61bad8d96f17bc5e303a42e6fb63aa90dacec97a90aa2bf7bfebdee5d7f969eb

Analysis

max time kernel
1134s
max time network
1137s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-12-2024 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X-Worm-V5-main/XWorm V5.0/XWorm V5.0.exe.xml
Size

183B
MD5

66f09a3993dcae94acfe39d45b553f58
SHA1

9d09f8e22d464f7021d7f713269b8169aed98682
SHA256

7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7
SHA512

c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000080278dcfebcec64b9bf3cb1a59348f1c0000000002000000000010660000000100002000000051300427829ae728d4f8918b1d51a4ed627c2a788dca269033873970e6292b9d000000000e8000000002000020000000493af17443480d061110be1840b9c6a1ba64dc35631d3000ac3d8215af95406320000000e55f07f74aa7d92fc7af15e7a0d976be5b5811daf062157fa99afd74d4e2e11d4000000007abf5d0b03f184142afa77d7f8cf3fc31559c6b20062ba194c600b773114706d1f9827413b4f87b49c426250bf5e2708ec44425640566a775eff597cc1a095a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147388"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "157"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439992685"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\DOMStorage\msn.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000080278dcfebcec64b9bf3cb1a59348f1c00000000020000000000106600000001000020000000f4132859f9059b468bb1c9daec1d271d46131ee7ee4379d9f8472f757b01594f000000000e8000000002000020000000e761a43020b3a8238e740c87d62b60ef77077e964a58f78bae7e7b196467717f200000000e0af943b6e0ed7a13fdc45d2ba2f114c9b2a2fc7764591a98752a66ab72b7b940000000a5766310c7422b04ff837ab5be2ed57b15e20e714065092d15b35d24aedae421de48779bc9c890ab27fde80e99a54ad062c3941b9428898be77e7590c7226c0d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0249e8b7c45db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 604670907c45db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\News Feed First Run Experience = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147388"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147388"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "55"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\doxbin.org\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000080278dcfebcec64b9bf3cb1a59348f1c00000000020000000000106600000001000020000000c17df922ca5e8ab1067c5b069acf0597ea41fc2c61518e7a475bab02944fe2bd000000000e80000000020000200000005a4dc37227c319c4cf125b0415bf8881d9de7a7f410170bd42b9be8db7b70b842000000053a000d69b63d4069e5b5eb4c7ec8b266c1c860158f4f7f016a9d70548c50d0f400000004ce7f66a9b279bdd486238e6769ac148b235ece45bca5cc6f861ba291f7e67c3b06587c330d31ad9a0eaeb39effa43ddf735ba4eb5f234abb70063816132f4dd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4EF9F20A-B16F-11EF-8CBB-D2E6B09CCA5E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000080278dcfebcec64b9bf3cb1a59348f1c00000000020000000000106600000001000020000000bd615a44ece0f5e9918fa488d9618e078180763a7cb312a9928290a3b3fd55b0000000000e80000000020000200000009b8de10e90117111fb8ddb73a18309b77230573213295a086361852fd68f1f3d20000000352a5c5120570a9416ce2fd5a9aba1891053670ef0d108b6aa194cfea1d2f9ef40000000584ce979947d17380cbdb8db5d6543e238c01ba5619d3cf8523c3865d256a9d297bd5426b8415bb697be6803d0ae3c05628e259862af26d5309f803b458abcef	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f024dc247c45db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "33"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "595441835"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.msn.com\ = "33"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "55"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "157"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "33"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = 467a3e977c45db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\DOMStorage\doxbin.org	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "595441835"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000080278dcfebcec64b9bf3cb1a59348f1c00000000020000000000106600000001000020000000689ac9f295d19688becdef8479febf28065c57a97e9a5941fa05ba65d59f1e79000000000e800000000200002000000063d0c1c3d9a6d1e6655100fd71dfcaed557cc6706f5a5d6b42afe9dace08b88a20000000949683ec62466ce502b752fb03a1f933c1981336111a277850f5c9c9d12c48d84000000041a6a0cc2384968c90b7fdc00acb224126c04123fffb060ddd54a63fe060e3321bbd7ebf8f9f4ade5efae610fedd10ecbf691f56765f16f4a42154e0c8ca8342	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\msn.com\Total = "157"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

