c608bdd745898e19de5dc85942912f2d61727017932fedb4328a4242e64a5521

Resubmissions

06/09/2024, 17:32

240906-v4je9szbqg 10

14/12/2023, 15:24

231214-stfwaaefgj 7

Analysis

max time kernel
213s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
14/12/2023, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Release/plugins/Chat.dll
Size

11KB
MD5

1dbfe9236bd915fc575d058ab026dbf5
SHA1

120368bed3da7852bb3f85112c845a51d9324af2
SHA256

16e4786dd7a245bce630be805c754ee104dfb932346c28f655c7559c36d368bc
SHA512

cec6fb91337e1d881b5c9ad3823678e29b530480acfe462abc267ed4883888282a5e8b976db6dbb954cb3810dfcceeb40e1beb71dd6e987f7890c1206765a3c4
SSDEEP

192:NKKZUEl+O7yduI9/SJuiCoxENny9+E8cr2a8Vk+C:gKZUm+N0IyCoxENng+Ed21Vk+C

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4428	xeno rat server.exe
2508	oh my god.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000004a8b15199923da017f9faf1a9923da01282fe31b9923da0114000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000007e577278100041646d696e003c0009000400efbe7e5735738e57307b2e00000079e10100000001000000000000000000000000000000503d5900410064006d0069006e00000014000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\NodeSlot = "5"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 7e003100000000007e574c7711004465736b746f7000680009000400efbe7e5735738e57327b2e00000083e101000000010000000000000000003e0000000000ca1f3f004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000007e5735731100557365727300640009000400efbe874f77488e57307b2e000000c70500000000010000000000000000003a0000000000e1cd160055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "6"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	xeno rat server.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Release.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
7144	msedge.exe
7144	msedge.exe
6596	msedge.exe
6596	msedge.exe
5568	msedge.exe
5568	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4428	xeno rat server.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	firefox.exe
Token: SeDebugPrivilege	1696	firefox.exe
Token: SeDebugPrivilege	1696	firefox.exe
Token: SeRestorePrivilege	6412	7zG.exe
Token: 35	6412	7zG.exe
Token: SeSecurityPrivilege	6412	7zG.exe
Token: SeSecurityPrivilege	6412	7zG.exe
Token: SeRestorePrivilege	1528	7zG.exe
Token: 35	1528	7zG.exe
Token: SeSecurityPrivilege	1528	7zG.exe
Token: SeSecurityPrivilege	1528	7zG.exe
Token: SeManageVolumePrivilege	5236	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1696	firefox.exe
1696	firefox.exe
1696	firefox.exe
1696	firefox.exe
6412	7zG.exe
1528	7zG.exe
4428	xeno rat server.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1696	firefox.exe
1696	firefox.exe
1696	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1696	firefox.exe
1696	firefox.exe
1696	firefox.exe
1696	firefox.exe
4428	xeno rat server.exe
4428	xeno rat server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 4352 wrote to memory of 1696	4352	firefox.exe	104
PID 1696 wrote to memory of 1480	1696	firefox.exe	105
PID 1696 wrote to memory of 1480	1696	firefox.exe	105
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 2220	1696	firefox.exe	106
PID 1696 wrote to memory of 4332	1696	firefox.exe	107
PID 1696 wrote to memory of 4332	1696	firefox.exe	107
PID 1696 wrote to memory of 4332	1696	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Release\plugins\Chat.dll,#1
1⤵
PID:508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4352
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.0.511816567\515813591" -parentBuildID 20221007134813 -prefsHandle 1816 -prefMapHandle 1808 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fbc074f-104e-4c96-bbc7-f453d049b181} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 1908 1de18828458 gpu
    3⤵
    PID:1480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.1.629964322\2098460918" -parentBuildID 20221007134813 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3adeb9b0-813e-4671-aca1-3a48535076aa} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 2352 1de1760ae58 socket
