Analysis

  • max time kernel
    1794s
  • max time network
    1795s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    30-05-2024 20:07

General

  • Target

    XClient.exe

  • Size

    59KB

  • MD5

    d172c0a4ae3e8cef6a0a910bde62e195

  • SHA1

    51139fc633fe81a66c8ed55081f92ec5256bd0bd

  • SHA256

    94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7

  • SHA512

    d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467

  • SSDEEP

    1536:9vv68xQQodoW8YTK6uDkbrfSVxwXSOqQ+k:1vjWQoGJYTK6CkbrfHSOqQ+k

Malware Config

Extracted

Family

xworm

C2

length-desert.gl.at.ply.gg:58023

%AppData%:9

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 31 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "9" /tr "C:\Users\Admin\AppData\Roaming\9"
      2⤵
      • Creates scheduled task(s)
      PID:4588
    • C:\Users\Admin\AppData\Local\Temp\stnqqf.exe
      "C:\Users\Admin\AppData\Local\Temp\stnqqf.exe"
      2⤵
      • Executes dropped EXE
      PID:12012
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:212
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4372
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4188
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.0.818781048\1353417191" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea9ca815-ec1b-4eb7-859e-6323b522fd8a} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 1780 20c7dfec158 gpu
        3⤵
        PID:3940
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.1.1361113494\2025406105" -parentBuildID 20221007134813 -prefsHandle 2116 -prefMapHandle 2112 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59898eb1-a6a9-4e39-8218-937b14449942} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 2136 20c73070a58 socket
        3⤵
        PID:2416
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.2.541735846\1769704188" -childID 1 -isForBrowser -prefsHandle 2944 -prefMapHandle 2920 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {777497a8-d36e-4259-a417-2f7bbb7ed55f} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 2956 20c02397958 tab
        3⤵
        PID:96
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.3.2011323863\664684091" -childID 2 -isForBrowser -prefsHandle 2876 -prefMapHandle 3480 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35cb7f02-c623-463d-acf6-b3d97e3b1bf4} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 3492 20c00b95c58 tab
        3⤵
        PID:216
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.4.870827776\1252508252" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c423f1d2-825d-4264-b117-1c401d795f34} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 4216 20c03faa558 tab
        3⤵
        PID:2232
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.5.1689002513\109970340" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4848 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcda37e6-4e7a-4b7f-9eee-d498e07af091} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 4868 20c0459cb58 tab
        3⤵
        PID:2992
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.6.995046989\860672092" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f0a81f3-a31a-4e10-8d3e-fb50912b453a} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 5028 20c0459c258 tab
        3⤵
        PID:4696
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4188.7.1688104317\461682386" -childID 6 -isForBrowser -prefsHandle 5220 -prefMapHandle 5224 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e71766a0-8e0e-4f03-8270-9b3b37377940} 4188 "\\.\pipe\gecko-crash-server-pipe.4188" 5212 20c0459a758 tab
        3⤵
        PID:3028
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2108
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3896
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4108
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3544
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1092
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5068
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3508
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3652
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:11492
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:11568
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:11736
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:11820
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:11936
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:12144
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:12200
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3872
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4992
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2292
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4376
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3572
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2996
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4572
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5164
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5240
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5392
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5504
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5600
  • C:\Users\Admin\AppData\Roaming\9
    C:\Users\Admin\AppData\Roaming\9
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5700

Network

MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9.log

                    Filesize

                    654B

                    MD5

                    16c5fce5f7230eea11598ec11ed42862

                    SHA1

                    75392d4824706090f5e8907eee1059349c927600

                    SHA256

                    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

                    SHA512

                    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\17348

                    Filesize

                    11KB

                    MD5

                    ccf67232fe8301c1b547ad50715a8d5b

                    SHA1

                    b579df2bff656175248f6ec11d950f275ba0880b

                    SHA256

                    66ece82ff63f121fa6aba232f7b05d669318db628c6278567f1ae0743ef83a55

                    SHA512

                    61be8d14eaff322bd2ed7e9f986d4146ff52551c337e84e4493c6efb13f3e136ae967dee5d22e13ac9f118e9f619275fa3032293bfa3a2764d637d56d41f7ca2

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\27442

                    Filesize

                    11KB

                    MD5

                    00cfdf389ce68f598d4ca46a5abf3773

                    SHA1

                    041aefc1c4c32f28b8eb786227e9a445e7d5a82f

                    SHA256

                    7b07cc4a6b4737f0e52a33f6dbf123b719d6180944564f2bdba62e0770885bee

                    SHA512

                    2ce12fcaecd66c3808e8ae8123e10039b1af6b71d7daccbd1686cfdac15d2f7e626b65588b5e12eff7f3c8efef0fca4f0ba9aa78e5feb3babe3c3af774e622ed

