skuld | hxxps://gofile[.]io/d/lkw1cL

Resubmissions

20-12-2024 01:58

241220-cdx7mawmex 10

19-12-2024 23:39

241219-3nsm1atnbq 10

19-12-2024 23:39

241219-3nnztatkcz 3

19-12-2024 23:31

241219-3h5elstmbj 4

Analysis

max time kernel
1050s
max time network
1029s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-12-2024 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/lkw1cL

Score

10^/10

skuld xenarmor xworm agilenet collection discovery evasion password persistence privilege_escalation rat recovery spyware stealer trojan upx

Malware Config

Extracted

Family

skuld

https://discord.com/api/webhooks/1314414095461777419/8hYVVlssdJOsLuwWhq5QQqRTlg-3pzMhiKB5tYVl8wS1FN6rDNu-iZ34u_-J5bahL4e7

Extracted

Family

xworm

Version

5.0

127.0.0.1:7000

127.0.0.1:80

Mutex

0ePRF07hAchWriNo

Attributes

install_file
USB.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4644-2225-0x000000001AC20000-0x000000001AC2E000-memory.dmp	disable_win_def

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x002c0000000461bb-722.dat	family_xworm
behavioral1/memory/4644-1255-0x0000000000040000-0x0000000000050000-memory.dmp	family_xworm
behavioral1/memory/700-1287-0x0000000000C30000-0x0000000000C82000-memory.dmp	family_xworm

Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor
Xenarmor family
xenarmor
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4108	netsh.exe

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00280000000463cb-2464.dat	acprotect
behavioral1/files/0x00280000000463ca-2459.dat	acprotect
behavioral1/files/0x00280000000463c9-2454.dat	acprotect
behavioral1/files/0x00280000000463c8-2449.dat	acprotect
behavioral1/files/0x00280000000463cc-2469.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Control Panel\International\Geo\Nation	XClient.exe

Executes dropped EXE 10 IoCs

pid	Process
5192	start.exe
5380	XWorm V5.2.exe
5572	XWormLoader 5.2 x32.exe
4644	XClient.exe
2484	XClient.exe
4380	XClient.exe
2652	XClient.exe
700	stem.exe
2372	XClient.exe
828	All-In-One.exe

Loads dropped DLL 33 IoCs

pid	Process
5380	XWorm V5.2.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
2372	XClient.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
828	All-In-One.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x00280000000462c9-419.dat	agile_net
behavioral1/memory/5380-422-0x000002673BD60000-0x000002673C998000-memory.dmp	agile_net
behavioral1/memory/5572-470-0x0000000006650000-0x0000000007288000-memory.dmp	agile_net

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	All-In-One.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	start.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
168	ip-api.com
173	ip-api.com
289	ip-api.com

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000462c8-413.dat	upx
behavioral1/memory/5192-414-0x0000000000420000-0x000000000135C000-memory.dmp	upx
behavioral1/memory/5192-418-0x0000000000420000-0x000000000135C000-memory.dmp	upx
behavioral1/files/0x00280000000463cb-2464.dat	upx
behavioral1/files/0x00280000000463ca-2459.dat	upx
behavioral1/files/0x00280000000463c9-2454.dat	upx
behavioral1/files/0x00280000000463c8-2449.dat	upx
behavioral1/files/0x00280000000463cc-2469.dat	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6f5e1a39-3dec-43c0-b20c-4f08a72b690c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241219234012.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	All-In-One.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 28 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 19 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWormLoader 5.2 x32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWormLoader 5.2 x32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000\Software\Microsoft\Internet Explorer\TypedURLs	XWormLoader 5.2 x32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133791257611302179"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	XWormLoader 5.2 x32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Pictures"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "4"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	XWormLoader 5.2 x32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	XWormLoader 5.2 x32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "12"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 50003100000000006b57dc73100049636f6e73003c0009000400efbe935910bd935912bd2e0000005c620400000026000000000000000000000000000000eb5e0a01490063006f006e007300000014000000	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 60003100000000009259f2b4100058574f524d567e312e320000460009000400efbe935910bd935913bd2e0000003561040000002900000000000000000000000000000094cb2a00580057006f0072006d002000560035002e00320000001a000000	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	XWormLoader 5.2 x32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	XWormLoader 5.2 x32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	XWormLoader 5.2 x32.exe
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	XWormLoader 5.2 x32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2372	XClient.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3832	msedge.exe
3832	msedge.exe
4384	msedge.exe
4384	msedge.exe
1092	identity_helper.exe
1092	identity_helper.exe
4224	msedge.exe
4224	msedge.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5572	XWormLoader 5.2 x32.exe
2372	XClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
3192	chrome.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe
6096	msedge.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeRestorePrivilege	5292	7zG.exe
Token: 35	5292	7zG.exe
Token: SeSecurityPrivilege	5292	7zG.exe
Token: SeSecurityPrivilege	5292	7zG.exe
Token: SeDebugPrivilege	5192	start.exe
Token: SeDebugPrivilege	5380	XWorm V5.2.exe
Token: SeDebugPrivilege	5572	XWormLoader 5.2 x32.exe
Token: 33	1128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1128	AUDIODG.EXE
Token: SeDebugPrivilege	4852	firefox.exe
Token: SeDebugPrivilege	4852	firefox.exe
Token: SeDebugPrivilege	4644	XClient.exe
Token: SeDebugPrivilege	4644	XClient.exe
Token: SeDebugPrivilege	1620	taskmgr.exe
Token: SeSystemProfilePrivilege	1620	taskmgr.exe
Token: SeCreateGlobalPrivilege	1620	taskmgr.exe
Token: SeDebugPrivilege	2484	XClient.exe
Token: 33	1620	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1620	taskmgr.exe
Token: SeDebugPrivilege	4380	XClient.exe
Token: SeDebugPrivilege	2652	XClient.exe
Token: SeDebugPrivilege	700	stem.exe
Token: SeDebugPrivilege	700	stem.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeShutdownPrivilege	3192	chrome.exe
Token: SeCreatePagefilePrivilege	3192	chrome.exe
Token: SeDebugPrivilege	2016	firefox.exe
Token: SeDebugPrivilege	2016	firefox.exe
Token: SeDebugPrivilege	2372	XClient.exe
Token: SeDebugPrivilege	2372	XClient.exe
Token: SeDebugPrivilege	828	All-In-One.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
5292	7zG.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe
5380	XWorm V5.2.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
4852	firefox.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe
1620	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
4852	firefox.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
5572	XWormLoader 5.2 x32.exe
2016	firefox.exe
2372	XClient.exe
828	All-In-One.exe
828	All-In-One.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 380	4384	msedge.exe	82
PID 4384 wrote to memory of 380	4384	msedge.exe	82
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 2268	4384	msedge.exe	83
PID 4384 wrote to memory of 3832	4384	msedge.exe	84
PID 4384 wrote to memory of 3832	4384	msedge.exe	84
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85
PID 4384 wrote to memory of 536	4384	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5364	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/lkw1cL
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ff8ae8146f8,0x7ff8ae814708,0x7ff8ae814718
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4072
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff7ca145460,0x7ff7ca145470,0x7ff7ca145480
    3⤵
    PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1554908922581222249,5977038301776921385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5144

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22431:80:7zEvent2815
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5292

C:\Users\Admin\Downloads\XWorm V5.2\start.exe
"C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5192
- C:\Windows\system32\attrib.exe
  attrib +h +s "C:\Users\Admin\Downloads\XWorm V5.2\start.exe"
  2⤵
  - Views/modifies file attributes
  PID:5364

C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/XCoderTools
  2⤵
  PID:5688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff8ae8146f8,0x7ff8ae814708,0x7ff8ae814718
    3⤵
    PID:5704

C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ddc3o25w\ddc3o25w.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92A7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36881F5222DB42ED93D57CE4AEF3AC4.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jiedt5ot\jiedt5ot.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5432
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FE5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8C00D6CCB0A49069270C799643ED11A.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5400