iexplore.exe

pid	Process
4472	iexplore.exe
4472	iexplore.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

firefox.exe

description	pid	Process
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe
Token: SeDebugPrivilege	3844	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

iexplore.exefirefox.exe

pid	Process
4472	iexplore.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	Process
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEfirefox.exe

pid	Process
4472	iexplore.exe
4472	iexplore.exe
4144	IEXPLORE.EXE
4144	IEXPLORE.EXE
4144	IEXPLORE.EXE
4144	IEXPLORE.EXE
4516	IEXPLORE.EXE
4516	IEXPLORE.EXE
4516	IEXPLORE.EXE
4516	IEXPLORE.EXE
4472	iexplore.exe
4516	IEXPLORE.EXE
4516	IEXPLORE.EXE
3844	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

MSOXMLED.EXEiexplore.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 976 wrote to memory of 4472	976	MSOXMLED.EXE	80
PID 976 wrote to memory of 4472	976	MSOXMLED.EXE	80
PID 4472 wrote to memory of 4144	4472	iexplore.exe	82
PID 4472 wrote to memory of 4144	4472	iexplore.exe	82
PID 4472 wrote to memory of 4144	4472	iexplore.exe	82
PID 4472 wrote to memory of 4516	4472	iexplore.exe	91
PID 4472 wrote to memory of 4516	4472	iexplore.exe	91
PID 4472 wrote to memory of 4516	4472	iexplore.exe	91
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 2556 wrote to memory of 3844	2556	firefox.exe	95
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96
PID 3844 wrote to memory of 1828	3844	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\X-Worm-V5-main\XWorm V5.0\XWorm V5.0.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:976
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\X-Worm-V5-main\XWorm V5.0\XWorm V5.0.exe.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4144
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4472 CREDAT:17414 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4516

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1880 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3be94c74-1424-48b3-82e3-e12aa99a60ed} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" gpu
    3⤵
    PID:1828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64f00762-52fa-4b5e-a74e-57d5c357c08f} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" socket
    3⤵
    PID:3408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 3228 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dae16e6c-3b40-43fc-b3dc-bf1e15a69223} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" tab
    3⤵
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4236 -childID 2 -isForBrowser -prefsHandle 4228 -prefMapHandle 4224 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33278a33-06da-42e0-b3ae-c243cdb65e6e} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" tab
    3⤵
    PID:4116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4780 -prefMapHandle 4772 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {efef375a-6c0d-4927-827b-72551f61a851} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" utility
    3⤵
    - Checks processor information in registry
    PID:1540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2760 -childID 3 -isForBrowser -prefsHandle 5156 -prefMapHandle 5116 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {775c7598-a7af-487d-8cb3-7cdb350d1ad2} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" tab
    3⤵
    PID:4964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 4 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0be4a726-8e8e-44ae-be3d-f53fa2f0d094} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" tab
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5520 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcc14f70-3dac-4601-8b0c-25681b855f89} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" tab
    3⤵
    PID:1120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6136 -childID 6 -isForBrowser -prefsHandle 6120 -prefMapHandle 6116 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1256 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9591e0ec-fccd-41c2-ab19-8d966e19d8bd} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" tab
    3⤵
    PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
6f35d010be70338c65989d51b31c9b03

SHA1
1856c3b4f263b41656d1e7ef5f98457fd5be5378

SHA256
8a7716b8f12fdf60b238d6dfea3d49008558bcb81864d60e014a64e72bdb3ece

SHA512
3c3bf46642e85fe593b66ed0609b62a09820aad92f3e5736da751cab568b45c574aeab59c0ace5aea562c77b24ddfc8f967ab26e38f251b2c628978aca36d25e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
d0f9b87fe13fead7ad23066173f58ac4

SHA1
e95b8bc95327ce49027cd3b8f0cb223f2784f90b

SHA256
a22187b032ef261ede1c1d16b8e8765c6f9301b6ea19a456474bb79c41a45cac

SHA512
abea2bbf2e21ec32e49ba8b58f037d37d7c4db2e4750ff79133d11f2c009e1f55b59712a7cdd8ecb89ce80576d7cd596f52eef4e87e8b6b3d8476169052ccc46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
9b609559b97178aeab8e7d50b2b0c9c9

SHA1
06e8c7e47beb8a079f431b4add98e5d80cd08d96

SHA256
39ce6045f302b542b03f71b8cd888f97928b97a8e44e1d59b331ecdc25e51f55

SHA512
0655d979c72a92d8859ffdd53bdeb7af63ddedc1ca57e02d9c63a7931027202c1981a627ae0a1a9e521f25f5e35424ec29ac21af76d138273c0b288ebe2673b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
cf020059a3871b73ec0652ec6496dd39

SHA1
e9f3e7951c983bf24e24528f2ba9e41592396c7a

SHA256
7bfb84809a046592ca56a5363d2dc31c924f3a16d9d694c1506f63ad9c589725

SHA512
c3d8b7442ea1087b791772253661cd8e9d3feeb4983f4afa38cc2750be8dbacd41396a0d29921edd7715fbaed44d9995627fba1796d193e80992d7f960787d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\GOI4SJ9C\www.msn[1].xml

Filesize
127B

MD5
1563d3e5d986aede2c81637ccb1c9762

SHA1
49fa07280fb6a91e17523dddb1bf63f7ba76b5f9

SHA256
2d6612657c92d7d884337c7d2fabd619b475a5b91b06248adbcc538dbee24e88

SHA512
f95abc9b43d8f3384687bd12a949999a9585af1ea7718ca9fd9791e009883ffa44bd5975ab30a94abb78fff86f7864a0a5780ab86be2a0b223d1cc5acd0d41a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bpb3hfu\imagestore.dat

Filesize
4KB

MD5
ef87f96bde6fa3407b5e17eda18deda0

SHA1
e4b6735d5ed39237be02b94aabc640cb3204a80e

SHA256
205be407a8318ba191a8d55205de92462c2109ee317e8a7134c93ad4d02798a7

SHA512
7c245a94848275a7942279c105f7ce04e8331f07d6d77bac614772e86b89f30878f5cf28486cc399bb1cca17130703aa2ef5178517c8ecb165114d0dd71b2146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D3F3LYYL\favicon[1].ico

Filesize
4KB

MD5
a73b8189e32d3a97ae2fbf1a57931d49

SHA1
560a8ea628a89a82233bf4288166b54789242966

SHA256
855f6b5eea22a22f5f4abcceeed4b8969efb3a99443036eb5eb64f5f46c8fd8e

SHA512
2b016e28a7e63de8fcad90ddb38ccd5d875a22cf53d723e055b7c7c9b7589cb818883234c6682ca25112af3cb4ba61a1aed384c1638c04905fc6fafdd37f79a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D3F3LYYL\qsml[1].xml

Filesize
494B

MD5
078d42e7d5318ff36c56dd85bda2a8fa

SHA1
a5aef29862c242317f96181148ccfdab11e305ce

SHA256
be3b91d813b60f60254f94486ed42a933917755b86a540d5e533db55c7fcd4d1

SHA512
3462902ecfcd9162c84b1a1e2590fbb1ab78045f74a4e1db328f0005d01c89541d07ea5d2d5ad5b8a07b4c3422fd68ee91ae9c475f171ab1d1c9cf8381e4770d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D3F3LYYL\qsml[2].xml

Filesize
499B

MD5
907910b26337e3e8bbe11bc809e514c3

SHA1
6b509deebece926ee033307d25d9216d6eecd9be

SHA256
05c17ee17414e8ac5fba74ccf58b37c3c6d90fff1fd8e6bc82afcfecc16d6aa8

SHA512
8672c0489c8e76753c1a8153503aad31e2bfcf3a593a8e3efc2b7a7bf75962f91fd704eaffe8e380b4fcb89b78c865b4a384fe708d71ffc102e6898572e7f0a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D3F3LYYL\qsml[3].xml

