xworm | cdecf958e0953e75493c8cf7ba2e347e34abb57a59baa659e1dc4aa61abcdb94

Analysis

max time kernel
79s
max time network
81s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-11-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Galleon.exe
Size

114KB
MD5

732ad9a401dd2af8e78a23618312a5b1
SHA1

e0efd569e5cf9ed522c8dc8e2e15fe30aaf17de8
SHA256

cdecf958e0953e75493c8cf7ba2e347e34abb57a59baa659e1dc4aa61abcdb94
SHA512

082d717b8f30849516e15d267f564bd3d285e031d8f6dec8d3943b15192b983f7acff96f7ccd19ba18fcb70b4502633d0f30a89ef8d0af53ad692ddb3f8596d0
SSDEEP

3072:0kMOToQm4taqybIYUQXpchK35Qs6pMrzA7IoFO:PToQmrfpXprph1zk

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

left-noon.gl.at.ply.gg:60705

Attributes

Install_directory
%AppData%
install_file
US11B.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aa71-7.dat	family_xworm
behavioral1/memory/4272-10-0x0000000000120000-0x000000000013A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
104	powershell.exe
4960	powershell.exe
4888	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sms877F.lnk	sms877F.tmp
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sms877F.lnk	sms877F.tmp

Executes dropped EXE 1 IoCs

pid	Process
4272	sms877F.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\sms877F = "C:\\Users\\Admin\\AppData\\Roaming\\sms877F.tmp"	sms877F.tmp

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3500 set thread context of 1804	3500	Galleon.exe	80

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1492	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
104	powershell.exe
104	powershell.exe
4960	powershell.exe
4960	powershell.exe
4888	powershell.exe
4888	powershell.exe
4272	sms877F.tmp

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	sms877F.tmp
Token: SeDebugPrivilege	104	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	4272	sms877F.tmp
Token: SeDebugPrivilege	952	firefox.exe
Token: SeDebugPrivilege	952	firefox.exe
Token: SeDebugPrivilege	952	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4272	sms877F.tmp
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
4884	OpenWith.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe
952	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 3500 wrote to memory of 1804	3500	Galleon.exe	80
PID 1804 wrote to memory of 4272	1804	Galleon.exe	81
PID 1804 wrote to memory of 4272	1804	Galleon.exe	81
PID 4272 wrote to memory of 104	4272	sms877F.tmp	84
PID 4272 wrote to memory of 104	4272	sms877F.tmp	84
PID 4272 wrote to memory of 4960	4272	sms877F.tmp	86
PID 4272 wrote to memory of 4960	4272	sms877F.tmp	86
PID 4272 wrote to memory of 4888	4272	sms877F.tmp	88
PID 4272 wrote to memory of 4888	4272	sms877F.tmp	88
PID 4272 wrote to memory of 1492	4272	sms877F.tmp	90
PID 4272 wrote to memory of 1492	4272	sms877F.tmp	90
PID 4884 wrote to memory of 4748	4884	OpenWith.exe	98
PID 4884 wrote to memory of 4748	4884	OpenWith.exe	98
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 4748 wrote to memory of 952	4748	firefox.exe	101
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102
PID 952 wrote to memory of 228	952	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Galleon.exe
"C:\Users\Admin\AppData\Local\Temp\Galleon.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Local\Temp\Galleon.exe
  "C:\Users\Admin\AppData\Local\Temp\Galleon.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\sms877F.tmp
    "C:\Users\Admin\AppData\Local\Temp\sms877F.tmp"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sms877F.tmp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sms877F.tmp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\sms877F.tmp'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4888
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "sms877F" /tr "C:\Users\Admin\AppData\Roaming\sms877F.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\sms877F.tmp"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Roaming\sms877F.tmp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Roaming\sms877F.tmp
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d55b724b-ba12-448d-96d4-200d84061a8e} 952 "\\.\pipe\gecko-crash-server-pipe.952" gpu
      4⤵
      PID:228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e12f7c-6331-4c51-ae02-30b10d50f437} 952 "\\.\pipe\gecko-crash-server-pipe.952" socket
      4⤵
      Checks processor information in registry
      PID:2536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3224 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e5a1aca-3677-454e-a483-858b52940306} 952 "\\.\pipe\gecko-crash-server-pipe.952" tab
      4⤵
      PID:4268
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3644 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 2716 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ac7a015-1a66-4407-929f-0cc49779286d} 952 "\\.\pipe\gecko-crash-server-pipe.952" tab
      4⤵
      PID:4564
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4848 -prefMapHandle 4840 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c006eb1-3186-4372-b8f4-8513f7c6983f} 952 "\\.\pipe\gecko-crash-server-pipe.952" utility
      4⤵
      Checks processor information in registry
      PID:3088
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5384 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a864cd4d-de69-4b8c-b7b0-cfca03e3df10} 952 "\\.\pipe\gecko-crash-server-pipe.952" tab
      4⤵
      PID:2760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5536 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5612 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9197ccb2-5c6f-4ba3-b447-249ac3e22a0c} 952 "\\.\pipe\gecko-crash-server-pipe.952" tab
      4⤵
      PID:716
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5756 -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8ba0812-a1d5-4be5-8176-7fb6fcfba84b} 952 "\\.\pipe\gecko-crash-server-pipe.952" tab
      4⤵
      PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80707036df540b6657f9d443b449e3c3

