ecf72da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5d6f9a20b918e38f20fd4de2d2dfdebf

SHA1
409227dac4e341975df02c08aa548621ca05d851

SHA256
f5ce59f4634841a2e9a91f4458711ca59a81d15f59d37ca2395161da53e71eef

SHA512
139bff5b536c403900a533cf8ad6b390fecc9cd65d0c3a95b2929629ddf62585d87796df8cb8cc58f4ecb6e04155d58aa865919a2905552ac9f489e5cf4d56ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f9d24b6f3a2b244911cfc59534be1fa6

SHA1
0e46727502cc4fafda57357d195d2e37dfa929b4

SHA256
ac1680e7f3771cbd0ba094457992b54db4a995014668497003d3a706992d2549

SHA512
f07c85eb453fc9b966fc28006e6904dae6e3b7fb0aae6c63cc95eaa7d7aa60bcf5ca0d6b2fcdf3c434575512b6f49ba22e154f53e0b88dde9cbf6de2168a48f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
529cdaa667ad5df1b2d37ebf5a5c9567

SHA1
bc189ad658f7b59ec505c3de0b7faf71ffa9dedf

SHA256
ff4996ddc6d9e79c8905d4dc2e6b1ca86e362c8c6e9711d63d612fcd897a081f

SHA512
67e1a97331455725a526cd19923302879b64e90ed5cb6f5d50e8a77187e9ce84c6c241324030462450cfb3d432cf2aae5497fa8b42d4b0a7aceb48d4951c6170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2093f52bb9e58da08dcca402b19ece9e

SHA1
97be839efc48723176f4a7405cd659c1b54f3603

SHA256
f3ca033ed8a026bb9878f1ef3f9c9ee9440f8a5871526a71f1d562f19ff6db57

SHA512
1474cc22231347c6c907270f8b0447ccab03109ec367c31b29198f3085352fb124b5be5ca4601dfbe831321cb6bf70aa8451b89bb94517fca3165819e9b9258f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
0456298f2a1604322c41ccc655313229

SHA1
2f9b526cc4477fa8211312271e49160046ad622d

SHA256
effb741dcb728be37733d6d7862f0df104b9fedfeb8a706b784f84fed124dc8a

SHA512
77885d19f54a930e500fb10a6ed02911e7122af19b97150fd93af072b41359d43c3823dae84a578df0b0311e8c0b2ae7ee41e07bdb1cd1febf42873149b9baa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5c92c24aaf47ad058abfc6d9d36603d3

SHA1
d5247f45d18301a41cabd4f114ee0e81c6bc5b2e

SHA256
e36a7643c9de89afc4bb74e50fcdb02c4f95f37be0bb0a6fc59c72dca743314d

SHA512
77b441539c8fc85a9ef167ad7bd62e8acd8f0356c2c8a8ad856f02233e70005e86aad2bdb87cd485abb2dca6854908298ba80747c90c6b1bcebccb7bf0f53205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4f78e8ea2512dc9f5eb81cc85f318e65

SHA1
514434b4e7243664d2ed3f45206e92256019707d

SHA256
6b4cd59a7ee1bcc627313ff88322560473472d44ef65ea08b946e45a46d5756f

SHA512
50dd71a175d61ad662e8b71b2349d19a1b204e156197c60eacb553c1d4480e8c36904dfebb25410bf5354d192b5293c98267038ac59cd3d1e72a88d9552a2161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
cf836d3cb44575329f70d5b6b2c4d6a7

SHA1
2d2e9914a55f89b2d628f3eb46c2754d5e1e47e0

SHA256
59942d901770e76c59f0aeaf6b71f1cec5a3059006ef1b34999437dc7309610a

SHA512
bae92de4f16884f8f85d8bcbc22af7c40bfe91e23ee9573c740f840e97c6dde6e04424066838684a042dfd444c537d52a6dba4b8442cc36b6d87196ba3b38e09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b9df585f15ec58f72f42c6e855e9d253

