hxxps://github[.]com/ItzMaro/Xeno/releases/download/source/Xeno-1[.]0[.]9-Release[.]zip

Analysis

max time kernel
299s
max time network
267s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-01-2025 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ItzMaro/Xeno/releases/download/source/Xeno-1.0.9-Release.zip

Score

8^/10

microsoft defense_evasion discovery persistence phishing privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2449540194-3226363261-2578591490-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2449540194-3226363261-2578591490-1000\Control Panel\International\Geo\Nation	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 15 IoCs

pid	Process
3096	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
1524	MicrosoftEdgeUpdate.exe
2080	MicrosoftEdgeUpdate.exe
4676	MicrosoftEdgeUpdate.exe
1904	MicrosoftEdgeUpdateComRegisterShell64.exe
4688	MicrosoftEdgeUpdateComRegisterShell64.exe
4640	MicrosoftEdgeUpdateComRegisterShell64.exe
4868	MicrosoftEdgeUpdate.exe
1452	MicrosoftEdgeUpdate.exe
4936	MicrosoftEdgeUpdate.exe
3424	MicrosoftEdgeUpdate.exe
1928	MicrosoftEdgeWebview_X64_131.0.2903.146.exe
1588	setup.exe
5112	setup.exe
5324	MicrosoftEdgeUpdate.exe

Loads dropped DLL 18 IoCs

pid	Process
1524	MicrosoftEdgeUpdate.exe
2080	MicrosoftEdgeUpdate.exe
4676	MicrosoftEdgeUpdate.exe
1904	MicrosoftEdgeUpdateComRegisterShell64.exe
4676	MicrosoftEdgeUpdate.exe
4688	MicrosoftEdgeUpdateComRegisterShell64.exe
4676	MicrosoftEdgeUpdate.exe
4640	MicrosoftEdgeUpdateComRegisterShell64.exe
4676	MicrosoftEdgeUpdate.exe
4868	MicrosoftEdgeUpdate.exe
1452	MicrosoftEdgeUpdate.exe
4936	MicrosoftEdgeUpdate.exe
4936	MicrosoftEdgeUpdate.exe
1452	MicrosoftEdgeUpdate.exe
3424	MicrosoftEdgeUpdate.exe
5324	MicrosoftEdgeUpdate.exe
5472	XenoUI.exe
5720	XenoUI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\1588_13381516505569996_1588.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\pt-BR.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\{3A21E0A8-3F90-4655-8A0A-2DF103FE5FF9}\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\MicrosoftEdge_X64_131.0.2903.146.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\edge_game_assist\EdgeGameAssist.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\MicrosoftEdge_X64_131.0.2903.146.exe.{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10}	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\tt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\dxil.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\ms.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_sr.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_tr.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\vi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\691c39e3-f0e0-4f09-9f6e-35dab7f2fa0b.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\kk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\or.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\pa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_es.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_es-419.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\win10\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\vccorlib140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\edge_game_assist\VERSION	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\mspdf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\elevation_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\edge_feedback\camera_mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\internal.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\learning_tools.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedgewebview2.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\oneds.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\ru.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\ne.pak	setup.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebView2RuntimeInstallerX64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4868	MicrosoftEdgeUpdate.exe
3424	MicrosoftEdgeUpdate.exe
5324	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CurVer\ = "MicrosoftEdgeUpdate.CoreClass.1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Xeno-1.0.9-Release.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
1524	MicrosoftEdgeUpdate.exe
1524	MicrosoftEdgeUpdate.exe
1524	MicrosoftEdgeUpdate.exe
1524	MicrosoftEdgeUpdate.exe
1524	MicrosoftEdgeUpdate.exe
1524	MicrosoftEdgeUpdate.exe
5472	XenoUI.exe
5472	XenoUI.exe
5472	XenoUI.exe
5472	XenoUI.exe
5472	XenoUI.exe
5472	XenoUI.exe
5720	XenoUI.exe
5720	XenoUI.exe
5720	XenoUI.exe
5720	XenoUI.exe
5720	XenoUI.exe
5720	XenoUI.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	firefox.exe
Token: SeDebugPrivilege	4896	firefox.exe
Token: SeDebugPrivilege	4896	firefox.exe
Token: SeDebugPrivilege	4896	firefox.exe
Token: SeDebugPrivilege	4896	firefox.exe
Token: SeDebugPrivilege	4896	firefox.exe
Token: SeDebugPrivilege	1524	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1524	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4896	firefox.exe
Token: SeDebugPrivilege	5356	taskmgr.exe
Token: SeSystemProfilePrivilege	5356	taskmgr.exe
Token: SeCreateGlobalPrivilege	5356	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe
5356	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe
4896	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 3360 wrote to memory of 4896	3360	firefox.exe	82
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 4244	4896	firefox.exe	83
PID 4896 wrote to memory of 1456	4896	firefox.exe	84
PID 4896 wrote to memory of 1456	4896	firefox.exe	84
PID 4896 wrote to memory of 1456	4896	firefox.exe	84
PID 4896 wrote to memory of 1456	4896	firefox.exe	84
PID 4896 wrote to memory of 1456	4896	firefox.exe	84
PID 4896 wrote to memory of 1456	4896	firefox.exe	84
PID 4896 wrote to memory of 1456	4896	firefox.exe	84
PID 4896 wrote to memory of 1456	4896	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/ItzMaro/Xeno/releases/download/source/Xeno-1.0.9-Release.zip"
1⤵
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/ItzMaro/Xeno/releases/download/source/Xeno-1.0.9-Release.zip
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 27137 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26ee4a81-99a4-455a-ae9e-1c508c754351} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" gpu
    3⤵
    PID:4244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 28057 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3429534-cc39-408b-ada3-b8d8b3361290} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" socket
    3⤵
    PID:1456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3352 -childID 1 -isForBrowser -prefsHandle 3168 -prefMapHandle 3140 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3525ddd-572e-47b2-bbfd-1da59eef83a7} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:1192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 2804 -prefsLen 32547 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b942f984-28d8-456d-8f3d-37a3d30e8a9f} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4216 -prefMapHandle 4212 -prefsLen 32547 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1f56ca4-4a3a-45ea-a5ed-f5e6038dba2e} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" utility
    3⤵
    - Checks processor information in registry
    PID:2088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5100 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d32b33e-e84e-4f1a-a048-61510c80acf0} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5564 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5640 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9e6234-2f5f-4e82-b7d5-44dcc3cc9a1e} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5548 -childID 5 -isForBrowser -prefsHandle 5788 -prefMapHandle 5796 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c7f2cdf-a0a5-4b38-a780-abe812a36d81} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:1652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6224 -childID 6 -isForBrowser -prefsHandle 6216 -prefMapHandle 6212 -prefsLen 32755 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4175191-49fa-421c-84fc-86761fd49ccc} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4952 -childID 7 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 28132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93530dd0-9ca8-4141-9cce-30ad53619f89} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:1080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6656 -childID 8 -isForBrowser -prefsHandle 6636 -prefMapHandle 6668 -prefsLen 28132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad1df2a-7588-4dfc-825a-454bec856d25} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:3752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6956 -childID 9 -isForBrowser -prefsHandle 6892 -prefMapHandle 3112 -prefsLen 28132 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91513276-37e2-4676-acba-f572a520bd7e} 4896 "\\.\pipe\gecko-crash-server-pipe.4896" tab
    3⤵
    PID:2072
- - C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe
    "C:\Users\Admin\Downloads\MicrosoftEdgeWebView2RuntimeInstallerX64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:3096
  - - C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1524
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4676
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1904
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4688
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4640
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzQ2OUZDRDgtREJEMy00RjIzLUJCQkEtNTBCQkY4QTMzRjY5fSIgdXNlcmlkPSJ7N0FDQ0I0RjEtNkMwRC00RUJCLUJENkQtRDBGOTEzNkM4REU4fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezYwODE5MEExLTkxMEUtNEZEQS1BODEzLUEzQzVFMDA4NzNGMH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDQuNDUyOSIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjEyNSIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjQzIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MDk1MjU4NTExIiBpbnN0YWxsX3RpbWVfbXM9IjQ4NyIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4868
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{C469FCD8-DBD3-4F23-BBBA-50BBF8A33F69}" /offlinedir "{3A21E0A8-3F90-4655-8A0A-2DF103FE5FF9}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1452