    3⤵
    - Checks processor information in registry
    PID:2220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.2.1069119008\1450228431" -childID 1 -isForBrowser -prefsHandle 3084 -prefMapHandle 3080 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {586cb508-667c-49a2-8c68-60555b140e89} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 3096 1de1765c358 tab
    3⤵
    PID:4332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.3.902055196\1421215217" -childID 2 -isForBrowser -prefsHandle 1072 -prefMapHandle 1068 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90360b58-78a2-45b0-8c81-6623b673db5b} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 3488 1de0ad68158 tab
    3⤵
    PID:3848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.4.879940852\242269860" -childID 3 -isForBrowser -prefsHandle 4388 -prefMapHandle 4404 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a6d929e-459d-4c16-b0ca-344c3be1a18d} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 4352 1de1d2ef858 tab
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.5.47592100\1741182158" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 1584 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7659553-1b69-4f32-a987-dbf4a65e2a8b} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 5060 1de1da6ba58 tab
    3⤵
    PID:5772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.7.1150532138\882174345" -childID 6 -isForBrowser -prefsHandle 2816 -prefMapHandle 2820 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65780404-9087-489f-8d67-6bd484f5b7d4} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 5460 1de1daa4f58 tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.6.912126187\1591688882" -childID 5 -isForBrowser -prefsHandle 5368 -prefMapHandle 5364 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caba1db2-b1bd-4ae5-8fa0-f7c1676deb3a} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 5352 1de0ad6d358 tab
    3⤵
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.8.1754467565\1750938692" -childID 7 -isForBrowser -prefsHandle 5932 -prefMapHandle 5836 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca74ec74-eaae-4422-a355-0fe6456e083b} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 5924 1de1f6d5358 tab
    3⤵
    PID:5800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1696.9.1058621315\380786264" -childID 8 -isForBrowser -prefsHandle 5048 -prefMapHandle 5144 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1376 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33a79e46-feba-40f6-95f2-1ea7397dd513} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" 4044 1de0ad5fe58 tab
    3⤵
    PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultaf764f8ah4b31h4b58h8a3dhcc5b7e9011b3
1⤵
PID:6872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffebb2246f8,0x7ffebb224708,0x7ffebb224718
  2⤵
  PID:6904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,7415045439616674837,36213153598319004,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,7415045439616674837,36213153598319004,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:7156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,7415045439616674837,36213153598319004,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:7132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultc7be8e0ah446dh4e16h8b37hcc28ea597b7d
1⤵
PID:6888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebb2246f8,0x7ffebb224708,0x7ffebb224718
  2⤵
  PID:5448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14197046432808787954,9339261903249395604,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,14197046432808787954,9339261903249395604,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14197046432808787954,9339261903249395604,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:6792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:6744

