Malware Analysis Report

2024-10-19 07:53

Sample ID 240322-dbe4psfe64
Target Xeno.exe
SHA256 590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9
Tags
xenorat rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9

Threat Level: Known bad

The file Xeno.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Xenorat family

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

NTFS ADS

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-22 02:49

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-22 02:49

Reported

2024-03-22 02:52

Platform

win10-20240214-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"

Signatures

XenorRat

trojan rat xenorat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (16 identical entries)
N/A 4.tcp.us-cal-1.ngrok.io N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\Downloads\Xeno.zip:Zone.Identifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe N/A (64 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (3 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\Xeno.exe C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe (3 identical entries)
PID 4312 wrote to memory of 4732 N/A C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe C:\Windows\SysWOW64\schtasks.exe (3 identical entries)
PID 2088 wrote to memory of 4844 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (11 identical entries)
PID 4844 wrote to memory of 4120 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (2 identical entries)
PID 4844 wrote to memory of 8 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe (45 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Xeno.exe

"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe

"C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D69.tmp" /F

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.0.722155386\351557254" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee212f15-d933-4b6b-92ea-596a681999e5} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 1780 17f684d9858 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.1.382530479\1948588739" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc925a74-4d55-4517-9176-5d855d313901} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2136 17f67e30858 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.2.1898821822\911982855" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2952 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bff982eb-bcf1-4fa7-a0b4-d804ba47d4bf} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2804 17f6c49d158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.3.854567232\802880332" -childID 2 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5db6454e-a4d1-48a6-9687-0cd1b5c43141} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3436 17f6c584558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.4.77895738\508684408" -childID 3 -isForBrowser -prefsHandle 4324 -prefMapHandle 3568 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e613e0a2-e57e-44ea-a06d-04451117f935} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4336 17f6e2dda58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.5.170163250\1905262631" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4756 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fbe1cfb-3ff0-4619-85ba-78bcee1ed22e} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4780 17f6e2dfb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.6.1305677246\1412768607" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {512826a2-f9af-42c0-8237-eb75fbe47eb6} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4912 17f6e696758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.7.1904097089\770018109" -childID 6 -isForBrowser -prefsHandle 4800 -prefMapHandle 4780 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a946583d-4bd8-4d45-9ff1-02537432084b} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5116 17f6e698558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.8.183951979\269659101" -childID 7 -isForBrowser -prefsHandle 5640 -prefMapHandle 5148 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3308626f-1722-4c84-9c26-a78ee49e0207} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5360 17f7084bb58 tab

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x410

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.9.1817828059\821772697" -childID 8 -isForBrowser -prefsHandle 4328 -prefMapHandle 4416 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b061f79-3464-4b94-972e-452971560eb2} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3856 17f6c41b058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.10.1622674243\809256760" -childID 9 -isForBrowser -prefsHandle 5164 -prefMapHandle 5316 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86053091-e28d-44c2-84ec-fa78c2b827f9} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5188 17f7039b758 tab

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /query /v /fo csv

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /delete /tn "\svchost.exe" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.11.454763800\350193782" -parentBuildID 20221007134813 -prefsHandle 4968 -prefMapHandle 4984 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dcb996b9-91fd-4bd1-841e-28a9c1e869a6} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5564 17f6e2dd758 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.12.2041912934\2100494657" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5012 -prefMapHandle 5084 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80224598-3f14-4f18-bed2-ea5faa066de7} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5240 17f6e2dda58 utility

Network


Files

memory/2520-0-0x0000000000CF0000-0x0000000000D02000-memory.dmp

memory/2520-1-0x0000000073620000-0x0000000073D0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe

MD5 b9ff857cd3e61769787d6c21b45bcc6c
SHA1 92aea3ec2bf2ca4f7127ef8581e1a79059774489
SHA256 590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9
SHA512 d87caa6133e50141458d30915f400592f0b1e20b75457c51d2c8929987fd6cce1dc7ba4539fa5efcb18f7b5510b72273a0c7c076b4a991c3539aa5bbc46bdb0b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xeno.exe.log