SHA1
b3e7d5d97274942164bf93c8c4b8a9b68713f46f

SHA256
6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

SHA512
65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vo8scey3.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
1af66565d3902de1dafe3d97de4e5f83

SHA1
9b839262dc7482b1003f9eb489681a50d89f4f60

SHA256
23fc2ff74ca2db00b058e7ce030a014348267c1ff89a4335b81b11c0f55c7029

SHA512
f51587c02df987f2cf6224a2fc21982326255c6e809713ab24709e3010b3c9709c7d50dd8102065502b549f126ccb2c367858b4052cbe97776dc1db03591b4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hq4emrbs.ko4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sms877F.tmp

Filesize
76KB

MD5
c01f551edc26c87f9060358f75bf227d

SHA1
3755e4043a98bbe6efff60f2442c29373049052a

SHA256
6f588a5b0a111fb296e01c7633b65c3904acb094feafced2c8f174e7d3013c1f

SHA512
dc919d689b4965f8df64d63f64bb289bd82bee2a2ca273835d55765e8bd69046b130fa931efad54e46de4bd5508503e6d3fb3d2fa6e493dbf88787b56de0770a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sms877F.lnk

Filesize
771B

MD5
876581b2d43361354e4aa9579a83a169

SHA1
8988c5d10df27c9518e16a2a346115a9692e3ce7

SHA256
dbac4e8e0e38053ce6dcb4f332913b619735e6a2ce9867ab9f5f13410bbf6907

SHA512
2aedbbc18cea030fe9b6dd9104eb6c95a8a3300e1092f1c93a4d847fc989695fad67bd024561f43c4dff7fe580c7b9a2450d817d7d6663d7d3959da255d33e7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\AlternateServices.bin

Filesize
6KB

MD5
ae2a90d4338e7d1af8da3e601e437ab3

SHA1
816e422583d7c2dc6221d3e85c384e86487d29e2

SHA256
80b291f0f70d00bd03d8f8c3f8b9726e443dbd1270dbbd9560340c1c61388d22

SHA512
15591f76988b22a48a76e11253f8d62094ef576fffcddacee8a1349bce2f10c79a15de5b00f2fffe1833dfe4259736e972c2c700fcd3f386991f87672a9440f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
279ed5ada67e83cb0fef78f87d7bd172

SHA1
89a6a8bab876b0659108f3a48de0ab2ed2ecc52b

SHA256
6a3006cb8c77cbb737c297c2e35300b4d652f93cd4e8528a1d418b1c6b567a43

SHA512
c73016f24da15072ce2fe6c2de78346f65bafc584ad6180057c2bbea4e7ceef2808ad2e3b9d21b193f71d6487acc08f6b7976f043a5133c454fb9df6f5b0490d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5b8c3b7c13f9e143c515c387aa629ec2