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf942de95h9c8dh4023h94d4h929ad4e5c0ca
1⤵
PID:6204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffebb2246f8,0x7ffebb224708,0x7ffebb224718
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,4398693598479810806,16916323336954403629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,4398693598479810806,16916323336954403629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:6780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,4398693598479810806,16916323336954403629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap24143:76:7zEvent2977 -t7z -sae -- "C:\Users\Admin\Downloads\Release_2.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6412

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release\" -spe -an -ai#7zMap17755:76:7zEvent26171
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1528

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4428

C:\Users\Admin\Desktop\oh my god.exe
"C:\Users\Admin\Desktop\oh my god.exe"
1⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:2584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5a4c6badd2d2e8a3304abb9a11472de

SHA1
e828b3d3ebdb7c9a0614a8ac841ab37ab02f43ff

SHA256
91565214f61d724e6cf0fc73439df2305bbed1fb0845c2df4e0bac7c6a9ab5e4

SHA512
5f1993419ead73faee9ab644bb8fe3c395e185d4c61e8e7fc89c675aa5a99debdad11415c1f0797f0af53598ab56d75dd934f395fdfdfe8a0646c67a20d99d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
037035308d7db3d2fca2a2b40730dc5b

SHA1
210b31a974dcabc14b0793f3c6e72c28c092ecaf

SHA256
de1518572f27067a5708efea364ea58f54061edd9fb866d09791e5891ec489db

SHA512
e8cfc6f72695162200b53318d95027c49d3f2def435b9886693fa65d5c1d368448c6efc73275750ffdecd0701efaeb354676e0301337daffeec0e3bab2c38fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
93fe71dc264cb0f1e5c939a4a29c4146

SHA1
3c3c355a9fa2892e683e77de61d9667b9f2c0323

SHA256
90adbfcea622d65cf1af63306456bdf4f9b975255be7039a74f44571d81fe865

SHA512
b636548f00bc8ba712df4642c7eb547f5b68238c923ec8d74913de6e01e3181d967d10ac659d0b65feb869e31d8d919901fb8b8f2669314bab6c9fc3eff673ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
371a89c74498b24615067804fe940fbc

SHA1
aa05e5d054a22ea30ae68085dd3c24f7f961df72

SHA256
f30a335a246d8de9934c0a0b23a611e62784b52c5d3ac342d4256b531576478c

SHA512
faec41d32cbbd117e256930a7f2722b2a2c55807052e2bd5fcb3863aa20902519d1be96cc99bdbc79d0cdf3f4d71a962e66f33ec079d3997bd3f1c7d162e4fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e057820acc2c319070a98e45013274f4

SHA1
a41ec53ff808984abde788a669b442c3e4f44ac8

SHA256
5e2b4b36375f2784b1889d5be3e9552ca8e0908f4922ed74f6db8971702cd446

SHA512
7255151b69d8dd51680c0df03598f5949b8908a086f07e1abae499434cef15762771a44e2972bbb3223fa4ccba9b875fb8316f61f9e86ffad46168ef1ff77b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
792d374f9383bff29e3f85f676793937

SHA1
1701533621dca911867697279a36a8b059a6bf38

SHA256
7469eb30fdf75986b4e8fe94ab95aff14d1de7700b7f66fbb76c1da381ca7cf3

SHA512
36e59ea5474821a4e99ae3390ddc80f763664789ab728a797c9f6174d148e5ec4a7a73b11d0ec61de471c856ecfe65159e0a944cec6270a4b78d9ef28d706a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
5d4b2838fa42703c7c8ec212619b4d6c

SHA1
bfc796f93c1a0a18ba8bed763daa07d04a7ecc11

SHA256
2ecfa76c386d483ffc8a248db2e82ae036cef432713557687b92cfa96e2cf543

SHA512
f1278c39cdae329086a573b492a2338e3546a17bf8313d908630f2e945ad466f52f1be75bdbf49fa5176554ed9b8f4ce879d2cc846efce57ae5e641e77ca0d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
a83646d744a5386c5b0d4b9a47cc0ffb

SHA1
cea198c6122914929f9e046b3e7bcb7b0444c037

SHA256
54ffb7e56a9e482103f48943729109c38b5b46927740d7b81a4036c6e2df60be

SHA512
3817841a2cab2fc7af3afda90f3d63bcac1c46bef86ab4d2b6c867b10131d060324da7a6e5d34347c431e448b01518124b6d673d42e4dd2d7fb6ca5c74980b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
b8b0188a8afdff0a08f036087dc19810

SHA1
4f7368ae42a5eee2f608750a5fffe12ab196888e

SHA256
ea8e2807920d2d279d595e80628a69d5bba275b7b00baf9ac380a6e297f29ad8

SHA512
7c364d3cdf6c309a4f872296514bdc1ee261bba78483e8f87c133c1ca296c069d2cad6f27d49a515260f3ce97e46080634272eec9f9905b491bed205643ccd66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f4ce8779-92cf-43ef-851c-cfdd9a3f1e5f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
4aa2bbcda34ee473545bdf34d4fd962f

