xenorat | d21d4ed60c7c91365c7717e573c0b9849a170b3b66604367755470e0201debfd

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Pangya56.exe
Size

45KB
MD5

37e143ec80feaeef29e906bb0ca6f7bf
SHA1

603fd25c94f0030186250472d8e74ebc85d1abdb
SHA256

d21d4ed60c7c91365c7717e573c0b9849a170b3b66604367755470e0201debfd
SHA512

e59874b7eef2964740e17167b25ddccaec17b8214fc5191bf6f641c6c7f176b6c08f1c1314c1b058a94e774d40e1e6c0e9a7874bd897b3e823974d73168bdad0
SSDEEP

768:vdhO/poiiUcjlJIngQuH9Xqk5nWEZ5SbTDafWI7CPW5C:lw+jjgnYH9XqcnW85SbTGWIa

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

PC-1

Attributes

delay
5000
install_path
temp
port
4444
startup_name
Pangya56

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3808-1-0x0000000000D10000-0x0000000000D22000-memory.dmp	family_xenorat
behavioral2/files/0x0008000000023c82-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Pangya56.exe

Executes dropped EXE 1 IoCs

pid	Process
1220	Pangya56.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pangya56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pangya56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
364	msedge.exe
364	msedge.exe
4004	identity_helper.exe
4004	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe
364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 1220	3808	Pangya56.exe	84
PID 3808 wrote to memory of 1220	3808	Pangya56.exe	84
PID 3808 wrote to memory of 1220	3808	Pangya56.exe	84
PID 1220 wrote to memory of 1444	1220	Pangya56.exe	95
PID 1220 wrote to memory of 1444	1220	Pangya56.exe	95
PID 1220 wrote to memory of 1444	1220	Pangya56.exe	95
PID 364 wrote to memory of 3796	364	msedge.exe	111
PID 364 wrote to memory of 3796	364	msedge.exe	111
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 2744	364	msedge.exe	112
PID 364 wrote to memory of 3576	364	msedge.exe	113
PID 364 wrote to memory of 3576	364	msedge.exe	113
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114
PID 364 wrote to memory of 3772	364	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\Pangya56.exe
"C:\Users\Admin\AppData\Local\Temp\Pangya56.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\XenoManager\Pangya56.exe
  "C:\Users\Admin\AppData\Local\Temp\XenoManager\Pangya56.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Pangya56" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffa1e046f8,0x7fffa1e04708,0x7fffa1e04718
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7021908065076110366,18270557442831587973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pangya56.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3da29fa3bb6432f8efc36b7552c000bc

SHA1
688f5b28d9d1fe4366d4f1b456aef83ffdaab5b9

SHA256
1f42d2112296e92a59befc993021fb3e7f5b6e7ac74d6f6dff5c743f86f5fc7d

SHA512
caeca26d2cb6a01ec10829c68d8b140ee8e4fc08222017095cfd14a9260203ea04858213f224f806be731c52ae8c407c41c055e4d5cf7d1cf188e04f480a321d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
18e3c4267bfd29d1d023e287aefecee4

SHA1
6a1826a7a1879153659d180f33d944d072d3f05c

SHA256
912138f96d51dc156a2340317b908ffdb989ed2b47f6b7d3e670ec858fb4106b

SHA512
cdf38a5951f2ef1558e0071d3720b174d6f8c293d4f9fc4165c0dfb4215afbb6483ecae3b1003b5a4825f72bdc0a6f50958f695035da4f5d7194c70fe678d640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0ce1764dadf617a97746e02e79faabb9

SHA1
c3e1ff57266b3c1b6db48b07114b031d999d88d0

SHA256
2a43256fffb679be38e0b5f33262be294ff3e86a6a60b9c14493142be4a3c978

SHA512
c7f3ef76d833dfc422c4abd76071385cd5c98c9cde37d4e24dc822f640f1e85d73729a44c8d9f88386169135b2139b7f5fe58413315f27c63a9aae4380fb6f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
86f45d3b2e7e543d5e253f0e67d5d46b

SHA1
f0d23cb572cb3d6310146ef4f26339bad94aafda

SHA256
10899832032fdf4601090444c70f25ec5a58fd422ed602643acdfdb1bfbde862

SHA512
e4dafd921be63bdd0b9322e94732b58147ed411b21ae563cae1e03a16d6996bdf7be932e42ee5e54441271bc7fd45dcc63b69c1354573dc99e79db0e6b430cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8d661c580a28267ffcb8a1e38d9991d6

SHA1
a95ab7fe961220b871907becb19ba1b7b62a38e6

SHA256
b9a3a038247b0b75c1d550f32c0259e447c765bef214923aa42830ccba0c0540

SHA512
9e0179b611fc0d36cc6558499e5aa4e63d3930a13640f38a06f005fc494bc7c0dac618136099c5f57a7c27e3bb9a792ee956a003d0cd01d02cb0398c36d50193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9333d92f988197deb9f4805ca00f6c54