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4936
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzQ2OUZDRDgtREJEMy00RjIzLUJCQkEtNTBCQkY4QTMzRjY5fSIgdXNlcmlkPSJ7N0FDQ0I0RjEtNkMwRC00RUJCLUJENkQtRDBGOTEzNkM4REU4fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDk4QzAxNzAtQjQ4Ni00NkMxLUFBQTUtMzhBNjk5MDUyMDEyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgaW5zdGFsbGRhdGV0aW1lPSIxNzM2Nzc2NTk1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODEyNDkxNTk1MzUwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjA5OTQyOTM2MyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3424
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\MicrosoftEdgeWebview_X64_131.0.2903.146.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\MicrosoftEdgeWebview_X64_131.0.2903.146.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:1928
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\EDGEMITMP_2D77D.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\EDGEMITMP_2D77D.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\MicrosoftEdgeWebview_X64_131.0.2903.146.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:1588
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\EDGEMITMP_2D77D.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\EDGEMITMP_2D77D.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{ADD58FEC-AD87-4232-9991-9395F7F5EF2D}\EDGEMITMP_2D77D.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x9c,0x224,0x22c,0x12c,0x24c,0x7ff6430b2918,0x7ff6430b2924,0x7ff6430b2930
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:5112
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzQ2OUZDRDgtREJEMy00RjIzLUJCQkEtNTBCQkY4QTMzRjY5fSIgdXNlcmlkPSJ7N0FDQ0I0RjEtNkMwRC00RUJCLUJENkQtRDBGOTEzNkM4REU4fSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7NDRGOTlGNTYtQzkwNC00QjAzLUFENEUtRTRFRDFBODdDNTY2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjE0NiIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjEwMTU5Mjc4MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYxMDE1OTI3ODAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MTEwMjYwMDc1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjEyMzg4ODEyNiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjcxNTY5OTc0MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlZD0iMTc2NzU0MjU2IiB0b3RhbD0iMTc2NzU0MjU2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMSIgaW5zdGFsbF90aW1lX21zPSI1OTE4MSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1916

C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe
"C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5472

C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe
"C:\Users\Admin\Desktop\net8.0-windows\XenoUI.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5720

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
182KB

MD5
8f7c44e937ecc243d05eab5bb218440b

SHA1
57cd89be48efe4cad975044315916cf5060bc096

SHA256
bc3cdd57a892ce1841787061e23e526ad46575460cd66c1dc6dcf0f811563d59

SHA512
9f0020b81d1945fea12efe1a0a5e59caae4a01432429e065e35c73b15db873253094b2ff1f8903a348446dfc9c9fb658f8bfed8c25bc56e8b546c16304a385a3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
70cc35c7fb88d650902e7a5611219931

SHA1
85a28c8f49e36583a2fa9969e616ec85da1345b8

SHA256
7eca199201273f0bcff1e26778cb535e69c74a69064e7759ff8dad86954d42b1

SHA512
3906ddb96b4b1b68b8c2acc940a62c856e8c3415a1b459f17cf2afc09e05751e0086f8e4e5e0ddd8e45cfb61f811bbe4dd96198db68072b45b6379c88d9ea055

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
215KB

MD5
714c34fe6098b45a3303c611c4323eae

SHA1
9dc52906814314cad35d3408427c28801b816203

SHA256
fbf495968c4a385ff0790e6b65d26610ef917a2b36a5387eff7ae79d7a980ac5

SHA512
68a65496275a1511b2d3bd98ac5592cb1c1eb9df0448471a8985cb2f458c66163e6d55545940de72dea80118ff8ec7ba0ad3276f51095f55c1243fb9f3311345

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
262KB

MD5
c8b26176e536e1bce918ae8b1af951a2

SHA1
7d31be0c3398d3bad91d2b7c9bc410f4e45f37be

SHA256
be6ab7dd506e44a0a9eb0dd531929bd8aa0796d85a0353e6944bc6bf1630b717

SHA512
5a362cbabebbffbb0797646576b65e2934a3b0a30306d74078ef2448fea3940df14f0b8f149691a100cc170bd548c9b420dcc8aa41eb1ea0700c9f155626c565

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
40cd707dd3011a9845ff9c42256ea7e3

SHA1
4045ae709979f75b1cf32142c1137b4be2ab9908

SHA256
9f4c7072716e0be1be08207a7024a5e41162e288e677d805be8e5469a8bd4909

SHA512
bf1ada8a0d9c3d9f39fb739d05fc4a61f0a7e0e1bb5eb44e6f0f5f58381ee6d80aad89dbc3211b70a6294fc69d5820c70fa8488ef2f793a3710ecff5ee90422e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
e91e279752e741b25cf473338d5aac88