SHA1
3b34b4275d7982dc8a515d0905602a7e52216491

SHA256
7d23239ddd789d09f5b3af2c81ba136826737ffe2269f6f62b9c3ec8e7e3b0e2

SHA512
407a61804ab919ba07ed341f733c987a1983c3021b9413f5d564e4dd271e23823c6517d9eb86183674cfeca645f08843c3be4cf651a0bf454205660951b793fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
4b56cc61c67e0c8d792791598dca0507

SHA1
f1e05ed60090f2de25e32b4cb28a6789c697ed98

SHA256
fcf75b6bc07643764efb357da1264c3ac4d64497c786fddc573c451e8e5bb806

SHA512
b13de6a46326f12191636a336448397f61953eaab8a08f41781a8c7f1aae7456e29139008956121a6ca9c641f4f8e7fe71fbf036081b06d97abb09f8f2262d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
aa1b9eed1b729bc8c538927c8793d308

SHA1
99956c301b5299cd1a5cd9c9032c533f9e1bd938

SHA256
018ab7e32e4d4551a1d1a965ed428c86f6036fd43da119b9cdc6a507a32cf62a

SHA512
ba9c8ff0723628bd05740e39c181b07b268796a0a737c683696fac0060f90cca7c28440b13927afce5b85311a8824a8a689e6f2d638c59ebaf79766fa311dbed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\33esezky.default-release\cache2\doomed\5155

Filesize
40KB

MD5
cbe4adea30e8cccb9e38bbeb98dfa9f3

SHA1
058e4db20de521f9c9ac01e5b9651a5b5f247491

SHA256
ccd82ba0eb82281fa3fc55ba5df9bfca8f401f746ef85e75d0ce335ecf880303

SHA512
ba485054aa04bb279713f675c7db70eb4d63cdbb04df3628e722058ef3930eb1f79ac0fafb42aaa098da722de45937d493caac19979a1d6c057be9388db7f515

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
90297638b1e87e3a8d555da4815518a6

SHA1
d9cf8f110c09e9127d761568b64420e3af191578

SHA256
7c1224297b613a6c91d46f854c6da70db98eb5e51740835eddc85f593abd4ac8

SHA512
922d1154ddc559b93effdaa8a2bade3c3f8088d7342d1755c4266320701f854397bb744e794a11229de9d81266ff4c2fdb744814de86f52e8c5e6e33f12a9335

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\datareporting\glean\pending_pings\6403983a-3f8f-4f63-9fff-2dfd442b3768

Filesize
10KB

MD5
b43a6bce5398ab2bd5a7f81f95d8f89e

SHA1
9c0990e5f52db4cc1fb7fdae8a0a402fa786ba9e

SHA256
7942f7f30e71ebf36530547dd64be2f9933d0ae92b24d0741e9ba488deb00f18

SHA512
ff6b43a0501b47d815d1d382191268e1bf47b1f54ee3d1fdb869603423da59653eaf66404422c386d67b274f0f18de6719ee9f24f8a3a76a095a21f91af8ce82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\datareporting\glean\pending_pings\ffd7205a-b478-49c4-810d-d44ec2a18d61

Filesize
746B

MD5
35fe0d9bbeee666829b2c5494a86a06a

SHA1
334562a74e29eb5a6fd34ee258dba4850bf72273

SHA256
3336483f008822d80c273505af1aea15dd7148bae4b2da3d56e5e3efeecdb28e

SHA512
852cfbb5301c6e5e857244f1975ea88bf50f3884878129ac9a591c4cb37cf75e0a82883e253ff0b610c7d532fd6dc829970b5e4a422da07469e20e891e650a50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\prefs-1.js

Filesize
6KB

MD5
ed3e7738cedb68cf2c6eb63279e43af8

SHA1
dd1c23b93ec69741be0a933cd8061b58a904661e

SHA256
f0174c72ea43cad046bd5cae955b5148bcdda52e82f94a629e55900786715955

SHA512
83e97227a1b99ff84629d8613950abccf7c2a5bff82ca378d59272e1f5e653dd2179a18858ae7267cb9e0ebdabf41c8fa29b22bae398f59a14fc9afb069db45c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\prefs-1.js