SHA1
786ad63b39285de00b15ac80304e13fc406ff69f

SHA256
a59cafdbd889fbb24817e7cdeb3de1e8ef565c2040cc77a1a41f7daadcea9d94

SHA512
007243328b3e0a8b022aff2d2886d171ad18e04dd685c23ba5f197826b69dd6e0d6f1ce1129a7aa7ee23adb7d6e960ac71ce73995ad2320f043a8209013c31df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e517035dfa43cd526ee65caab8b20001

SHA1
3ea3f2df8e7cf35e68d922d890a33b70c6e90d95

SHA256
7ac972d5c3e66d51db81af9c415373a935c1d40e6f195e041803fbf135691d03

SHA512
3bb199b786284a6efe71e32840b7a9dffb74cbba8925b521e2b2346c2c341f858d0b81e77f80ab04030919cb2a68cb1170837ea696fb1ad53ad031251342956f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58f48c.TMP

Filesize
48B

MD5
44dbfe805812af6dfd720a0d4d101b61

SHA1
6c212d428c4f40bcbd32623ce133ae8885d7c535

SHA256
309217d116dac1625ae349953a827461c7d868b08420e4624d80deddf14774cd

SHA512
b695b20a35533d46fb172590506c39dc265653ec6238205a3b932ace1c352259cc72fc5f7756580c256c1df07713a0ed1b08504fa049b05d0d8e8aa29edfb1b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
b913a3ad1d506230f4e4dedacc543b12

SHA1
fd872a76d303e5f59841db3fabd4d3463d329412

SHA256
60f1b6771bb6b94db84320af2efc20a21eaaa7ddfc9c1421c32851c892f21825

SHA512
291c145a456d76b216d55dd821d4c3d19683959c4c8ab830ed92fdf1006e2385c8adc2a53b1ebc55a94eb30200a3ca9c6f87e64a775023f0fe8af8c605dbc720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f5d5.TMP

Filesize
872B

MD5
f398b53aa394d0ba59e5d4b5b084dbef

SHA1
98fba5318375625e676ae058f9620e26f138dfc4

SHA256
a2c9464f84c13cb6d0ae0fc59a49930a316f81ae481e76d7181645aff10b252e

SHA512
a6a294dc14d9494ae72783fdb23acdd11a586d4fa00ce433fd46d85697f067c5a7f797adfb5b0c830076704789ecec40d80cde9b8fb98d404e87b8a7d9608df2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
86483d57e32a316840fe9f3dd5a574e7

SHA1
25dca209835e0726117f04cf5c32da79eda13af4

SHA256
4d8b003b61ff0bd039c478527837c30dd8e59a8360bbc9315bce33454f7576c4

SHA512
af57d72f3e42a15ec83f5ed6847850218ff365d8f57dc69d318c41827599d3b0d6cc49549d1735d1674df79144d17ba1dfafc0e28b538e4db9426f45a3c53190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c197b5e1eeaa41700d6c29d8d3840c8

SHA1
a77c82b1494d6a8d4853c912df34ad159ea50cb4

SHA256
826c4b1cd82ca2866567f9da59d2f84a12b901c06a8fc78798c927794f11b73f

SHA512
972b613f7210e8ad0977caea8ebe102c9832045229d0f79a1ea1501deaa83983f4ee0c05720978f4fa27e8b32b23de6d97650d533be9ec765dac3659263494b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\Pangya56.exe

Filesize
45KB

MD5
37e143ec80feaeef29e906bb0ca6f7bf

SHA1
603fd25c94f0030186250472d8e74ebc85d1abdb

SHA256
d21d4ed60c7c91365c7717e573c0b9849a170b3b66604367755470e0201debfd

SHA512
e59874b7eef2964740e17167b25ddccaec17b8214fc5191bf6f641c6c7f176b6c08f1c1314c1b058a94e774d40e1e6c0e9a7874bd897b3e823974d73168bdad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB873.tmp

Filesize
1KB

MD5
1a4b4864d6ce5f159ce15c2b62e8942c

SHA1
de915f250e0fefa527498353852c6f3d57c7c70b

SHA256
5d677b1f21a3e592b060ac208807f8fa85304b5c765297651d7414a8b0068585

SHA512
07440c844b46a794ffec761680451aca4ba948faf64e6a0397b1bcf0006fa3f14843b8e8968bc59d06cff04a8b5ddb9ed8c12da453035686a7741e967f742f35

Download Submit
memory/1220-16-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1220-15-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1220-20-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/1220-19-0x0000000074EB0000-0x0000000075660000-memory.dmp

Filesize
7.7MB

Download
memory/3808-0-0x0000000074EBE000-0x0000000074EBF000-memory.dmp

Filesize
4KB

Download
memory/3808-1-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download