xworm | 58d433a331c64698a95d7bba2e28a5e1500a7b565bf322287941d6724906c3da

Analysis

max time kernel
943s
max time network
944s
platform
windows10-1703_x64
resource
win10-20240319-en
resource tags

arch:x64arch:x86image:win10-20240319-enlocale:en-usos:windows10-1703-x64system
submitted
08-04-2024 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celex.exe
Size

58KB
MD5

af5ab8ec02735b226012b4ccc32f9538
SHA1

0aafb5e705eab466acd93c3326e7bbfbd42e99fa
SHA256

58d433a331c64698a95d7bba2e28a5e1500a7b565bf322287941d6724906c3da
SHA512

eb84c3c92d87a6f9b6e094fcaf3e3b843fab9616b47cb43e81b37196c028b57da0b4591210a6213742ce37c04913a6ff25b633e4c8f22a364946adda6f747cdc
SSDEEP

1536:Q2Piu1AyI4e+ImmjG9bDbVh7c6D1Oc+7NYE:QE5Z59bDH7vRO77NYE

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

come-devon.gl.at.ply.gg:22978

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3552-2139-0x0000000001000000-0x000000000100E000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/3552-0-0x00000000009C0000-0x00000000009D4000-memory.dmp	family_xworm
behavioral1/files/0x000700000001ac19-2177.dat	family_xworm
behavioral1/memory/3880-2186-0x000000001B520000-0x000000001B530000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celex.lnk	Celex.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celex.lnk	Celex.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celex.lnk	Celex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5476	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3971934951-2222591486-1444465656-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	Celex.exe
Token: SeDebugPrivilege	3552	Celex.exe
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	3880	Celex.exe
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	3880	Celex.exe
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	4884	firefox.exe
Token: SeDebugPrivilege	4884	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4884	firefox.exe
4884	firefox.exe
4884	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4884	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4528 wrote to memory of 4884	4528	firefox.exe	76
PID 4884 wrote to memory of 2512	4884	firefox.exe	77
PID 4884 wrote to memory of 2512	4884	firefox.exe	77
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 1496	4884	firefox.exe	78
PID 4884 wrote to memory of 3496	4884	firefox.exe	79
PID 4884 wrote to memory of 3496	4884	firefox.exe	79
PID 4884 wrote to memory of 3496	4884	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Celex.exe
"C:\Users\Admin\AppData\Local\Temp\Celex.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:3552
- C:\Users\Admin\AppData\Local\Temp\Celex.exe
  "C:\Users\Admin\AppData\Local\Temp\Celex.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp12D9.tmp.bat""
    3⤵
    PID:2448
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.0.570647461\77769858" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1688 -prefsLen 20748 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f32fe3bc-6a73-4979-94c4-6e49116db449} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 1792 165c43dbd58 gpu
    3⤵
    PID:2512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.1.2111897118\2027894445" -parentBuildID 20221007134813 -prefsHandle 2136 -prefMapHandle 2128 -prefsLen 20829 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6f1cb6e-c6ae-42bf-a1a0-7655b8526359} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 2148 165c3ee3e58 socket
    3⤵
    PID:1496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.2.1228848937\916108044" -childID 1 -isForBrowser -prefsHandle 2852 -prefMapHandle 2752 -prefsLen 20912 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9990dcd9-89f1-45ba-9ef8-4cee445a2909} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 2864 165c8260858 tab
    3⤵
    PID:3496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.3.563207602\847719432" -childID 2 -isForBrowser -prefsHandle 3416 -prefMapHandle 3396 -prefsLen 26155 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d98b00cf-08b1-4b3d-b851-6e9b62be6337} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 3432 165b8f61c58 tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.4.1576944410\1220268371" -childID 3 -isForBrowser -prefsHandle 4204 -prefMapHandle 4200 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9e3d686-16dc-4aad-987e-52bfe1be27ce} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 4212 165c79ced58 tab
    3⤵
    PID:2308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.5.1198425126\1327556582" -childID 4 -isForBrowser -prefsHandle 4568 -prefMapHandle 3732 -prefsLen 26374 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b6d229c-b08a-4e54-8f8a-dd5938b96461} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 2664 165ca03db58 tab
    3⤵
    PID:3432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.6.215600691\1512650184" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 5072 -prefsLen 26374 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a36e678-aa11-4649-bc69-42afdc3f5255} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5056 165ca35bb58 tab
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.7.66735255\936844274" -childID 6 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 26374 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56c037df-6392-46f1-aad8-cf4c1a41c6de} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5244 165ca35c158 tab
    3⤵
    PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.8.214061960\44146400" -parentBuildID 20221007134813 -prefsHandle 5068 -prefMapHandle 5552 -prefsLen 26374 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fa3711a-224a-4cf4-be88-82f509cc95f7} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5072 165cb4b4a58 rdd
    3⤵
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.9.1992745067\2077170131" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5624 -prefMapHandle 5620 -prefsLen 26374 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75dd6dc8-f599-4b17-a455-495097247a4b} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5632 165cb926f58 utility
    3⤵
    PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.10.275547298\806942696" -childID 7 -isForBrowser -prefsHandle 5788 -prefMapHandle 5820 -prefsLen 26549 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3bbc0e60-4b73-4f10-a370-3d61e0ed89f4} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5832 165cb9d7f58 tab
    3⤵
    PID:2784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.11.1050062437\634697616" -childID 8 -isForBrowser -prefsHandle 5080 -prefMapHandle 5296 -prefsLen 29801 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57ad04b9-987c-41a5-abf0-4121fc426976} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 5324 165c654af58 tab
    3⤵
    PID:5348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.12.1114969659\157155141" -childID 9 -isForBrowser -prefsHandle 5436 -prefMapHandle 4304 -prefsLen 29801 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54e67b93-ede4-408d-94ac-3fb0a8be3dfd} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 3240 165c6549d58 tab
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4884.13.1049043919\1838048482" -childID 10 -isForBrowser -prefsHandle 3476 -prefMapHandle 3488 -prefsLen 29801 -prefMapSize 233444 -jsInitHandle 1000 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7ac1dfa-d3cc-41b3-b9a4-2db57d48ef22} 4884 "\\.\pipe\gecko-crash-server-pipe.4884" 4628 165b8f30b58 tab
    3⤵
    PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celex.exe.log