SHA1
2b8ea61868a26408cd1dd351cca5139a046bbb7b

SHA256
5635ecedd84330f070a9d6f4cea8b8b81e9dad8592d336ebfd236b7d67e58acc

SHA512
7404cdb82309351a21415b045fc7165137492aa262d00fd0f74bad4262ce10e86c3bde1718c38757b7133e41d044035e731c52cccea285d659c4a570776ae535

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
bd175cb3dfc1d43944223bd5d7177539

SHA1
193623dc372937f31a545344d340360665b8d69a

SHA256
bf0d65cebe0c29f15a616a0dda2f1a414e3f96fe7a28ff7876e811855be6621b

SHA512
f5742352852837ce16f3cf1655e4d41e301f0351b68c7346457978aa310b95b69b1070741fc2ab8be5ff449f6fd44660df3b15811630efc1420ced1455fcaf5f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
42015aafd53012b9c8afa009ee501fa0

SHA1
c1fc049feab4fb4b87faf96c31b3d1160f1c1d39

SHA256
86858a1807e6cf0b91565ed7a5a15db24720b0a7f60ae41e67dbf9faeb6ef2fa

SHA512
9ce323da000b51480ee35973872fc7d181e1f69e820ac737c62c36eaa81eb99965bae39fdd394459adfaf8f746f5dc3b768015e01d8724e2d0718f5286c29389

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
8a54873d54a41442b62f9fea9492d3a6

SHA1
fb19af151b15f4bdb7a555924f1835b0337ff1d7

SHA256
af9bdd050b27b8883f72e3596179fe244a6a2e3545950c82889aac7198cf3c32

SHA512
7cc0a578586853afd027264c3898cb1460b23a47eab9c79e064b9f327fbdee6e3f9bc7043a5a76a710ada05edae4ac0b47529be3ae67ca9b5afaaa16151797c7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
e47db9afb646fb31cc8650837f487134

SHA1
f304204c908ea1fe2bcaf76040d5d1f13f1e99e0

SHA256
4e03ed7a538793fdcd4c646c62ddd278c46911099e6485bb2644a17ad3a8ecf6

SHA512
b2b01c86c78ec3450635c0fdef9666ce302600956e8def3bb02d205ba2a11b3d422520a64361c6f666998bd82b5557ec96cbcaba9e1b712c756e75128c8f9bc0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
5887cd452245dc7bd0389a0ad5db98e0

SHA1
6486d0ae59ba338e8bce87b438f86691e955840d

SHA256
922a102cae4e74bfc0b402bbb136116eddc71a8adcf7f1268d48006c858d1d60

SHA512
0720aaebca04e84d8af2d7b153b0fc51e5651cf664051b8c4b44159ed4c6328eb237ba4f4c97bebedbb1a45ca5c1d0f249cdccac76c6d5619e0e761d12aaaba1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
6aab6d42c7b7a90523a3272ad3916096

SHA1
cc638bd6ec6478734b243de2daa4a80f03f37564

SHA256
67180722f255985e849ec3ab313dcdc0bf2834bad7b6163a0b14587fdf4b4c66

SHA512
ebc17e0ef86b8e5bb938040ad78b299e33d1228c730666526aab27e464626b71ea900cb6dbe074bda5e42e77cd569b083637e233d757b8b0bdee2df2e0c509f2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
abc20df0545611a835dcd895d2832cca

SHA1
39e90363156c461e5aef64a714ba43cc61617ee5

SHA256
75d8c2e259b4d113c0967615af61e8f54eafb49c498767291627faae9fcf504b

SHA512
732f31d175f08c5c69b9cf540e2b0e72b8986b44d1ebfdf0e56eb56b68bea64e6446932a546f1fc30dbbbad4ccaf6bc935177a6348c5280ef786d6d8dfa7b325

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
327e92c7a55ec996ce09dfcf8c89e753

SHA1
2a51c99519257ddebf0d8280d46e0c0fd416e7a5

SHA256
2b61608a7aca43b7ea4374b79acc6e15deb382eef0fa8751c8e57e03e061cab0

SHA512
ac3ca0f66b899759f0d23ba64ff291486edb1e1d3bb626ad3efe3e3a6fd2aa4081411546e4849ff1645dcd26161f35defbd8442278e6d6f66311780c60474296

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
e0d2675c6de1b8d4e5e463246529a304

SHA1
132dace535b9cdc7a4e5f6137407d5becb23c4c6

SHA256
4af082aa0193b9b15622eba1f6165d0b6032b4dab17ba16a8a9affb267ebec34

SHA512
afafc1ca5abc636066ee98a6c68356d68f506fe3734a4b3e68073eed1f2ddc51840464e91d3cd3b28648fcc26b9457ef6484100f9543739220ad75a9eecb1e90

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
bfac1c3869df5375aedb24458cf321b7

SHA1
848232c155c7dca65f6cb22d27a72f2c78e964d8

SHA256
a9f5cf25b9512e1d30ecb769a5eeb694888b72b7f05b78c417814802c5aedbd7

SHA512
732270e8e8036f8ec59c214ca3804c6c67420bcf5fd633347c764f90b06b25fd73a0c7aa75ec42461ae3d3570fbfec5c5a7eee10e8d494b805b7c7e0d4aa227e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
c5681c3b4a8145d3b6cbf51e3f0b12fb

SHA1
908a0546ce091906aa5e7728660b838bf1e619e4

SHA256
2b47a6c19ec492149eca6afb03ca82ac1418a727f35cb641bce9f22136dd3459

SHA512
06c850119b5199bfcec41abe2b5e6929e0a960b69337c6048e0dbdd37ca56401885785de96cec235093a4d6536d9de55178a4c739a6ebd5e34514e12635b6d31

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
3206ad1fbe5c53d278607da7767b1996

SHA1
6964da8787c299e71f8428b22ed8ff6909912034

SHA256
9ea2727ca92f74c7c35ea22287f13ef262241a905567b908e2860f19e044a848

SHA512
38281ab3590a2e6210d1d9c0d1f5a4a3ef19772065f87d94570bb448fb83ea0579aa8bac9e94b05ba2b6bb2bb882f1be6d45c921c52ca2f0608056512fb3338c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
7f0ce1bf90bc88d5fb4d32d359063868

SHA1
59d8ba8397c325ed7b2dcd6a262906795549af6c

SHA256
1147a2cac674209b9087f7c81c09000a2177bb7d42d0d518e3c93d8a9ee2d7fb

SHA512
5cd723cad43388c7e2db4452caa20c07e73a676c82bfaca27a293ab70acdbb115fd82c7a65dee3e6c6d8969c4b99e90ce832760b6f7ab47e9a4f631ce53813d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
d9eb30f1811161a6903901f1ff316ebd

