xenorat | hxxps://github[.]com/moom825/xeno-rat

Resubmissions

16/03/2025, 09:02

250316-kzsg9szpz4 10

16/03/2025, 08:58

250316-kxfqpawzgt 10

Analysis

max time kernel
148s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
16/03/2025, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/moom825/xeno-rat

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4584-601-0x0000000000970000-0x0000000000982000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Windows directory 28 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1475113699\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1475113699\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_867647642\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\edge_checkout_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_484743050\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_484743050\_platform_specific\win_x64\widevinecdm.dll.sig	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1475113699\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_867647642\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_867647642\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\edge_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\edge_tracking_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\shopping.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\shoppingfre.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_484743050\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1475113699\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1475113699\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\auto_open_controller.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\shopping_fre.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\shopping_iframe_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_484743050\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_484743050\manifest.fingerprint	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\edge_confirmation_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\product_page.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\shopping.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_484743050\_platform_specific\win_x64\widevinecdm.dll	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133865891676513506"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{FD4AE931-3F70-48CB-8D0E-D4D54ED25D69}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1660	msedge.exe
1660	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
712	xeno rat server.exe
3512	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	712	xeno rat server.exe
Token: SeDebugPrivilege	3512	xeno rat server.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 5508	4524	msedge.exe	78
PID 4524 wrote to memory of 5508	4524	msedge.exe	78
PID 4524 wrote to memory of 2852	4524	msedge.exe	79
PID 4524 wrote to memory of 2852	4524	msedge.exe	79
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 3160	4524	msedge.exe	80
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81
PID 4524 wrote to memory of 1248	4524	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/moom825/xeno-rat
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2ac,0x7ff9e9bef208,0x7ff9e9bef214,0x7ff9e9bef220
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1772,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=1972 /prefetch:11
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1928,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2472,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=2500 /prefetch:13
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3448,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3456,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3432,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:14
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5476,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:14
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5480,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:14
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:14
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6016,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:14
  2⤵
  PID:1488
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1140
    3⤵
    PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6140,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:14
  2⤵
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6140,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:14
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5192,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=6420 /prefetch:14
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6488,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6224,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=6912 /prefetch:14
  2⤵
  - NTFS ADS
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6736,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3508,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:14
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6964,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=7024 /prefetch:14
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6644,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=7200 /prefetch:14
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5312,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:14
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5796,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:14
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6684,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=3844 /prefetch:14
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5356,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=5236 /prefetch:14
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5960,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6124,i,2172798216166860945,13540347677266123929,262144 --variations-seed-version --mojo-platform-channel-handle=3144 /prefetch:14
  2⤵
  PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2112

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4584

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
2f223998a7f365b0de8bb3572d3f6d6f

SHA1
eaed1a556a58eeb8e53a9a6cf545e2b50c07dabf

SHA256
9ab1fe39c76de6602ccf02bbfeb3401e6e4c72a410a7f4a9bda94b191494d12f

SHA512
82d140a310751c6d8571a4ec74b2c4fbc12f461f30fa1c8ddbd3b345db760ac96f47f7e7deb58bb0220b487beb96223dd974a96402b7f99d887b0169566ce0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57a410.TMP

Filesize
3KB

MD5
aed8568ae577d3fbb2d1fc29b2703eb0

SHA1
f4445349ae9067b00e1d5a91cb7f5934270afc83

SHA256
e582ad75adf005f9b5e2680d183bb4fedf60411e26e249f0bc6fea14432dae60

SHA512
2d0523caef95d74c6ae3fa2ae4289877b6fc06dbd1a773901151bd29700b5bdea767fe46f441803e7075874383e07443e439610ea983d1a1d2aba862526a92bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3704932a97d7378eaf5183ba97fc270a

SHA1
66346a412488010818447f0ba81ed0fffec8bbce

SHA256
2a50a0202ea6fb626a0b57c6751e88dc7d7c3df7ec1def475364f45cdab1d6ba

SHA512
44c628c60b2d3af1ba3a07b2c8cb735bea95735efb8a207748807c210e7b2fca293792061f1f6de728c0969effbdd841ecac8af9dfa4f5af5068b6cf41aa01d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
411KB

MD5
bb217d68afe30c5b5e7141ea38f4d164

SHA1
f271ce956508b37a660036b3d1f7f18e3f50044c

SHA256
e61f3cc5f0e7d20d59b677957b85fca1f6eef368684c4da580736ac05c70481c

SHA512
3ecc45335f0a7bf93532587cfb9342dca19bb2bfea9863884d79cb486a723c63492f3dc49d3173fe06a1e09f860e2a6bec08b8696870e024099b069dd20f5b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
411KB