MD5 957779c42144282d8cd83192b8fbc7cf
SHA1 de83d08d2cca06b9ff3d1ef239d6b60b705d25fe
SHA256 0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51
SHA512 f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

memory/4312-10-0x0000000073620000-0x0000000073D0E000-memory.dmp

memory/2520-9-0x0000000073620000-0x0000000073D0E000-memory.dmp

memory/4312-11-0x00000000052A0000-0x00000000052B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9D69.tmp

MD5 c19b33268e74b9dfb678ebbe128db491
SHA1 49dd45693580c198a87ba06464c362c7c993907b
SHA256 8ad22e22ad7494702655cea50b2228b602ed223c844148e2780610bb4bdba435
SHA512 baf521387a499412d8283f8733ced0e05aeab7e7a66e58c0110d857bfd07d68748e7805098e131fad954eb58761688dffd0c36359115d460155287ebb5ebb3e6

memory/4312-14-0x0000000005C00000-0x0000000005C66000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\datareporting\glean\pending_pings\ca8e8edc-ff28-4c6b-8554-adb88be47f21

MD5 4105ca5cb469540620af20bc7a5a3c73
SHA1 998ecfb3291de2b8c23b5c4afac4e86b50c85da5
SHA256 7427f7e0f09d49cd9e4faf261a91c524f166a3efb0d2ec5c54e0695e076cb9e3
SHA512 f5f9540d5683a3a2b2454d75736463fe112a7da36d38398d558fbec5e196f915d189c2a38e8e0d2601000065ff297408b6f07c21c9281b89daf1a284a616fdf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\datareporting\glean\db\data.safe.bin

MD5 3e177bc04612eb65b1bf0ede03124dde
SHA1 faee6aac72683d77fc342dd8a972ec5f3c5a83e6
SHA256 a42330a44fe38ee87006d683a98b43c6fd121914e0a7719ea9452162cc812b37
SHA512 07be77bf5d30e61071446e70467ff05610142e4ea21be2143ec75a94384b86a6c15ff9aeb61bb1d139bab3bf6c044f97ad0ab84e69d51f06e08075840f61d089

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 299f2a86bbdb81adc46f4eb19063412b
SHA1 1680f0fd49ab94009def260a85e2399e9d88b00a
SHA256 aa171fd5f10dc2335282991d01246afd9dc78ad9106b5b45ecff24fd36102dd2
SHA512 a9d831b5512b0d29be447a1e934f42901401ed45ebfb29a4b353f630ebe3346690ff34e375348787cef8e5ca7575e6a628ffc18a143e3e86ebd3462495660dab

memory/4312-84-0x0000000073620000-0x0000000073D0E000-memory.dmp

memory/4312-144-0x00000000052A0000-0x00000000052B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

MD5 c92460c5dfd796f54dd18b8e6f32630f
SHA1 c80fd73e3b8984be0f74fdc83ac417245be890cc
SHA256 81d7f273ec236db6777d9dab314a6d033867f3b224d0bfe517e647c54a399464
SHA512 203815dd510f3c4b57b55987a6fefb7d85e25c2d71449cb2062ac0567375a26d584b8cac1a1d0acd147f0f68223ac59b13c93bc2162e09c47f2949805a057257

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\prefs-1.js

MD5 6e2389bdf6e61f49d93ef4c1379a387e
SHA1 36b8801dffd8aa47c87a975753a27741da5d3902
SHA256 5190e03c8571322300336f3d3aa49a38e42e2df14e48df9e94647d88b97a2136
SHA512 d9fd3aa8fcb7316ce7b17c9a8e86f71e7a206df61fba47b1600d8fb76de23c47db11e26add8b646cab4ff7835b4fc299aa2d20d15b79bc4ca4beef2b6eaad68c

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yq8h7er1.default-release\cache2\doomed\13418

MD5 bb2ac1df9bb9e98fbacbdfb1d613cea5
SHA1 9fc9c7922a1a867e75ee0b82da5a618a2fca7da1
SHA256 ee44f062654a208f025356c0fb28b8470cad06a917327dac8fc0a94fc3a3e4e8
SHA512 13eda88193c59bf44906ca655e48f8c3ab0ccaff76dc9f0191aad01b662dbaeea6708e9efc91d920dd994c5a981cfcf1406ab570a3042166f517fe9b9976f3d6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

MD5 fa10ff64de8a6b5951076de92c2e8447
SHA1 2cd16898d62c8da56739d98949098b91abf18e30
SHA256 62519332ffdc48ae23d07a5872cc903a3a162a7e25ec9d9858d9020610a2ef4d
SHA512 d40aff5e4b783014dfe3b9cc9b33e9fadb8b8bca213be0dda7783938f4ee599097e1149ff71056948c9e5c171b99ab9c9ef6c1aa6625edc550b002ab39cdb93d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yq8h7er1.default-release\cache2\doomed\19830

MD5 e0e968a22a3c25468a815b496878503c
SHA1 fca55359bf0417b88aaaf7b9a4c7f48deadb9183
SHA256 079c06e1ae241341d9f3e92c81f5d4300237344084ceb413fabc66b90a3950fd
SHA512 25ad8209cc4154d5f88a174c542272baa217a859eb2b249e8d68ae627703ed6810d6eac989bb437b53f216a0ec084f78df33bbe199479877c4125b328eb2e305

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\prefs-1.js

MD5 f2d61f9c5694458cf9e86775619b27be
SHA1 e4bade3a52d59a63671d7de79f9d1d6dd345e2a3
SHA256 57c215802f500df4d689eed783499aa424a2cd358913f40326d87bde65baaad1
SHA512 cbcb14a796dcef464b8e165758d5c5ffb69b9272554ec29b1d632d0a39921cf6f7490a9d4f3fa7d6795ba907bcee83050a4534ca55a1b0c25f720e138678b64d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

MD5 bb0e3dbeb58c0456670362868f790973
SHA1 0a5a63f4100239933e5647b5b30f6c74e7c63771
SHA256 881502225a7f0b5cbde96c6a992468efc32021f0a3837f97e3b2db9d6e3ea9ae
SHA512 4b3ce8004cb863de3739dc9a169038b27cab0f063d5f5c5ba3b00abdc95b92d6b0c0c2dcd188c2c694c3c3bc3ea3f4feab91cd2dae5fb09a304cf1c5272a4024

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

MD5 8eec369c7cc77489b3ee4d41b462f817
SHA1 7f2d3222dba99e5152b4838d3a0ba832c672af11
SHA256 ea096ac73e5ac7b57a957af5bcffa10f0fa56caa210ea03c8c059c52a842bc47
SHA512 1831bb8c1af6651ef8dfdfaaf10bcd97b8206ac6a8e3a850292a77292033ad5e1120b5efd87d2b784f4f7a8edd4973cbe255a47b2f82fc97917b866d3156b8ce

memory/4312-467-0x0000000073620000-0x0000000073D0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

MD5 94a3e06ac5db1c7a29e3ac675e47cecd
SHA1 96e86b0e5a233deaadcdec5d962767dc8e25d5bf
SHA256 e81277ab4e2d3bdc075caa9649d70b9be68b50e268fee7c1de4ab9f37a81306e
SHA512 99d5b8f30c1555d63d3c3d2c5fae22418344c934707239577de8bd7757d9838cc52f029784970028c10a6d6c61987085b6394dbd7792fb91ae21550be0bb5714

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yq8h7er1.default-release\jumpListCache\auFXDdxedXF8QTyoQmMaSg==.ico

MD5 6e62ae713951b6193d202ddc3d2152cf
SHA1 abf75bd80bd84ed39792adf69dddb5a8b3b84bb4
SHA256 e5dc5320473de19e5255f32d0f9f352fcc23a03c254e82511999deac249d91cd
SHA512 8dff4541bb496449c0c0e93a1c60108dff8e8f7cea437b8027ce51bc22881a687597c511df4c32cabdd1c165aeb46b89c410e58563e18c449e84eddbbfa8725b

C:\Users\Admin\Downloads\uKNPG2T9.zip.part

MD5 a877d6845cee78ea9f130e4450780920
SHA1 009c5c2641748ce2c5d20410300c3cecf86e451b
SHA256 7dfeea625f42a6066c5fcd5cfc514b7b6dd59022466569c07dba8ee316ce3c0b
SHA512 b034f5889c410bef8c4e176d8e04cd64c3e1ffbba2bac1ce451b4967b8527a0d127eba1ecd1ab0adef90ac01c5e493b6c0e210e9d9e2d5c2acb072aac664182e