Filesize
357B

MD5
a31ac96b2ec7188ca918f4f212831083

SHA1
dfd036b2aeb9d16aefbdf4acf0963e3c8f09a153

SHA256
13652cffecffc22d1d98e54221f96290123d77a3dcce1e160f66ab7bf5e349df

SHA512
0eae847501e1f1a7e83e2a5c671e9fe09821490864aa8921c1f41d89126578aa23265a59dd62d82a19917753dcbbc3c1cc82aa4d9cc758cbd3cf88a3ec803f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QW3APMMX\qsml[1].xml

Filesize
502B

MD5
c7f73f2450189039abaca6ef45308104

SHA1
ff89114021f4c0469a4c34dfbd21513b7ce35ce5

SHA256
90469c8db3247ac8c1609df0ef51258330ad1fd98d9a9c9bb5961b46b9800048

SHA512
2124d087afedcdf0c146419c7cc4d3aa38ccebe701582a9b363756f86b8824a162d412d747b40d62cfddca14d9febb61b064c9e8e2f6c8dce9c48fc352d244bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QW3APMMX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YGRQ0H1Z\qsml[1].xml

Filesize
487B

MD5
d0f3c78782d18f295dbe8a5ed2de78f7

SHA1
c29524bbe13320a83fed4e520901dda47be91253

SHA256
8b47477b703fb0165d9505ff12fed922a80a4af08b5104d13bb3037289bcd4b4

SHA512
117737938acd2e005e08b3d0e3a5fcfcb18e410c3bc667af0ea71a27d92c6a7c673c1348202c1fc2d797f9aa358b39e9df64f94b104fc583e82d14b6f36b3f1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YGRQ0H1Z\qsml[2].xml

Filesize
500B

MD5
01acd06477614045d3ead8d9aeb66f38

SHA1
0c154d7dfd9a7314f608fcad6234c222ed482521

SHA256
f3c4d763c5d5fadc409424917a9524b3b37f28621c883498ba751d0971574773

SHA512
4f7a810dedc9ef26411980756ff125ff0c45d7fe4b094da66307748222dcb60815731c74820517d78414e95e94cc5616d2ccb02c85780860193b01a30ed86a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YGRQ0H1Z\qsml[3].xml

Filesize
323B

MD5
00b421f8dbd7ff99de93d15371c2b9a2

SHA1
687f848c0759858c1ec85d38ce334cc340c6bfd8

SHA256
1ad07ee7d4e135fbc512f51e0707eaf618ef2c168ce5e252b1b8d8d4299b5fa0

SHA512
a3ca63fbf50c6ba3f9ef184e7324687f1b6ed03970154cb825ee346f15c9a3f614aa1b24c9d81b03173d966047da44ded6cc114062f453e126cadd66a87e4e5f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hohja4eo.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
e40effd7904ed2e6427a0a75e065e9c1

SHA1
2e0700a80900c43e0ef6ae9635607f24490fb312

SHA256
c51e21d4cc4e4bd6a99c1c106001c18a8605a29d93fc1335b023f4912d4bb1f6

SHA512
63b8b0468f8a7c58f565f5a59e22a5e50d71124ca75a14fc96ea0c1955f2eebde06ff68123093876e79c37e4a44f7a7ace0fd5bd4e3857bad143ab54db11bcae

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hohja4eo.default-release\cache2\entries\F6AC07F99F5B73E7F7D8055F3F940277F10064BC

Filesize
20KB

MD5
0342c1ef9689491d3a0318118389a6f9

SHA1
b4698cf58394745725fb45f706e7334f197bb9d8

SHA256
e0fd0f764127cab8dce4f67b7feeff338331768081e4a550cc87bccc7e2fd542

SHA512
a33dd88153ae7f7fac9d80f47236cb914513fa56f6663e0fca544b3fb8a747c0899904c0baec45ec140658cde7a5bfbb7fe2b12b231d355613805eeac3ae0144

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\hohja4eo.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\46GGVZ84VB8KC5OXY8OL.temp