Filesize
1KB

MD5
ac21d958d1bc38fec37ea9958dd22f4f

SHA1
853adc0a6ff417ff6e4077815720c2b207fd8823

SHA256
b632e92b1d38b993d213aaf68a35f452d4d8e3ddd378ccdf808c8c9a9654f1e3

SHA512
f77b7f2882ea9a9010a82457311bcedb8354b934dc0228c88e4c61621e0bb03440ac4085a67bbd864ad0d406f646585ad211e88035823e3fceedc98ac9d79ebd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
fc803133e4feadf608e6ce3ebbe4bd42

SHA1
510ad9a83de2df54cb385e6417457393881428c3

SHA256
0d7bbdfea9db2f4fcfdc877ce291bc54eed645c8ca751dc36fb67d994b66cada

SHA512
8c19c6d0886454ac93023c8733aef425ac49f27f0ced792a3f3374a843f92cd364040f1d082cdfb765c8fcbbd24e92e51b939fd97adef8be9f0c2397bbb52a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Celex

Filesize
58KB

MD5
af5ab8ec02735b226012b4ccc32f9538

SHA1
0aafb5e705eab466acd93c3326e7bbfbd42e99fa

SHA256
58d433a331c64698a95d7bba2e28a5e1500a7b565bf322287941d6724906c3da

SHA512
eb84c3c92d87a6f9b6e094fcaf3e3b843fab9616b47cb43e81b37196c028b57da0b4591210a6213742ce37c04913a6ff25b633e4c8f22a364946adda6f747cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp12D9.tmp.bat

