Malware Analysis Report

2024-08-06 18:18

Sample ID 240530-c591hace44
Target wavepublicbeta.exe
SHA256 de2c417b12a1868844093165b3f764e4c244d67097c16e658e7e7837889b4373
Tags xenorat rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 de2c417b12a1868844093165b3f764e4c244d67097c16e658e7e7837889b4373

Threat Level: Known bad

The file wavepublicbeta.exe was found to be: Known bad.

Malicious Activity Summary

xenorat rat trojan

XenorRat

Xenorat family

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-05-30 02:40

Signatures

Xenorat family

xenorat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-30 02:40
Reported 2024-05-30 02:43
Platform win10-20240404-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wavepublicbeta.exe"

Signatures

XenorRat

trojan rat xenorat

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wavepublicbeta.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wavepublicbeta.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wavepublicbeta.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2784 wrote to memory of 3984 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3984 wrote to memory of 2396 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3984 wrote to memory of 484 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3984 wrote to memory of 1688 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\wavepublicbeta.exe

"C:\Users\Admin\AppData\Local\Temp\wavepublicbeta.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.0.153246496\739819434" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1902e6c-1847-4262-8c85-d91897283851} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 1760 2337fc05658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.1.1988010980\996376036" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa34ada-d60c-4608-9cea-a93d75bf2ecd} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 2116 2337e63f158 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.2.1779161057\1893823732" -childID 1 -isForBrowser -prefsHandle 2636 -prefMapHandle 2740 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbf8c78f-e14f-40af-815a-d44d45eb1deb} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 2944 2330c496258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.3.200189947\2062920680" -childID 2 -isForBrowser -prefsHandle 3388 -prefMapHandle 3384 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9e8d931-f4ae-4948-9fe8-f2dd56862975} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 3400 23375e69658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.4.96412497\315112256" -childID 3 -isForBrowser -prefsHandle 4436 -prefMapHandle 4432 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b19af26-d9fc-4a7a-84b9-2cfdfb3e6845} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 4448 2330e224e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.5.1178752016\1872602243" -childID 4 -isForBrowser -prefsHandle 4932 -prefMapHandle 4928 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {609bb069-bd68-47ae-89e2-8885254c26c8} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 4940 2330e589958 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.6.2017594752\874604100" -childID 5 -isForBrowser -prefsHandle 3608 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcae9bd6-d97d-4e8a-9e11-a0a85d72edb3} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 4956 2330e589658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.7.482039004\581236093" -childID 6 -isForBrowser -prefsHandle 5164 -prefMapHandle 5168 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ca371c8-e238-4b34-b980-70f998897db2} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 5156 2330e589f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3984.8.1245781838\2130296915" -childID 7 -isForBrowser -prefsHandle 5512 -prefMapHandle 2952 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1080 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9cdac03-df20-4535-b5f5-32304ee82100} 3984 "\\.\pipe\gecko-crash-server-pipe.3984" 5528 2330b121658 tab

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2ADF.tmp" /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 david-login.gl.at.ply.gg udp
US 147.185.221.19:54479 david-login.gl.at.ply.gg tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:54479 david-login.gl.at.ply.gg tcp
N/A 127.0.0.1:49776 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.117.188.166:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 44.230.111.112:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 166.188.117.34.in-addr.arpa udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 44.237.98.207:443 shavar.services.mozilla.com tcp
US 34.117.188.166:443 contile.services.mozilla.com udp
N/A 127.0.0.1:49782 tcp
US 8.8.8.8:53 207.98.237.44.in-addr.arpa udp
US 8.8.8.8:53 112.111.230.44.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 147.185.221.19:54479 david-login.gl.at.ply.gg tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 147.185.221.19:54479 david-login.gl.at.ply.gg tcp

Files

memory/4180-0-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

memory/4180-1-0x00000000006E0000-0x00000000006F2000-memory.dmp

memory/4180-2-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/4180-3-0x0000000005A90000-0x0000000005AF6000-memory.dmp

memory/4180-4-0x0000000073D6E000-0x0000000073D6F000-memory.dmp

memory/4180-5-0x0000000073D60000-0x000000007444E000-memory.dmp

memory/4180-6-0x0000000005460000-0x0000000005472000-memory.dmp

memory/4180-7-0x0000000005490000-0x000000000549A000-memory.dmp

memory/4180-8-0x0000000006A40000-0x0000000006F3E000-memory.dmp

memory/4180-9-0x00000000060C0000-0x0000000006152000-memory.dmp

memory/4180-10-0x0000000005880000-0x000000000588A000-memory.dmp

memory/4180-11-0x0000000005A40000-0x0000000005A4A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\ae621759-fd96-4088-b64b-12ed88cb8d96


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4


C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4


memory/4180-211-0x0000000005A60000-0x0000000005A68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2ADF.tmp