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4388
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {680e37b3-142c-49ba-ba07-5940da77be9f} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" gpu
    3⤵
    PID:1992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdd5f6e5-29fd-4bac-a7a6-9aa2b7bed4f8} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" socket
    3⤵
    - Checks processor information in registry
    PID:700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2908 -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2988 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fdecfb3-d040-43cb-9967-20a6f8d64f8e} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab
    3⤵
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3912 -childID 2 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c84a5e6-3b13-43a7-bd22-8f50b6e642fc} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4588 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4560 -prefMapHandle 4556 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b41c277f-ec65-4d12-8ead-4803cbe8e4a8} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" utility
    3⤵
    - Checks processor information in registry
    PID:3640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 4744 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {74061e70-e7d9-4944-ad25-0318b956a4d7} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab
    3⤵
    PID:5256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 4 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {400552d4-8ca8-4889-9b3c-79db6b0003a3} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab
    3⤵
    PID:2928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d23b7d29-fba1-4b80-9238-af4a05b18d70} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab
    3⤵
    PID:2984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6128 -childID 6 -isForBrowser -prefsHandle 6120 -prefMapHandle 6100 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71ed0726-37c2-4d18-b8e6-94743d13b6ea} 4852 "\\.\pipe\gecko-crash-server-pipe.4852" tab
    3⤵
    PID:3048

C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4644
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  PID:5304
- C:\Windows\System32\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http:/goflie.io
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:6096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff8ae8146f8,0x7ff8ae814708,0x7ff8ae814718
    3⤵
    PID:240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:8
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
    3⤵
    PID:2232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
    3⤵
    PID:2940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
    3⤵
    PID:5348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
    3⤵
    PID:860
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
    3⤵
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
    3⤵
    PID:4220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
    3⤵
    PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1096138590389212189,707884566637656525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
    3⤵
    PID:2472
- C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe
  "C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c Cd %temp% && All-In-One.exe OutPut.json
    3⤵
    PID:6112
  - - C:\Users\Admin\AppData\Local\Temp\All-In-One.exe
      All-In-One.exe OutPut.json
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Accesses Microsoft Outlook accounts
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1620

C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe
"C:\Users\Admin\Downloads\XWorm V5.2\XClient.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:704

C:\Users\Admin\Downloads\XWorm V5.2\stem.exe
"C:\Users\Admin\Downloads\XWorm V5.2\stem.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff89ff7cc40,0x7ff89ff7cc4c,0x7ff89ff7cc58
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2096,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2388 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4068,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4724,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4792,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:5352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5168,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5268,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4772 /prefetch:8
  2⤵
  PID:6124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4876,i,969920615026273713,2903551326358402847,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4788 /prefetch:2
  2⤵
  PID:1536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1144
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23681 -prefMapSize 244705 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bedb996-9fd4-4908-9a81-097be1bd9b03} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" gpu
    3⤵
    PID:4720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23717 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53816bd5-081b-4bfe-827f-0e3239571312} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" socket
    3⤵
    - Checks processor information in registry
    PID:732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3080 -prefMapHandle 3240 -prefsLen 23858 -prefMapSize 244705 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcdf2651-bda2-4191-bc50-839f4e9f4ea5} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:1184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3484 -childID 2 -isForBrowser -prefsHandle 2864 -prefMapHandle 3060 -prefsLen 29091 -prefMapSize 244705 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49fa0141-3b10-4289-ba2e-0a3385f4af53} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:3328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4760 -prefsLen 29091 -prefMapSize 244705 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {24b70beb-c629-4c79-9715-a7c70cfd58ae} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" utility
    3⤵
    - Checks processor information in registry
    PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 5276 -prefMapHandle 5272 -prefsLen 27051 -prefMapSize 244705 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8f9767-6d38-40f2-8097-de4578402cd6} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:2152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244705 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b893735c-4307-4884-bd84-42ba01515bf5} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:4596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 27051 -prefMapSize 244705 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d46df6fd-5a7b-49cc-b4c5-7b30da93f51f} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6140 -childID 6 -isForBrowser -prefsHandle 5664 -prefMapHandle 5668 -prefsLen 27051 -prefMapSize 244705 -jsInitHandle 1224 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62e9764e-92c5-4769-a017-8aa687dfd33e} 2016 "\\.\pipe\gecko-crash-server-pipe.2016" tab
    3⤵
    PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\GMap.NET\DllCache\SQLite_v98_NET4_x86\System.Data.SQLite.DLL

Filesize
1.3MB

MD5
14393eb908e072fa3164597414bb0a75

SHA1
5e04e084ec44a0b29196d0c21213201240f11ba0

SHA256
59b9d95ae42e35525fc63f93168fe304409463ee070a3cf21a427a2833564b80

SHA512
f5fc3d9e98cca1fbbbe026707086a71f801016348d2355541d630879ad51a850f49eb4a5f7a94e12a844d7a7108d69fa6d762ee19f4805d6aafef16259b4330b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d1ed93b999b9dafcd7df5d84c62f2184

SHA1
5ac48d6fb5b6861945435f77ad4f84db28373bc4

SHA256
67942ab6982d03b3b235c701741e0a3ad16d791a3dac4d0a4f0b47bd9efdf2b5

SHA512
5c3b1eb82c12b15089ada7ddac1980975f6b960a9f65101f6f38f1ee4cd25c26ba5478716774b595b0b4444351cf1e793f2a5c4e8577666f406e8eb044dcaae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e4dbd16e8e519e6ff872f15a9f8b467c

SHA1
efa47d19a36bc0099345cf4f96564e20d3326188

SHA256
a23e61286d4d70486de1f6e3f04a198306f9344340ac760dd692675ad75b4d4d

SHA512
8d3a8b4bedd4be20f2f65427b661266dfdd380ec23e3a21ba03a66e3dca852a7fbab2660e7685df4a1367103a27b754b3d0a8b396b5ad6b57391ad5bd52290d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4cbcf3bb19822c92b0fe543bc910d975

SHA1
92971d7128a9882fe6872e0aa32770084c318285

SHA256
bc2c713a6636d904bf519388cd708c251edad4ef30475bc347ae728088c8b8f0

SHA512
ea2c7ae5bd1efd9b9e69056298563d7923f6174426feebbd3a230d83d46ca494d7f05e7ea7de1e3682a8334e4d0300ca38addd340bb144e95e2953df90b6be11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f6af4331b4a607f55d24a830628d771f

SHA1
f10dc2005e815e153537325cb96fe073a629069e

SHA256
966263a7ccc532bc94abf23cd5385dc34bff05f57aab0e500fc3446fb4b6e5e4

SHA512
5facfd13430757a6caf5035a17ab13b2cb76c6f4c2c2a9b445df39b07099ccbc07f94b5376b02d6a4ab7513d778db6ac693d062f1edc489b7af79dcbb8a08e6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8a1db43ea3f855267f35aa941c9a81f2

SHA1
462ac8686151c21e68a20ff2803c9b7b7d981a28

SHA256
dc6df15628b294d6933c84b9d7a45309114f1d0fc8fdb8e355cc40c8e065eb43

SHA512
3d5ac6dcc7909443233ffebfeba2ac77b4e5ea64e17da7d681709880d572e02031278be14e1b6d27b8e6509c50e09b2a2d1a61f8e91a51ae9ddabf7cbe2fc25b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
08a19c219e3efc1eb6f4a1d1410db639

SHA1
ac25afc4cecaea4038925cc220d0745841ae76a5

SHA256
b0a46ff0de5ce122e9abe2b2d5dbca4e49f5402b8ed5245c8306110eb7d48a1b

SHA512
e294044a5a9f2e224f1277e904573569e044b3c2cac909c95af40c54df75d4abf84a116ea616cb2ccee3b1d772713d251ee5f1cf9aa867cc1f6868bb2c527174