Filesize
157B

MD5
d788b0f8d838d7ba96492188743a3cd8

SHA1
453675ad04c9adf5f1b051ca9e766308b1014e43

SHA256
926c388a70c24fea0819d73298dfa560cadc3b417ccee961ad7c59b187dbc0a6

SHA512
047a048d640b2172ed1a9b88fb38370ea1fa56d24c3bd2c01c679ef1c70e00b35aecccef83e06267a64f7ae80b8d5042b54c4c9ee1f23fd0b9cc3cbea42c5fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
5107a78afd8dcd4924d1dba405022c85

SHA1
dc59369a26dd9f71979947140e65d3d698487564

SHA256
8f64ce11bc8c7a52210cf5e83db90c56469d8962c0265862d842f77ab8b5c5ed

SHA512
fbcfb2ac7766df9c7f9bdafe21a4f3616cc3c8465b05ea2c8ae49099339a9aec55f9bc22cdd1d00146f04d5ef90bd182dc2d626c393d1ff6b124ac7e121fe6fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Celex.lnk

Filesize
1023B

MD5
ba48c310d1fcfb1444b9d14373decf99

SHA1
940d3c13e0eb66e0c2e6dcc42f2dca1a32f1c51c

SHA256
de43d55584a4ddae5bd359e647f136ff7abb49ccb8dd2c2ba87f9a318c5a3c2f

SHA512
2d0886c4a67536e679f58551783c4e2af319d0e261f652e57455896aeeae8eb0fc4541c615f1404d3eb3d3e42678304d726deccf21cbe35b1d8ab6c72b2357ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\SiteSecurityServiceState.txt

Filesize
372B

MD5
1e9ef44c9b531cad1a47bcd367608b41

SHA1
12fb2891e43f6c48f02ffd2910570ee66d57427d

SHA256
661a5985ea170baa2f0d02de452bff7b2f1691baeb1747e456863c2a8e130117

SHA512
a57e7772d2910e0cb2d4bcf14d286ca26d221c9aca0c43bf444354baed07f6e4edeef9448cf974d8a2877b2ba479e0cc7dcb6ba87836915341effdd87e06dd5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\bookmarkbackups\bookmarks-2024-04-08_11_PqnheR3AiR2PsDwqR-n1uQ==.jsonlz4

Filesize
952B

MD5
8ed235341eb654b1d2dae3a428705aab

SHA1
d59577a85e0882e4ee4ade49f9e5fce37ba76eb7

SHA256
13e6b3afdac2a13a1f7a9cdcf54485316bfdc297ab80b0ca71f7073bce5a1051

SHA512
31efe8ca90239df8bc42effb073d7dffb8228c712e29fee247f603f6c718f5218a26517e42e7f1147f33c8d775010300491346e96eb890ed50a03379ea24bc76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\broadcast-listeners.json

Filesize
216B

MD5
f831a415ddafef7c837a80396574d03c

SHA1
ac9bf0c6bf4dadd652b93252882ac2baf302980e

SHA256
fa586b3a7c1b0203338d59cf1b926e8e92409c1ba7bb83edf1174336b4d1b5eb

SHA512
fa44b4839d866a476f893a3d78500a368ce26641611b9372744d61b909a9f9757a67b449d0451b1e05330161f8507e77659d7aa5fd26c36dfcad00d3326cd991

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
cc00d8bc8fedc7c6cb4d87286c89c698

SHA1
efa9b0f0032a84827ebd164ca97f19a409ca00c5

SHA256
06e403c2ae44a8f489dd795f27f5ca7eae59ee050b61635045b8d9f8907ba13a

SHA512
c8294a0974f5935b2cb18eadd532099687a5a7b360480a2c15c94f952eafd5f9787b4687ddb5584f2e980da6a735d165940343c3fe8131a5d9e788ba2335b873

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\datareporting\glean\pending_pings\9b606a55-f755-4030-af94-499ecdf9f6bb

Filesize
746B

MD5
086cc11a200c4069b94270c82ff177fe

SHA1
798055ffedb7c99647585c9587f66092302b62a7

SHA256
af2af96f0d24d12f35814ee1dffe6cf659d4e6fb336cd878d7d35360ee2c6c3b

SHA512
6304fd7d2272c225de273565e512f8c99b194fa08f86a0d2ba74b1db42351c7b2dec7aeb9a23cda323b38c3f58e792c9cace8e5039b67385146ca4ec81835ac3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\datareporting\glean\pending_pings\df0eba73-3729-41dc-b66e-755e43fc4792