SHA1
7ce5e34af30e821a0bbb7074da57636c1be15d6f

SHA256
73b4fab09f7f224b2527dffdb617b7f852c78eca8989d493ba2fa2201b1becf3

SHA512
9d2e2a44fd027c30836254de1ec99fdff4bad2d3488f25d88a9f80f5f994dd5c660903dd3586dca85fa9e1a269ac8c51b5a060156fa65dc1df0d8137bf878c82

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
85dadb4cac0d76fd821346c411d5c3d0

SHA1
999dc0bd7250f71465f5098dde263a7a82ba7b3c

SHA256
1392f864c486e4b4b6859d900b12182f5ad5ec90e183808ab7ed0049aedd807d

SHA512
649833bf473139db879c2c7218567c49ad6436e3af1efdc7d9e9d48b8d3347e2bfacd6140a59d7973fa9df9cc9cab0e042bdaa7dbf32846bdf6b812b7ecaef07

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
5d4f7ab307f71d761a7f0e193f4b2ca1

SHA1
a3580268a98ad5242c7c56fa759f39276b6149de

SHA256
e2f0a11b5269b08261397e2ba8e2a5e44d5bf2e042a1cb91ad395d7c274b44d8

SHA512
307c489db833e4f2c74ab5201909ad2c53c691e0409f5abc29540a84d1c5ae146a072fecaa0ac886c83e4521fecc58ae5b0ff4331f3b37f39114d1fdea731021

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
cfb71031c56d9e8b9490d01fbe86302c

SHA1
9e11ecf5efc88e0beee1db46620bebc73f86dd21

SHA256
b18e14d0e24546193822b83996c5b311500ca213beb4d497cbd1dda9dac9db2f

SHA512
9cf993ea53673e416eead78d45a6d700b74001b69b1b987d479e77348ea8dc151f4ba6d6b1220db21ce792f9da51b9c83f33663621f9350b848a766ceae92370

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
b25a10d8b739ac2eac10b7b7fc7a61d5

SHA1
ec993d8113e4c0a4a1b36920a8991521e4f7eb57

SHA256
cad0cef66ad1097dc11e6396d0a0fb11ec1734acfde15e9eae402ba0d068615f

SHA512
315971e819d2c3dc5fc30ffe2275c3608125f1e4f14dbeb39aa0fd014291dec0c5efb3e02628bf345c92ea0faaa38e30d4ed5c3793995afff9cb9c933f234513

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
6c3d219e2169f5566a8bed031b21bdc4

SHA1
073a61c02b87e37e87fd3c8e609a56828ec49a47

SHA256
3a841555813f21928fdd45003a3f694a87074869b001b3e063eb97ad35d8fe17

SHA512
2b57d8325ada86a1ea01df0c7d0122875450f913bc8c21d8a7dd44ac7037a170e2f4fc92c13c58980aa9371a7bdfdfee34b9e188e16ad0b89181f7f901467152

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
27d45a84e2b94a60d5a821597fdad6dc

SHA1
2125fe5fbaa2db280a859ef3a7d27ba21efec036

SHA256
65f3cd75a7121dc3d417a9c3180bb52b485b5e7d0ac3b483fa355d13515f970a

SHA512
eddccfeee69b7a53adf32e72724ec8ba1668d1927322ce61429a4c663cf3d17e3f6f59fe1930b96f78faa70d30edfd7845ba53cc161f06a4e67ad43d11cd576e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_eu.dll

Filesize
29KB

MD5
d8323f3db20d104441f548decfd022ba

SHA1
de7f58b9ee7cbcad73433a17ff55385fd7e91035

SHA256
d07d8eb066e953af02a6e3a160232a73c1b66bb54d93d6b2ebc1557d1d322358

SHA512
7de3a803131086c3368d4acada0b6a29ef4ed4102a151eb000056c233da4853c97e394c98d6fd856714758ee17a0cc4c3df061a1b5d2b2b3e3bf95447bb729a5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_fa.dll

Filesize
28KB

MD5
6ba182cbb744541288629a2464ba99e6

SHA1
366751e425128654514dc82112238a7d6f4c9908

SHA256
cca362dd297b8d8e20893cf4da8cf9efc9848f97a04a9d69cabff67ae947607d

SHA512
ab3da91d7ab7150100b580d7b25a5fe9cea67affb1c4ac9e479b70e2d17ebb14a0745bf62ffb3792b8ce4cbea130cbd0012053a5dba7930252e2c09b763ea658

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
e7a774a7b404ab800efbdf7ea52e7ead

SHA1
3f0476821281614b9ee32faa5c534de5f6dc21f9

SHA256
1e1f09beed91a6a84535a1cf2b4df5e416cbbf785546f798d736009e31f95691

SHA512
85091f8bf809e88e248f4a899682f15586a083d1bb94cb5674da0e463716fa927ebef578519b653ac4ced381f98c4cf7a409c1ed52927dcf7fce4813008ce900

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
1223e486deb013055cb0b7729681b9ed

SHA1
b5b43fa89f066a9b6ceb47389c05b69ea6a784ba

SHA256
fae283a78757cdc548c728a38cb041db4ffe538c5ee7d2aa2f55e3469f95fa25

SHA512
8862d2f4778bfd0659dcf9dfb992072767af30dea46b34d626580ab8183a765d0c0f95a7070f0aa36e694d9e559f843672000aeaa4d8abdca60ff83da5a2b857

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
9fea64a22d045d8edc38a9b8480a9c12

SHA1
e3342e26166a43a21729b8aadeca653c03dc0528

SHA256
2f324851f0ccd101884b78fe1eb07c2da2932a68015eb8cfb4c801e288c8771b

SHA512
a3601640cf961c88efa476125a71786a109d23355922eda45b5be8824ccce650d703546c5c8c281308dce208edabbeea5cbc3b44ed678d9d36970c4e5f236c0f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
498dddf273f0f2973b1c4581e820f10c

SHA1
aa048015a3ed6ebf9b4848a9cc54beb5e39eedd7

SHA256
9ec8cec72404794a2b2a738502c7f531d976d8c99a57d2b5d2f0f2e818e35e04

SHA512
3596b20469daece28496a13b02ae0c1cd9265fc0046e1fffc384b8a16a4869402831386679c3e9cdfe03903df0b191d2fdc04cc531104c9c0d84bef24eb4d60e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
81d35302b31bef2a99e154eb64abbaa0

