xenorat | f5bbc5fd1993c00aad0e04cf674216b3eb317aee7a1208aa99e3b311f60624c7

Analysis

max time kernel
361s
max time network
362s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-01-2025 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Notepad.txt
Size

339B
MD5

0f278ef649c5620e8c7def1f71069864
SHA1

a8743791baed7c850bda2df340730c806fdcf66b
SHA256

f5bbc5fd1993c00aad0e04cf674216b3eb317aee7a1208aa99e3b311f60624c7
SHA512

fc8077702c179f4b909a67e7f0b59d91a621c70d66ca81a587d64a100d8508e1fdd7835b3a25a157b823e0710f81928981b27c96f6b5e27e89b1ddb8e5aedd3a

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

localhost

Mutex

testing 123123

Attributes

delay
1000
install_path
nothingset
port
1234
startup_name
nothingset

Signatures

Detect XenoRat Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3796-1976-0x0000000000010000-0x0000000000022000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
234	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1f1fdc0a-7295-446c-bc95-11d5008b55c2.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250108225708.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xeno rat server.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808504739630987"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2708	NOTEPAD.EXE
5688	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
3304	msedge.exe
3304	msedge.exe
3240	msedge.exe
3240	msedge.exe
5452	identity_helper.exe
5452	identity_helper.exe
3248	msedge.exe
3248	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
472	xeno rat server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
2708	NOTEPAD.EXE
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe
1976	firefox.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1976	firefox.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe
5856	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 1804	4296	chrome.exe	89
PID 4296 wrote to memory of 1804	4296	chrome.exe	89
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 408	4296	chrome.exe	90
PID 4296 wrote to memory of 3892	4296	chrome.exe	91
PID 4296 wrote to memory of 3892	4296	chrome.exe	91
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92
PID 4296 wrote to memory of 2536	4296	chrome.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Notepad.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffa95a1cc40,0x7ffa95a1cc4c,0x7ffa95a1cc58
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2344,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4784,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4968,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5292,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5180,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5556,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5584 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4036,i,1452105344861755820,12031957119000713179,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:2004

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3940
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aab9836e-2b35-4133-b60d-44197b242399} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" gpu
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d690bf21-9f72-4427-95e2-41682692e026} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" socket
    3⤵
    - Checks processor information in registry
    PID:3704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3020 -childID 1 -isForBrowser -prefsHandle 2996 -prefMapHandle 3028 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bd4bb94-f134-4751-8761-2701da4d12d0} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab
    3⤵
    PID:2080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4256 -childID 2 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa5a0700-1890-47bb-8fd3-522829197a20} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab
    3⤵
    PID:4564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5032 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4184 -prefsLen 33305 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0418372-dd83-4b47-b509-c1c454fc0e83} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" utility
    3⤵
    - Checks processor information in registry
    PID:5804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4832 -childID 3 -isForBrowser -prefsHandle 4816 -prefMapHandle 5204 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de941c08-34f3-45a4-a6bd-b92f02f496f4} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab
    3⤵
    PID:6120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5160 -childID 4 -isForBrowser -prefsHandle 5168 -prefMapHandle 5184 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4562d5c7-840a-4e08-8b91-321af270f745} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab
    3⤵
    PID:6128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 5 -isForBrowser -prefsHandle 5452 -prefMapHandle 5356 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36837c35-2c88-4305-a4ef-d17157ea8f90} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab
    3⤵
    PID:1264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 6124 -prefMapHandle 6100 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {035be582-a099-45d6-b14b-30c6d6caffeb} 1976 "\\.\pipe\gecko-crash-server-pipe.1976" tab
    3⤵
    PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\PushUndo.htm
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffaad1946f8,0x7ffaad194708,0x7ffaad194718
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4412
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff65b515460,0x7ff65b515470,0x7ff65b515480
    3⤵
    PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3752 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6496616418292150721,14556100931455360562,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6328 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2748

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5856
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Release\Config.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5688

C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe
"C:\Users\Admin\Downloads\Release\stub\xeno rat client.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3796

C:\Users\Admin\Downloads\Release\xeno rat server.exe
"C:\Users\Admin\Downloads\Release\xeno rat server.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
51df50ec78a7a144e9029310906515b5