Filesize
7KB

MD5
d59d095067b09516ee3c37ce238aa1d5

SHA1
46b175dd01760c3546b33d7810ca8d457f335c5d

SHA256
c5743dd279fa2bff829aafd5f3d2ceb711507a79eeee06bc6f656664ae050fa9

SHA512
726dfceb7f045288545fca9f91ae46dbb9284cb3a7071c6687c81b2cf52e6ff75a02de66b86e9a7c2f5abdb0720170db3fd930a01a399a3c6dc66fc341a67f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\AlternateServices.bin

Filesize
8KB

MD5
afa1fd0e8adea12605735c0e5c0b8291

SHA1
7348631672100e4b7a56c63b35cc2ef8ff4f7157

SHA256
b19512e39c6bd6756a23aaed11f5dc95b0068b67012281d13c609b0ac9bd2d9c

SHA512
3ebfce23df472b9357ec1a77141f24f671150f9b3538c56a86ded7f152ab918c9ebde68d0d0555c9be5a75fe69249c2788ef8aed4df0f23221a51b6cb00bc913

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\bookmarkbackups\bookmarks-2024-12-03_11_lfA1i+n6EsVk6QdOxBxTGw==.jsonlz4

Filesize
1016B

MD5
29279a042459171f270efe60e8a04899

SHA1
e5ff657c374b68b6488a7ad2e9d6e8adbbb67d8e

SHA256
d98c4d5c20645cdb8bbb2a48cbf2fd7e9dea3416d7408950935c888ac0ef5e11

SHA512
67e7d23b660cbd977f500c1855606784604d6e4133f780d8196a794d013076196efd6c3c4a7c1693b38ec32f18f56d294250c998c3a39696bfdcbe638b309964

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b121cff274cef76c4f51f6f4a0078083

SHA1
e266e5c564bc11e254d1d9e76de7507ef1d14da6

SHA256
998b6133291bdb485c377293e3e2c86f9fac2bc63d6faef6e3cc1a369d9fb16e

SHA512
217bb79213dc1545212d0c1ac1540bf357d59680c839a86f3207157727436bb5743873ab0fb371825e56365e66fb6139e4f919ad365d06f4edbc0dd985517930

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
48KB

MD5
f988da2afe0e4c381cfc19e6d710d68b

SHA1
beb803f23ba5bf184ccbcbeaae69d0906d485645

SHA256
3cacaaf739ea9512649497f6abff623efdbd2ad5720809f5db8c1fb45948b5c8

SHA512
b42fd8c4ee2d6c618f7628ec64959a788ad935d7e9618da09c05aafc055c213b9e23c194a7849cdfffcc4115213363086e3a14c267526e27d6363b83069dd142

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
48KB

MD5
58dc838a0ddacf7f48cbafd73ea33fc2

SHA1
1428a010067bb64fdfd5baf992b61cd325c89d69

SHA256
5f8453d12d04bfd3a0e6fe2d6d73e462d97001ad3c5c2095aeb03d573affaf09

SHA512
7b25991f2fecea9fb497ae751743724ecdf4dc890900a61795165ff7231602af3b5ff9084ae24d480e814fb7a9b4a89b8919dcf1cc873ec2ff0e827bd7820e74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
a52155e256556559ab53c99d6b2cacdf

SHA1
6a76cc2aa42c01e162328e2a7d73b8fee73fb396

SHA256
f00ff1308629e2f2f3dcee1e914971e5192810c71d585086c63c00d0054708c5

SHA512
431424b2826e0fb5915e996b43bbe3d47c376a0374b711e4b2043185ccccead3b6ddadbfb7a3d200a6c71544200d2d9aefd570bc9670b46953f019af3fc34715

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ac4d60d33184fc58591b893043c76928

SHA1
0903ad621a6fc84fdaef7626ef2a5be25fa99f3e

SHA256
44437def6378e1d4893b47508744f9acb89971eefe5564790782eb7b277f1e2b

SHA512
3e7250a21cecb03b693daaa9376919b546e31926bff7773d7b390120648735d3f9a0c98712bdf2a4a759a4e09af726e4b5b961d1f649360c279abb91705b5904

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\28022375-190a-4d1e-ac39-18efb42a9e8d

Filesize
982B

MD5
33a8655ad93e0f237e1d8ae34ee0f431

SHA1
902d08a3c5fc2a7ba59f42548a319f43002952b5

SHA256
e6e9f5adef50b4574558999838b914ecdcbc748d19642bce4e67a95d7fccf13c

SHA512
f595f08f5444dea43eee285e496ee02ded867801eb3701b1e3f3ab73f5c4abf21be380bff4844e9fbbb81b0b64100b3b829ae4d1aa8e140b728d7d9070b20fe0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\7db4805d-dd7a-4cd9-9216-5a931ceacdac

Filesize
27KB

MD5
df32aa28a4f13544d31ac3c6990d735b

SHA1
145e3251cb470f4b60dce54e939bbb4053af22a1

SHA256
1ee930d6242ecdc31a497c6cc85b5294e61e331d461b5c278c958fd31ce57ba6

SHA512
9ccbf3169c8133625b59a23b866d5b87b57a515e3be0afc5aad114d54d2e9c416b9eedc09a3bbb6f109b8bc0b9d4bffa75aa928b7724959cfa88467dd27d1585

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\995ccb5f-a932-49e4-b234-6d04a268c71e

Filesize
671B

MD5
6a2e9bc59bbcf1826491b68bfe0a3525

SHA1
096be4e34e9d32d45702b591866e118dce533129

SHA256
0de5f9b6333311dca22f65011421e7b34dc180baeb65a2ffc20b491273bc782f

SHA512
e59f132ad416ccce23ce8e98834bf7e8f4de6a4cdd90c0b89f13aa03e8de55792df50d1604ce5f1992b61a5fe23e5fa992519221b039b59c99a9b42a27844cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs-1.js

Filesize
10KB

MD5
b570d8b654f8494d15376791866bbecb

SHA1
dad20e90f4b1a2ffe819266bd2fe7917ce70e8d7

SHA256
cf4d90fde68a235f64ece9f169425519032d11e0ad5a28038e73daa8e999e3e8

SHA512
9681397cb154c1aaa3be2d3c7d539fbbb1be7b90c1449c18cd1128b37420c6bdf4f8ec7fd35b3c3366997ff0d39c83ae857d6ceb154f0f87102add315dde02b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs-1.js

Filesize
11KB

MD5
dbb4eac4e54b09aad24445d89e02cc55

SHA1
ae5e250b78dbd0fdfed84176722c27f5aa5c983c

SHA256
7932eea247731d65497bda441e776af04e518787d01309b916a209302e87aaf5

SHA512
143197a98030da1d8b41b61aa5dc1a6221f95fa1bf7067a2a6cea4983668345560af8f96f27c3f480d3f51911adc59b0785c5fb21ec42456dbf4ddaafadff215

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs-1.js

Filesize
10KB

MD5
286fdc1776c4d2558efe9ded3032d75a

SHA1
25b99cc642bc4490ba97457afdb4bdfd5340add7

SHA256
88288031f35a4311d05dae77dcc1a4b229b707a3ae3de99b988d8e0cdbd1e677

SHA512
f7f8241c727d31a2d6dbd533cb49ff438c693e2e00d8e32388bf79fc28ed69752c8aaab5c3bf9c411629f46e9e4fa1fb579e0f296fa72afbcedc7497be388582

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs.js

Filesize
10KB

MD5
e2192697da0a3a0b103f92720a439b32

SHA1
c831001b47db003d5b8a18475dd4174e3e85c6f6

SHA256
3818b834253d3e58b8b60184d3a4e05f3e06c51f2aaa72e98a6f75201dc37902

SHA512
a752dbcb5c9684d28fe2210a61e80bd9d95b9abc7d0f6192d848c3daf6fecc3eeb7c0855c50aa291ac0c84abcfe5013ad47fa3a2effe9d4d9c6a4797eb125f26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
9de4304bdbd613d09f7bea3b44224256

SHA1
6abf7ced385a18a71d4e6941b31781bd99747a27

SHA256
53f775d10d9c4f6e578f14cb3c124d628cb7f322ff009289311afa47548114ad

SHA512
75b8f7ce738b9c817d533803897346b0613464b0058e1ec1af7f152e76b6057e08fbc52d3e59345e07a870102bc1c6c7a773e527e015b59429215fc3bc3ac5d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
f9bda3259984b713d40f26f480b6407c

SHA1
76723f88ec0092956a850ee2e159342868c1fcab

SHA256
3d5719054059f6fd6e95b3814cd49fd387c495b65533b94e5e2362c517742fee

SHA512
d998d7c4ce9b8145489410ddf3a2f0f24a62b58148d0ce3b2470a10e1d93c2d811d775dc99a6a966d16f58a1994490d5dac0c9c72091f9be98c350272cc08789

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
7b0741d27fd6874c98af16a9487b6727

SHA1
8bf386d660473d0df0d6b8afc9fc5107ce6c508f

SHA256
0c61c197cf938b7eb61c965e410a75d8fe9b1bcb3a24181e4162e0a8a56a0d4f

SHA512
1394b0206b6ba76e39fa5b593f8b30b83f3a6b6b36f3db2f62d88be3f3ec3aea045b90497acfc04d5a6cd62dd18d2e7f6749333a75e03fd8cee6f98d292acaa8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
31034a69160c410af9552b1cda53959e

SHA1
03074266abbbb9e3b3362267dd6c9192ee77ab65

SHA256
453c02c9bf665908b2b49d6162d0bcea2ddd7e7951e93f7e77bfb6cc614c2ddf

SHA512
2142073c1a395dbfc715c474c7d5f7f6e1457e13d38b7c6d72eb9f7612a90b349cc926ff16b4f94b02383dfa4780d04d18dc9e07cfb2a30038feb0df8661736f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ff737c9de679fe9a075cba4f0e1f9e05

SHA1
4b265841266be91dc3e8f6a8a679a50623c51823

SHA256
555ba4c335344b44e05eb9a39531dba88a21f4ba0a3f5db5d024b71cb2aa1246

SHA512
4175d723140492b50d1af65c80e6f20c2a99456a2abb9fdf0192e3db1ddd51df6ad3b859ea824584929c5cef584ce3b7d5443f37fb430f8cee4b5208818d8f35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
a0858a0cbe6de75d776d7b2ecf0ef7df

SHA1
5d4ea28dce2cef4832ed449e8ec13ea7b70ecbfa

SHA256
cb4156acc6839765a1a43356a06a7368fc23cf180ebb27ef2e9a6ae2e69df1a8

SHA512
081789bbdcbbc2b5d87336bff6613b5518bcd498154a967f7c7a342a1801a4b225de10a1b61ff12da9e61271dc5ff2f425b077a0d6849b7a5ac5ba59ce3b13c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
d0a78c76dea3ded5d920ee6df1ee0b73

SHA1
b6e2338712c2a6355993dd04ae32c820ba042afd

SHA256
1b257b2e65198729048a6eda0fb18693a42023454530d4c1836c6bcd4a5cb3a6

SHA512
78a1583545d2341b5e31b62c79977deb8a5767f4895b558c635db54a2221ab0fe5a4ee36e22acab7ab2ae136165bfb872608867dd9852c39bc6412de7b7073c0

Download Submit
memory/976-3-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-18-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-21-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-2-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-9-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-19-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-17-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-10-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-23-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-1-0x00007FFB5546D000-0x00007FFB5546E000-memory.dmp

Filesize
4KB

Download
memory/976-4-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-12-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-11-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-8-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-15-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-20-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-22-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-14-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-13-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-5-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-7-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-6-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-25-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-0-0x00007FFB15450000-0x00007FFB15460000-memory.dmp

Filesize
64KB

Download
memory/976-16-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download
memory/976-24-0x00007FFB553D0000-0x00007FFB555C8000-memory.dmp

Filesize
2.0MB

Download