Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/m...

windows10-2004-x64

10

Analysis

  • max time kernel
    305s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2025 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/moom825/xeno-rat

Score
10/10
xenoratdiscoveryrattrojan

Malware Config

Extracted

Family

xenorat

C2

127.0.0.1

Mutex

nashypoop

Attributes
  • delay

    5000

  • install_path

    appdata

  • port

    4444

  • startup_name

    ball cancer

Signatures

  • Detect XenoRat Payload 2 IoCs
  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Xenorat family
    xenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/moom825/xeno-rat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/moom825/xeno-rat
      2⤵
      • Checks processor information in registry
      • NTFS ADS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1896 -prefMapHandle 1888 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf167e06-9bc4-484e-9424-f09d4ff02c8b} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" gpu
        3⤵
          PID:3668
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8b90309-8bfb-47d1-8a10-252cdaa5d17a} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" socket
          3⤵
          • Checks processor information in registry
          PID:756
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2816 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3076 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db9f01c3-6ea0-4eb3-ba71-f56db7019ce2} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" tab
          3⤵
            PID:4548
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3420 -childID 2 -isForBrowser -prefsHandle 3432 -prefMapHandle 3036 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {588ff7be-e83b-4765-b1cc-2bafb4467000} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" tab
            3⤵
              PID:2744
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4692 -prefMapHandle 4688 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4065af77-7f9c-4ac7-b7c4-251ae4ed7488} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" utility
              3⤵
              • Checks processor information in registry
              PID:464
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 3 -isForBrowser -prefsHandle 5464 -prefMapHandle 5492 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {096ffdc2-955d-4b04-8aab-9c479bd7e2b0} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" tab
              3⤵
                PID:2512
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 4 -isForBrowser -prefsHandle 5684 -prefMapHandle 5492 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad9add46-44f8-4f2d-bc93-bac3f305f4a8} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" tab
                3⤵
                  PID:2580
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {670ef556-491f-4875-bd40-2bf308951f68} 4232 "\\.\pipe\gecko-crash-server-pipe.4232" tab
                  3⤵
                    PID:2176
              • C:\Windows\System32\rundll32.exe
                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                1⤵
                  PID:4412
                • C:\Users\Admin\Downloads\Release\xeno rat server.exe
                  "C:\Users\Admin\Downloads\Release\xeno rat server.exe"
                  1⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies registry class
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  PID:3360
                • C:\Users\Admin\Downloads\ball canc.exe
                  "C:\Users\Admin\Downloads\ball canc.exe"
                  1⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:996
                  • C:\Users\Admin\AppData\Roaming\XenoManager\ball canc.exe
                    "C:\Users\Admin\AppData\Roaming\XenoManager\ball canc.exe"
                    2⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    PID:3316
                    • C:\Windows\SysWOW64\schtasks.exe
                      "schtasks.exe" /Create /TN "ball cancer" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB5D.tmp" /F
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Scheduled Task/Job: Scheduled Task
                      PID:2380
                • C:\Users\Admin\Downloads\ball canc.exe
                  "C:\Users\Admin\Downloads\ball canc.exe"
                  1⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4948
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks.exe" /Create /TN "ball cancer" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3601.tmp" /F
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1316
                • C:\Users\Admin\Downloads\Release\xeno rat server.exe
                  "C:\Users\Admin\Downloads\Release\xeno rat server.exe"
                  1⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:784
                • C:\Users\Admin\Downloads\ball canc.exe
                  "C:\Users\Admin\Downloads\ball canc.exe"
                  1⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:2832
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks.exe" /Create /TN "ball cancer" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFD4.tmp" /F
                    2⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4528

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ball canc.exe.log
                  Filesize

                  226B

                  MD5

                  916851e072fbabc4796d8916c5131092

                  SHA1

                  d48a602229a690c512d5fdaf4c8d77547a88e7a2

                  SHA256

                  7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

                  SHA512

                  07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\activity-stream.discovery_stream.json
                  Filesize

                  21KB

                  MD5

                  a587b9044a347679082bc4cd910efea6

                  SHA1

                  cdfbfb8708309fb3b776e110ccb194ef1940f0dc

                  SHA256

                  60d4e68513bf154b2fefc70f7faee2458ee5dfd35f0ed17dfb72b07c36656ac3

                  SHA512

                  f6adc278aa91053c9e697f603a2e19d3f8f407fa907629bd3b138354850fc33aaf5eeb50ff62bb86f5af9a278f5e411e706027294b1901cdd55f5a75a9818095

                  Download Submit

                • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qgf82dd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
                  Filesize

                  15KB

                  MD5

                  96c542dec016d9ec1ecc4dddfcbaac66

                  SHA1

                  6199f7648bb744efa58acf7b96fee85d938389e4

                  SHA256

                  7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

                  SHA512

                  cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmp3601.tmp
                  Filesize

                  1KB

                  MD5

                  d2027af1f62b2538b47eb2c026c115aa

                  SHA1

                  a9a7de1182537e51bf66cc720e974c77a62cff68

                  SHA256

                  8736fe939966457e68abd5378f1b7f42729dbfa541ced463183e391bd96b1ee4

                  SHA512

                  5c98aa48ea499944f20cdf8ed9f436aaedc2c2038ab7d5e134e0d12e16446b1be937dd45c22b7d28d694028957a1dbc231668b099882f49a65ec69a7a1d365aa

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpDB5D.tmp
                  Filesize

                  1KB

                  MD5

                  f55f79af05abb737f74c62523f318659

                  SHA1

                  ec0e6d2ce348e870201349b88c252e308140fd67

                  SHA256

                  85adf4ca07289d55696a2542b8739937addecbc0964756dc2689e8f9424c12aa

                  SHA512

                  6b11ee1f803aa04892deec51c875e337984003340c18c5786477778f9487738a8be860f70aa0da3dbe3e30f3bb282c0923aa3ef385932769e0ffe1891ff0ae5a

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                  Filesize

                  479KB

                  MD5

                  09372174e83dbbf696ee732fd2e875bb

                  SHA1

                  ba360186ba650a769f9303f48b7200fb5eaccee1

                  SHA256

                  c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                  SHA512

                  b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
                  Filesize

                  13.8MB

                  MD5

                  0a8747a2ac9ac08ae9508f36c6d75692

                  SHA1

                  b287a96fd6cc12433adb42193dfe06111c38eaf0

                  SHA256

                  32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

                  SHA512

                  59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z6FY32R2D3NBOUAJJ9Y6.temp
                  Filesize

                  13KB

                  MD5

                  dd7f81d5a3ef6b257009943bdf92ac93

                  SHA1

                  90e6a716351ef4b3a66ab914d19bb013bce67a40

                  SHA256

                  b39ef2763c3de0104ae9737eee8f7b97e137764190549b819cd46e763e10972e

                  SHA512

                  eeb250c37aa72ed138b2b16416813b5a50a2addfa27c6079d8f7d987a55e64bae2ad5d94b81df5e709c545f463d51261f0e5a891779b3aedbb3da4a26919ff17

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  6KB

                  MD5

                  615cf62239d66b17a78a9af680f30b3d

                  SHA1

                  a384d094aaa5102f356603fecf1e4c37dd9784b3

                  SHA256

                  8dfa0870d3f2f6289b02865775fa8ab17ca7ffdc526512fc3777e6ed0ff5473b

                  SHA512

                  c4fcfcc3d273fd671bfbf31cc04bbe6767a78d89d876c3cde387891a8253626de3b10d2a148cc58df063e1e11b4a4b73f6f6d1cb449c22dff688b3169b2b6f33

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\AlternateServices.bin
                  Filesize

                  8KB

                  MD5

                  76a5a4077ab24cae6dc478aa6bdc61bc

                  SHA1

                  74133bc71784e7293911df63bf0ad09da75a31cc

                  SHA256

                  f1e40e6a6f6c5343ed0c97d15270db0abc97166c94e872b8565859b49fc51517

                  SHA512

                  5686b708720e3d9c547c84b117229a4290835c70d9f4132303385a1367fe00503c0eb04f40d0a27ef8e3d157965821321d5e1c2faf93dc490f499cc6b23f9185

