xenorat | 10a806b3b91bce876937c1f705b91153f5fdc91c88fe442dfd0ae6f06e26a9cb

Resubmissions

13-07-2024 02:33

240713-c188easakp 10

13-07-2024 02:29

240713-cyqchsthke 10

13-07-2024 02:23

240713-cvk9ds1glm 10

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
13-07-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5oP2ak.html
Size

508B
MD5

db55c0a45c78e31108711e01515a26d0
SHA1

667d59c73d995076e9e3566ad0acab62b81ebde8
SHA256

10a806b3b91bce876937c1f705b91153f5fdc91c88fe442dfd0ae6f06e26a9cb
SHA512

35e4645768d3534a5f9cd845b5d78718dc19e62aa2edaf53041d6d3408b22e6e8d0071dc27e3eab3b64a8df79a12dee72a7aeef81a24ac83d292bafabf78bbb4

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

192.168.0.15

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2640	Xeno.exe
5116	Xeno.exe
4584	Xeno.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 701308.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Xeno.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1364	schtasks.exe
2748	schtasks.exe
3556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4548	msedge.exe
4548	msedge.exe
2816	msedge.exe
2816	msedge.exe
2860	msedge.exe
2860	msedge.exe
2260	identity_helper.exe
2260	identity_helper.exe
244	msedge.exe
244	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe
2816	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3096	2816	msedge.exe	81
PID 2816 wrote to memory of 3096	2816	msedge.exe	81
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 3516	2816	msedge.exe	82
PID 2816 wrote to memory of 4548	2816	msedge.exe	83
PID 2816 wrote to memory of 4548	2816	msedge.exe	83
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84
PID 2816 wrote to memory of 1524	2816	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\5oP2ak.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffadefc3cb8,0x7ffadefc3cc8,0x7ffadefc3cd8
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2372 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:244
- C:\Users\Admin\Downloads\Xeno.exe
  "C:\Users\Admin\Downloads\Xeno.exe"
  2⤵
  - Executes dropped EXE
  PID:2640
- - C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"
    3⤵
    PID:760
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC05D.tmp" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,3565873468960280058,10116927283268260640,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3684

C:\Users\Admin\Downloads\Xeno.exe
"C:\Users\Admin\Downloads\Xeno.exe"
1⤵
- Executes dropped EXE
PID:5116
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1330.tmp" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2748

C:\Users\Admin\Downloads\Xeno.exe
"C:\Users\Admin\Downloads\Xeno.exe"
1⤵
- Executes dropped EXE
PID:4584
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp97C2.tmp" /F
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\9a6f16f5-0741-4b5c-bd92-319e14e8b660.tmp

Filesize
11KB

MD5
2b4ab028185c0fafd1bd0c8f3f6191cd

SHA1
608a4ef10a3ea43ba128c07cbe1018dd30b791ce

SHA256
e8a2cb23614a6863a53ced18e9cc675a6b91e9fc8cc176b4c2418faa2cafc914

SHA512
d28b007b0f7cc3cd167026be0b52c0891e3080eeadc8ac793b9863dccc34757c8efd6715034b4c41f053322ccc24b1416c08152d2a049bdeb81f355c9f4a18b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bb87c05bdde5672940b661f7cf6c188e

SHA1
476f902e4743e846c500423fb7e195151f22f3b5

SHA256
7b7f02109a9d1f4b5b57ca376fcacd34f894d2c80584630c3733f2a41dddf063

SHA512
c60d8b260d98ced6fe283ca6fed06e5f4640e9de2609bcfbfa176da1d0744b7f68acabfa66f35455e68cad8be1e2cfc9b5046463e13ae5f33bbbf87a005d1e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5478498cbfa587d1d55a9ca5598bf6b9

SHA1
82fedfb941371c42f041f891ea8eb9fe4cf7dcc8

SHA256
a4e82ce07a482da1a3a3ba11fcceee197c6b2b42608320c4f3e67f1c6a6d6606

SHA512
7641a2f3cc7321b1277c58a47dfd71be087f67f8b57dca6e72bd4e1b664f36151cd723e03ea348835581bcb773eb97911f985d5ee770d4d1b8b6f7849ce74b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
7d372ca73025b6ff31f55fb6acb12734

SHA1
069dd74d4d54b14a5ec9691ca9c58bb71e616b0e

SHA256
166dba25ae8f01f8f396a68d169deda2e76f028a475cb75f2518f052b0a5a97d

SHA512
0d6f646bebb0828f0203897981e9991376b760ca04d600748b47fa145bd4d88ab09051c4f75bfdabb6b2343a7e8d5e964e3ab6573b7be47f699693c80a8d7f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
387B