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
aaf25f6d1765a0e47517294b5fb70200

SHA1
b33d7ac9395c1bda376a51593e3676fc26b65139

SHA256
d4e2f8ee8c3732421093d11ce6feeefab4f5f217930984763524e06d7208fcd3

SHA512
993d7265ed6b9293a7f9fe66adad88a484baccb5d583b52e35475654dfc310051a79fe1682d9f34b7c0ee4df0e0f10a59ce6dfbdc5bc447fa3397b6a1a9d648d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e15bde092994d93e1c69ecf1606fb3c5

SHA1
38cf66ca50b5759a5d61b06d9c548aa32386926b

SHA256
b9cda16b5469ba56f89bb24befcd316dd928137e5fbc0f4c68858bd13f5963d0

SHA512
e0717840e35dccd7246419144d90c5c5095a0d2d1e48bec48056ed7875bc74a21f5c51617da71f21f7356e1f2833dcc7f4bba67e1db3345e9a1c3c8ca0b9a339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b978286bf14830eb6934e7907a22b78

SHA1
483f74b9a7ede4a41695c5e04e785092f97a8f22

SHA256
e54541e724d61e6aaf354a82041798c377fff8a44031fe15030f1538922c01bd

SHA512
191ae9dd9221d8ce7f0d64f5cca70219cd648ab2081f1e2dfbbe2af701eac4196200bdea3766af7f7ac32e3905312e7f78f06e392db5b4959fc329337c78b8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24dada8956438ead89d9727022bac03a

SHA1
09b4fb1dba48ec8e47350131ae6113edd0fdecf0

SHA256
bf1e5c7828e4672982b16451b5a201e65e812e98a97b87c9f2f7c22677cb4ec1

SHA512
03f092a4b20a4d8cc111220b35fbf5470878b7723faeddee65b1d9cf327167053792c77864103b4530b9b9f819e32a5721b44189291dfdb5832769835ea5dd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b712a4c83dfb3c522d032cf900e863a

SHA1
4f5bec4be6f4ebfa959e899ceafc62309bb1f141

SHA256
31da2a41a051db11559c47feb923d4baad32a384f530013a435fa884dad64493

SHA512
03b24d9307623b3a341230805f3ea662b0107c314650a51ae7e89d901cb3ad212d4219bab4d763d0aa8d50831aa0e6d4e3379573cc2f724873804578e8642898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f073249d4ef50b5bce7717df9540456f

SHA1
b2590ec97c263094e13591c8d6f13cd48cbcf1d6

SHA256
7d8768f953493198d4308e7e3024991fb46ed6ae6a9d1adb4a0ea511767ec802

SHA512
0e81f27050b7f4c9540c8252d90b624b413bb8ea61d0752a09f377237d76ddd5062c012a0b9e00b32b709098696948bbe9712b72ba0f53672ed6b1f2910b0609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
41KB

MD5
ca9e4686e278b752e1dec522d6830b1f

SHA1
1129a37b84ee4708492f51323c90804bb0dfed64

SHA256
b36086821f07e11041fc44b05d2cafe3fb756633e72b07da453c28bd4735ed26

SHA512
600e5d6e1df68423976b1dcfa99e56cb8b8f5cd008d52482fefb086546256a9822025d75f5b286996b19ee1c7cd254f476abf4de0cf8c6205d9f7d5e49b80671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5e04c7259c63378174fe85cf6fa910a1

SHA1
b5bfc8eb4e6e91451ac9b31ecc1e322601265972

SHA256
aec743534f10015260527277ff6be86ab05bb6299bdc8531fafe3d4d88412b30

SHA512
314624e36ed0153daeb95455d8a21c5bcb4663d7f246e8367ed0c41066792ef84bd57469be775adf4f3e5b0fbe2112be678899bc25e3dd6f7c1b292bbb6a34de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
70804cb055d1988419d11f7e304f8979

SHA1
24a3d5d7ecd0ddd238c5db29731588f850aa8c20

SHA256
963e2c95bf9511a0fe3a9669beb58d0b605bc5a014dfc7ae27f031a75fdce17f

SHA512
bc6110cff886d7dcd35d40c5c0359fdf4846f9af15bc30e8430e1b032eaaffc42dfe323d32d556ccd9bd28f2840cf8315846d101d99aa3ae21e4e94cd254128a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
87b4c8e974b1bc85e80734dd78d69d43

SHA1
5d85d27bf0236c9c7ec78cb2cf42e79cba281f76

SHA256
1b8f4ebaae468195997a38ae17214a0fe09f1da7af89b5dc56b4bf66851f8388

SHA512
9ef7c121912b476ea3e5d023163f494b7f9b88644d5d45c89e3c14507d590531d77615d182a391c6f2c85ec945d6c1a80106b34fe63f2e7adfb4d4e2143e1e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
6890c1766ec9ee7c8f845420d05eb762

SHA1
ed4bd20429d61aa592dcddeafdfe12ab1c0641ab

SHA256
9764f4c406ffd833eea5bef22bd7ae9e709fd7ab186aad948d3ac6d1dabc0b73

SHA512
c4e7e18725f5ef790327b0f727e691497d7d8c22ec58f751c1c9c389f40fd49003265f501a04fae94983b9b169fd42afb616fbcbe4931810dd46526e09cfc721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
723B

MD5
e6d7e65208532175268f26bc0aa8986e

SHA1
4915244cc66ccccf22ed2e183d74d98d41e5bc09

SHA256
397d0a4c6af8be59b39c0a37f169cae77f0b2c7702bdb3726f357a2debf737ec

SHA512
de62f46a65cc6fb4cb65420f8ccce903542193046a1f07b2f26e9ce7ceafb0bb7a950e739d39c860823766fa710ebfb437117db06258a5071ee02956670030e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7c0d79b95ae2cf3dfd2a4054af266439

SHA1
c632524bc5141e51619f1bbab0149e8c9ad7660e

SHA256
482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d

SHA512
e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b55ef5d4fbbf82f5ad8b3eed626a3f22

SHA1
b887fb8ed11a6505cfe4c0dd37276d492ec9ff09

SHA256
adb8c2de10b5e20f3bd59da57a6e97df5faa78140af40f550c385799eb00aad9

SHA512
153d55576db154a16d2ce0c3f41aa7ca5462d7f064cecbde656f4f11a75fa93764bbdadc4b6e099cbaf9bba52392e50a15118ec0dd776f21bf1dc701250e0d72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5879de.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
550bed1b070bf06868519e06bfa229bb

SHA1
4776dbf2dbd8dd212f74a17f3d2ae230dd4e85c8

SHA256
7d0288d54aee9211637ad72cb2d97e5abf7dd41670bce21a850716d5626838d2

SHA512
e88786f176147f3a031efeca6bc9a3ee3501f4fa1d572f56b30eaddd477a9cc0ac91ba7f74292d5b75e9cffb78ff60277988d0681aef6e16df7174f6d9b59b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
11e2e31c18cf80f556c84a3649c6e658

SHA1
d036b6838e93fb80f3c7e81c6e27327d7b488dcb

SHA256
8b084888c4f6adccf0e8c031aea568bc500b9c65b2b893df960ca36775d02144

SHA512
17c585c1285b51b286142efa9e0020d0283b6da5ca1b8e20e59a239b354a9103865d1fc0bb05317dc17a23956e2e02bfca1871c4170c5062d5aeb2ce4a446d9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d0f66b1ccf625c015149b586beee9b4

SHA1
6e0cfdcb34a547ac4744efc8ad27eb884686446e

SHA256
4003d723f104587ba2aab0fe5cedc37041eaa6a6e8e151a340d39c8bd6d35183

SHA512
c84ec1967ffcf88fcd3a8478a85481b7df5ef40f62b887bb85e15a6e551bf14ddd90b4e2f4769fad9152e5fd478f7c1e9cd16b3e56390ff6da6030b125458140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
331fc24790429af6254a5d6005f0d54a