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  5KB

                  MD5

                  e0eeb7c21fadaa83267f985c7ec34777

                  SHA1

                  34d9a638dde9c999db0788c396584a01c0332ea4

                  SHA256

                  fadc6b0dc1b4157a64417de253ad021f142ad43aab8195767ecf080167bb0b42

                  SHA512

                  a8c69c2319b611f85896461592f87890e759cb4ded0b80a73340fd822c2b710d80ec3da6e5fe67fa11c5eeeae1bee5d5c21483fadcf3321ba55e1eb149a25edc

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  16KB

                  MD5

                  c6f07087116393073b84ffe3009885c2

                  SHA1

                  3261578c8acf390ecf562d0cd045861eafb3effc

                  SHA256

                  71aded51a61cd7b3ee694ab1337e064d6e423eeba1462acfa9ccfafe6c9ddfe3

                  SHA512

                  4c2ca86760ce69d2ad1a22d77910af76fbc5128662a048bd73a2abd30d5386655faec2e5ccdf0459b4ef413027fd38d0c9e11c689153639921f7ad53406a7ff0

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  6KB

                  MD5

                  afcc71f3efc452fbf34ed8b009712cd0

                  SHA1

                  16be07036276397fc049bb42948895855eddf7b0

                  SHA256

                  3350e2fe940ec7b998d73698a6fea259b4aa2855cf9ced5510345705fbbc5020

                  SHA512

                  ba3a49ad7d0bd7be2a73e4959725bb1baa81eef91dd0b2cc6e152fb254798da82eeaabaea5e66fd1bc78107af9232808bf08a6b56525f993c55770cb10fa4905

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\db\data.safe.tmp
                  Filesize

                  15KB

                  MD5

                  2cfed73ccbe4e9be45a6356ccb16807d

                  SHA1

                  d6d6030b6ff12e3bef2966b5131735df2faf61dc

                  SHA256

                  43f5b3bd68a0905e89f08de3005fe3127cf55c9709257a16f468d41903e5708e

                  SHA512

                  379ebe439353ca43ff5762f7f6e8c2cc6e2a111b328847e45215f3825f210c547fedb9a529dc345cd0f942552c1b62b953900afe7be173f0b13dfb55332cb3df

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\068e8c9c-f853-464a-bc42-0388f6b1e54e
                  Filesize

                  25KB

                  MD5

                  08fddea7060adeb2910f09663c640e6b

                  SHA1

                  a3d34df6988915cae4c075ba79acf95c7a25718d

                  SHA256

                  e282234576ff5de45fd2274d15fb6b752b6b23e21bcf380c1b69a03ba6de3310

                  SHA512

                  92a64678d2b544becd2eb4726e43b0bea61dab6163b25a3fcaa4ee85896b7e8a9327839a31d117bde6f2f9f89b5c3f5b3e06964226e57fea3e7804844241e755

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\21ef284e-3bd0-4774-9f46-3c47def78379
                  Filesize

                  982B

                  MD5

                  2220d7aeff3f0b7487f835aeed1517c9

                  SHA1

                  dbccb47ee20a934b26f1fc9ad8026b06368b6483

                  SHA256

                  c5e11194b38d1dd101fab1e0eba298d30a4165bcdd0e209d384cc06299ef56b4

                  SHA512

                  d45b103f025b5f031c39a5177967afeae05d1d73eeeb11a91741dd36885c5355a9fe5177951d1b66249de5064c46b52fffded2eb59e79d1e7d791fdc0a2166f7

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\3d37de0b-f4ba-4bd7-ba5a-e5de7a6da8db
                  Filesize

                  671B

                  MD5

                  4d725daa4331ca78d17d023b5c1c91ef

                  SHA1

                  5715277219d143f34a6152418a0bd578992beb15

                  SHA256

                  45a53fe2917c9ce244493eaab42713f8f982507dad9e0f3d676ab4a6c71fd6e0

                  SHA512

                  c01e2cd2a4489ba569467ed6dd3ff5e76ec29c7af30d29dd2c4e4797a004a199ec1d6fb3b19351cce7ee78f33dc4b5fde6b8f7a0e254c4df508b243a09fe0cd2