SHA1
f7bb3bc9628bbb86e2b1e23e30d7904fbf31ffc1

SHA256
9b4ae2366d3076a45a2f14e6481d01cd2d4d23b36b91c6ed59ff160cfcf7e145

SHA512
420ce67bf00c0d5d68f3bae6a9ce2ea6eefc2907816a35d0f2798b5c9a0eb24d9af5605cd1554a750d593599be827782c832eae8204ee6872805b4b221f0ac35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f3907fd1a800b9cc9e03454338b3d8c0

SHA1
d3d9fa89a0b42ae01936b364a81fae6b4f9cea1e

SHA256
b043df6ee13e0c7675842e4ee55c87191241ee3a90d3a00d380dc781ca5f8cc8

SHA512
d93bc648fb8c0e556216bc4254db32d7d5936046f5e02a968e1f38eaf92669bf0b316662556dcf1537d08197475777799a92b95a9b8730d0dd7c29083281ec64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1f2b3c5c8e539e389c5157f3c5b7eb0b

SHA1
fec624111e7447a087667b3db67bfc48c6a21914

SHA256
4485282c64829bd5242c160fd5a010f95600b9268ef2e87fbb9be51a60ef9329

SHA512
8a61db2bf6a5d259435683b1d81b9bf810ae55e7385677401257b8a968337f29e59d839856e18c408a133d6ac799d777a9fb6628ab8c59c781fe6806d7aeb667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d520bec2a6204dbaa70b2e0b18285ffa

SHA1
04e8ee2b72ff870e60afc14aacf365f41743c091

SHA256
332e27b03cfa715a0823a289dd821216c3e6dd595f9ceba86091daaa64ba8991

SHA512
e6fad6263a34f336a238b548a40bb2b06f18b17fd7539fd9a432605c26457eb28db3fb5d5c303d944bc2ec29a4f2050aa27b11f80fcf3a22a0a8e965649855f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
dea624becb2b809b690352a31381f0b8

SHA1
0efa1199d4f330ad4dc2c1fc701977e93dd8006a

SHA256
78f526fcead74668363f5ca59da1c0676bbd067e5a4e686f326dfbbbe133251a

SHA512
1020896d9252f3ba95157d3f82b0f991063a309a6eea0d2b8e74c1d6d321277a2edacc578daa76f93570d9cd271492074f3011d1e395a08146f4d8d5fd72b46e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d0ad41414430aebe48062402c6437482

SHA1
a9491bba406d4a6f26fa549aedc1a57862baf20c

SHA256
4876ce93c1dce6f429b6ddd98f3ba219f3ea3dfa6d224637a46a8a8d2dac0740

SHA512
768e0a429b4ff99eeaa5841331a657b339da0cc11d791261d9edd76c7a4061c11e9ea734ce8b01847ec5c63ffe08c30ef1cbe3c13465fbdd61eb05e4934223ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e873ff3c314b02889fbd34f8a7dfa8e2

SHA1
c7172565e997075c7194cb7132ac0c3c319adedd

SHA256
4ac893c59b1ce87d839cf32a84f169528ed733615d1cdb9df85ea49745a0df58

SHA512
d631cc3b0dc17fab9d80d08021fc30f2ba5bdae11cee7b92ca2a9ca21aee8229b3948f675dc8ed18d104c60b56a04a4cb9defd571d341ef4b626f3fb9d3392f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6aa21fc6c2671bf654ef8367c8ff71fb

SHA1
a4679d468d69106cd586474bde93ea884abf98bc

SHA256
d3f682acb98a7a4fb4ffc9437080ca910a14bbbd69aa59f69305162ef0e6a3ab

SHA512
799dae97b192bdcdab30ba1c69db100c08b52f9fb3c77eccea9b6835b8929eb1c49c492b0396acaa82ca3136ba776a359617cf63a1edb537a4b41f238a25f6ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5c3c168324c32db65fa68317f52a74fb