SHA1
4180e42ee6475c5015c70bdcfe05ba96f51a8939

SHA256
9bf139e7567d79300b3abb38db97c0e0d8263a1ac360eb12a9d67454191921bd

SHA512
3014f531162cba70c74092bb69b03c91650521683331026b04f86be95bc2d9e1e39edb3dac233f95fb6e499c9ab47b4dc961a14e8bb88b7ec7509e1f0fe2ac72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4ec90b86b28caad79f67c40040f6885b

SHA1
163371305dec123d9fa2665f89081e42b048a486

SHA256
74a92b2dbc6b6aa7badc8714241e565816718acb40305bb05129c6ce7e3b0926

SHA512
45feda5d02aec366d549b8e0a4a7957b6a6e0b3d186bb51c4ba5fd5bfea26a1ae36caa9bbab635e934c5d4e56f0d15fb440284a3300c5c5f7d1ea6b7720f93d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5806433ba660936e1d0791b347c8bed8

SHA1
645cceba3aa6cd908c7222e8eef151b3e1c3a1ca

SHA256
30a5d3b29d99c7a50ea2bb766ee71e6dcd2e69bac6ee5fd3e839d84075f145b3

SHA512
68d96c46d70f99148ba506714b530f36fa8d206854a506f7a9b5b03577891215cb48e61471817b760d9d6542c9e45e89c6e84671d1a9aeca17bec2bb918b3a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d376ea06baddd280c13af84d19511425

SHA1
8d5443b0a3a94fa777db22b5a911a8ce0458f9d9

SHA256
87aa5267154c2d56c0b96b04940f17910ddb6bdde977b49677894bcef0170921

SHA512
a4a5f1a9aaa2ce9d498dbb86d5595f3f067e704653c7eebb0d2ddbefe20e508786c18be6e44f55d6176de497f80cfbb7804bdcfce615ffd0f9a0739b766516a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85eca930a791cbcb1373f5fdaf17857b

SHA1
ffea7d54e9803374a484f1e4c124766e80024efc

SHA256
fbc990061790350f00dc28f2dda277aac81bb8385a6e92e90a20101436c3312c

SHA512
2ffe0de3f80ac60f2ffa55f334026979e6be328b7c69f4603aa3c5d1bfa6c3b3744d86ac2a34ecf904d0a41b36bc485392ece58f6cc89d7ffca293d02efe5bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
99a7edf9124dba808b6d025b14aea278

SHA1
f1de2fdd81ea87ee78e8afdc1a7cdffcf62a92ef

SHA256
9d38a8d193a503b9be7b39be5d150bcf22038c84fbf3d53979e2f075a35b9089

SHA512
fc371b7ad5606a9948ba4a315e40a0a93592f57103be4a3712020977b43e4277d95d74ff35e490239dbce1cc475fe1d1746764f5970d2e9f04483c985268f5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c203fa563a15f9b80a8e0aea8f2720ae

SHA1
1172193a4a5dca8cc92692cb2a13ede11f3eecde

SHA256
e2f5ac43018274478a3d052f6e970e9ca54702eb57e25ff4cc665c3e0f1bde19

SHA512
d1ebd95e4f8fc953df720478473b99e076e4f5a436aec736781d3245743f7e257548cca4b84e607595674e3eb47dfca17fcc17eeaa7a6c085883d3dfe5b747b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bc84643012413feca3c396fe2bc1b498

SHA1
d842da847cfdca1a93695313b63ff3c944bd7638

SHA256
32cb01756bc5499f01a441ecd5eeefc2fad044f6443e7c281cfde9cbd3298f97

SHA512
94c18f5c1c72c3b3199c3f00a6db3c078eba0084252f2e65486b1cb51fefe6749166dbf7745cd7cabf38ab101561814ac034c3de169d0cb25de85087aaeaeef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591c19.TMP

Filesize
370B

MD5
c39da158871a9fccd012382071b278d6

SHA1
bd8542479d41f400e6c7fd46ebf05fd2445087af

SHA256
598e010ccb48ba15a82f8a7f23e0322e2b002953dcf98d14f5f39bf866fd45e0

SHA512
b90006e11b933d2d18dae5c72b208962153c597fe735fca51153dea5c94610282a2d415c0fedf8f26f6fd186154f12261451edeb6c76f6e5263d34409bec8bf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2202691af3f949344dd8e06023bb8657

SHA1
c041213d06e234230807b266d4f5e7f7f8f59fb2

SHA256
3efe5035fc6ad754f1ce81218ad98da1adebb3822f66c750a9b17f14d5a417e2

SHA512
53f24e3c7513b43145b44ffe16bdc210fc349baca9e3e33514d3d32758697fa15c5ef9c0ddccd0f97e7d41fd3a7161f267965ecff53b4965e06a93a882ed564a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4142d84f057f9eec0ba575db287a243b

SHA1
1aca9c8ea3c5da28ceb3e5d9c16d3f0102c397d1

SHA256
935319b008dad6d3c9a32ae5674e2ffc6455d37063883b8b8d63edb079b0193d

SHA512
5812a1ec0a70b4fd9d9ea4bb69d1733e93c99e0753179e021c9c7ed4486c0c8b679ac23d2fe4109db88e5f51a10e5de0cdee85ef7ebdc71d54aa727d99d4d12f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8c26e15627b93fe55cd9a3727096fc3a

SHA1
d53e9f6d2bbaa38dbc2adaf09b1518b8784e49bd

SHA256
9a1f8c584f9352ff0ebd6f67f3269dc9d303309af3eff22e2f24ccccc320b8c0

SHA512
23fe669caa4487e38a52b4241b7af49836061135149ff2a89580b315145f24d81b551d072462ff2cc2955fbb54d8230924948ac6d2175d7b9dd1f76a17f90a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d6c362db08ca17338770af52fa12e54c

SHA1
e9f9b2625325b5770ba39331354115a5863ff137

SHA256
e9cde46c723e4f9c86a84461c5c3227563f46ead7d6f6958b7d63976a955d2f8

SHA512
f39073ace9cc111e61e6e2ab69e990e1fda2dde16532780c64ed4e47d245b0a1b85793a6727f45e2817896f1e08fb80b4750c1ad03fd270253ba7225db320832

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7bbced428a614d64ea1801d6a7682bf2

SHA1
f1898031cbb84ee134dcdce3e60969fcaa05c894

SHA256
17d1f361958e9cba8e41e1c5bc9ed66d0d144e40b6fe7477a6ce85eb5c8b4b59

SHA512
f49dfeeb30d51683446c3bfa2aab1482639b947a42b8338d4e2386dd161c470e3f253fc3624ab9f68f625338e6bd79d6957069fa2e87e87be6d3071ce37bcef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
0e711d1a81d328336180b0895c619218

SHA1
e00adc2fba7159e547dc5943181071eb89a3be21

SHA256
1dff05aa448130691ae0a66e0c448d927b46af36789365f1d3cf2e31f6f8de37

SHA512
0d77d85fa06d30aa1a8e70c6d2d4d62446b6933856235546bf4706e4cc2cf5de6fa1e4ee79a71c060d186b0dd45179accb24512eab3e5e470900e93d710feb55

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85na2j14.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
b71eb05d887c828423fd8880e43f58c9

SHA1
2ff674705e6548bc1ee95b60690dfb3b93310b30

SHA256
1e14056c255d2fbeea268b5b11e13960c9ed77c648d188dc3586fb4471f86a18

SHA512
aa1ee2785058942ef740dd1b3d9b58aa781e0af89fc4eaa26d906e8b774d6c6cae48f6019544a4d1fc3d88997ec8d32c14c45a845dde133b79fd04b3b7149b49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85na2j14.default-release\cache2\entries\0496E33B07BB9340090B6FF9A653DA5443DBD403