SHA1
58309b29e2d1f74754853963aac3cdffc72709ae

SHA256
eed77d1f43fc6f67877facf84894a64281de2e7ee9b1c02937f376f1a4fd0208

SHA512
9490f421b7a3e5958d5bb6c516ed97b0aba9d41376992fdfbd1cb4f7a8c50677349f22d837afcedf58a0b44fce2b45be91d196ed48b285b17b3f71c8f0008ea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8eef6d3f825eca8e14a954358c1c1204

SHA1
556c297643463b6cd7bca1368b67c3c2ae2b9bb2

SHA256
120b9f2e48f850fa23488935f3c69ee06b377ea60a2649b572b2a8a8d268db54

SHA512
5949b14282bd16d4837eb2eeab630ae4761de5fdee0db809b2a10e1b6be8691a0117142879a860948c78ea57e6e6611e766a740024c791a5cb836fb1f1df8b98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3d5050660d673f1565a4940c2f55270f

SHA1
1d11c6e2adbeac6dcf63c7975a4a951aff8dd78a

SHA256
6e147432d90faa70b632749213f90874d3fc0b3024d037946871e2861fcaeb4c

SHA512
ed3d516974231dbd4894e8c6f3337486a43b8d496483ced2681e2669e4f17362bdba572e2d5d26d8247625bb10459f884122bd903927f02f7823fabfa7dc3895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
761d990671cff7f07851320366c36072

SHA1
791902a10e5e3a9dff818939f5070cbfcdc3e486

SHA256
2dfbb32c68723f86e7946ef22450fedf38f490f09b6c51e77088f3036cfd9d1c

SHA512
4e10087c9bb4df8451d9945c8659a83ed827a554cccfd8ec8dc031a387a38b705818c2f818c31c5885e9edd878440efa8e79cf1c8305bde3872b63e376623cd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
41db1d0370bfa4cb9299c9474e7588de

SHA1
09e554e610f4524d56c0a76b627413843ea3a024

SHA256
38c27a355e85aceeccc8e138b05230e4a1283961960338b8c06f924f12c7b459

SHA512
6a124b90db9176154954de8c3ec6f39be0efa38ecc8cdf33ed45ef336d40467ff7286ac750f7adaba3e0b05ea79ab753be9686eee18155a9430691a371defdd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
044634c5cdaac694928fa681f65e5e2f

SHA1
b77cb5b8be937e368a387441596aa049c758e9e5

SHA256
c1fe19de7f1855625898fbd41df3f261f6bb19eaee5499e25e7bac46d585b7bc

SHA512
325bfd6ec12aec2701c38983ae7ec6ec210501efaf89414be78bde172e41c1f04dbf82e98e9473a5f71b9ce41f14f0c510c59576ff609f336fe5f978553a46db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e38f1de31dd723966258de3e0b6d79ef

SHA1
cc12f595b46e0bb574d81279d6ecc58e83663823

SHA256
cdae92a63b2627c3500fbe7464b3b6f01c163ad2b9ba3c0a657bc23dae3e5ccf

SHA512
44a4417088b072d04116f2497bbf6c041ac49e36c80c7bc598aefb2d028d7b0aca08c067d7731916843de619f9dc14e523a1a3e1d9cbad9fe1ff6ee26433972a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e15c326be9711996e478b64958b211db

SHA1
491e9df1a193111475034d6b999ad911c95b396a

SHA256
acdefbdc80be1216decec1f5896cbd7e09ba3f4b298b8bfb578bac76d5b76849

SHA512
80c40289b3a1fb7751ee3011ef3a83da626e590e67711aa2d03ecb6ba868df35878029b63ddd775b9100d87d316bcd534559ddedbc6d0367525f2da4ee460603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56fa02210c3776ac081a4a56843d91e1

SHA1
ae276b3fba377f8fdccdf12ef07b89f092fb3c53

SHA256
8daf1106983c153f638f4da1ebe5eb2f005a816cbb1a470bf9b01623af5b2b38

SHA512
c3c313be82274d06a07b402eca05898cc72dc2cf9f05f9b4869437fe460da821ff3ae0e2630b90cb0637d56705566cc0605152d99db3b4b95c77f1f2109ba635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d42ae0da1b6ce131eef978902c6182d