SHA1
32215464a89732f0e30c150d27548af19495d12c

SHA256
c570400b890a1ce43585acf06089b7263cc6a1dee513f78324bf8db0e5d3aa8e

SHA512
ae24ea52cdb5ea38fa5e6e6a21ab739fa0299e6cc9e9e6e9f35f6140b00a8075954d1c997b7414681338840a050b02a9b3b13f9265802e61c629c65fcfba6b9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8baf0f39e8049ef8059465bad0d99b3d

SHA1
432e20aae278e23a6d3e9e39a5b4e8f4f3289419

SHA256
a3a071a2ab1d8b4f679f43db9edf9a98cae3ea6236ecdc464a448f4fb8dd447a

SHA512
e42b07b4ca9478f83c9a545b2cb77ff985f214c96ac5b3ce0d90dd073ec53cd65319f8bb9012202c6599684f656ab7f44b4c6b38249d4c6c5779d51e72d9c229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d3720481a4a91181368355cc77b6f240

SHA1
43c043a1ce4030959900a37f50ea1aca379b2664

SHA256
7f48566d2f40f1b4598d881d15b8508949f7627a421455f35b230fd08c841eaa

SHA512
2fc307a11fd25ee7e929b904dec0039ce5b50c80c9de8b288bc9f85da23e3bcad443a3ca5a41a2908d5c67534b8c6ed41437c8f4edc381a947596a9ab4a818ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
95cdc33b05b263c229db2a912eb58d38

SHA1
8a0203f4ff3bbcdf6af9c789eebb3b0f28a35a49

SHA256
b626c637bdd207f160a33fe158f013ab47a1154b4382708f9bcf73c0f953deb1

SHA512
6bb797dcfcaa0524d4bc7c3cdbececeb763668bfc3ef9eb54dc9916ea73d9d302080c43d1ba56e1909683f6dc389c01c63079ccbf037c7a9a211a6bb85a1a46f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c586a47ec605edc02cc34cd5b7586ddf

SHA1
df5daa3732f4086c2b359f8abaa8ea7668da7cd9

SHA256
5f249ecf5dff8c927083d416932190b9f65153a4a02ea089f2a62edbec496e0b

SHA512
d60fc8872f42fa7c270d7eec96065a2739ff3bf260a5f932c569cd3ae9abb9ce906be4817f9d147399ced989f0db95169e072eef0ef66fbb9b0bb81f6ba54ad7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\eb079fe2-d036-4567-b31f-b248f0601cb8.tmp

Filesize
7KB

MD5
5ffbf113e52d86a01b1b9e6d15ed3718

SHA1
af0e0f2682f8bfa0573994d0bd30229c83330888

SHA256
e6a3bf16a1eceb600784be94ee72e7439f37af7a9375432ce498cd9e0c62fae4

SHA512
ac573c2f559198173b35cce3bb775b5f02c1e2d47bcf7979f9e4fb356abb188f865760e63bbed4f4c5015ddd70e059ad39b04ec2a783c0a5cecd033e9e7cbdca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
58d6102d7744cda5e9870b9452ee2e1b

SHA1
250727a347adc948e6c3340a1b55a7937460fa6c

SHA256
7c7c891f987eb15187364333cd400585149f18e6e05995e320d353544841f860

SHA512
2699586dfaaa91643cbc58004577d1bb77b3510035ac37a6c868fb5172f0b5bedecc4975825767846441179b81355f65dfb14ada7b4ae5fcd7b8af03ab332c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
1abca574e484bb92d9d17e40826fa167

SHA1
400b0bad67a0fa0cf05c2af2ed080ced84ec2cb9

SHA256
e78e2450976633bd0f9c60727b2a6ac01dacdb10eadf317467d7e87cb1c2f439

SHA512
3b037e90d7b9b4ace737c34b6f726fa7fb2b83419b0b0416f16c33a7697ca42f0a90c66587c5c5c5907e02357f05e971115c322554070eedff4b3ee7f768ba21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vd.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\2732baa6-5c57-426b-83f8-2ecb2bb1e127.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1A7.tmp