Filesize
224KB

MD5
e23e09c845b8c8e9ed12c8df2710bca8

SHA1
d63fc2aa64fda0f81183836b1330f560ada0f92d

SHA256
2af07d05b5307a3ebfbb0e703f5a707975130d8e2e80a4edc93cfcca2716b67d

SHA512
550bd26763b916c8c223181a7847faf4a9035c525d5fad001616173b8de0d6dc0aca517847e11201abb7b406669731ed25ff2314d6e0bfb988c5564f0aaf3946

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85na2j14.default-release\cache2\entries\183E2680605B56F24D804B991A30FEF1163A9594

Filesize
61KB

MD5
4b6e9987a550caf3117fd3e14c36b51a

SHA1
26b347ba533c497aa8746dc2ed656fb44a23f1db

SHA256
8ae38df46dd4e26affd860935f982cb2e6d3f71b990986ca04fca6c3790688c4

SHA512
360ea98d8fd63b31cebc2ff782fbf7ee93c3b46a38e6c75f5d3bf29e5a0c03509d9fde1838677307551df44a9b5bcf691e97accafd7a03eb8f9d9a0c8a69419a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85na2j14.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
a68c11d7143394aac1421a32af46edde

SHA1
464d58a8d0cbd92a28a0651a982818f7c395061a

SHA256
0c35d785daeeb18d4a60e31e0a1eb4bc418eee7ae4e429ad8760f1421a8120ac

SHA512
696796d96343d5c8399ebf8b07a518c494f77b40265663fe35826ea7ddbb44d51fc97cebcfc05cd8b0655aa33d2bb23dd9703b8344ea68443c2a348bef929701

Download Submit
C:\Users\Admin\AppData\Local\Temp\8b87aa73-a9a2-4239-9d2e-3baa9053ce9d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\All-In-One.exe

Filesize
5.1MB

MD5
a48e3197ab0f64c4684f0828f742165c

SHA1
f935c3d6f9601c795f2211e34b3778fad14442b4

SHA256
baecc747370a4c396ef5403a3a2b286465d8fe4677bf1bfd23b8164ef5c22bbb

SHA512
e0b0b73c39850a30aac89f84f721c79f863612f596d6ff3df0860a9faf743a81364656773c99708e9c0656c74b6a278b6bf7e648f7ff1b9080f9a21e10515a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-conio-l1-1-0_not.dll

Filesize
18KB

MD5
6ea692f862bdeb446e649e4b2893e36f

SHA1
84fceae03d28ff1907048acee7eae7e45baaf2bd

SHA256
9ca21763c528584bdb4efebe914faaf792c9d7360677c87e93bd7ba7bb4367f2

SHA512
9661c135f50000e0018b3e5c119515cfe977b2f5f88b0f5715e29df10517b196c81694d074398c99a572a971ec843b3676d6a831714ab632645ed25959d5e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-convert-l1-1-0.dll

Filesize
21KB

MD5
72e28c902cd947f9a3425b19ac5a64bd

SHA1
9b97f7a43d43cb0f1b87fc75fef7d9eeea11e6f7

SHA256
3cc1377d495260c380e8d225e5ee889cbb2ed22e79862d4278cfa898e58e44d1

SHA512
58ab6fedce2f8ee0970894273886cb20b10d92979b21cda97ae0c41d0676cc0cd90691c58b223bce5f338e0718d1716e6ce59a106901fe9706f85c3acf7855ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
ac290dad7cb4ca2d93516580452eda1c

SHA1
fa949453557d0049d723f9615e4f390010520eda

SHA256
c0d75d1887c32a1b1006b3cffc29df84a0d73c435cdcb404b6964be176a61382

SHA512
b5e2b9f5a9dd8a482169c7fc05f018ad8fe6ae27cb6540e67679272698bfca24b2ca5a377fa61897f328b3deac10237cafbd73bc965bf9055765923aba9478f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
19KB

MD5
aec2268601470050e62cb8066dd41a59

SHA1
363ed259905442c4e3b89901bfd8a43b96bf25e4

SHA256
7633774effe7c0add6752ffe90104d633fc8262c87871d096c2fc07c20018ed2

SHA512
0c14d160bfa3ac52c35ff2f2813b85f8212c5f3afbcfe71a60ccc2b9e61e51736f0bf37ca1f9975b28968790ea62ed5924fae4654182f67114bd20d8466c4b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-heap-l1-1-0.dll

Filesize
18KB

MD5
93d3da06bf894f4fa21007bee06b5e7d

SHA1
1e47230a7ebcfaf643087a1929a385e0d554ad15

SHA256
f5cf623ba14b017af4aec6c15eee446c647ab6d2a5dee9d6975adc69994a113d

SHA512
72bd6d46a464de74a8dac4c346c52d068116910587b1c7b97978df888925216958ce77be1ae049c3dccf5bf3fffb21bc41a0ac329622bc9bbc190df63abb25c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
a2f2258c32e3ba9abf9e9e38ef7da8c9

SHA1
116846ca871114b7c54148ab2d968f364da6142f

SHA256
565a2eec5449eeeed68b430f2e9b92507f979174f9c9a71d0c36d58b96051c33

SHA512
e98cbc8d958e604effa614a3964b3d66b6fc646bdca9aa679ea5e4eb92ec0497b91485a40742f3471f4ff10de83122331699edc56a50f06ae86f21fad70953fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
8b0ba750e7b15300482ce6c961a932f0

SHA1
71a2f5d76d23e48cef8f258eaad63e586cfc0e19

SHA256
bece7bab83a5d0ec5c35f0841cbbf413e01ac878550fbdb34816ed55185dcfed

SHA512
fb646cdcdb462a347ed843312418f037f3212b2481f3897a16c22446824149ee96eb4a4b47a903ca27b1f4d7a352605d4930df73092c380e3d4d77ce4e972c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
25KB

MD5
35fc66bd813d0f126883e695664e7b83

SHA1
2fd63c18cc5dc4defc7ea82f421050e668f68548

SHA256
66abf3a1147751c95689f5bc6a259e55281ec3d06d3332dd0ba464effa716735

SHA512
65f8397de5c48d3df8ad79baf46c1d3a0761f727e918ae63612ea37d96adf16cc76d70d454a599f37f9ba9b4e2e38ebc845df4c74fc1e1131720fd0dcb881431

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
41a348f9bedc8681fb30fa78e45edb24

SHA1
66e76c0574a549f293323dd6f863a8a5b54f3f9b

SHA256
c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b

SHA512
8c2cb53ccf9719de87ee65ed2e1947e266ec7e8343246def6429c6df0dc514079f5171acd1aa637276256c607f1063144494b992d4635b01e09ddea6f5eef204

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
23KB

MD5
fefb98394cb9ef4368da798deab00e21

SHA1
316d86926b558c9f3f6133739c1a8477b9e60740

SHA256
b1e702b840aebe2e9244cd41512d158a43e6e9516cd2015a84eb962fa3ff0df7

SHA512
57476fe9b546e4cafb1ef4fd1cbd757385ba2d445d1785987afb46298acbe4b05266a0c4325868bc4245c2f41e7e2553585bfb5c70910e687f57dac6a8e911e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-string-l1-1-0.dll

Filesize
22KB

MD5
404604cd100a1e60dfdaf6ecf5ba14c0

SHA1
58469835ab4b916927b3cabf54aee4f380ff6748

SHA256
73cc56f20268bfb329ccd891822e2e70dd70fe21fc7101deb3fa30c34a08450c

SHA512
da024ccb50d4a2a5355b7712ba896df850cee57aa4ada33aad0bae6960bcd1e5e3cee9488371ab6e19a2073508fbb3f0b257382713a31bc0947a4bf1f7a20be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
849f2c3ebf1fcba33d16153692d5810f