SHA1
ea72f2aa526ea299d5515921fa0ac8f502ce3cde

SHA256
0133af05b669f957174a22b0b568a17a9bef1e387f52ae157766fae42d4e647d

SHA512
4d1df9684e7247ec0d8fbfdcfdb6ac5b2811de649c5b7ee4a20e5733307cdf5855ff767ebcb12ba15b33be58d82bacf9a02522126d927304e11f8e64261b46bc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
2e88f4aec46a293b3ec9bca2d7d2fe73

SHA1
ba34b9635832b2704942d7cd8578c8d70f0ffd2e

SHA256
f7278ba46204bfa387eff0e72fb2a8dd32ccea154fb268a8c39b03ad5334cf38

SHA512
b7f655cdaa3a34a8e0e00186cc49986cf283785a133af87ae47c3a3614f0d15d5b51b4091ff33bd0fc445815665edd37d378a9665d3831d2281b0bf6cc933c87

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
2dcb17e8da6ed1a62a53029940592cbc

SHA1
b12941091cd1a554cd23d38dffbf75ec8ff57848

SHA256
a6770040c2f93ffc5c542dcdb1e7ea529d6036920957a9709153d80d360b178d

SHA512
0c82b39c7128d81739f64346948784c60d2cc409b637d5ca79825ef12766c10861ac3c119a5f232b12f52e50d3ba6818532968c75fbf455e75bd3be83c931f10

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_gu.dll

Filesize
29KB

MD5
571b69e1a8f9cac5eca53ba624aae924

SHA1
89798cdf858a4ee42ab4ffc01055c0463b6c4c0a

SHA256
37e67d7511d261ba1e022c9019d1b223d6d092260f97b471fbe2259ac5af6d3b

SHA512
961834f77c2683332b7a650360c09fb08e7efedf4249e48662b9a4fb9534bdba687eb9320da1a3aafe6a9c30d624c4bb94b55e1bf086a970354df61f2065e181

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_hi.dll

Filesize
29KB

MD5
4e8b170283c3f3d182eca7ce97e71a08

SHA1
93d86d961014b12c1a376effb3c568318db1ecc6

SHA256
0eb7739ad2863ccc13fa5cdb805189634728a7613918cd54bfe53a06d9c26cf9

SHA512
76a384ede88986c03e659c61e5409446bb472fa50c2e2e6f6e907f74e675ef0c5e932d950733ee6dc0c167881bc948d7ba9771bb77f31db3fb540277afb829fc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
54df61c0431c61851d8b61427f2cd68e

SHA1
84c99b724a2a5f321fd161d3beceb894e377a121

SHA256
6e96de38195de0095c6ab16696ccde2577a65e8c23d07f31e9f3c9f52d76c7ab

SHA512
46bea4f17fb327bce8bc6cb5329b7086a772a6eae07a8f2f34309a42acbb9f3dadd675d9c8d9f9e72c85149b48419fb5807acebbcee5bee150c754f94e98d7c4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
6b201af2eae546c9b638e38cabd9676d

SHA1
626b2029d573f371dbeb7b7878779383adc6253d

SHA256
c849d765c73a969ac10acff6195edd9339054b93a15152e5d1eb1fd1b5017b06

SHA512
1c35c169cf16a37a5537d0911af7da64ce9a0f999e76464f3410ebb224b9e65bc71deaa253e549b196c52409127b55cbb2e4a39bf9731b3ee76dae560b74fc2c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_id.dll

Filesize
28KB

MD5
17162657113e9d8d7c1763bfc0ec991d

SHA1
f2507d9d1516bbcfbe408186894474c592f141a3

SHA256
60d759405a83ec4bb64144ed61b0e9a704bfb3b74e8f956277df71a38b19fc9e

SHA512
450e90b4c8ee384994cd6f56677dcacff258eb12442af3fea3a977d7d00b943a1b1f6b12769d4a02aeadc4f4c3b82a06cf8a667ce6691ace5d479d1261a1a629

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
625060f019c3bb8f1d49a9b128e1e4e6

SHA1
0e22bd7e23fed0e856a09bfaf5ee105a3dd27edd

SHA256
6117fb49f06f4d8e7268de9e41862a940fd36600e23f670f3c77ec0adb27257b

SHA512
962910c5a438b0289eea0402a262b8b7920255a1dabafdcc477cbebcc36a1c31b69784947c794bf720e16c0798cd958616a763e67c42327a94f7e66daa63a07c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
258b52e60a1e353b6117917154c7b24d

SHA1
c109ef8d1382991b02fe953679bf3fed063e9e82

SHA256
2362d8f1e8f2c92e43659d73052f2a43dabf95121f852d6d04471710f2c7109c

SHA512
fdaf605922e728f87d7d916f75a83f78f4549dbb35f9d2e7717d369cd658075655a1b903e705b5cb609880033c080e4b3135902fcaba7a8a96c2904f05d53164

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
973e14a5557248bdc2cd3a5fa3540a77

SHA1
66818135e202fc53711053ceba04ecc8b9b28506

SHA256
0af05d8af74609c9436ed0dcd3df52f7ef3dea8b786c85376c57c0cf128b3045

SHA512
e8c271f52fee4f249c27c4c344b5ecbab796227aabeb36b0b7a7d82d5463bcaa707b1f8ea47b863f2d87b35fe9b361ae2e2b7d1c16a4eed0ce0d530e1e34b26a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
dd5aa26cf2d67f50540da8e552f792a7

SHA1
0b14b06a2beb63fde2c1bc86c49a5117287de2c7

SHA256
b11af70867ab588c412cb5d5cc36ec888e74a50f508eb31a28db559aa00f8a35

SHA512
9bc1d7965a66ddbe7dc3fefbf2eb445a0857f83a28b2b3e120de80b03b51e87e6acd20569f2b002bb7adc41cbfe147572306094d83c8ffceb44f7a8417d89e0b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
3cba4b52b099039d2fbed395a3bc7568

SHA1
1a5204510d2c02d02ce361c7a3295498a60efabe

SHA256
79d4684d4d365b2c89f16fa0522f66031a1037cb4ad2a33050ed97a1df825990

SHA512
6ea41e61e4fa8cbd73e693db860a84bb4c6389b0aa5aace965a9567f6c16ae23fd51c018c6d96a1c08500a3cfe6327cc4c9ca9aa6bf9ad0b2f0d0c71e8922e05

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
6543ba7290488f5e3f68675a598255fb

SHA1
7359895f909776c5f14f6e5ed0fa11cd50853cd5

SHA256
df016969fc3ae57abbe8fa9f811364cd84612af0e819284b4d1acce981f6c21e

SHA512
90f376c59d67d89bcd646895209c0fca92866f9866e1cee7a51745077ad05f730cea2624837baf1e5ba92365ff46955ece98938849b87ed7f89a92897949d0f1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_km.dll