SHA1
703ee01f05acf9add501cb1b14a413e107ceed7e

SHA256
3d26352534c6aec8765a96e8ba9ba691c847313dc88ca71980b8b8207b4cd1a1

SHA512
6b1508759d29a5db12b138d691e5f568de9681bad2448eaf116f9d054d3c510a6651659ddd5eb8b33d4eb51d72edf68943c589bb406abc790a441c210db758b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
279f75a23063f4a00b86e6d8c89fe91e

SHA1
88b015af6e265559c80f1b618a2ef4720752f79c

SHA256
fc369d177592ce1731ee34fa822e4ac14ada74f7a76b2a59aaa6bc19b93237bb

SHA512
13d8f0989087c8a9799c9c1992e11025de48d0550290014f3de23e1dfa56f6a29e5ea7a3d90e030ce1a62247174de95bd293913551323cffaa60d3e518aa99db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
efe55811472f2df64dc38ff9decd3850

SHA1
bc52c10835e3268fc046d7e7b9cfe37228b3ab15

SHA256
4c32cfc2c56686c5e536c8138bc0222c377c841d9500115b76de714c4493bb47

SHA512
dc684bbe5a7861763709a22b3c48d18801cbe7b7cbee3b167a29f68a564da8cff230508679624cfcba8ba6fb0aa9da1e6cc42d2c51e9a2f6ef8108ddec6156cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
cfae220b7d84a93b5939694c91c3fc92

SHA1
6556fd6def96b145a60a1f6b5902294fabf50181

SHA256
903510528cfda7f4bc5304d15f5785dddaa262ef4d324521dfe56178b58bf812

SHA512
e89264c3d0bc50ed7feb5713daedaa699fce3b832fa21d93d8deb886a8cc32cf363970d19a93db2bb1f069d075bccee4316f87b83baf2cd0ca5ccd16f83542a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
378e86955fbe64a17d731da34713bc9a

SHA1
7960944fe39c96d3d98cedd6f5f9b8f391b0e680

SHA256
bdbab4cba2d6ff01cb2083e785b23e0ffeaafa975aa96a4fc983971051ebf13d

SHA512
fdae7cfefcf7972152c582f15f40c2172cbe660e159fe321e5e05c9630265c028dc3142d09efb4eea33bb8383b5eb84465997a16218325ab02d38cdaa2e4c7bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
d6a73eed78ba6829e9f563867727dd94

SHA1
8e38c547297416f11a880013db99fdaead45ea5f

SHA256
273e22e1f7f7b9048f9b5082b77e3f2c5b9bb5c99814c87ab7a778bedf407371

SHA512
73d149f73cad6087f38211a5985db7c7b400f20f64eab15c48398c2b0addbc747135bb90f01e18d0976116be4b0f7bee6c4148032ec796785781be0b8f834710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
b338bc1ee62e1ebb8c760d6be15a4819

SHA1
f5c6a6b38bf85e8b904b3fc2885c5cbf9b3b8d30

SHA256
25051b6485a64586ee6a1624c050e6483859a0443e02f289a2b79d0c5f3a0c07

SHA512
091dfc6285da920b97c0259e5cd44fa32ece8534464c126a3fccd702acc129a664f6bb82958c984ad577317ab2372bd1498f863156fbb4657c59502db2454d0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
364a287c210f93490ced96ca66202d67

SHA1
fb296651af2c6ed97331de378a15c052d647abef

SHA256
7132f29c3cff049c74ab1d530d8b0baae8568ab379d4b8bf30f3d8ab7784d046

SHA512
9df635fc9c0c4be57efb22d82a5edc7084280b59309b87798a707c1d74da9b7bac4dfd9f90c52d83489612fab62fe0dccd4e179e1580ace0b000132932b487c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
8c00b95a76c981391a1770fd3b4466a3

SHA1
838272dfdd7425348c451c156e82bb309062a76d

SHA256
da3753824d37ffe4043647974d2ec8e7d0b9448a94800eb949d55f51885061e6

SHA512
7d9519f5547a38574489d2a8de76014069be2e912f817b5b735e704ee8f12a9b25f419a6fe7e27391fb739baedabc2f817fc418b707567716a5b8ab2868907bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
77fe0ce7e1f9c9ec2f198ad2536bf753

SHA1
2a366472f227a24f3c0fba0af544676ea58438d7

SHA256
c69ca7653724e1e9e52518de8f4f030813e1431223d5b6ad3270531d8df89f00

SHA512
e8d4e17b93fb19364eeeffc5b1016fdbe566a8b8d702005291ff263367840b8ccc76290d8a3ad457d40fb5d1c2204bdaa5acba9374236c77935ebb0fe597a095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d57a449c855203411a38d5ae80bc24c