Filesize
1KB

MD5
87cb376de7cf4dc22b1de8585a7d806b

SHA1
264682516cd0aa16a1df22fe0a2d88430773e12b

SHA256
fa1f572d3b86cb8acaa0b31690c95dffcc81e806aa49497a198f7e5400516c00

SHA512
d2b294d8fbf033d8ac7130ab39b3226550bab0c3d482d26bfbb0a69c5128f8e27eaa29382f34675943861b022bc21c42ee7485325ddf051f61d3ea7ba36c6dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3077.tmp

Filesize
1KB

MD5
b7e22332e691a3dd5b374d013fce0105

SHA1
d5eeae3a158a3e627db0cbe21a23623e82515f39

SHA256
73cd7e99ee242ad70568a4b4b3be2a80627d75c7cea899e9137765eecfdc3580

SHA512
2ff54c1b6154ba3fcd251c32f11d59286b8f81fb61bb191ff47e99f7a286ce88cfbcfcc9708cca4305031e9b3e78b79dde3c7c6796325936362766a67257c58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5585.tmp

Filesize
1KB

MD5
68424293c407b8981cc2542b3a8292e8

SHA1
85d3c91bab8ef76b723bc66aa37311a821264eb5

SHA256
8e956a9bf4bc5d485e0762d7ff977dce3f4b3b0f8b52bbda76a7e401c7b025b0

SHA512
c517d03cb0d2ed1be20da1f9ab010ec7cfbdd467ee7d1e78e10114c41471bc5b3588b857779ba94fc904651f32644e1af5fb8d53f98351fa9b453b951cbb867f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE68A.tmp

Filesize
1KB

MD5
7d5b4e1bcd2054d16242c897f343c5c4

SHA1
fbf56ec48a8e854911603c64830eec4f839812b3

SHA256
08fffa6ccc74ef9c7a8211fce1e004c24b5dc3e79d4da3ab9aa6e2973ca3505f

SHA512
cc24050f35f8f4b1575ed2078496223a188f9948c76cac3c82dc1791bf0fee11165c1232ec3154cb6c7bacb1b556648603913e84b770fa09af00c44dc3b75a28

Download Submit
C:\Users\Admin\Desktop\hg.exe

Filesize
45KB

MD5
e069304f72f1993e3a4227b5fb5337a1

SHA1
131c2b3eb9afb6a806610567fe846a09d60b5115

SHA256
5d00cfc66ae11f68bae4ac8e5a0f07158dae6bfd4ea34035b8c7c4e3be70f2c5

SHA512
26f18e40b1d4d97d997815fe3921af11f8e75e99a9386bbe39fb8820af1cbe4e9f41d3328b6a051f1d63a4dfff5b674a0abafae975f848df4272aa036771e2e9

Download Submit
C:\Users\Admin\Downloads\Release.zip

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Release.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Release\Config.json

Filesize
473B

MD5
a32a7d031552e18bb81fa88aa18e5a9b

SHA1
b6a031bd1a7fb73b23ced26fd14db371721780c8

SHA256
f1fb1f956fcaa842d9d6aa3d140886082e726e76c64088036c67b7a97dfe18d0

SHA512
5e470cbe03cf2cbc55debe6558b330c4260a4af1384f716d47a1209ff12239fb1266971e725304e357a28d3e9e86576fd08b6a4bd04972f9d89f5b9bbc01b397

Download Submit
C:\Users\Admin\Downloads\gfh.exe

Filesize
45KB

MD5
59e55713358703d15fa1d28306cc7e0e

SHA1
6a1a69ce9ef5dfb10f6d6107195703df6c6c5691

SHA256
b1d2644e0705867a880c6035d9042edc842092a7abc6e2e121154aeddc4ae22d

SHA512
774232a38ad5c3f44e17e6fb9689afb801cdea3834fb60fa22c06297c77189a0ca2364f987a3c79e4fd3e4368a7b39486f5659693e841968e7e1bec709bc846c