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\datareporting\glean\pending_pings\a26f1c08-a586-4315-ad64-2424e4af8f2f
                  Filesize

                  10KB

                  MD5

                  a9828061ed191183429e946004dfab02

                  SHA1

                  f75cbce5f416b77298f7f4ffaa6a658e3437bb19

                  SHA256

                  7e63382a410361493aa32e51e12129f2604e9051d0a03724fe0c9c43adb246a8

                  SHA512

                  b8ba3b32706ec16be2581e5d85675c9eb72a503040051849d86f47ee19abd27c8ebdd9d07c513f6f3914b7f9ecc17c1158c0bff1d4a0666382afa8236e341773

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                  Filesize

                  1.1MB

                  MD5

                  842039753bf41fa5e11b3a1383061a87

                  SHA1

                  3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                  SHA256

                  d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                  SHA512

                  d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                  Filesize

                  116B

                  MD5

                  2a461e9eb87fd1955cea740a3444ee7a

                  SHA1

                  b10755914c713f5a4677494dbe8a686ed458c3c5

                  SHA256

                  4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                  SHA512

                  34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
                  Filesize

                  372B

                  MD5

                  bf957ad58b55f64219ab3f793e374316

                  SHA1

                  a11adc9d7f2c28e04d9b35e23b7616d0527118a1

                  SHA256

                  bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

                  SHA512

                  79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
                  Filesize

                  17.8MB

                  MD5

                  daf7ef3acccab478aaa7d6dc1c60f865

                  SHA1

                  f8246162b97ce4a945feced27b6ea114366ff2ad

                  SHA256

                  bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

                  SHA512

                  5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs-1.js
                  Filesize

                  9KB

                  MD5

                  61b31ce7b59d7b499e86556f053fe2eb

                  SHA1

                  7ac0cba7bcfcb730271d315d4c73a066518725d1

                  SHA256

                  c63b765b6395a5b3b38daf77c6a432347d3e05a80559e8fa2b5dc94b3935cbb4

                  SHA512

                  c2e79f26e7673ef037e6f9d553bdf5d555e955be2f965ecd3eaa8b36235b743daedccaa960d20f8c08cf8ece7ea78d4af5d7bc57f4bd6a298832228a67a6ec52

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\prefs.js
                  Filesize

                  10KB

                  MD5

                  cf369b116f0f1987b706d4fa0dcc6001

                  SHA1

                  a4da5edd25acb05b0bde8411cba6dd5efb0874ed

                  SHA256

                  8d49508023896f7adb39ecd74e7544d15c21eabe7f925e96fbe30426d31897af

                  SHA512

                  516b0fe7efe6470aa2a756ddc7d2ebf0d714b260ad0862b7f233af0058e03ad5ff54d99ff269609fb27e19ec8bd43fd57f0288842bb4bd22ca353a1d06da1d4a

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  3KB

                  MD5

                  b758774874df3876abd274f60deee212

                  SHA1

                  db9a16ae88e36dd8e8cee9327fdb2f93e5c6a571

                  SHA256

                  270c7c6020891af78faa53662518d9e8b051e2a7f77bd5f408673a57cd76a5bd

                  SHA512

                  9e85c24b1fee99d545486c492426ee6efd1ac3b572875f9fc409339ec604b1792ffa982b0d6bd85ab33ae0c0877ffc52c532fa5f0af819c3467536a3b79eeca3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qgf82dd5.default-release\sessionstore-backups\recovery.baklz4
                  Filesize

                  3KB

                  MD5

                  548bba0b69e812f3bac8503e9a055c23

                  SHA1

                  114143e55113d92f6a866ed890551daccf4861ed

                  SHA256

                  5eafd20585a4d4fcc58eea4867ca56ca5f774e245922974b3294e0ccb1196924

                  SHA512

                  c433ee9e48b59337de0867607efdc12c0f9fab7588cf10c177614372cd84bc9ddd51ec7d7cdc336eb1aa25ac5d21624a66f6979561249e6449db27cbe5461722