MD5
61fc3be2d0787153b0e6aa4b46e845ed

SHA1
7cd33733e229a1e7e0735b66b339d32764d78f00

SHA256
6935f02eada27bbcf053ac92ed30d826e6a81ffc75cb1fae7e0092190670ed10

SHA512
b97e537f547f535b9178ce4ceac8512bd1092f16c85bffa8cd29b8169f67c7438465632cf018d8e2aaa36bda25b6aa62613e92c5498d6075a2418b94bbd67dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
411KB

MD5
4081e2c1d91a4292458ee2b515318230

SHA1
41b4f295b134d907a7bd5022b82a85d4c6f504c3

SHA256
406ff13222ccac4317177faf5cce7cbac1019af3107be3276647c9dadddeb670

SHA512
29453c2f9d895ab21863db6a7bc8458c40e9b1805e809c96bf416a7c81aab1374db2e8c95585eb237d12faf2bf28765643b7d88f7a8418994486a3073aff4189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
55e33271fbb4e0b029f99a7cbb5a70a6

SHA1
8c878c86f9f1e6e524566c4a807b4d6d2ca2b51c

SHA256
53025f7cc8c079d0bd2c6cac61e54db6228fa0fe7b01269c22e24a1d15998402

SHA512
043f20bc305821121a3e995f662b3bb6911f50678ce654a98c4abfce660f62b1f7c34c14fe4df9f9b47019629656e7183720f73eddef7ae0b16418a687cdb8e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
e2de699f786bb11ed9a47169fee4a758

SHA1
70e016d8c974b1a1889549f53afcd8b93835e998

SHA256
d17931649dfa628434354e92b4bd3b5517a2180928f6ddd3058dc1ef14934ba7

SHA512
8082b1538a47c49e54d716edc1de739006ddcf07bdd9586fb1a50d726103d3b9295ca2b4b24eec5d9d768235c2e2effb8d671a5f3670468121b24428b639f4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
460B

MD5
79715210105db1a7f1e4ba611695af64

SHA1
10a7c7958c31651997bb352460a7f4318a34b650

SHA256
f5a25f4722b45c339229a3415b1ca79978f1116a87739b238cf0e5ac5e9f8183

SHA512
cdd57e9efcb40d6bf31464a8a51471fa848c8fd18e5b2c605ad3c0029b09420d5f112614fde2631a1a4a2460b5ee60d2f7145de22dbb16812132aecb493b18ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
45a1992ba4b3afbaa3e7ab0e735567ae

SHA1
de23e5425accfb433d725538c6613a39bfc491e7

SHA256
110757c0e3da94caf47a949e5228bb4e3038afaa4ac74d58b9b15689a3a6b347

SHA512
98771ca35fd3b2763251cc68c79d36688145a0849518741aa0b13141147f060b651035bb6ee22676e65b6e6d1ff3ca8a12f3d127f8ffcdfab8106764ffd79bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
b73fcaaf93fef75aae613064d1474fd1

SHA1
ab25df569977183a3a86d6c1bbd9e989b71f4d9a

SHA256
952497255e89a33ad0a0e3ea95717a99d24cd3eabeca152953c8d41758573d50

SHA512
75cfb38cb04e4b79ee18fac49790be23e6057c29123dd0162daeb80cb217444dd2ba67c02d38b0864d6eff1d8cf57de6f27a4cf876017c6febd142d39f08f376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
4500ae628c2d80babee50e46e03d9064

SHA1
1af1958c00deac014c3ae8750bbfff5bb1f1f222

SHA256
ec7398894f901c92c91934cedf71d24350eff6d3980b29d175a0db5c2a637521

SHA512
874b8c4afca45d1aa76a80cf939b7997a1e1e4879511adcf23ea87aeed4fb9527c4cbd919cf945be4ac124bac031e482dc30733ac97ba626e948eaaa3805f8ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
aeff4dce761d2800c418897eace759b8

SHA1
f2247c4785461f97cdb1ec20a07d7eae2351e711

SHA256
9e7652ce13a9863d27a1c439a96d1be2107982852e0017ae5f08015af4bf8af7

SHA512
930912a276ac1b0bc1ab4bca4ade440d72ec07a87942bd4ea846a676850d1e68ff0542819cf1eda8ee073c23de1cae2943283a71495be1f3f54b54a256fb1898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.16.1\typosquatting_list.pb