Filesize
10KB

MD5
96c4ca51deaea227e6ca19bf92d23510

SHA1
559a62b20107cb434ce638a961c6803ac7c93873

SHA256
f70c30a797f284f3f6e7880f529a25e2c35c4d95d5e9ffdfcaf3b92a67c2e39e

SHA512
6ebfec931fd0425b22266b73ffd2f7c9083d2b5fb37d0edb09ae495899a1e6296c4b7c2def1b03b3e8bdc5494f3d93313b0ecd23c1823d7a213b896704001439

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\extensions.json.tmp

Filesize
34KB

MD5
10b0f084ff956292be8925c970df745c

SHA1
e9cd23671b81c5d863dd8963cc88e04c3cf1136a

SHA256
065006683cd6e11debbc27859f53fb3895d9efd9d9071f63b75b2ab1c1100b9f

SHA512
f071e689d3ce1eb666a9dd9916a3287e15c044bb1af5af8a6502e495781d23eb1c5a17dd79be8da4205294df87d951b8bf664b07dd6c27de13421d05751374f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\prefs-1.js

Filesize
10KB

MD5
0a3de158e6f60ab04ea93049fa2de6b2

SHA1
d50af36935ef0ca73fe04747f2c67f160671d881

SHA256
9be238ffa1e4cbb285d2a54a7c9723058cf85adfd3332530c22848b9f1c612d7

SHA512
164616424386ad3434890ed729d9450426a252f935b7531cdde36c46065e73522ffd4722189f00ba474a15e3b6ff78d9521e0d9314bf52f36f713e26f1ff92c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\prefs-1.js

Filesize
10KB

MD5
853b33e1c06e8d2dadcdc3132bb8c62a

SHA1
4ef6e6ec8df7d8dcb87c63f24ee54ccf09f9b138

SHA256
a7c1b2c207560bc606f76be2fe0e413e3a8a454709929e6acc5e1ef6f896258e

SHA512
d3a1e23b12b43ce26dd8c1eb765d0d680f8e15dff6ed313adf2722c3ccdb63f6d104b4ad126d68a7bb7bcdb49c12f88fff14cf0b38789fa915d32eb293e5f829

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\prefs-1.js

Filesize
7KB

MD5
24678ffe4ca49ebebc9ed5a99c994b1f

SHA1
da7fbc56bf8528b6faef98a6fe88e47468bde2f5

SHA256
09471496e698ae74c82a7e792dc9439186077999399620f1156a6cf15dfdc795

SHA512
4e1af57df88b90e62dc968ed00d35e613f7609bdd015f12faf85e28d4db5a5d6712f8d874c2a20a4751ade1274f55124c732e0fce637861100a9792aa0e1a6d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\prefs-1.js

Filesize
6KB

MD5
a70330583fb720ec59efbe89d454340a

SHA1
c32773d75b2752c1c66ac17bd2780a87e8733066

SHA256
f575659942197789ab1cd0a8c9cb571e61bf91cd3b98f8e42615c7237710f1c7

SHA512
1af9c223f1f445fcdfcd57b3b754d084dc23b622cf080eca150e5f2ce5e8e9c8e0f3aa9d630face3cfa4919e8a2afb88a0e0924fca662457a414d50d508c392d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\prefs-1.js

Filesize
6KB

MD5
caf3c3750c45f502eda96da43d14c0a7

SHA1
229acb33542fe010a5c3e939b35f93b8f9ae4389

SHA256
cc714bd5776ab314b3458a4219d60b099873b34c620bf67fb7f4aff115ba8f08

SHA512
d999041177e79533e6b388a05c292eeec6486943eda6e7dfafd808ec9462999b6830c3a787a3619541034617c9ceb90eaf3ca1c1ff53cfbd9251f56cf74a73e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\prefs.js