                  • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

                    Filesize

                    13KB

                    MD5

                    aacd80a34dbfb37e0ed31a65ba87373b

                    SHA1

                    8241efc1164476df8e2c65e1a2343888c29fc35d

                    SHA256

                    50f9f1843a5f56d73416a3c6b7605aac4f6b4466fcc836ad1ece32dcf164e184

                    SHA512

                    3b42fcf28d0d6c5d7c0493e6e6d92459dc762bcb601985f991b6897392c2bd2747590a5f4dfb916d15db85f5533a1535868697d0d9c4763103e8735e02cdc225

                  • C:\Users\Admin\AppData\Local\Temp\stnqqf.exe

                    Filesize

                    95KB

                    MD5

                    90d4d1e028d8be79482699f0a23eca1e

                    SHA1

                    1bb39ea5ddf177aab34a990ade5bd316b85f4dda

                    SHA256

                    03c10771abb8cd2ad13402826d8f69dee1f2637063d75613ece28ac557a842c4

                    SHA512

                    f710d67ad1beb2f9fb4e5a61d8e2fba2b28c0f7a390ee907e1c47f9396501e60062ef66459dd6ec2962e517c642f29c323c08522e477afb7f616b062bfd31617

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon

                    Filesize

                    442KB

                    MD5

                    85430baed3398695717b0263807cf97c

                    SHA1

                    fffbee923cea216f50fce5d54219a188a5100f41

                    SHA256

                    a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

                    SHA512

                    06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

                  • C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

                    Filesize

                    8.0MB

                    MD5

                    a01c5ecd6108350ae23d2cddf0e77c17

                    SHA1

                    c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

                    SHA256

                    345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

                    SHA512

                    b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

                  • C:\Users\Admin\AppData\Roaming\9

                    Filesize

                    59KB

                    MD5

                    d172c0a4ae3e8cef6a0a910bde62e195

                    SHA1

                    51139fc633fe81a66c8ed55081f92ec5256bd0bd

                    SHA256

                    94b65da2b5cc3728547f892a46e9c48c5d54477d10ea8e210304593acd3568e7

                    SHA512

                    d82c930a42fd623aeee51007453d201e96110b546f1fb34080fc6d4c1488d71b3828f5f1833d347993444e4d332aa00fbb7b8922fce676d220375470ad0fa467

                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

                    Filesize

                    5KB

                    MD5

                    318e299884b2b38273e1b9b17745be92

                    SHA1

                    27732ce01d50d445fec4f61b26ad58cc27039caf

                    SHA256

                    110be5104b83817b7e4c23ec3837b9fd4a1dcfc7af7a6915f3cb514792c598a6

                    SHA512

                    4c841c8a477acaba8634f5185c258d41c4fd99e5b55da039207915efb621aa754bd6c3b9f976dc5dc998df9e3fb71d6ea58f7f53a8a26045d54333d0254b4f26

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\SiteSecurityServiceState.txt

                    Filesize

                    372B

                    MD5

                    7aa4c37bcf97ee0332b5fe178cc5589c

                    SHA1

                    abbd30de394aaad91be807e2337735301d9e71c5

                    SHA256

                    4e65d75b32e1e2759d71c772a73dbe5f8d89ec730af9336e18566c172c873628

                    SHA512

                    f7627543609687dd5c164742f964907ed938fbd79ce03fc8a290c723062fd149340f8e7d7df4562f1f0202a2e5edae234f45af4e1e22636f2f548d38127c96f7

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\bookmarkbackups\bookmarks-2024-05-30_11_+ftwiIQfjYtrlniJNZ3V4g==.jsonlz4

                    Filesize

                    945B

                    MD5

                    5454384ec38638981ce5e67157b8f07d

                    SHA1

                    20da940d1b48d7c555b5f7d050fcc26b9fcaa217

                    SHA256

                    faa28431b2b70bce1f1552ef63266622ee731b9a30a3b314c9b6d6e0bdc07e11

                    SHA512

                    5526c70002b23f106dbb494742fce905cba27979f8bf8f2a92832232fb34b6bf873043f0b54f88567250f358e5fdd93438f5211318ee303ad71615ea85d1f2f6

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\broadcast-listeners.json

                    Filesize

                    216B

                    MD5

                    1670a00283d35686e596627157aa6bd9

                    SHA1

                    c44d13c52d780a6c6bbe5f54ad2651a700264791

                    SHA256

                    575baef038cd227b653b17e4a396812b2f287de922f6443b967a668f6a80fafc

                    SHA512

                    e1c1ad457dc6406012218946e3fd2a776cc9ec403885ba679e44ad42dc7f2ef839ddb07e6078b2426493e551cf8ce792c4e69c1917fe57b85f81de0a50d46b12

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

                    Filesize

                    2KB

                    MD5

                    57ac06e512c7eac07f0c6c7eb91d8491

                    SHA1

                    7fb5c99980e33efcf5673f5908638323c96db771

                    SHA256

                    42843d175ebb7de3c666d966d4fdcedb2815a69d2d7118e60882ed263ff95529

                    SHA512

                    4e08ce57525bfabae7e6dd3c263cab912a3babd1f1be1f79b7fb59a6c7ea6f5b4a08c7d1f9a823715c5dc1f80756522c86ecd8459a7e0d3ece7691937a2ef4b9