Filesize
6KB

MD5
ce4aa616b6c117155aa8d477ebe9ae26

SHA1
55d238df61b5a8dc08601565c5432a29a8560839

SHA256
91c428c8adc3dac628534e5f0bcccd5c675e17e9d72544a6e9d76a5ea95eb077

SHA512
1834887e028d6bce5d50ab5f3f98ea17b6254ca167d64b5391d9d8b06f665d3158c6071bca840d79d8a8c21e214a54f6555a1dc847653dbfcbbcb5f1d08e6ed8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\prefs-1.js

Filesize
6KB

MD5
3fc1388417255323ebe68dfdc28eb174

SHA1
2e182a095205bae6479f5006e5b668815e9565f3

SHA256
29999185285a7538f5963a4c5f0b74dd86a806630e2019042736b464d538aeb3

SHA512
00b62b462bf7978bda85866658f066073c2fd0731782596e411f6503bafb7e34db99ffaa09e54d714faa7c511cb2c01ecd79e7948fbc4a1b089dbca3fe5e0304

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\prefs.js

Filesize
6KB

MD5
b2f3caab9760e2769c1da1266284b079

SHA1
55bc5f675ea11bc0df5d77dfbd45d90f2e4bbebe

SHA256
e5edfaf950affe5fdcf540e79fc240c28e0a038ea4247dbaf89e85ad40caa0d4

SHA512
234deb244946bc453fb8387394764c38dfae4056b9bbff1c51d450285a9cdbf4c7d85fe07393cc9cfa3404fbd813b30f37d47046742cc26428255170885df45e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f5bb36dc298d3afd994a50a1170e8273

SHA1
210201a421c2a86c2ddfe40d392a35e5182ac867

SHA256
9eee07e8ea874e4705682afaee991cfa5aad0675a9288b951856cfa6f217e90c

SHA512
d1e8720bacf1c47005dc270deaab1df8246ab649f4f92f335fc2085f237a7aa8100c92961ccbd18a7d2c975f3a16ce7d97ddaa8cb370ba40f515a4c134ba244b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
00ad83679180f6e3032933ca9d6b4bdf

SHA1
1e4bde4d674584bbf9a96f364c3c15955322901e

SHA256
e20b6e56715aeaaf2774fedaa74d609ecdef4064adef38a91adbf61dd7249038

SHA512
8e0eca2f3647a3a096d8bf360adb0ee6391a94dba44abc2ab9bddd72d1f2acfe0815d99a646d7c3c5e5f8441496f24547527bddfde88fe97886f95d4f4c2a071

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
efaa80f13650f668b540e18060579c98

SHA1
3fa224f3d2473cb08b0769cb66e34a9221243d9a

SHA256
c3e0ccdda03e5f51922df8f6698a26bc5ae602eedea7c2be9afcf047e110cf27

SHA512
5fc656c76d5a807b7b2c7366543b9443b5dbd90c18fdc92a8b846537c75f9310bd1c3d0596ef971b6329ac9dcc4f1b7f4ed8f9e25f06749290bac6f814de0227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
2059a761447f6c4109ee08b419965755

SHA1
83d98db32199a408117650ac9d218c1f9053c25d

SHA256
ae213891f567b6148ab090e67aaa35b3d8f05a95c55ad50af4b5d874d6629d18

SHA512
2984595a14b0fc2743600aab5ded9ed57456e6f8cb48178ae6ff436f9301bb80fbb6692ac62910ceed333fe75da100767ec823ae4093a6643934ed2b4d1423b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
c12e1070a6228991c2b5ce1ebd521116

SHA1
0e509e5a1e6770d35f9eb0d061bdb6af36a3521c

SHA256
92c15f1c9548f5455564723b70abc5052b3482fce0e5d964f6e9a7f6cc9a7244

SHA512
64d1639906e6ab5d4699b282bfd5463e8fabbfc7f48eb296f59296fc33cce5fc7b99ffb9730b778c2b9b91719bca86f8d9e087d31703b2a94d02f7abb6fb1990