Filesize
6KB

MD5
82c0a33ddcc25a00a757d0f72fc57668

SHA1
e2cf291b540bd6311b4d54bd8fdb181b26a615e2

SHA256
38e89ea2a063d5d374e0503121a932fcbd748cb040256a0bcfb4484bf6e6b503

SHA512
ba4aba86fa6d5e7ba2595b93473957283c5354adb17d533154a1347572f51d703ba4729acc6fb8635e85234bf83c798b9b59cc1bbb186ba895b372ad34c27cc6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3bfe21e55a742ebc65699566db4681a2

SHA1
5ac63519da4a5d939179cc789d18986cd67565ed

SHA256
97f24f06491cb0ce6b581e235f45d786463061e38c3ee604fe993862c10c5fc3

SHA512
02cb6e76ab589aa1f13edfd170b0e89155721588a0a4610d2808a4fd417e25f3a6f51c012cb47cb1d76cc627a2eed8e4ddfd2239c9013c2ee56a08d69a5ac394

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6c1c8004493f6885849562c45770a662

SHA1
9f5292bee6bac3aa2880c895fbdfe91b31e5aad9

SHA256
63f27fae85020df67217cf62bb9cfa625b451ae6f24120d5a5ebb90deedaee2e

SHA512
8bf5888a667e6524ca502f273b5d69affe1aa1bf252f8332e3645b1bda2c8559ba8448768b276442a8312243a18ac6e32c1a9b4b5e4ac4a4245ea35603744978

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
65b5e988373d5a25a5a6e8d42d7cca5e

SHA1
f8e3cfe101e3775d744b58784b0561b8fefaad63

SHA256
7486aa719d9c89a4b0cea78e17451f1a598cbc80d7c3e6f3eaef131a47395433

SHA512
be1cae2c3e8184d58ae16eef235da12a3a2257e82c6c4480d2a7886e0c26bad005918bf16d3aff7911139cb55ed3a2e23b9b6a51d7f1014a53ea147ea85e5d28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.7MB

MD5
89036e2dae14bc254c433b83e1400f76

SHA1
4080c59c57fbc13b1abd40fdf77e86977c1a816a

SHA256
f145297b6753a2c8518947db6517436ecd58abd712752b91e65367ae2ba8ebd9

SHA512
f4941ef1ff5dc460925428b97396d9e5277806ff649368bdf1ea32e67306a274d15aa3d781f6aeebc1f02910e797bd14a5095464817fd275af4fb7e2b750be5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\targeting.snapshot.json

Filesize
3KB

MD5
9e756b2134754343e1a13bb642279367

SHA1
f070d4b33ea89055df14c72ec308ce1d4f9490b0

SHA256
e3dd68dc44fe47cc41c58c50e28ead671eb4171fc7d1dd05d68e6258fdf804f4

SHA512
22d81f6e011af545a85f735dc50f888d75a4f3783f7e37ba4b3cf220e531dee67e34866fe445bee7f638e64b85bb57ce57f669c6cbb6e5c4294d134b4918c4dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uwf0vdwt.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
memory/3552-2139-0x0000000001000000-0x000000000100E000-memory.dmp

Filesize
56KB

Download
memory/3552-6-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

Filesize
48KB

Download
memory/3552-5-0x000000001B660000-0x000000001B670000-memory.dmp

Filesize
64KB

Download
memory/3552-7-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/3552-2170-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/3552-0-0x00000000009C0000-0x00000000009D4000-memory.dmp

Filesize
80KB

Download
memory/3552-2165-0x000000001BEE0000-0x000000001BFB6000-memory.dmp

Filesize
856KB

Download
memory/3552-8-0x000000001B660000-0x000000001B670000-memory.dmp

Filesize
64KB

Download
memory/3552-1-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/3880-2186-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/3880-2253-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/3880-2206-0x000000001B520000-0x000000001B530000-memory.dmp

Filesize
64KB

Download
memory/3880-2202-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download
memory/3880-2169-0x00007FF8D1110000-0x00007FF8D1AFC000-memory.dmp

Filesize
9.9MB

Download