SHA1
1f8eda52d31512ebfdd546be60990b95c8e28bfb

SHA256
69885fd581641b4a680846f93c2dd21e5dd8e3ba37409783bc5b3160a919cb5d

SHA512
44dc4200a653363c9a1cb2bdd3da5f371f7d1fb644d1ce2ff5fe57d939b35130ac8ae27a3f07b82b3428233f07f974628027b0e6b6f70f7b2a8d259be95222f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
b52a0ca52c9c207874639b62b6082242

SHA1
6fb845d6a82102ff74bd35f42a2844d8c450413b

SHA256
a1d1d6b0cb0a8421d7c0d1297c4c389c95514493cd0a386b49dc517ac1b9a2b0

SHA512
18834d89376d703bd461edf7738eb723ad8d54cb92acc9b6f10cbb55d63db22c2a0f2f3067fe2cc6feb775db397030606608ff791a46bf048016a1333028d0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\freebl3.dll

Filesize
324KB

MD5
04a2ba08eb17206b7426cb941f39250b

SHA1
731ac2b533724d9f540759d84b3e36910278edba

SHA256
8e5110ce03826f680f30013985be49ebd8fc672de113fc1d9a566eced149b8c4

SHA512
e6e90b4becf472b2e8f716dbb962cd7de61676fcce342c735fccdc01268b5a221139bc9be0e0c9722e9978aefaae79c10bc49c43392aa05dd12244b3147aeffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\mozglue.dll

Filesize
135KB

MD5
591533ca4655646981f759d95f75ae3d

SHA1
b4a02f18e505a1273f7090a9d246bc953a2cb792

SHA256
4434f4223d24fb6e2f5840dd6c1eedef2875e11abe24e4b0e9bc1507f8f6fd47

SHA512
915b124ad595ee78feab8f3c9be7e80155445e58ed4c88b89665df5fb7e0a04e973374a01f97bb67aaa733a8ce2e91a9f92605ec96251906e0fb2750a719b579

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\nss3.dll

Filesize
1.2MB

MD5
fc57d044bfd635997415c5f655b5fffa

SHA1
1b5162443d985648ef64e4aab42089ad4c25f856

SHA256
17f8c55eba797bbc80c8c32ca1a3a7588415984386be56f4b4cdefd4176fb4c3

SHA512
f5a944230000730bc0aad10e6607e3389d9d82a0a4ab1b72a19d32e94e8572789d46fb4acd75ad48f17e2bbc27389d432086696f2ccc899850ff9177d6823efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\softokn3.dll

Filesize
140KB

MD5
1b304dad157edc24e397629c0b688a3e

SHA1
ae151af384675125dfbdc96147094cff7179b7da

SHA256
8f0c9ac7134773d11d402e49daa90958fe00205e83a7389f7a58da03892d20cb

SHA512
2dc625dbdf2aae4ade600cca688eb5280200e8d7c2dfc359590435afe0926b3a7446cc56a66023ee834366132a68ae68da51a5079e4f107201e2050f5c5512ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\ComponentsExt\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\nss3.dll

Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\External\Components\softokn3.dll

Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
C:\Users\Admin\AppData\Local\Temp\License.XenArmor

Filesize
104B

MD5
774a9a7b72f7ed97905076523bdfe603

SHA1
946355308d2224694e0957f4ebf6cdba58327370

SHA256
76e56835b1ac5d7a8409b7333826a2353401cf67f3bd95c733adc6aa8d9fec81

SHA512
c5c77c6827c72901494b3a368593cb9a990451664b082761294a845c0cd9441d37e5e9ac0e82155cb4d97f29507ffc8e26d6ff74009666c3075578aa18b28675

Download Submit
C:\Users\Admin\AppData\Local\Temp\TMzpx\TMzpx.dll

Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenManager.dll

Filesize
2.0MB

MD5
7a5c53a889c4bf3f773f90b85af5449e

SHA1
25b2928c310b3068b629e9dca38c7f10f6adc5b6

SHA256
baa9c3a0d0524263c4f848056b3f1da3b4bb913162362cbcabe77ce76a39870c

SHA512
f5943687d7e098790581bf56ac6fec3b7e9b83d0e29301077a8bc48768c5a0e9f54f53d926f9847885f6035a2b31e456e4e45ccf1c70be27229c46e79876e2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPjMR\aPjMR.dll

Filesize
84KB

MD5
0b0e63957367e620b8697c5341af35b9

SHA1
69361c2762b2d1cada80667cd55bc5082e60af86

SHA256
bd9cdcfaa0edecdb89a204965d20f4a896c6650d4840e28736d9bd832390e1c5

SHA512
07d0e52c863f52ecb3d12fab9e71c7a18d54cbedb47250bee7e4297ff72ed793c23a2735c48090c261fe4633d53d03e305c1338dfc881bb86874d1633ff6ecee

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddc3o25w\ddc3o25w.0.vb

Filesize
77KB

MD5
a8dc61b1740384588ae176f5bd27e18c

SHA1
b099ee141a4f56eb31428b974fd5c5f1d97e6be4

SHA256
b684f9c3bc836796893f4bcb0aeabacb66ca736e9a6001e249e8ecb9179112bf

SHA512
2f733cc0a93c30ec882f579ebacee684bbae4a2505e0a46c7cf72962be8cdce19e867f2413a47dc95a792633fa3812daa1f47306583a3b8af5b899ccd776bcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddc3o25w\ddc3o25w.cmdline

Filesize
303B

MD5
e9120f638135bd5e9d5fbf74396a7672

SHA1
15b5105b37aef0e5717e7d54c86d549ecf129915

SHA256
1c0aed2ea022ec22c14f48a57888680bd1feafb9ceefe9fa16a9513605de6097

SHA512
230e2c16183201f7b9aef85ad81da7ea58359fe39bbbb4e48f3ad871307a9b274e56ab423772d8395a0aaf884c551ad95c81ce8b82817fa48751fa87851b16aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3192_1701599775\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.db

Filesize
20KB

MD5
56b941f65d270f2bf397be196fcf4406

SHA1
244f2e964da92f7ef7f809e5ce0b3191aeab084a

SHA256
00c020ba1cce022364976f164c575993cb3b811c61b5b4e05a8a0c3d1b560c0c

SHA512
52ad8c7ed497a5b8eed565b3abcbf544841f3c8c9ec3ca8f686846a2afd15ac4ac8b16abf1cb14aeca1a2fb31f3086ad17206ec4af28e77bae600dca15e8deab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
573ca4cb3fce6d6a1e4557c8dff0c1f3

SHA1
b84971827ffaf135bb03540842e395b1714350bf

SHA256
5175ff53b27dfc9dcc5e03c7ec36efcaa0cd87f866bb14fdfd9f8e71020fafdc

SHA512
a47c94e320029eead1ff4b78b4700c77ff4c5d7e95d848331fc24dedd624dc8b402c0278e0bd3b525f9181d894f587abd7a0fccaa4f90596eafdd54c17672820

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d74b47b0315261cdf752552a4053bd9d

SHA1
d9fa0e3dfa4feeba3272b209d7f630be3ca8a6f7

SHA256
ce3e3a29371a11a582f4c6d3253cc934d4c3a17d258779ff2c1af7f57cfcc632

SHA512
a8fb9e2f209dbda0c410a8fc1da1f9ae12be0c43612541121951c3806a547f51e64f717a57c6c804ba1fcdd9f3418e6f245a6e104c404d6f5edc6efb0d144fa4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\AlternateServices.bin

Filesize
8KB

MD5
6b6f354b91c9d14b7f43c6648f23d5ac

SHA1
65bb5d48da8ac21f3842a456269fa8486133781c

SHA256
fd3e3389256c1f49e2f0f8c8d42f87fa7bf9b0c62b927bfa19f3c802d9331be3

SHA512
b929638b31482281a349e0a34d05bb5d0d302d7756761c35531a392178e7527f774bd3d7cbccbe56a065b8f2d550302601f51234e0fdd5b9dfdbd24393c6ccd1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\AlternateServices.bin