SHA1
b361032efa556fc4557bbad595ce89c4b0c13dba

SHA256
bb59bab10e406cd91bdfe4fc0e8ce2817a6ca32fc731ccb3f90b6b79c1a46c21

SHA512
8d4244dc9c0e9518cd71aacaa54d43c1e2d74519e3e692160b2b040d00aac25c4ba7a5705391e50957d46c8c711dc07604effea3bc06c8956ecf717f61008da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
20KB

MD5
68c3883e9befb215e08c7e65406d6402

SHA1
ef52bba902734d9dfe6757a2775f791e575fe7de

SHA256
ec2192bb6f27c0dee96e75b6d03707941f17166d52b4e2d590fe67025ee99477

SHA512
142bfd2efc3f458b96f073421701ecba2ed73340d0a8d283989c188cea439cee556859fc50bec5f1e35f10ea8d47a7fa335844b48f2163d43cd31b947cc8db83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
946b38c5677879d700f437fc9eac67f2

SHA1
81faef44ef93aa0dfaf6868028308f9f9ffba20c

SHA256
35739b2f1438965478a6ddf810499adab6b094f204425a20e04c309c1b5d047b

SHA512
3959da36fd15e2f581f75fe83796774fa9c37799e83dd2b2ba6143f141b2a62c0f6bdfeecfd05b992ece1026ae0ed42aa740fc053c8ffda309c31b358837b65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a6d8ebb8b405a77fd4612e6f31402c68

SHA1
4c8511f6fa9a1372cb73a2844f341b7c29d2cebc

SHA256
c492c5ea407c9aa7887b2eaf80466e46ecbfef104b977b540ebe1d0142182ad0

SHA512
691cd93023713f83c96fb0c8fc15250a42a1b7929acb21a89ce1ab7bc7fb1b9c86804317a8a7a29c26a2ce59ff253bb71737953248952a97a08cd58508cdcda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
765104dd5bcc135ae8b16b67319ead42

SHA1
ff70e391bc456c09ff34169ebfb754e1578aef6c

SHA256
717d87d84c84b6cc138412f32d0272fa2e77cdd9ef33de106218e9bc96e23058

SHA512
d5096d36317d72748492dd9a05a025cfb9fec646b08ac43e61fa7516f107714f1d2b2d0ea784048b6ecb78d6f4f103ad26c1291aac837f1569f127421c95c0b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8164a4f5c19eb0e8ddc39570403f0fa7

SHA1
d73ffef65a022ae4bd0e5181260d9b6d266ecfb8

SHA256
49366e56f28455afee78360d46d1e4c43dacecc1d79aba0b95bdd99f46ae4374

SHA512
a1cee44a2e9d063f439b0440387762eba4575497ffd64dd3f1de9ff97cc25d56d4e263604d964673b1a539528bde64e54301e2e76a9297500b2efc70892de1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5b2d46.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7dc043996564758fe0f649aa91105ae3

SHA1
941bb40e70a81b0d9d3021b125b39f1a9e4f6f71

SHA256
520ccedddeba1f10cae80ebb30f8d6c76bcba4a3cfe8c19c907aa856efbcf823

SHA512
ebb3b55771dac94a012a5a12d9fcbe15aa593e027f9c8da1ddff954811f9d32ac9cbcc5b8f841388384848dc8e3778a3814e24fa9dc21d198d50f32e8ef675f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6b0d134517e02cd56ed930d7e43fc3ab

SHA1
0bc876ca14ce5b53f9aa12a50ac8a84b27cf7e5c

SHA256
5f5a9a07565ed6c3de6d1d9a8d06a1d821b029ae12fb3cc2b6837034eda26271

SHA512
b7028f9fcf71a7ad2c8116f8b416c8eea432ed8be108a8bd610fb2704203c3a7cc7837ceace99ecc24c57b43ade1d3f69caa938b29a0d74af6f306c24d31d738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d23d9922057703c8fe36f74e44cef0d4

SHA1
c2a06dd4970d40b24e8b8a72111e86508c675e5a

SHA256
dcd9c6221eb0b93c596843f1b6254d533cfb8c7486f70038cb4bb4af60c38e0e

SHA512
e534c91bfe8afc15382240e8b415aaca253d8170436ba5ba184c78280fb575bcaa85d281836f3e7517c8028fad4df14dca615ef35ccd4fff8e777d1813ad4eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8537b3dbcc4603e6a2b0d4917092d5d9