Filesize
27KB

MD5
4d101ce3ce6be285845e8f8bae548097

SHA1
195f314bcbee9cc373136334b5089e855e71286c

SHA256
3f11a2020839f5993e6e3cb9b5e7c5c659753cfa49257d3ebc015da6a8ead94a

SHA512
c31214e9aacfe7056be1f7ca6399270e644acef060d208d805b59bc6635772592ae166b06d038e2eb74218c451ef0fdbb09dc7e2ef6d23b751cbd6ae935cdf6d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_kn.dll

Filesize
29KB

MD5
cd6084bee91407a5bb932cad81ca0636

SHA1
c9e56e6d15b413a8061ba38d05ff402b30688684

SHA256
01551c5de82d4d9b262735ecdc39fd6c4ea5a94acb9cb1dc4cea0e3bcfe7ee9f

SHA512
4d1cfa478050c87ff0c7d0b17ab7c23fc6bc400214b121bc86fc217b7b8b764c8109bdb15a3790822295556a7d8706aaeb8ff642b24d2fbd582b2ede61a76a7f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ko.dll

Filesize
23KB

MD5
e73046fc5427ed78ca02c7f50136efdc

SHA1
df58d20768edc25637ad8fa38f71d25a86633725

SHA256
49e0f43057c404a4ff5a2bc306f70c3728412b887e07870cdfd1f6eb3836ee88

SHA512
fce94d5a6b8f99a5af8f30314a0a7a5a3a557fefc630b907e5266c9f397bf6dd1a8211fa9d6535f75a0db7016ae20a3b295c4780383516d7a234225b798be584

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_kok.dll

Filesize
28KB

MD5
735d775e6772b5072227a3efc91d6f5d

SHA1
b302aecc725b87d3b0402be8d5b30c35084f2d81

SHA256
11c257e800ef3021c2d6147999f5192b28e48a0ff9d486be5e47c181744c15a1

SHA512
8dcd0e07b90ceb6d6f39af9077bd85eba46506791491eda63b05471a7f984c2d1b67cc1335f788682ade2124b32e8b5b436bf717f6b5e2de8276dddbdab3fd34

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_lb.dll

Filesize
30KB

MD5
8fc766f256ccd06f09106c10f9a20edb

SHA1
867c9da84a0e61a8b4787bd3618ed25aea80360b

SHA256
7cec1855457e12c2adcdc3790856f775fcac27bc4911258937f8b08ef0a0d1f8

SHA512
4f545d4914ab62743d2a0c6a461c03597d38b6a8ceff85b154629d2676f41b9cde7efe2e8131d2749321e56e7ac7d90e4f958917a989170bf505840bfba059d9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_lo.dll

Filesize
27KB

MD5
f59fdfea8b8be13fbf3ee855f0f840fc

SHA1
32743d1ccc6702bdcb8e4e1320c60ce3ae0c3a36

SHA256
ca296d434902c4146ad1828ab96679d937d8edb85adf0184de00732d86e49d08

SHA512
fbf31397247f434d67f1f02751a12ecce46253e43218dff701c86ef3990d8ec8cbe50dc94b32810ec665e42246277ca14846ecc77350d0fb4a706b5d03c1484c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_lt.dll

Filesize
28KB

MD5
f4bb4677d5baafb96c2489db597ef7ef

SHA1
ddb9566fa8f2206df5b2a6e71870b08a4ef3e418

SHA256
2a0e85a66fa811b55b5fda8dbb45b5db4ea01a32cfc927e22809ad5f3c8bebfd

SHA512
4beb5fa5ff8643622bb6c971a84f0af33328a98fc6caebc44f02d243c3aa5fb30f390dc65921fc1aabe7099b94a8c4e748c82543670053ff6d20a3c0a15a513c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_lv.dll

Filesize
29KB

MD5
f4d4b8ca1664b954595d872cd6ccccd7

SHA1
288231017312ede121141f94ba89051fb6f3c3f1

SHA256
ec7072699b9c3954d0eae183312d4041299a1f2cdccde2ed8de3fe96837745ed

SHA512
b1474c0c4e87f499d8f1b3a83b8b001c72a48656781e8c3df87cd0a5eb2a6d9fec5abdf56922eac3fade2df232322e804f315874d983fa256941d4e03ecb93d8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_mi.dll

Filesize
28KB

MD5
b112ac05613a1942f009db22c776170b

SHA1
3124e35610322ba8eec2779f4d4904a569e093ef

SHA256
9c1f34a7971ad37522136dfe3e9bb8c6939b69e9adc2ecea44ae495ade165419

SHA512
d47455653a9f1d69b0c63040eac6bbdbb8b3f72060862c1adc2bd589bbe20c04f25272e69324b0249a79eba4f089a3e68e787ee80a4d992df160597186d3ca89

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_mk.dll

Filesize
29KB

MD5
3824b848b8d27996e03b77e47d683ad5

SHA1
2112959b86d3699f7748120e9ce704a4b1d3d85d

SHA256
42ddac6cb468b4d938fac198019dfcf36b33bb8b370755425a6a5950d226878b

SHA512
cdfb37d6ffb0f344dbfb95af7cee8f0d7f420a1a98f934ced93ee0c349b1f2661e8331f4ea373a7bd535df89b783ec662935c9dec8f86c31c91bc6383af01028

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_ml.dll

Filesize
31KB

MD5
c48931cb10b1cc296f87e982d00f43bb

SHA1
c9a6574e4e31fdb73699561faac3608df9a846b3

SHA256
170cc518628e509b7121251e08894d2a865ac0ea1e4c96817938d677fb58f7bd

SHA512
05784711f1257fd0397eb324970d31c9807c6c2fadb084a89788dd33e73d7ea55d9cb96d42a2bf077db6720b8b5f330b113f035f82d1830d49de9296541962d8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU71FA.tmp\msedgeupdateres_mr.dll

Filesize
28KB

MD5
d3f6ab6ae235e87080e5b4fe3510b937

SHA1
06a4c82db747fdfac0c1114248e40fbd024a9bc2

SHA256
ee83dd12d5a99faf762e5ca10182a9e4ba04044b6c4d04d482de09959fd76a49

SHA512
f5a64838bf8abfe9af4b1a6a25570d8b092babe09ceecdc2b26e5fbbd5e8ffa3ba87c95376972c589d01d9ff7c566d31106ddc46424961ce8062fd2bdf8ba075