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\33esezky.default-release\sessionstore.jsonlz4

Filesize
7KB

MD5
cef52d94ef01b47dcfd18b17efdaa945

SHA1
a6b92564e1367f338dcb2ef1e3cc42e39ab28fa0

SHA256
ab88063508fec40d662981c096664ed2d9e43d76ac2c581aabf767bf19f83a34

SHA512
9cb1fdc0134f8149e21016b4a593dcfa05c58d6fc418a64c041ae9fa9816f40449dabfa66bc6f4a372a0e8b97c119d9fea2b8ad3e7dc7c0b45f3479bc472ccbd

Download Submit
C:\Users\Admin\Desktop\oh my god.exe

Filesize
40KB

MD5
20372aa1759d47eca770160cc29e171c

SHA1
25f5e4d9b16c55e1c13ebd6ffdd7aaf141c5c7af

SHA256
cfb5d339c4c50ceed499b9e91ce173c8d90eb5a37e43bf1b02a4c4ac6a39013d

SHA512
4649fefca77972545f935656eef0be790ee68ad3190129de29256ea80c1b660d67e603e0c88df42208587950191caa3a3a866b31e60364d6a2c107bd89b1abd0

Download Submit
C:\Users\Admin\Downloads\Release.Z__gQafu.zip.part

Filesize
1KB

MD5
740b9a0d32a4d81a1b298476fbd0b45d

SHA1
a3383cf04e84f31b0a973e609ac6707672de23d7

SHA256
53b8ce58d018a00a79de30fb0bb8282251134706b94e6707381fa87da74b295d

SHA512
996041c788499463086e180f34e5ccbad9a6b29c417d1d267cdb93cee1ed437b843d5fbb3ea265cafc1fd6ec96e5b286060ec83977fb091a84f269876fc4076c

Download Submit
C:\Users\Admin\Downloads\Release.Z__gQafu.zip.part

Filesize
1.6MB

MD5
a4cfc75efd6dfc761250f862b435b16e

SHA1
57e9c021c3d6beb4bc2d7b91e8877afd17cef4cf

SHA256
96ef532b1b659cd27b0026224872cadc377bb9eb3c98b4b5b78cd136a2c49a53

SHA512
54fd5a9a2bf84805dba32dcc9b912d41151fe1e215172e4c1af81abf3e936c181e11c4cf3e593571d00ce1912bec3831d54e951d559ca88bb726800934b85b2b

Download Submit
C:\Users\Admin\Downloads\Release.zip

Filesize
2.5MB

MD5
eaee0ff03c04e223580b6d82c926de3c

SHA1
908871c8b35476444e0a0d95b517db62583a25a1

SHA256
c608bdd745898e19de5dc85942912f2d61727017932fedb4328a4242e64a5521

SHA512
162175a266fc11c3c9c6d58e89a4978f5ef88ffeeb28018e6eaf38320b3e1af6d2598c51f170ff7cd6929ac0d339e249e01e4196bad0340f254759dc34d94291

Download Submit
C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe

Filesize
41KB

MD5
2fe8fac79ece15f356bc5822837c67fe

SHA1
ea55c7a7bc93ea43bc948541a84166d4034ef6a2

SHA256
d802c46c42c3af1e202d21532ab44c0159e6ca3832afedf2420d9ed1d35cb088

SHA512
5af0c243117e5d8f74f66205b79a53f7d268019fde9c5ef53b1cd50f5f33836466d422c93c96f484207540cb51ed85695ad7ed969945f89c9ef47f3107e4b495