SHA1
280b345e99e427b0daad60fdcff8a39482bbe65f

SHA256
daf7121ec14ff84e5c0fd454c00a15e4b14d1b5e4354ca52465437f5639e7a87

SHA512
eefeb3ea8cfeb11fa897a192ba76527a70051bb14456616ab9cab189b41fb0838a452abfdc5ad419e2608f1546cec5b1ee843b6b7792da9a5e8e3bd0048c96e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
f1350f3749475b81ea484dbe970fa2fe

SHA1
0988d475ff0a058b5f969fb89b357c3888b819ac

SHA256
f55e421f28c838f1a88f0c97ec72b2b3b8e6de558048f0274dfae3de318d8079

SHA512
f495f30b86bc2f807979437df0130c61a15af269ca11e52af915a9685532be5ed71459c67f625e1527238a7e51f7c43ca29ac132bf31da39df24c0a67ba966d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9b2345e425acf05ffaa1dee20d4fdbe7

SHA1
aecf86c5a5d24b77aea68f6bc99e7f42c9048bc3

SHA256
1eb6cc0eab0b222c1111dba69db74281366b9f5dc9f8707ff215b09155c58d14

SHA512
647fc97d693b709ef3b0877b6de1d4f9f4e1085d35b809d27360ede1be52b37f9a967fb80ce43be35d60b52409c7e4036376d7d931c96f0660a2eeffa58a8208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
77006dacd174a80aa9b867f95d5df337

SHA1
7078db638c72ee5cf4ede7911e4421cc4ae103c7

SHA256
5e22af33da2ed3f3197d9c899a8fec5e2716b54be019c484cd59960da8f143d9

SHA512
e8268ed24af38eaebda4cd864e5580ed1bb63e3e4b72a27fe3404baeb7c8c944a7e79282712ac9d0b33f0123654dedb1984633d6ae2a5b412d6536e2b0389bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e6e9fb4744baab9b7c62fe0c2280785

SHA1
25b7b85a319e948624854826452363710ea4022d

SHA256
ab462b3a53f524981d50b05e7ba9c2b049f6a74d78cb0c821a18119574f8497b

SHA512
bafb8264c3d18228a03913d6557c2d1727487b7defec409627147b3639cdf13734163d615b7d47657eeeebe8925ed152296018e8a63bab4f769f4f2f19b807a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1e223e2d90339f4a32d53003eb30be7e

SHA1
23585689d8d3cfd9b7b6b376d4d9152c9173c796

SHA256
a8ec04ea4a306d581b6389cd7ef388f2c3fbdbe4420142f521cad9d6501eb7fc

SHA512
743d51bb89cdcfef9f7c86ca397ea491a0352b70c3c1c028792d88f57a04f4f12415f72888a2380d0f53f610b66b2a76a63d500d638cd4cb8d5fa4e8caa4fedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a83e9332a381bbcc00633d370776c09

SHA1
b7d1d9dac7f654bfd2e2fddf265a327ca00e81b0

SHA256
02194dafae4d76d490ff207a81339f9fe348047a43e6622bb8717c126948646f

SHA512
85cd8574d096fd97e9ea232d977dc3dffb86352cbbc16163f231b01a62fdb049c67241d4a0831b9fba28fe70b9abc84dcf41cad10f5d0b405d5c25e51392078c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a787d.TMP

Filesize
1KB

MD5
ddac9bad73978765d644933d076586b9

SHA1
0abb4c38e8c14f32f2c64679085a4693992a009c

SHA256
1111870698031415c3c22644c01f60de76310805cc7dddb5caf33b3760651215

SHA512
bca4591dd0c5cf801a63fe3c7ecec31c33937f5446a57f65e7b3db8b26fe4f9af8eb9e1b0489b0b65987c9a65e640a94a9b57bd4654b98b6c36d866db61fd2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\da9c80ad-7f37-45f2-af31-214a1039752a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
396ac5a0c9349f243d66d9242d8f36c9