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
79KB

MD5
abc0f43edbca6017ae6bb30c4875170c

SHA1
e03e96b8043e5b9a0a18f9242eff7023d9671f45

SHA256
be1380067733cbc16b8216f0dbc9ea6c906da96a00cc86348a14cd2b35b1efe2

SHA512
5b84775c66e3d8b462e955e302ca73832d8be37a63f8712e9192ca067a92b3dee4ff78b80c9e8ca31f1fb34f3be2681e911c0dfeaf2c9882b9fd3e5374570065

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lojadwsr.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
aac8ee284470cf2cbb32ff534e69aa2e

SHA1
e3bee256dbade5c51a36e0db65b8685dd1706f7d

SHA256
8b878ef0796dda79253e13736ec885cc1eb2074a8683dca89f30e38a9d374872

SHA512
ffeaa0803398f32fbf6bd1bcb75de07c98ac6142f4471fdbab7d7ab011a259ad0c68455626455d25de4fc526c82b390abd93090f7f46fb896e7ee71d8b731669

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7H7WYLWV2JAINJ5P5UGS.temp

Filesize
21KB

MD5
7c8c48922c6f96ae867ef933ec66cedb

SHA1
bbe6347caf2438490f5bf500577720eda2db75ea

SHA256
56a7fcc4c1c5ae36374f701f71c4a1b300c9c0f43e6e201299644638c3780884

SHA512
dcc8fd4bde8968e1351da4a0604d9be50f6681d8de31b1f09385b8922049916a6d45a414bb02f47ccc250c0601839e71165e2c8ff07cfe1b1b26e8eacc34eed6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\AlternateServices.bin

Filesize
8KB

MD5
aed3107e904b4cb04bd9551a50181309

SHA1
d4a87a5e14ba4eaaabc2c0b42c64c267df0b8a04

SHA256
b99f65489d100577d9a89ce99e95c1b1716bfca3ab699941a8257be9dc12d50e

SHA512
a92a3011bf7337e10e06e47f4fea168f8e4a1802e9f3ffa660fb74fa2ddb5131cd119a27bfd5c0f1c6af99a4c7bc7f1e3860e0e8e0b0f82cb078f0501ee92d79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
04ddb63e41dcf3bce55a6aafa04cce2f

SHA1
c3d1a6a033bc1b2e9d4b92a4beeb0e4647f49e73

SHA256
cea15ac35868e7da6a4921774f07c4bbb8fd657b2d2f4a68ff9bd89d8984f0d1

SHA512
bc247ff2749e0d80f5b327c45a1c00e8b34461f58a7adc5caf9c68bfc5198e736f97fe2fa3bb25306b0ca1eeebd46f7e921cd5d248686993267f5bc0b86cedc8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
10f626d43a3b06b3f8c682651dc411b4

SHA1
31ff5177a7aecd44c6dff421f4d9a0f7806dabee

SHA256
9b8c1bd7b91df005ffed77859ffa517dac0e3c9804f98bcb4e19ba133ed30971

SHA512
d967bb8f3ee16259ad8972a1d143e24054de86bc03ad875394585a4465bf94070f95a14492158ff30378ad44bce9f483eda3cc73822dca7497a28d24bdfdfa7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
674a4ad1016eec23b8eedd828efa5f6c

SHA1
a19828931c903dd11ac89d83b165108f3093c4e6

SHA256
bd8347bdd5866671c07d7331f8ccf41bb50c463b4df4a1cb7fab72085ae2df05

SHA512
419802dc12071dac1ab046ad840510c5cc08b3ae2fb815ad18989a2dd8020498ca25ddcac0a280bd83e637a55a262eac2fde54af825f0c979f94248d9ae356ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ff9523b33c639d1ed47a728ba69ee785

SHA1
2bb498eccfe0e49943eb8ce6e50a629f3cda3f32

SHA256
58ad4c0d9fc8e8b7cb783d0299982f23ca00d35ac1ead8bfbb2a101dd8e2681c

SHA512
89edca4482404f71c7ec1aa8ad0df9ff10a03bd2d60c3c17eeacd728895e9134cc7f04891130c9ce063000c2f23b12189a70e54d3c890b0def00d35ba31b1afa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\datareporting\glean\pending_pings\0a3da06b-b6fd-4828-8c52-df4941139f37

Filesize
671B

MD5
5dd5d902669120c0472bace4734ea16c

SHA1
ad367e432e1a66caaae096fc52cf9f4f7d6824d3

SHA256
79668f191989c803ccc900147d6f6dde157327336784900ea241fe23d2ce4897

SHA512
d91f72dd02076d3fa4dfe11d6f2048bcdae37fdbcae3b4d802945235038b7056d2d4dde3311a0be983ad71601b42c6369f3bf599bc2bf4faab1ec9ed343a983e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\datareporting\glean\pending_pings\8840e8e1-bebf-4dfd-ac85-2d205b4282d8

Filesize
982B

MD5
1b6245bba3aac0325811168dc7ddf6db

SHA1
1376f647b379bad3f5da5f86706c543a95ebe54f

SHA256
f52f6252a34695e6a5b414ab83aa44a97f3efcc02ff0cdc6833cfd1798274435

SHA512
be252855b6a682528ba6f8dad8f4f81cc5fd57f8ea154fa5db7cb8e8f5c23655f0cd594f23e8ba179619f1446dbe2882797925a383cb805e00319c452006d59c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\datareporting\glean\pending_pings\9bc8756c-93f4-44d2-8357-004c591a57d9

Filesize
24KB

MD5
0215c86f63cded34446abdbac38ba668

SHA1
8cdec9d46c04fdc5b006338132bdd8909ae97361

SHA256
7ebc07b8ec3085306fb69f5a46dd941b5e24dde796fe32b91c234e2f6965dd5f

SHA512
422a8c3faa35c6f2dc3ab7382f61ca98846a3521e1f80a4d440eccfbeb147764e93f4cd0df6ad6b15117f66dcbeea9203ceeb192e6e24f33c2743077deacc902

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\prefs-1.js

Filesize
11KB

MD5
37c4ef05377d8ddfc01112bda29c2b9f

SHA1
1d593b82914bbe5b41ba3e19ca9e84f80c4dacfe

SHA256
a1cb10f6d4f6aa77f2cfd6143b5cdda3500405b80fda62b703cda7e1d1b08ebe

SHA512
5007ee61ac9d86dc52ad70385f817e84d28c46b5c924c4cded8d7bc5ccb1108fb0eafa1a5330f374ae45bbcb2971b190210f3549bf135e164dd278a52dab4aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\prefs-1.js

