Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-1703_x64
- resource: win10-20240214-en
- resource tags: arch:x64, arch:x86, image:win10-20240214-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 22-03-2024 02:49
General
- Target: Xeno.exe
- Size: 46KB
- MD5: b9ff857cd3e61769787d6c21b45bcc6c
- SHA1: 92aea3ec2bf2ca4f7127ef8581e1a79059774489
- SHA256: 590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9
- SHA512: d87caa6133e50141458d30915f400592f0b1e20b75457c51d2c8929987fd6cce1dc7ba4539fa5efcb18f7b5510b72273a0c7c076b4a991c3539aa5bbc46bdb0b
- SSDEEP: 768:QdhO/poiiUcjlJInWIH9Xqk5nWEZ5SbTDazHI7CPW5I:Cw+jjgn3H9XqcnW85SbTaHIQ
Malware Config
Extracted
xenorat
4.tcp.us-cal-1.ngrok.io
857928375
- delay: 5000
- install_path: appdata
- port: 14628
- startup_name: svchost.exe
Signatures
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  4312 | Xeno.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs
  Processes:
  flow | ioc
  134 | discord.com
  162 | discord.com
  179 | discord.com
  177 | discord.com
  125 | discord.com
  127 | discord.com
  155 | discord.com
  35 | discord.com
  90 | discord.com
  1 | 4.tcp.us-cal-1.ngrok.io
  30 | discord.com
  33 | discord.com
  133 | discord.com
  170 | discord.com
  34 | discord.com
  84 | discord.com
  126 | discord.com
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry 2 TTPs 5 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class 1 IoCs
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings | firefox.exe
- NTFS ADS 1 IoCs
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\Downloads\Xeno.zip:Zone.Identifier | firefox.exe
- Suspicious behavior: EnumeratesProcesses 64 IoCs
  Processes:
  pid | process
  4312 | Xeno.exe
- Suspicious use of AdjustPrivilegeToken 9 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4844 | firefox.exe
  Token: SeDebugPrivilege | 4844 | firefox.exe
  Token: SeDebugPrivilege | 4312 | Xeno.exe
  Token: 33 | 3568 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3568 | AUDIODG.EXE
  Token: SeDebugPrivilege | 4844 | firefox.exe
  Token: SeDebugPrivilege | 4844 | firefox.exe
  Token: SeDebugPrivilege | 4844 | firefox.exe
  Token: SeDebugPrivilege | 4844 | firefox.exe
- Suspicious use of FindShellTrayWindow 4 IoCs
  Processes:
  pid | process
  4844 | firefox.exe
- Suspicious use of SendNotifyMessage 3 IoCs
  Processes:
  pid | process
  4844 | firefox.exe
- Suspicious use of SetWindowsHookEx 13 IoCs
  Processes:
  pid | process
  4844 | firefox.exe
- Suspicious use of WriteProcessMemory 64 IoCs
  Processes:
  description | pid | process | target process
  PID 2520 wrote to memory of 4312 | 2520 | Xeno.exe | Xeno.exe
  PID 4312 wrote to memory of 4732 | 4312 | Xeno.exe | schtasks.exe
  PID 2088 wrote to memory of 4844 | 2088 | firefox.exe | firefox.exe
  PID 4844 wrote to memory of 4120 | 4844 | firefox.exe | firefox.exe
  PID 4844 wrote to memory of 8 | 4844 | firefox.exe | firefox.exe
- Uses Task Scheduler COM API 1 TTPs
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Xeno.exe
  "C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
  PID:2520
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"
    PID:4312
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D69.tmp" /F
      PID:4732
      Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /query /v /fo csv
      PID:5656
    - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /delete /tn "\svchost.exe" /f
      PID:5692
    - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"
      PID:5752
      - C:\Windows\SysWOW64\choice.exe
        choice /C Y /N /D Y /T 3
        PID:5796
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:3628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID:2088
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID:4844
    Signatures: Checks processor information in registry; Modifies registry class; NTFS ADS; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.0.722155386\351557254" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee212f15-d933-4b6b-92ea-596a681999e5} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 1780 17f684d9858 gpu
      PID:4120
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.1.382530479\1948588739" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc925a74-4d55-4517-9176-5d855d313901} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2136 17f67e30858 socket
      PID:8
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.2.1898821822\911982855" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2952 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bff982eb-bcf1-4fa7-a0b4-d804ba47d4bf} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2804 17f6c49d158 tab
      PID:2072
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.3.854567232\802880332" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5db6454e-a4d1-48a6-9687-0cd1b5c43141} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3436 17f6c584558 tab
      PID:4708
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.4.77895738\508684408" -childID 3 -isForBrowser -prefsHandle 4324 -prefMapHandle 3568 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e613e0a2-e57e-44ea-a06d-04451117f935} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4336 17f6e2dda58 tab
      PID:3372
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.5.170163250\1905262631" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4756 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fbe1cfb-3ff0-4619-85ba-78bcee1ed22e} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4780 17f6e2dfb58 tab
      PID:2120
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.6.1305677246\1412768607" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {512826a2-f9af-42c0-8237-eb75fbe47eb6} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4912 17f6e696758 tab
      PID:3192
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.7.1904097089\770018109" -childID 6 -isForBrowser -prefsHandle 4800 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a946583d-4bd8-4d45-9ff1-02537432084b} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5116 17f6e698558 tab
      PID:4928
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.8.183951979\269659101" -childID 7 -isForBrowser -prefsHandle 5640 -prefMapHandle 5148 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3308626f-1722-4c84-9c26-a78ee49e0207} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5360 17f7084bb58 tab
      PID:2732
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.9.1817828059\821772697" -childID 8 -isForBrowser -prefsHandle 4328 -prefMapHandle 4416 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b061f79-3464-4b94-972e-452971560eb2} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3856 17f6c41b058 tab
      PID:208
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.10.1622674243\809256760" -childID 9 -isForBrowser -prefsHandle 5164 -prefMapHandle 5316 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86053091-e28d-44c2-84ec-fa78c2b827f9} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5188 17f7039b758 tab
      PID:5472
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.11.454763800\350193782" -parentBuildID 20221007134813 -prefsHandle 4968 -prefMapHandle 4984 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb996b9-91fd-4bd1-841e-28a9c1e869a6} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5564 17f6e2dd758 rdd
      PID:5912
    - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.12.2041912934\2100494657" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5012 -prefMapHandle 5084 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80224598-3f14-4f18-bed2-ea5faa066de7} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5240 17f6e2dda58 utility
      PID:5920
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x410
  PID:3568
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads