Analysis Overview
SHA256
590e4e7e66f6f8e4d0838420cdba4ea3d756e644b77c433c1822a04ef455c4f9
Threat Level: Known bad
The file Xeno.exe was found to be: Known bad.
Malicious Activity Summary
XenorRat
Xenorat family
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
NTFS ADS
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-22 02:49
Signatures
Xenorat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-22 02:49
Reported
2024-03-22 02:52
Platform
win10-20240214-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
XenorRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | 4.tcp.us-cal-1.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Xeno.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "svchost.exe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9D69.tmp" /F
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query /v /fo csv
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /delete /tn "\svchost.exe" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\Xeno.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
Network
Files