Download Submit
C:\Users\Admin\Downloads\Release\xeno rat server.exe

Filesize
1.2MB

MD5
4dc5dd9f4a84aea0ee435e982d149df7

SHA1
e8c64ad72bc0dc9f6cbb404f997d0c6a0bc2bcab

SHA256
c58fdb4fc67d0edf7edca737f23530d74eb0912f9debbb74f06ac093bf84f670

SHA512
f5cfd29afc783ecba84799b36e47cf92604d7aae41e8af3a6810d6de7a40c5cb86013efbbdaf51e4bb9559d9d8145dedd9aa6bc5188417c8f6ef2524f5db9b92

Download Submit
C:\Users\Admin\Downloads\Release\xeno rat server.exe

Filesize
451KB

MD5
630902ab757de2f999402c3edb439e8a

SHA1
232f598fcb63ff4480a0f8ab30d9984aa15efe3c

SHA256
5112833640d43d3a8ebc086e75de7a35c6f2e2768e483397456c76b8d9603aae

SHA512
6eca83daad2fef8a934ab908bdacec884515d734bbf3eb6099c81551b599767dc823fc343bd68205b09d9024b5cfb2db0aa192e86387956a791d4ba7cbcfb280

Download Submit
memory/2508-892-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2508-821-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2508-822-0x0000000004900000-0x0000000004910000-memory.dmp

Filesize
64KB

Download
memory/2508-820-0x00000000000B0000-0x00000000000C0000-memory.dmp

Filesize
64KB

Download
memory/4428-797-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4428-801-0x0000000008E00000-0x0000000008E22000-memory.dmp

Filesize
136KB

Download
memory/4428-802-0x0000000008E30000-0x0000000009184000-memory.dmp

Filesize
3.3MB

Download
memory/4428-804-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/4428-805-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/4428-807-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/4428-808-0x0000000009400000-0x0000000009524000-memory.dmp

Filesize
1.1MB

Download
memory/4428-809-0x0000000009520000-0x000000000953A000-memory.dmp

Filesize
104KB

Download
memory/4428-810-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/4428-800-0x0000000008CF0000-0x0000000008DA2000-memory.dmp

Filesize
712KB

Download
memory/4428-799-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/4428-798-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/4428-796-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/4428-794-0x0000000000BE0000-0x0000000000D54000-memory.dmp

Filesize
1.5MB

Download
memory/4428-795-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/5236-859-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-865-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-857-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-858-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-839-0x0000023D45B40000-0x0000023D45B50000-memory.dmp

Filesize
64KB

Download
memory/5236-861-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-860-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-863-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-864-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-862-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-855-0x0000023D4F110000-0x0000023D4F111000-memory.dmp

Filesize
4KB

Download
memory/5236-856-0x0000023D4F140000-0x0000023D4F141000-memory.dmp

Filesize
4KB

Download
memory/5236-866-0x0000023D4DD60000-0x0000023D4DD61000-memory.dmp

Filesize
4KB

Download
memory/5236-867-0x0000023D4DD50000-0x0000023D4DD51000-memory.dmp

Filesize
4KB

Download
memory/5236-869-0x0000023D4DD60000-0x0000023D4DD61000-memory.dmp

Filesize
4KB

Download
memory/5236-891-0x0000023D4DFB0000-0x0000023D4DFB1000-memory.dmp

Filesize
4KB

Download
memory/5236-890-0x0000023D4DEA0000-0x0000023D4DEA1000-memory.dmp

Filesize
4KB

Download
memory/5236-889-0x0000023D4DEA0000-0x0000023D4DEA1000-memory.dmp

Filesize
4KB

Download
memory/5236-887-0x0000023D4DE90000-0x0000023D4DE91000-memory.dmp

Filesize
4KB

Download
memory/5236-875-0x0000023D4DC90000-0x0000023D4DC91000-memory.dmp

Filesize
4KB

Download
memory/5236-872-0x0000023D4DD50000-0x0000023D4DD51000-memory.dmp

Filesize
4KB

Download
memory/5236-823-0x0000023D45A40000-0x0000023D45A50000-memory.dmp

Filesize
64KB

Download