SHA1
359d85529be487490ad86b3a018e6f4ec2747354

SHA256
a129a3d91d2a8d0f5e7035691e0c7d76bf8db8774b7ca2dd5dd0daa68cee5a16

SHA512
d10184ca072a38252e346839b64706184d89aac0cd5ed0e0ea161d7b8cff6e6dcaac6ea919c4bd5a01d24ce0d40520ec513d14fc5a016f928af5894e80bd48ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
4896ea768e4593c50de519d8ba25185e

SHA1
45de128403daaebb75dd8955f2f90cb4c6bce4c0

SHA256
21da73da1c5cd2a903d953e017b5a88cfdd72a23738e0df415b2642bd7a9bc07

SHA512
0b1413243520ec0e6d88aa6f1f863b123586ac0b751f5356044c3b530bf33f096ffd16495ca3a4f72eb06001fc8dcba8cf9c5e575024accebbe6d44e5989a3f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9enwga8g.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
66920272c27884e732ec19a3f8ad01e3

SHA1
67138d05c140be0a5e02eff1e74bd36271987691

SHA256
8642f8d7013dde6d591ed83e397dce1e7642e352c37c501010fb9c1af1f76f5e

SHA512
064afa6559c6896a3f2ea53c6721b901197992c410217c70db5a565aef50b675a9c390e29bc609a32aca6b375def927d699863e19bab8dc9a5d2ab97bad1bcdc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\9enwga8g.default-release\cache2\entries\1028C0594A2905A51C9BE4B9198A912DA5F01823

Filesize
49KB

MD5
f77e98696302052da0c55932efff96b7

SHA1
7105d88906eb4be0b768ccc62dd36b3d06e52908

SHA256
00ab4e097265c00c6b3616d90af365f33b31f920daf5cb1ed097ddc2ccdc08ff

SHA512
320d13731b8ac165be7556d2ab829bdd22472a901dc55e45274301ea84e0e86054b2c910d180c83e07638c6adaa67737c878ce76bcd9a49d71c2c4950d7d8f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4296_778542117\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5fced2190ccc9f3e50d7c67074e7d0c4

SHA1
c7f41978d31a53d1c6aeb0e0ee3a717be16b8c06

SHA256
f382facde9bf6458868c0c61e8c129795b2c38c52ab6b77a748e5e8953a67176

SHA512
9e07d8be400c0c11da22f2693de06a35bf4aaf036b7fe301f33e2453ba4758f61f367cebef99802482d14c14c8c659d660b87eff96712c0e988432ac5c72b0f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
054ee8f93f5f94ececdf5b54cf77e79e

SHA1
cd2623d3c1c03b6b486fa44a9a2cd5ebef645d29

SHA256
54c014b317f135427a692ba19fc06132e988a8a3c9035dd50175cecf57ea2789

SHA512
67d31494455ab9db9022e6f4dea5ad7ea02ecc529c52835894364a141eeff62af5b180f13e86f5f20ff3f1e85f27a77d7c4f125e5efeb48519ec076917b171f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\AlternateServices.bin

Filesize
7KB

MD5
bb3a4dc28b930915b00fd6308a90b5b7

SHA1
ef68fb1d9156d0a51d55e48c537f50aa9d22ca88

SHA256
24d7ba22389c02a816327af9907a6d164dcae9349ae0ce660e60b5a2a22aad84

SHA512
f1741906ac8592070c5ae0634a60a28591477ad3a9df84b4a2850552624be8fe925f76d84a55852c49514c98732c8fdbb33b54abd4dadfd803eb891f69cad9b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\AlternateServices.bin

Filesize
12KB

MD5
91ec61239273ac3ca2b64bfdfa865398

SHA1
1d62fc47fa7020d7a1cd041d3d9eddd38655c9dd

SHA256
d42642dde462ef9791b955c9f6bdc9a75d4666b15279c46495c096ec3794377e

SHA512
cc6e3bf5b5c0c67512f49e426e84e98708db04d0b0b2c7576b13dade671c3a1a9454f94bf2fbf211b9905f02cf901de8d333cb6c9215cb600fd56d69636ae9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ed41acc3cbfa948429e2e432fa6ac6b1

SHA1
fee9367d5b8eb8969c0576b77b10785c149fd0d2

SHA256
d0e0a7332c74a4f92fdc8632389f5589e33e60dd53fd00d2c4054bcc2796237e

SHA512
51133f8410497e0b1a58afdf347bb1d85b07a2e76b81af436e9e163d59141ec200ef4c70dde5c4a129560f622b6e7ebd93a8716c919eb1d1f7958d8b5eba842b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1fce0bbf7dd61d8675ae874a67d4810b