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\37ce38f0-4ce7-4910-b4f2-258a7d2ca6f5

                    Filesize

                    746B

                    MD5

                    f65f3923eca43d418a8d1d3e3f4fc213

                    SHA1

                    a1e92467a5041ff341a1d7045f4f3e159056cf67

                    SHA256

                    2cb0bbf485f30bcd7e8a7f2b06bbb6fdd03426c7983ef53299b22ee2dbd2963a

                    SHA512

                    e65354b32389bfb31508ebbafbfa985aeba5e9c0577088aeb37bdd021dd92bd94406ae1db9c4ed9f9684aa6f49578bf2e77750e62b79c254cba9430723d9337c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\7a5e7c69-872e-47ad-88c1-f65866979aaf

                    Filesize

                    11KB

                    MD5

                    3ac961808a8161f92cff7d14c19cf836

                    SHA1

                    2e218f4a70716aa2276adad74ec81a65131dc907

                    SHA256

                    a15f0450b269c9394aaedec29e608f3032ddea029eedce559e83aa53e7500864

                    SHA512

                    e8d2c64c1c04f5b8ac28bca00f6449d0d21fa0a791351659edcf491f14c01c3ff07a23a33f2123a05c23c9a652a659fe2b5bc20a833fedc7f53c1045401b67e4

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\extensions.json.tmp

                    Filesize

                    34KB

                    MD5

                    5a7aeb959001e385367a9e24baabd158

                    SHA1

                    f9af7cd87f397728c04eb3448cdedc44421946bd

                    SHA256

                    0242df1fc3f9d535b2a59caf141c25f2a1d91843b988933070e86682b2d15df2

                    SHA512

                    77ba2e0e56eba85fe0b8936424e68704d5b186386ae9f12b0f1f4f7a9c2beea308ff5178c402f28ac61013317214a5a67dc7ebb698e735578dc35423c71b401b

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

                    Filesize

                    997KB

                    MD5

                    fe3355639648c417e8307c6d051e3e37

                    SHA1

                    f54602d4b4778da21bc97c7238fc66aa68c8ee34

                    SHA256

                    1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

                    SHA512

                    8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

                    Filesize

                    116B

                    MD5

                    3d33cdc0b3d281e67dd52e14435dd04f

                    SHA1

                    4db88689282fd4f9e9e6ab95fcbb23df6e6485db

                    SHA256

                    f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

                    SHA512

                    a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

                    Filesize

                    479B

                    MD5

                    49ddb419d96dceb9069018535fb2e2fc

                    SHA1

                    62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

                    SHA256

                    2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

                    SHA512

                    48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

                    Filesize

                    372B

                    MD5

                    8be33af717bb1b67fbd61c3f4b807e9e

                    SHA1

                    7cf17656d174d951957ff36810e874a134dd49e0

                    SHA256

                    e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

                    SHA512

                    6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

                    Filesize

                    11.8MB

                    MD5

                    33bf7b0439480effb9fb212efce87b13

                    SHA1

                    cee50f2745edc6dc291887b6075ca64d716f495a

                    SHA256

                    8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

                    SHA512

                    d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

                    Filesize

                    1KB

                    MD5

                    688bed3676d2104e7f17ae1cd2c59404

                    SHA1

                    952b2cdf783ac72fcb98338723e9afd38d47ad8e

                    SHA256

                    33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

                    SHA512

                    7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

                    Filesize

                    1KB

                    MD5

                    937326fead5fd401f6cca9118bd9ade9

                    SHA1

                    4526a57d4ae14ed29b37632c72aef3c408189d91

                    SHA256

                    68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

                    SHA512

                    b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                    Filesize

                    9KB

                    MD5

                    77b7ddc07ed4e5e47284dfec55a8b810

                    SHA1

                    599245404e1d6b692e6fd20b76e252ef5ecb20cb

                    SHA256

                    a0b3bb5e56f20625f4f1eb07296efff35b901106dd81da346de8b5855489be58

                    SHA512

                    523eaebd0a4ed6034b2adb5a8dc0c8721bf8428e1f281f2c2ba69a0a9425c5d60a0e2d82a95ed6e650c5470ec6781bf412e50798db659c34fcc27d075dd9754c

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                    Filesize

                    8KB

                    MD5

                    e34477ea7275b02d40d2942c031591a0

                    SHA1

                    249b47356013cfc8a4610832d17757283cf24532

                    SHA256

                    76c90df72c93f9f87fa41a38d6416436d798060a03a182c0b71435d14ecec356

                    SHA512

                    fdc727106b1d6e24b3358e1879536e7d9eb390ad320f5d83b90178af0a863d565a7491bca2f4d6016a02a6c76c4bffbc77eadecc7cca338bed1f87364785b4b3

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                    Filesize

                    6KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                    Filesize

                    9KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

                    Filesize

                    10KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionCheckpoints.json

                    Filesize

                    90B

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

                    Filesize

                    1KB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

                    Filesize

                    7.9MB

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\targeting.snapshot.json

                    Filesize

                    3KB