Filesize
10KB

MD5
880e46f1f7e51e047be447363148a744

SHA1
27b2b16f2d1599eab26605fd3b416eb74da3049a

SHA256
9b68699c3e704bd78b10f3eb3ba936d113c878b9dcace32e96074629cf0dccd0

SHA512
e055aa1c382cb30702e2076157e4f19fdb36c21ca780bf06823e2f6b031bdefe21ff3a369cb3c182530c432ad6d09a4f75530476b1771879c027698706b35b58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0cdfed015a158f597e3c6f0633cbf3ad

SHA1
6109e8aecc2cc3a297caf3a1f7dc6895c1a93568

SHA256
898a3ead56af81eba49207890c004f77c0fdd490068c04812ff6e79854a84a57

SHA512
21ed648b2b84041d571b527b00b3590d271a4ccf6594dc2fa411a937d69b789e729c5cd63f6502b4867c02aa83b4173db3f001676a9d36020d5d93afb5c6820a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
7e07875f46bb2089d870e9a3da4e3551

SHA1
1af03f46560e7d4ea43a47d23106af848775526a

SHA256
a1102848f2d770e4db20efd440fa48f652fde3a6c9c2654f6c135ccafc1bd70d

SHA512
ac640fc76d52720c8d56080762957dcdae57e163b47595d424196f36e689e46384edd6d12ab87abdadfade0c06524a032a0f6de7be4c1b232c3fc2087280a76d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
09d0e978e5042eadfc871e167e0b7fa9

SHA1
302034c7bddb0329cb85690f029e3a646cb5dd05

SHA256
a3c917f55652b266732a34ea46d5c3b73aafdbe13ad06fde20ef1a9e9873e08f

SHA512
7e284ca15f5af745c91e07e9482110c5d97bc6a70a360fb522d52a7a62dca3c32662b95323fa993e09cf54161dd97c9d998559f910367779fc5155a8621dc3c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
7e756e6ccab3343c9515dd28acab1a68

SHA1
6636abd98a9aa221f7bdd426c0ec0649e00dd5c4

SHA256
ef593a1110f1aec3437212667e0d258f3be92ea91da7b8ebb274f138be941f31

SHA512
61d9ca94bc9a42b24148aa2cd9ea6ad6f85334d39485bfb370433e38978f38e715ffdc37a6032f1b3ee7be236f4b7054c60a21c42aceccc0b4de52a2e4578c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
fae869e4d84d2273576db3801877f983

SHA1
09f68b23c33b2a5dd9e5369c94b282747a690b64

SHA256
533aa520698357dbf86bcc816880307b5c4b67efb8981350f26301f36128f304

SHA512
8b525d696182198f422b2cbd7dec78aeaf574c9737e32a28b6fbc03a4dcdc805034ecf4675b7ec4c3c14e272054790ae10ffd788f2e8cbd65660b84e26fc36b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
57d547cc2b6359e7e69aceacd970f852

SHA1
ca2c770ea271a512eceab0383a78d177de820387

SHA256
472a1fe5a0163cef766e57ffdc69e42bfcf04e0df957f5952a4910d1045c924c

SHA512
b6df779ffe74932ea5304652bd4b8df573354d74207b3a7bb335688ddeb8f4bfd2d0fab3fb63395f180721533ac3bddde7a2181e849161d433f71057d72194c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\db\data.safe.tmp

Filesize
31KB

MD5
166a77671425e33e7aa3fb9e9efa2bd0

SHA1
4d308c64241bdc751cd1f6464163902e1060b93f

SHA256
0195fbf5dd5626d6566040ef141bba49e88637f397a6fa83ad7a4fb2c92f97f9

SHA512
fee99282927cc5942e5ee8a36b5ba4deec8bd510a6be0582cc429728375d6a0539ddb893fdefe6d1a22f870ff3dd8d599b815c3810decd57245fa0723229c735

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\0c5a4562-4222-4c35-b6a5-56dfa551d480

Filesize
671B

MD5
5b6938f53fd1d821993417d8d7896c87

SHA1
488626b8c6c3853cd4abdc430a9a6e49c5e86f34

SHA256
273048786bc9a483ff10ebfc31af24323d38e2857fafa87f753e8d205d67feb2

SHA512
d5b5b473028cbbcba4b1030ef8d82698585c888a80089b914aa2b1c30b873f011d3a43a512e59e843e3c8dcae709dc350b7052d06efff4d067d4a794acfb8913

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\1656080f-5e9d-4f8b-9707-73d0895c1814

Filesize
1KB

MD5
04308a5e7dca51ae81a7802dc2e16a70

SHA1
8e5b368b0553d0c5a8fcacdc7c5da794f438a884

SHA256
16c58dfa75653b87ba3e3df20fcbce0de48fa4ed112c145f45f4550755d5a982

SHA512
6300f9320953924dd18f4130340741f63f7dcaf672abf36842161fb532dc0c0f9ab355d5dd61c251520279858469d771902900b05291116d895f2fb4ec76860f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\34bbc83e-9593-4936-b792-c83016db5773

Filesize
8KB

MD5
fa3ea008cb06d45b43ae3f6deca6a59d

SHA1
f17de314324a6e0238675e0f7b48a8e4e87529cb

SHA256
2f99191c1418ce241ab39a4d3ebd2e653f33eb497560c2c0942807707918f837

SHA512
7539b83e3b43b9f1d289e467e913cccc92c07fe23e5b9df81492b88522f31cbceaa6c22e504e43078be3af09db3c7536263009aee4221dca82bc8114a0054df0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\4cd5dfb5-86d7-4120-b815-b44db26f2ca2

Filesize
26KB

MD5
b7f3b4ad2d873f0660187affa9a142a4

SHA1
b658e9f61995727a4a2f498df8067cea178d4535

SHA256
d0c1fa429a4ba4941028fe8bac0b386b95673ff332ec9b83b59e68f77e76287a

SHA512
0ca2e50cc4eae6bcdfaafc997a3e6f0686d3be956a1f1ddc310067d8eedbc69fa913e6f599a8ff52dc0cc366442d1ad356b46341c9defa72b7bd137569d745b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\92c48933-ae6e-4795-9a3f-1472c2624633

Filesize
734B

MD5
014b27dbe17e786baf6ce5e387c98c58

SHA1
9cc83ee3403457f4458468283bd363bdb15c7896

SHA256
027fc5b33a7144ab227221c2f5c182971e0af8177b975f51e8945e96d6cd4fe8

SHA512
3a2dff54beffb3dbb48e87fa6b3bc47fb49835a16d0740aa61589f23ee3027e14d551b1a90e4dcc860bb2498351fc2ed1d012851807aad33b143db7b635b72ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\aea941fa-d84c-4cf6-aa53-73d9f5be5545

Filesize
982B

MD5
0d27a19adeb80d673641d549d6362504

SHA1
85ae66287bae3238678f3aa779ced4d9c4c1923d

SHA256
33c57118b36d8ba8aa1fd3c4a3865174d1a842aa6141e13bf802acfbb712d90f

SHA512
5c12d65a8b876ae6e70cd0274300b0e714aea307b6db222a1a4c969005702e9d05db5722073a0ae3c11b128a57a586493452acd2aeccf3bcfcd0cca122dc3131

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\d543b68e-32a2-4639-b75c-279c0542c3ba

Filesize
11KB

MD5
73cf79f4651863beb8d5ce8c4c91c99e

SHA1
ca9053b3b2a3308adcc0f8f448a60a8d29be515a

SHA256
24d3e7f06eddf2f868b7096a839100067872a9bafb6c8da1ae84805ba58e58f4

SHA512
7f9fee8db2b38e6d9dcd652aad710e7d158f9d13f06d2afb18d3b3386bc0c2cb19e625a3de4c0b51d570ee7e0d202a3e78551345daf0636f8fbcb53bff4ca065