                  Download Submit

                • C:\Users\Admin\Downloads\Release.H-FgtwQo.zip.part
                  Filesize

                  6.4MB

                  MD5

                  89661a9ff6de529497fec56a112bf75e

                  SHA1

                  2dd31a19489f4d7c562b647f69117e31b894b5c3

                  SHA256

                  e7b275d70655db9cb43fa606bbe2e4f22478ca4962bbf9f299d66eda567d63cd

                  SHA512

                  33c765bf85fbec0e58924ece948b80a7d73b7577557eaac8865e481c61ad6b71f8b5b846026103239b3bd21f438ff0d7c1430a51a4a149f16a215faad6dab68f

                  Download Submit

                • C:\Users\Admin\Downloads\Release\Config.json
                  Filesize

                  428B

                  MD5

                  5fa6c3993c3b6e3e73c641f80437d643

                  SHA1

                  7935974b47e136329e8e1dc2bef1a5e015770f63

                  SHA256

                  7bc92b35eeea5b189cabeaf8bf04c7b1600cadbbfacef65172d9d5a2243fa287

                  SHA512

                  38bdb4239ff5f2f72cbeb9185a805c2dc1efa8d33e045157ee4589b0f8896c51663a5ae167dd9becee005771691c646ac42e1c085384d73cc1da9e7b5b02395c

                  Download Submit

                • C:\Users\Admin\Downloads\ball canc.exe
                  Filesize

                  45KB

                  MD5

                  043042480dc93fec7d9daf8cb5be6e76

                  SHA1

                  bc8467d71d3a51bbce1a2d55241796971199dc25

                  SHA256

                  06ba6c0d44806bdfc378c4a0445dedbd275b39cb3125ad40b91e91b132d4f345

                  SHA512

                  24a1d82c69a873de1e2083e9c47a2ef101367e7ae9db5b1330a6f4330f0ac148912cf35532d21dbbc487ff2dd0fc17905a30ed1d59f3f5a02f0d38cf342f2a1a

                  Download Submit

                • memory/784-685-0x0000000007AC0000-0x0000000007E14000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/996-666-0x00000000745D0000-0x0000000074D80000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/996-653-0x00000000745D0000-0x0000000074D80000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/996-651-0x0000000000FF0000-0x0000000001002000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3360-610-0x00000000745D0000-0x0000000074D80000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3360-562-0x00000000008C0000-0x0000000000AC2000-memory.dmp

                  Filesize

                  2.0MB

                  Download

                • memory/3360-565-0x00000000745D0000-0x0000000074D80000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3360-607-0x0000000008010000-0x00000000080C2000-memory.dmp

                  Filesize

                  712KB

                  Download

                • memory/3360-639-0x000000000BA80000-0x000000000BBA4000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/3360-640-0x0000000001040000-0x000000000105A000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/3360-606-0x00000000745D0000-0x0000000074D80000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3360-605-0x00000000745D0000-0x0000000074D80000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3360-604-0x00000000745DE000-0x00000000745DF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3360-608-0x00000000080D0000-0x0000000008424000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/3360-598-0x0000000009EC0000-0x0000000009EE2000-memory.dmp

                  Filesize

                  136KB

                  Download

                • memory/3360-561-0x00000000745DE000-0x00000000745DF000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3360-563-0x0000000005BF0000-0x0000000006194000-memory.dmp

                  Filesize

                  5.6MB

                  Download

                • memory/3360-564-0x00000000054C0000-0x0000000005552000-memory.dmp

                  Filesize

                  584KB

                  Download

                • memory/3360-683-0x00000000745D0000-0x0000000074D80000-memory.dmp

                  Filesize

                  7.7MB

                  Download

                • memory/3360-573-0x0000000007FA0000-0x0000000007FBA000-memory.dmp

                  Filesize

                  104KB

                  Download

                • memory/3360-578-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

                  Filesize

                  72KB

                  Download

                • memory/3360-572-0x0000000005BC0000-0x0000000005BD4000-memory.dmp

                  Filesize

                  80KB

                  Download

                • memory/3360-566-0x0000000005580000-0x000000000558A000-memory.dmp

                  Filesize

                  40KB

                  Download