vidar | hxxps://github[.]com/codeme-hue/xeno-executor

Analysis

max time kernel
93s
max time network
95s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-02-2025 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/codeme-hue/xeno-executor

Score

10^/10

vidar discovery stealer

Malware Config

Extracted

Family

vidar

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Signatures

Detect Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/5744-1945-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7
behavioral1/memory/5744-1953-0x0000000000400000-0x0000000000422000-memory.dmp	family_vidar_v7

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4852 created 3624	4852	Xeno.exe	57

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

Executes dropped EXE 1 IoCs

pid	Process
4852	Xeno.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
67	camo.githubusercontent.com
69	camo.githubusercontent.com
74	raw.githubusercontent.com
97	camo.githubusercontent.com
98	camo.githubusercontent.com
66	camo.githubusercontent.com
68	camo.githubusercontent.com
73	raw.githubusercontent.com
75	raw.githubusercontent.com
76	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 5744	4852	Xeno.exe	107

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xeno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2580446533-3148764140-1073334258-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Xeno.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4852	Xeno.exe
4852	Xeno.exe
4852	Xeno.exe
4852	Xeno.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	832	firefox.exe
Token: SeDebugPrivilege	832	firefox.exe
Token: SeDebugPrivilege	832	firefox.exe
Token: SeRestorePrivilege	3392	7zG.exe
Token: 35	3392	7zG.exe
Token: SeSecurityPrivilege	3392	7zG.exe
Token: SeSecurityPrivilege	3392	7zG.exe
Token: SeDebugPrivilege	4852	Xeno.exe
Token: SeDebugPrivilege	4852	Xeno.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
3392	7zG.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 3620 wrote to memory of 832	3620	firefox.exe	85
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4824	832	firefox.exe	86
PID 832 wrote to memory of 4444	832	firefox.exe	87
PID 832 wrote to memory of 4444	832	firefox.exe	87
PID 832 wrote to memory of 4444	832	firefox.exe	87
PID 832 wrote to memory of 4444	832	firefox.exe	87
PID 832 wrote to memory of 4444	832	firefox.exe	87
PID 832 wrote to memory of 4444	832	firefox.exe	87
PID 832 wrote to memory of 4444	832	firefox.exe	87
PID 832 wrote to memory of 4444	832	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3624
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/codeme-hue/xeno-executor"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/codeme-hue/xeno-executor
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 27205 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a74b356-2f9c-4faf-8b27-784ee40adc40} 832 "\\.\pipe\gecko-crash-server-pipe.832" gpu
      4⤵
      PID:4824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2208 -parentBuildID 20240401114208 -prefsHandle 2400 -prefMapHandle 2396 -prefsLen 28125 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e2c6314-f4d0-4b16-99af-934b12b2c53e} 832 "\\.\pipe\gecko-crash-server-pipe.832" socket
      4⤵
      PID:4444
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3232 -childID 1 -isForBrowser -prefsHandle 3212 -prefMapHandle 3056 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {054e94b1-5c31-4db5-9e10-68b5b474a7cf} 832 "\\.\pipe\gecko-crash-server-pipe.832" tab
      4⤵
      PID:1508
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3208 -prefsLen 32615 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c17b294-a665-4c2e-aafd-5d688431cfba} 832 "\\.\pipe\gecko-crash-server-pipe.832" tab
      4⤵
      PID:1716
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4756 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4836 -prefMapHandle 4832 -prefsLen 32615 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9df29961-cd3a-4a96-8d8f-5c6809ffdd53} 832 "\\.\pipe\gecko-crash-server-pipe.832" utility
      4⤵
      Checks processor information in registry
      PID:4008
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 3 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e49552b-3cea-46de-8d97-efdfdedb885b} 832 "\\.\pipe\gecko-crash-server-pipe.832" tab
      4⤵
      PID:4776
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f9418b2-f323-4016-b067-b19fd952b5f6} 832 "\\.\pipe\gecko-crash-server-pipe.832" tab
      4⤵
      PID:3516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 5 -isForBrowser -prefsHandle 5928 -prefMapHandle 5924 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1136 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {527233ba-15b3-4384-b671-55673a18ef89} 832 "\\.\pipe\gecko-crash-server-pipe.832" tab
      4⤵
      PID:1076
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Xeno\" -spe -an -ai#7zMap6193:70:7zEvent16368
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3392
- C:\Users\Admin\Downloads\Xeno\Xeno.exe
  "C:\Users\Admin\Downloads\Xeno\Xeno.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w69s77rt.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
3eb34330a4ce84be19d019f5efe61b85

SHA1
e44a49369bf5b0ffd8f399b1f328cb725c17af32

SHA256
30a660c40d08beac9bff34a3a49d1886c7882a1b207001f64f8d9a73e3f84b71

SHA512
9bc38a41d2c0a0a66def0169f16f6b3347f640f9bb17c7407d460aab803f6c8ca53b4d7d53512f0e547a2c9ed1d69e84e158f86defd20e46b2eb682a1b8cd08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\AlternateServices.bin