SHA1
de2a9b1a4bdad2a089f43abfcd30a7cc6be62368

SHA256
f653224f2475c08af829db14936a69ee768b1da880991896f8c0101a27929ec5

SHA512
2959e3e58fbff19e1e67126cdb9c5f893f6f9f6ad1f44d07ee1c7f33c383a676d5ebef116e71a0b4a62de917ce02930aa7279e1d5543aa459f7ac62749b2cd35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d664a9571aafe61603c4cb3486748883

SHA1
bdd69187950f2783d84b8e4cf076211de9996044

SHA256
4c08ec6486d42af42f803fa614c3d28192a490053f1c603bb52619c519304cb7

SHA512
473d1d5aeae9a06c14b47246474b21f16d4c16fe4358604c09c1a7567f4019173561159e529ae850e62a91ec67a63621ab2085cea818b189cc772c99032bcbbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
f93183ecc64e9fd8402e4b4cea080a9e

SHA1
e9e9ad84efb0772247cb9338d084800404a04af6

SHA256
29a1e2b8037dc45006af928f018ad8b479d63d1712da8cc5426ae6dbcaf4cb6a

SHA512
b1d59a423c910184ab07909c4f3b751cd7a857ae63f26e30ec3a1c4f1156dd49f6e49370e243a8b0ef02d696ce453f95654287b994015cc8ccd630675a402600

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\0fba5a53-71f3-4e5a-9c82-04c57855f9ab

Filesize
671B

MD5
f607b191a9cd57f5c0eeb6fc9e5f3de7

SHA1
7d546216d5af0cdb5f97f9d44dd0067b8409ad60

SHA256
e6b7def9291b37de81dba93d6ee4061a88e1064c3744e6821e81be8b24b367ac

SHA512
d2fa27d08ecf36de0282963d4d50a60069d69f3c0bbfcb4db502cb2e6966221bce0be91c7d796b833b5330aaef1dfccb8a8eae15bf7221e87bfe5fcd6ea14e36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\2cc4d874-4458-45fb-b348-0c02dbc75daf

Filesize
982B

MD5
adf798752711ba5a5774340d0d7d2564

SHA1
cb9845dff5a1a0991fcd075783b78595c07f9550

SHA256
22f290b598c461d4f1dc74431db03a77a6bd39f596af2372ea1b3c54c7e277b7

SHA512
b7b267a1fd0b5070b218e4ebc2d4f417e13f3b33ae07cc05c95f19c6c77855d0c2766be3a0fd1855dadf52b9a4653c4817c62f4321755a1e5e44d2a3a0edd482

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\2d7b6bf4-89d9-45cd-ad7d-8f02ffc8dfff

Filesize
7KB

MD5
33525273ad6225861655f67286abc97c

SHA1
ccd1375917bd22ff6e7a7c52ab07a2eeae40b8d7

SHA256
6ade0f89ea623936c96a7f59ceca751af955463e411ca3ff312c28a414b51dc6

SHA512
692edb55a296a6a6bf7ac78f8991c1d6247b2b2895de6198b0e6f2eab3aa302753ac8156d68188c0c6d7dcbaeb1379758e21628fe61acee2bf3bf659123dab39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\datareporting\glean\pending_pings\a483c2a5-efc9-4b63-94f7-a637dd889e8f

Filesize
27KB

MD5
ca319a83590fc95e2866c9357433326f

SHA1
d2f9e72c3ad8952bafbe55f83e480ec015fc9e9e

SHA256
5a9a76be31ec630a5ebd6f780e87cf28df2ba8e26b6955f2b0abf7afdaae3321

SHA512
bcb089abb4a9ea48cb0f4e30e07ac1c0ed5660913bbb21ca244b23e2085e0ca61a237c7f49d62c11bb3225389f42c30ef14d4a88ff2bb87448ae529a5190e7a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs-1.js

Filesize
11KB

MD5
ec553e297e595c6529bd33e6066e6666

SHA1
554ab1515f2667245c2d15430ad24ac3b558baae

SHA256
588731ced7a67f511d6f9a37b9eb2112cea66320b9b48837f0b6a6ff6b46d6ca

SHA512
607ad2cfc22b3e900b8446a4517cd4285aa82ce7c588b3b00edfb607ebd9ece74ba6ce1cddb66f6bb46ef9dd2b1ee64bddd4a4b1d874d319bc4f3e40866b405b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
10KB