SHA1
024e0a143ae82d9dea805dcde185184c5cf16ac9

SHA256
5ad524324ae9dac1cf23352c0b73845f54f0a0553fbad66c03c310f3c844a092

SHA512
f987b81101be4ce045676d3dc71fef05f3abe5df446be34c0e3433b36db876764395517991dfa394d9830a86a52cd88bbed2d31e7c407d5b3dcc10b4e7f5463b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\037f31b8-c565-48cc-9562-8997e7000f48

Filesize
671B

MD5
b271a5d05987acde55d7f73890c28c42

SHA1
b5f1eb05ef17ff094c0bcf03884d4648efbf3fe5

SHA256
508ea8550be415dbaa41bf920eb092f6655a19199090dd3c486cabe127bddfad

SHA512
e5bd3573af4fae1712671f30ed01133c96a1878fc30c975f181db8c7c605d5deea4505bb37f1b8a6a77e27ff3f6f29ec3dd45f8b30d76ebbd916628ca154f4b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\465237a1-3e3a-4951-82da-fe3b6dcb0821

Filesize
25KB

MD5
a567c7d871f5452a0898efda592c5b6b

SHA1
73235c8bec042d923049d92e806651c330115f4f

SHA256
6385597488bdcb63f403ad87b13feb36ccc8eeeb1c527fb903afc4ead632f034

SHA512
b7371c67409eb49ab6c650962c651d0e8f8f9fe87995c9d3cc90de146b654bd414a85e83a484b755ad476b580abea7875e2a8883f6da6db19b5a43c0a077ec6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\datareporting\glean\pending_pings\bb0c11c0-25c4-4b2f-ac7b-7c6698fb7334

Filesize
982B

MD5
004705fe979b1a1318fd1749a62f3c7c

SHA1
13f8e294649d61dfb2bb8be454f02a27049a1da7

SHA256
d8153e9f1a20549ad0851d1b687b12273c7daf63ee13766b4b60e29df7550ce4

SHA512
6639602b5941f86d07d1f6f6f2bcbaeaa6242fc4aa7ad968c39621b0dfdb1d06cafe25ae803611358bb99772f6dfef44dfb20b48fe165a9642c68a2346fb8f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\prefs-1.js

Filesize
11KB

MD5
2eb067211ff07e50d4e25fa6b0bf5cee

SHA1
fbbb5f93a1ac064a22640bf94e3c17928c5807cb

SHA256
f364f406fc03a769e111730004c533c52a9fb2f8480710e6fac5c987a8a81892

SHA512
e0c8ea69745983eba1b62811cf2b00c4bd84f634a3f57ca0135e4b47824dcb0b56da663f3aba8685be1280847baab6843ec078702ff3fc498c7cd4cca219a7d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vo8scey3.default-release\sessionCheckpoints.json

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit
memory/104-23-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/104-22-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/104-12-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/104-21-0x0000026BA2A90000-0x0000026BA2AB2000-memory.dmp

Filesize
136KB

Download
memory/104-26-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/1804-4-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1804-3-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1804-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3500-1-0x00007FF6D4210000-0x00007FF6D423A000-memory.dmp

Filesize
168KB

Download
memory/4272-57-0x000000001ADB0000-0x000000001ADBC000-memory.dmp

Filesize
48KB

Download
memory/4272-11-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/4272-9-0x00007FFE826F3000-0x00007FFE826F5000-memory.dmp

Filesize
8KB

Download
memory/4272-56-0x00007FFE826F0000-0x00007FFE831B2000-memory.dmp

Filesize
10.8MB

Download
memory/4272-10-0x0000000000120000-0x000000000013A000-memory.dmp

Filesize
104KB

Download
memory/4272-52-0x00007FFE826F3000-0x00007FFE826F5000-memory.dmp

Filesize
8KB

Download