MD5
a76d8ae9523bcf5bb2caa451121a0d91

SHA1
4867caa19f280aabdc4f85f6468335d70ad1d996

SHA256
515a528f05f0c708175813df2e149b0960d193bd4dac47a11a7641745c8a063b

SHA512
9dbab2a7c6ce09335a805a319399b95ad818c94153d57818cdf30cd26f825ab4517d15dca8bf4156a0aab5a24a6c06977ddb5f9d27f4be8f601a813dc88b9a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4c716a1dfeaa367193bb58da4b8e7c9e

SHA1
0bd028d45f4df8ee39e5ca3b796c64366fae3672

SHA256
6429f406f2568f9cec5eb036de808a853cfd74c790902c8e99e0402783cec2c8

SHA512
9ce4f0d18f9669adc0a61447ba6b5c80f3369dc03538ebe579a0830079021daae7ab81c55c5fd011032ed17280f2c8175b49a531fb58c3adc47cec3928d9b15d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
01c0c5c25d955c39ff41a5e5fd2c68ee

SHA1
7eadef3fabcc64478c0a30177d8d319ed2a2f517

SHA256
dc0ee12dff3945b983bb20e8a829aaa65f31b840e1f5ce8d57d4ff610067f7f2

SHA512
ce923e1847be216335674004825b44c83b01e61c324871f57d974ec3b4ee92d732a8b0d324bfc2b1defd879be8459b4babc2c9cb601711f31944c9c8809663a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
212d0a3ab59ceff68b239b2c59b53baa

SHA1
3746d50bada76433076969ea18581ae36479d7be

SHA256
d520d193aae449e039348402ef32e4b0c1edfb9f5c600af5efd1db105ccdc593

SHA512
29ac99eaf0772d7394e3afc96d255eb1780247b9400219d294108fabcd038a99ff56bbd7e272896c867d0bbf88a6de082579044f364abecd53a532818b50c5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
926feb06faac901a37c17903ec5bd960

SHA1
00f151271aa79a78959276ef4b15c09315e2ac16

SHA256
1abc073351a0c9ec97e59f23c1a7eb8263a4d5d2db6dfd69e5bfaadb82d612af

SHA512
40c74a30e64a05fc676d0a6dd1e5b2909b3a61766e12215d773d177a1e1c7abc5d28d90abdb9be8ae38fadb91dc88c585972b66ff1296f5d6374fd458b202469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86992e86fbc483b2661962e0f2327da6

SHA1
03239a4b5875f802f694197b46a34054903e7e69

SHA256
7029cb78449beca953893b9eea3ba5204c2814c8361d05d39e8ddc85199ffde6

SHA512
c8e82b53facb99d8716c0ba72cb3b0a72cbe27ac0aa50fa50e14f800e149e636f82f1d8550da639de15af4b7ec94609d64e9f6a0e5106c355bc90dc5865280a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ce235bd6edf32b301d9873de1a7b1fc

SHA1
74ddd47b23bf25259279b3ce297bfda6c46eebf4

SHA256
ae60851b2d2c25de326a2a32c10e704c181fae6825451432f0800eb23451ea55

SHA512
bed59a99bf77aa7c107314037fb519ca831b000666716786b4c0aa587145221bd1adfe5abc2670a549b16941adb2bd3322109a950acc938c87a823d95157e282

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1330.tmp

Filesize
1KB

MD5
b923f5b80bab6ae4947fd855494dd1c2

SHA1
5a5e04859ab57a77bb1b08b834a854b31a506f7c

SHA256
8f8adc07489cc927ecb0e28b516cacf73506fd9721282e650695be28ce34ebf4

SHA512
34ff792ad4d0ed58da090418d36d18250bf21b6a328c22fd6a8b3be1110ca450fedd7ef679465d78b425c8b8324548d21ebe502db3715b5691727c9193322da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC05D.tmp

Filesize
1KB

MD5
589637079f13d5055b29c3aca9987b21

SHA1
6e48750d0c13e1b6e3db2505fcdfadbcca764339

SHA256
fbf8df93941e49f1b2d65db79e80c8043267773384bd524cbd369dea598c3044

SHA512
41d4c32275da18824ac0901f8bbba81a091dc230cdf715d2f2442b10699534fb793f84895986d8d079c30212fb497d83793949ac33749fba151e86236a7fbf3d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 701308.crdownload

Filesize
45KB

MD5
5189de3eef9eb1c785990555c2bdbef2

SHA1
c6e87ed0d76548b34d91a3188d699f47397bb3fd

SHA256
c85b6c4898067c9777172b1c0e02c8bbd8227c5ea29b1fb215ff418df956e891

SHA512
ec712492dcd2508035db4435e129c7ffa644ed1dbb6e4b9d35f416c0ed98da27ab088a2287193a82fa482bb55261d62542cf07a977a8b903857ff1ca9ba46477

Download Submit
C:\Users\Admin\Downloads\Xeno.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/760-169-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2640-158-0x0000000071FC0000-0x0000000071FF7000-memory.dmp

Filesize
220KB

Download