MD5
d7acb78ba93c31b04c9c96c2681329f6

SHA1
50199baf685fd3ff526e425a4e433de6b33754cc

SHA256
fa040933d95ab1e2aabbb2f3c722f942fbf92527ec1327b1456d2716626b7d2b

SHA512
c1daacb0d74d111ced02d3de69fdcdf89cb8f991abb52af295ac5497f8bb1bfc1599f824f8918c79ab7105426de417de143dc8a73a143a04fa7d69ed01949bf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\prefs.js

Filesize
10KB

MD5
6d44e8568e16e16f26032645f5010c95

SHA1
feeb8950969640239231d2782011d9d8391cdb19

SHA256
f9848e964e88f129319f69f26a5e0146722259f024c621276af4e3b3f604edfc

SHA512
d5311aee355b3f4eb5de7b4ee27bac8b7d5d91e0a0377afe84da9340f3d5fec5ab8976fb35742f81f82b945c7399782cd317ce884ce6b2a3c8677cf5fcc910e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
8792d8c655640b643427b7421cb3ce08

SHA1
1b75cb156e01a274346ee8702a700302adaf505b

SHA256
a0084e0de07606f900c4b2fa2fa5a402b7a1090a8ac1f4fdfdec129e6f8ced3a

SHA512
9e40ae8047e832844d906ec50627cded3d0b5a2418e6919c35245a7663036588d82315e4a4abbfc81c8e3ec722b177419135fa7e864c8a2f4cdbe0454deaf404

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9enwga8g.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
701e300f7ec41b5243e96a1ce148b969

SHA1
a6313ad4defb67b7c8e97890fe6801ae388ad200

SHA256
1c7678caf8e9244b7ed48997ae8f9cbf6ea96e2256ae2a8139503516a7e3c2d3

SHA512
3272e7d0b6423c3f10b8825a3078ccd308ddef90a5dfe1ca77fc3c8fab8ae2aa4da3db4e1bd6a8e304247892685bafa4b6c44dc3b951c87ee9976f539a586e79

Download Submit
C:\Users\Admin\Downloads\Release\Config.json

Filesize
462B

MD5
a3668e782794474ac451b2ba92641963

SHA1
f8ae2fd8abfb1970567932697b5dd6fe3ad47844

SHA256
705171b92e779bd16e9b4285a683f61c6ce72484372fe21026b3c948ed8b9eed

SHA512
b43c0c5458e99804b49ce9646f72b982feb69f0508887251629311327af34b4ed59d264a156ffee2cab908a79d89a75f95bdffea1dd95234b9a1bf12496f540d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 348601.crdownload

Filesize
6.4MB

MD5
89661a9ff6de529497fec56a112bf75e

SHA1
2dd31a19489f4d7c562b647f69117e31b894b5c3

SHA256
e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

SHA512
33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

Download Submit
memory/472-1944-0x00000000051A0000-0x00000000051B4000-memory.dmp

Filesize
80KB

Download
memory/472-1943-0x0000000004C20000-0x0000000004C2A000-memory.dmp

Filesize
40KB

Download
memory/472-1942-0x0000000004C50000-0x0000000004CE2000-memory.dmp

Filesize
584KB

Download
memory/472-1946-0x0000000008150000-0x0000000008162000-memory.dmp

Filesize
72KB

Download
memory/472-1945-0x0000000008130000-0x000000000814A000-memory.dmp

Filesize
104KB

Download
memory/472-1947-0x0000000009CC0000-0x0000000009CE2000-memory.dmp

Filesize
136KB

Download
memory/472-1948-0x00000000067D0000-0x0000000006882000-memory.dmp

Filesize
712KB

Download
memory/472-1949-0x00000000081A0000-0x00000000084F7000-memory.dmp

Filesize
3.3MB

Download
memory/472-1941-0x0000000005200000-0x00000000057A6000-memory.dmp

Filesize
5.6MB

Download
memory/472-1940-0x0000000000010000-0x0000000000212000-memory.dmp

Filesize
2.0MB

Download
memory/3780-1977-0x0000000008FB0000-0x0000000009307000-memory.dmp

Filesize
3.3MB

Download
memory/3796-1976-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download