Filesize
10KB

MD5
20f3a8b22d5344917151006fa59934ef

SHA1
335e0a43686ecbd739e54bb66fb0979339a27d51

SHA256
4c21e46526b5451fa4c7d87f8fb9f04bf7d77c291d248463a29c1bd50babe9de

SHA512
60ba9155d7e16aa822955b05ae60223f679c9e061a964a2b3384272c3ef1b93eacae46f7b3260b9c88459f5f4e7769abbab0cdf4245a8add7bf51be34ce85be0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\prefs-1.js

Filesize
9KB

MD5
2401b5d1a981bf7eb9ceef0289d0c832

SHA1
1b9c63609d9ee03edbd7072f8ddad368d3c860fa

SHA256
26159a6ca740ea18f29bfa69e32e68bca8c9fb05718b40117b9b1cdb231543df

SHA512
a82d7085358a14e6c017d20fc1978900c8b8281ca829a42e28d3853b16d8afc9279cca652fe01ed1629665287b6b0a3dfae5154170943790ce9fee263cbc744a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\prefs.js

Filesize
9KB

MD5
5127473fcb372140e25eb65884f84de9

SHA1
9001e192e20ae48bf14442502d4af9e0d6df0148

SHA256
fbf2228ce580703cbd2bc7a6d058ac6d62539978416f79bae47ed4edf6d1b9ec

SHA512
e12fd5f58da34617f09b5ade832bb3d40ade6d4e59cb00d4b085470e6eee8d3dbeab4e0adece39d679bab7453a3dfc00c1915378badc52010fee4c499ed0798b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
a909138492527a7d8d019258d68569b1

SHA1
78f173cc4a06d69c04987031668f691228ce54ac

SHA256
cd6630bfc82be75a01fc0e3afbc3ebd62dc363fd454e514f82d327a65720b66d

SHA512
5a589ff9f7cddb6bca64dd60236026de685bc891675b79fed1ccfe36fbca40290a2447679bd3942ba7b9ea7a2dc06d46e5fca56ca8c9260e7d1a44af42c3d959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
4c64503c73700207da7da92145b3e524

SHA1
2d34a9136ed062a81102e8b7109889773f916c60

SHA256
3a06e475c88b1851e7f63f8b32966cfa916bda13ff8bed47181f02213be37882

SHA512
6b2326da360a0efba005b81c93f5f9908ba6634c7bdfafe88507510efbace293afa53d0ea6aebf8a7d40a6dc27b171d178d25ea8e88a7822e824d89a53536aa5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
7c4119ab546fd39672fd5ce1f4378177

SHA1
7edc5de29d276e63ffe2749153c6952f88770fa3

SHA256
b2d10546e541b1e4bac4f97c4e2c8dff4ab72ba2bfa4c1ca6b8d40811df82502

SHA512
8e2f51dd48cb30a66c855722b3680f43ab674155a290a6768bc9d723cd7ebf704ff800e7a00bec01dba3a29097874c7308fba40291f279443e5356c04dea4c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
32bebe31552a35e91a3cb0f0213bd15a

SHA1
a2bda1d50b1dbefea63e8b3d64a4977732196f1a

SHA256
5daf0a367776f774520e0f8ab7abdc2b4e67103893d5ca64b07f1e306845d608

SHA512
8baa317125d596e1b453e513911b820faf7711b3142e4040984fde4076c489c8f83696f014df7609b529ccc53666a394512dca1b1b1b4a13090f7ce278dfcd65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f5e320bdcc182591a750905c11fd980d

SHA1
9783f47bfa89c7259ff6d226da8030b82d5cbf5a

SHA256
15b823773a555e732992c2fb1bd970160cd09a0213375f0518887a4fc390c70c

SHA512
70ad96bd0cf552a74fced25ba60f52f1b8002cca75981018bf3aecfd556a634d598943eb26713840f38983da85c271310ef5d97a5088357000d4137db3492b8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
fb5f7e7ef1ff67d44bc8eb5c392fd124

SHA1
50ff678c6bd643f773f51d0fb38f9c9718d646cf

SHA256
f50d7e6ba77ab42e4e7d5d004f999767f6957d6b4901c8d62fea7ae49f1e21ed

SHA512
b1cfb2a7e7d630f6d206c4b6d77a28bc31d2568efca4b59d3ce0bd7a13ad82ac30e9073c21733ecf315e80791c0a6807e6982492311b69ba6d7edaa6a008fd24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lojadwsr.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
ce833ed475bb6d99a23f7727574e130a

SHA1
ee052c3d551c1a9b88953f4db6d6597d8ce5dc3b

SHA256
01d41ab577493f8126bdc60885a424e3d8fd4c7397e0ad1de28230b255739cd7

SHA512
246b549a452aef0205d07661274b3a8489e314dc2123f63916d9f0607a998a7306c73145c6eb4a027f3908eec700d52f955a5cb1e195892b08f593e3af489f53

Download Submit
C:\Users\Admin\Downloads\Xeno-1.oedzWTPt.0.9-Release.zip.part

Filesize
40.6MB

MD5
9184c45367ca5c576afe96030a3d4035

SHA1
0adba18f2749e2cce5470bbda647c31c8068c174

SHA256
25edd3195a946c7c6005a1688abdfb2a6ae660a183073af06cd1dc6b4dc708b2

SHA512
5723609a64676adcfd0ab9013f1f93fb3524527668fc6c6e298c9982c328fb95ec80807725ad6043fa3cc8e43399d0904b36e6ae722127d234d7d3f715d0bdf7

Download Submit
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
ea7d96ce2531a523285e921dec20cfe1

SHA1
26380d54df6f0b4d15a996060f2c6bbe50eafdfc

SHA256
0c1b0e3deb6880f79412c9ee7e529939a01770e9376d30c48a1638580b1455cb

SHA512
e535b57aa4cc54cc2422dbe5496930d43b12e2afb249b80022f7374f802a1c002dad266bad1fd781c77adbecde68a6bfca98a098a092915e9f4865b720834a26

Download Submit
memory/1524-1009-0x0000000000EE0000-0x0000000000F15000-memory.dmp

Filesize
212KB

Download
memory/1524-1056-0x0000000074710000-0x0000000074936000-memory.dmp

Filesize
2.1MB

Download
memory/1524-1071-0x0000000000EE0000-0x0000000000F15000-memory.dmp

Filesize
212KB

Download
memory/1524-1010-0x0000000074710000-0x0000000074936000-memory.dmp

Filesize
2.1MB

Download
memory/5356-1093-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1087-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1086-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1085-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1097-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1096-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1095-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1094-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1092-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download
memory/5356-1091-0x000002396CE80000-0x000002396CE81000-memory.dmp

Filesize
4KB

Download