Filesize
8KB

MD5
788c09b5907a89e32164b0ac3fa6861d

SHA1
7b5325749120a1a1169a31bf7ff1256636804433

SHA256
508b1a573629b26349f867aedfb4fad1fa88573b3a12f25a21c82b60bb478577

SHA512
e95d82d39e8183f1947e218ed87c6e7d3d732126c7e98005de33d545982982e96091b35eac6e59ce8df95fa09a99a3cd54c4a653944c147a57a3325f17730683

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
30eb1147b4d919b260970e731c8059bb

SHA1
cb7f9fda56f55e086fada8de656a583fcaf434d5

SHA256
8a044a3e0338f854cc775aaec9d68f5c46baabd736bff7592aa1ade69dcb9a75

SHA512
b0d4526d450b1fbd8f83a64fd66321bcdc9566b2a98f3554cf8f2e2d17d9ec00e7ddfb23ff120abd7090937e8c30aaaf8e1e2ca8839ad086197cf17b01314fbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
3e9fe98c3c9e27c22d3c2898228d671b

SHA1
37f18471e90c94a055a5f572f411c712369b550e

SHA256
92cf2c2c32f5b83169aa57af26ec7e3f38842c7c8beeba94b3887ddb3f597173

SHA512
1bc8dbcd2b21cfdbb500689ed2a194b38f5720af0187dcf4a7e71c0dfc7f690a4c1e5018a643d3d6f55863736123be1ce3dfaaa48e36ed3f61ebfd000e8db5fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7c7d405523094a01a62b28d7a9601486

SHA1
755e24179102ad6b42a0de99eade3bcbc0f49e11

SHA256
9c1331dc35b1a27883b3a2cbf1a6506f71abec25860c23031522adaac7251359

SHA512
5eac314652d651ea3c088db0e0d367e6685500700f1184c4860be603d01647cdc7962eb6e1090c5babab6ea92717f5396a2e5f0733f85ca636195cb06f6e69f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
ca7cb2d655fa0154da23bda150c2f7a3

SHA1
67606ff445e9bc21fb3d2fc4c98e22c073c18baf

SHA256
e8427573c99dea4067588b9f2b8874544bdd8fe06cbbb58caff84478b4b77b2d

SHA512
9df1ee5565a9ae5b90e993c9a8091714527a64067bf8d9feec6c077b6f36f91690cc2d01c40cd5efec781e931c23923bee6b7b31b40af5abe0ab79e808834cb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\pending_pings\5bc9d793-0f76-4951-9216-fa3bef58e499

Filesize
26KB

MD5
fc3c17b243ee9a393cee32533aa288d8

SHA1
7d044dd6910818252e51ecb675ce87286e285035

SHA256
0c42125c237897ac66028b47e36e4f557cd6866fc25191eb4d5c303bfcdf9917

SHA512
eeac509cf2d179b89ea21a1ab545eb66dc1689d2d429753b735ca1cd9e30de6f3a42140b462a1692afc102d61c64b5e9fce67b77e6b9ee5ae5ebb6359c904e03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\pending_pings\b6f4f441-3cc4-4466-86f1-523399a5793d

Filesize
982B

MD5
b0f866dc71516fef75c5b6ff09c4b29b

SHA1
8c4342079f59aed088034d3ae2e8ae77b32044d6

SHA256
914e63796ebbe0bb258dd424607ea829e0cdb28206bb171d727ee8ce9ac95462

SHA512
356b520f0676b7ea00544033dd3914f1ea44a30227f3c8884034a17d4983256c5f301ffb090e07db813404bd01a2e7b4c8afe6a246a078e0ca9182e44e2a72ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\datareporting\glean\pending_pings\ceb31b38-1e78-4dc1-a56f-f4b3ae9a9fed

Filesize
671B

MD5
4213f0fd8587b3070abbf244701b8612

SHA1
19a433b38bb358efd9eae3c82692560670aa56a3

SHA256
7829e9d76f1db0bd96ab0dfff5cf75752b0713b1bfdd782a7047f8003fe88eb4

SHA512
fed7fbb4300cb0fa605f32b915f82b2952197cc114384b7b6edef6c80686d1b04f4d30d97a30b2a49473159c67e0168b6c278dcee637b9f3c0ec17b84c687a3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\prefs-1.js

Filesize
10KB

MD5
07cc0f526d57928aec9d358301e79ac5

SHA1
c89138d2b6acb11b5c0d3358887db12d5c971277

SHA256
d51308c987901ae05318bd9d25291b25d4c43ee13150e822562758aaf66f8aba

SHA512
74be6081912cd145720995749dce2fab0f1b834151a15b1f84bc9033e18ae2689d2e81b711d73a05ca8e7270c14212ec9b88219ae9e991190e053d1b719ff316