Filesize
631KB

MD5
c3ec8bf0a625c2583833a3340825f1cb

SHA1
582054710a312897117128ed59ddadc983525eb6

SHA256
7d10e035e0b2e152a1fe32a92b0b34295a979f7db2269cfba69d4aaf3401b77f

SHA512
175125259eb39225d0584fa4e3c5cbfc66bd22646cf32677f0eb7514a0abeb2c08118375210a69207be85e6e7ebdd9b6fa9a967d3c4ecd40ecd514e306873c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c86352a5-5f76-41ed-929d-ee745501f025.tmp

Filesize
50KB

MD5
bdee361f88ad15d04ae89ba8990d95fb

SHA1
6530ec1be5f243000878ecd97fc0e128aae94d72

SHA256
d04c7eaec973df3746bc4fa9d0c860c473aadc259807ff2566ebfd8932cf2e30

SHA512
f254f53f3966b92a90e8672fdd10dadd2458b4e467d9dfeb6d0022cca5745c7d13ca4ba438068f98c282721c695985a1dc00b04217143a2a2051da62511eb4bc

Download Submit
C:\Users\Admin\Downloads\Release.zip.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
C:\Users\Admin\Downloads\Release.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Release\Config.json

Filesize
462B

MD5
583a319b6dea1f675f81b83860aba123

SHA1
0a5cbc4241fad250c83bc86f38622a79757c7159

SHA256
596290a83136810084638abe18dfe86ee2a576360406e57c9836a5c7b6b5b70f

SHA512
ceda8a041134f6deccc6eda77c336263249c94c6df2f7f0f3ceb6aa08b05b7c77ec707c5005dbb9116a3236c3350d25f3a2df07b2f0fc0ad0fd8af71fa2bca04

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1475113699\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1475113699\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_1794569025\manifest.json

Filesize
145B

MD5
0df2306638bd60162686e9c4bafbd505

SHA1
ef9e16bf867f7950d5a30172e1d34d38686b0e72

SHA256
fd7b554588c5e72506a0bfed89bc298911a5649b9f5168ad7c1804d1c75de42e

SHA512
73fca229097631104cf352061d62455b6c5520bf59777520165719d2368b0e77f3ce66f52873fec53ac60e35274bf397ba321bc62610f0b7b172a7c5c4975174

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_484743050\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4524_867647642\manifest.json

Filesize
118B

MD5
ffa5fcfeb00002903f6cf667e9fe6a3c

SHA1
ad765ea344c8cfd95a591da8259fe412e52d13b0

SHA256
dd0679c622258bad2e2ddaec3470297259dc68b55b8c4f4d7f2f28a378826217

SHA512
8da9b780e9bc6785efbd56b51a4decc8703c9f1d41b33469153cc0aea8190c1b6a9001128c6022756a66ee539086ad6f787da84b6b7082dc51939077365e7beb

Download Submit
memory/712-500-0x00000000060B0000-0x0000000006656000-memory.dmp

Filesize
5.6MB

Download
memory/712-512-0x0000000008470000-0x00000000087C7000-memory.dmp

Filesize
3.3MB

Download
memory/712-511-0x0000000006F80000-0x0000000007032000-memory.dmp

Filesize
712KB

Download
memory/712-506-0x000000000A300000-0x000000000A322000-memory.dmp

Filesize
136KB

Download
memory/712-505-0x00000000060A0000-0x00000000060B2000-memory.dmp

Filesize
72KB

Download
memory/712-504-0x0000000006CC0000-0x0000000006CDA000-memory.dmp

Filesize
104KB

Download
memory/712-503-0x0000000006050000-0x0000000006064000-memory.dmp

Filesize
80KB

Download
memory/712-502-0x00000000059D0000-0x00000000059DA000-memory.dmp

Filesize
40KB

Download
memory/712-501-0x0000000005A10000-0x0000000005AA2000-memory.dmp

Filesize
584KB

Download
memory/712-499-0x0000000000E40000-0x0000000001042000-memory.dmp

Filesize
2.0MB

Download
memory/3512-671-0x00000000080A0000-0x00000000080B2000-memory.dmp

Filesize
72KB

Download
memory/3512-673-0x0000000008200000-0x0000000008557000-memory.dmp

Filesize
3.3MB

Download
memory/4584-601-0x0000000000970000-0x0000000000982000-memory.dmp

Filesize
72KB

Download