Download Submit
C:\Users\Admin\Downloads\vd.exe

Filesize
45KB

MD5
6617cb48e5bd83402e0e115b6a053c7d

SHA1
3774d3c91829b25d244efb2bbeb33bc45a66d875

SHA256
c83ea891cf7146a41f0bc2f339e5e5e744475c8a37247b45f2bcfcdb3cacaf73

SHA512
ff7d141209fe41ca1c2c7beeb6bb1e5042ecc0a3751544189152139b9c524d13611dd17bc095a310e0225ac18af951655f674fcc0e17c184856ee092101a89d4

Download Submit
memory/712-389-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download
memory/2340-849-0x000001462BB80000-0x000001462BB94000-memory.dmp

Filesize
80KB

Download
memory/2340-848-0x000001462BBA0000-0x000001462BBC2000-memory.dmp

Filesize
136KB

Download
memory/2340-845-0x000001462BB20000-0x000001462BB28000-memory.dmp

Filesize
32KB

Download
memory/2340-847-0x000001462BEB0000-0x000001462BF58000-memory.dmp

Filesize
672KB

Download
memory/2340-843-0x0000014611540000-0x000001461156C000-memory.dmp

Filesize
176KB

Download
memory/2340-844-0x000001462BAF0000-0x000001462BAFA000-memory.dmp

Filesize
40KB

Download
memory/2976-485-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-484-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-478-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-480-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-479-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-488-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-490-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-489-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-487-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/2976-486-0x0000020D53120000-0x0000020D53121000-memory.dmp

Filesize
4KB

Download
memory/4368-83-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/4368-79-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/4368-93-0x0000000009420000-0x0000000009442000-memory.dmp

Filesize
136KB

Download
memory/4368-94-0x0000000009450000-0x00000000097A7000-memory.dmp

Filesize
3.3MB

Download
memory/4368-96-0x00000000748C0000-0x0000000075071000-memory.dmp

Filesize
7.7MB

Download
memory/4368-102-0x00000000748C0000-0x0000000075071000-memory.dmp

Filesize
7.7MB

Download
memory/4368-91-0x00000000748C0000-0x0000000075071000-memory.dmp

Filesize
7.7MB

Download
memory/4368-90-0x00000000748CE000-0x00000000748CF000-memory.dmp

Filesize
4KB

Download
memory/4368-80-0x0000000000C60000-0x0000000000E62000-memory.dmp

Filesize
2.0MB

Download
memory/4368-85-0x0000000005AF0000-0x0000000005B04000-memory.dmp

Filesize
80KB

Download
memory/4368-88-0x00000000748C0000-0x0000000075071000-memory.dmp

Filesize
7.7MB

Download
memory/4368-87-0x0000000005DC0000-0x0000000005DD2000-memory.dmp

Filesize
72KB

Download
memory/4368-86-0x0000000008210000-0x000000000822A000-memory.dmp

Filesize
104KB

Download
memory/4368-81-0x0000000005DD0000-0x0000000006376000-memory.dmp

Filesize
5.6MB

Download
memory/4368-82-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/4368-92-0x0000000009340000-0x00000000093F2000-memory.dmp

Filesize
712KB

Download
memory/4368-84-0x00000000748C0000-0x0000000075071000-memory.dmp

Filesize
7.7MB

Download
memory/5740-337-0x00000000080D0000-0x00000000080E2000-memory.dmp

Filesize
72KB

Download
memory/5740-339-0x0000000008230000-0x0000000008587000-memory.dmp

Filesize
3.3MB

Download
memory/5740-360-0x0000000008DD0000-0x0000000008EF4000-memory.dmp

Filesize
1.1MB

Download
memory/5864-135-0x0000000006550000-0x000000000656A000-memory.dmp

Filesize
104KB

Download
memory/5864-134-0x0000000006410000-0x0000000006534000-memory.dmp

Filesize
1.1MB

Download
memory/5864-132-0x00000000084F0000-0x0000000008847000-memory.dmp

Filesize
3.3MB

Download
memory/5864-122-0x0000000005280000-0x0000000005294000-memory.dmp

Filesize
80KB

Download
memory/6036-220-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

Filesize
72KB

Download