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\prefs-1.js

Filesize
10KB

MD5
9b0dd1efc66854f3feb4d71f58a821a8

SHA1
2bc8c277d71e0c2b2d952517187e3d8ac0b8eb11

SHA256
0a920873671b05db69dfde812c61e6757fc648a59bd3a472b5de54e253be834f

SHA512
6dd37e99facfba74a7b06e6267c18da9f1c54843a97269bb2f9c645fc329e2f152730842c06b47ed008020d05d42eb646fd22dc04975dd6da1ae5f2292f050f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
b2372a4730dbc70544cf8184d3512d17

SHA1
8c08f9107a3c5df6884cd4cd64030eada50fc98b

SHA256
843b9b33a624502951aeeb5f568bb8f219fea9a8dde3496ba4cfbdd2b5815136

SHA512
e9e84459a42efd14e1a68e7ff4cc1269c47d4c45937278c028012e1dc19d2e9321184f06fcec01c83986647c059bc82d47df2d0cc865eb851f7674e84740351e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w69s77rt.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
643da349eee06905c8985d00be4082b1

SHA1
f38f4e89b4c157c181ec1108b624da28874a48ca

SHA256
6ea2bfa029aef359ef0965cc9109fb1f8e26179ff71513a49331aba5f6a2e2b1

SHA512
2c43fa8ad0ac0812503a973469de651d7e4dc7b52db5a36632022e5966cda97a24c454f986f1a84d9cad2486766ac240b70b8f4fe23cccd1f6b0bff60bf53692

Download Submit
C:\Users\Admin\Downloads\Xeno.-QfFL0_N.zip.part

Filesize
6.6MB

MD5
dede98655bc46e8aeab74487c9bb1ecc

SHA1
3b0238a3d1b05fa61ce7714e877cf8cbd5803b70

SHA256
41ab7796d0aad3cf6a8b7a045db1b5801867fd7c089a7b0648d46bdb368ced76

SHA512
61d4e00cb44dca4fdc0470172e6cce4cd6ddc30822faea38a15eb76b4c555ea6af902f8e1f85c1ba5fc10cc3a39b5a790e1f45ccae6204ce527086d54ea9e94d

Download Submit
C:\Users\Admin\Downloads\Xeno\Xeno.exe

Filesize
11.5MB

MD5
3e1edf981ca6e7939d6e31ae70734240

SHA1
76b5698a31314c433b73e89e1800cc1bc6b8a00c

SHA256
b0d99638f89532528b1c77662303d51cea8f09cb4cd6440fd01f5128b5ecaeb2

SHA512
781c84789e8de1a1655f40f4996057c42e662284967daf49a826a617feb0a5c53cd8d431ce8b669befe538b79e0f3ac615f44172fe0bcbc2817c244dd9f8fdbb

Download Submit
memory/4852-603-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-589-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-583-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-609-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-622-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-620-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-617-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-615-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-613-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-611-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-607-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-605-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-557-0x0000000004F50000-0x000000000505C000-memory.dmp

Filesize
1.0MB

Download
memory/4852-556-0x0000000004C60000-0x0000000004D6C000-memory.dmp

Filesize
1.0MB

Download
memory/4852-555-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/4852-554-0x00000000001C0000-0x0000000000380000-memory.dmp

Filesize
1.8MB

Download
memory/4852-601-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-599-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-597-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-1924-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/4852-596-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-593-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-1929-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/4852-591-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-1930-0x00000000051F0000-0x0000000005254000-memory.dmp

Filesize
400KB

Download
memory/4852-571-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-587-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-585-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-581-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-1931-0x0000000005250000-0x000000000529C000-memory.dmp

Filesize
304KB

Download
memory/4852-579-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-577-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-575-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-573-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-569-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-567-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-565-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-563-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-561-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-559-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-558-0x0000000004F50000-0x0000000005057000-memory.dmp

Filesize
1.0MB

Download
memory/4852-1932-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/4852-1934-0x0000000005340000-0x0000000005394000-memory.dmp

Filesize
336KB

Download
memory/4852-1933-0x0000000005B60000-0x0000000006106000-memory.dmp

Filesize
5.6MB

Download
memory/4852-1940-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/4852-1939-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/4852-1946-0x00000000029DE000-0x00000000029DF000-memory.dmp

Filesize
4KB

Download
memory/4852-1944-0x00000000751B0000-0x0000000075961000-memory.dmp

Filesize
7.7MB

Download
memory/4852-553-0x00000000751BE000-0x00000000751BF000-memory.dmp

Filesize
4KB

Download
memory/5744-1953-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5744-1945-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download