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\datareporting\glean\pending_pings\dc0c7c2e-3fbb-4074-81bd-c6e984a308f7

Filesize
979B

MD5
0de28a77234340597b16f36fd87f3682

SHA1
15c46fcd46d9f1311f17d437901ef0550efd6bfd

SHA256
2aae9caf9c8a046d940e867cfe6067bab4b958c3c5fc4e597740373bdd9598a2

SHA512
97a906e277558b296a23a8fa06b135b976ce482b1461cfd040338d21da91e549b4cbd5b1f8e7d3059285ca384d812922cb4b169cddee84c4a76ee7245a4a5fca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\prefs-1.js

Filesize
10KB

MD5
e40450653cf9f6cc3d1dd07cc44190ef

SHA1
b7a43542ef43523ea9064e0db86e95f706db5c14

SHA256
e722db26297d341a7b5b227597d9d2038157f9eed388837aaa6a3c532c460bf9

SHA512
370ce50cb3d602334005323191c403faddd128ab7b483e7f25b62e3cb1fbc8ce87f28ab3b087ba71667bdced6ed31444c6702fa1f41ecf0d75787314362eaafc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\prefs.js

Filesize
10KB

MD5
eadb24bacab0884ed7a2ba9dd7ee3ec1

SHA1
0b4ba21dc6db1384411911784be92335f8bed199

SHA256
c7b2a45cd7b65154f14d72e66c4667cc197511f4e7a0ad199ce4a491342b1b28

SHA512
b7cd12cda8081b35961a6aaa6f71c380ed4414271b93890717cf7fc0f057777509ea5a528170509b938f39a9bc8bb0f601040b9775ffc271943874d62e6f30cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\prefs.js

Filesize
10KB

MD5
9cc6f28ba5867006001256435c93aca4

SHA1
c7e31e2a8e52ac9a9ec460e0d1e0022b67dae5d7

SHA256
1279cb2af8b17b57a2c7638a93bd8f0b61ad8c59e39a870b63915b2565054396

SHA512
74ee338293a80a6cff5952fe4a703992a21ecf1b38d930b5ae1df49dccd542ac0d3565b1975e9a4938584f4191e919403078554118624e3d2bc018aefb2d242e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\prefs.js

Filesize
10KB

MD5
0e114b6218a24b723c3de6c9b8d2ee4e

SHA1
2eb636ccde9aa63d71c27a2de2f42c46050e84f8

SHA256
fd71e0fa28b1fbf63d75c8667738224acfd56af9071be0183f76ae0361cf7385

SHA512
80f7485286d78a70d86b197747af3e9c037b8aa428cc53026c60dfcefa61ffa4f043e7e19e532b944e264080aa409794ee86145c2979fe23bf96302ad7fcfe87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionCheckpoints.json

Filesize
193B

MD5
2ad4fe43dc84c6adbdfd90aaba12703f

SHA1
28a6c7eff625a2da72b932aa00a63c31234f0e7f

SHA256
ecb4133a183cb6c533a1c4ded26b663e2232af77db1a379f9bd68840127c7933

SHA512
2ee947dcf3eb05258c7a8c45cb60082a697dbe6d683152fe7117d20f7d3eb2beaaf5656154b379193cdc763d7f2f3b114cf61b4dd0f8a65326e662165ccf89cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85na2j14.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
0edc04200795399b16ddb1e3172fadb8

SHA1
e2ca688de60163ef4adca07c9e529508c9801168

SHA256
21a578db75006ffde790e2447922d9fb95cdfea989afbbe76d81c95cc37873d8

SHA512
93de13592d868225ad549ca07b35ae4d9074a14d9f45fcdeba190c93eb7949ab01228249c476ca17f676e7dfd7455a4ab92295e518ae519e400cdfd4ad363700

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2.7z

Filesize
36.3MB

MD5
8e391f6618b90ddcefb8048b768c20c8

SHA1
5ba1ee1aad993c5b76ba722706c146e3456e16d6

SHA256
5730c3bf3e6bc163dee6bab4660722c55eb1a4d878faa1f5b2a1c3e5929a0528

SHA512
b1358fc3f0694b84a12b1e50e049777ea2b89dc5ac3b12ac852b0e5929d8a51ed53479c2ea0e2e194faa570c370ed61bbc654cc4625d0aeb8514b44bbef08df9

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\GeoIP.dat

Filesize
1.2MB

MD5
8ef41798df108ce9bd41382c9721b1c9

SHA1
1e6227635a12039f4d380531b032bf773f0e6de0

SHA256
bc07ff22d4ee0b6fafcc12482ecf2981c172a672194c647cedf9b4d215ad9740

SHA512
4c62af04d4a141b94eb3e1b0dbf3669cb53fe9b942072ed7bea6a848d87d8994cff5a5f639ab70f424eb79a4b7adabdde4da6d2f02f995bd8d55db23ce99f01b

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Guna.UI2.dll

Filesize
1.9MB

MD5
bcc0fe2b28edd2da651388f84599059b

SHA1
44d7756708aafa08730ca9dbdc01091790940a4f

SHA256
c6264665a882e73eb2262a74fea2c29b1921a9af33180126325fb67a851310ef

SHA512
3bfc3d27c095dde988f779021d0479c8c1de80a404454813c6cae663e3fe63dc636bffa7de1094e18594c9d608fa7420a0651509544722f2a00288f0b7719cc8

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Icons\icon (15).ico

Filesize
361KB

MD5
e3143e8c70427a56dac73a808cba0c79

SHA1
63556c7ad9e778d5bd9092f834b5cc751e419d16

SHA256
b2f57a23ecc789c1bbf6037ac0825bf98babc7bf0c5d438af5e2767a27a79188

SHA512
74e0f4b55625df86a87b9315e4007be8e05bbecca4346a6ea06ef5b1528acb5a8bb636ef3e599a3820dbddcf69563a0a22e2c1062c965544fd75ec96fd9803fc

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Mono.Cecil.dll

Filesize
350KB

MD5
de69bb29d6a9dfb615a90df3580d63b1

SHA1
74446b4dcc146ce61e5216bf7efac186adf7849b

SHA256
f66f97866433e688acc3e4cd1e6ef14505f81df6b26dd6215e376767f6f954bc

SHA512
6e96a510966a4acbca900773d4409720b0771fede37f24431bf0d8b9c611eaa152ba05ee588bb17f796d7b8caaccc10534e7cc1c907c28ddfa54ac4ce3952015

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.Backports.dll

Filesize
138KB

MD5
dd43356f07fc0ce082db4e2f102747a2

SHA1
aa0782732e2d60fa668b0aadbf3447ef70b6a619

SHA256
e375b83a3e242212a2ed9478e1f0b8383c1bf1fdfab5a1cf766df740b631afd6

SHA512
284d64b99931ed1f2e839a7b19ee8389eefaf6c72bac556468a01f3eb17000252613c01dbae88923e9a02f3c84bcab02296659648fad727123f63d0ac38d258e

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.Core.dll

Filesize
216KB

MD5
b808181453b17f3fc1ab153bf11be197

SHA1
bce86080b7eb76783940d1ff277e2b46f231efe9

SHA256
da00cdfab411f8f535f17258981ec51d1af9b0bfcee3a360cbd0cb6f692dbcdd

SHA512
a2d941c6e69972f99707ade5c5325eb50b0ec4c5abf6a189eb11a46606fed8076be44c839d83cf310b67e66471e0ea3f6597857a8e2c7e2a7ad6de60c314f7d3

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.ILHelpers.dll

Filesize
6KB

MD5
6512e89e0cb92514ef24be43f0bf4500

SHA1
a039c51f89656d9d5c584f063b2b675a9ff44b8e

SHA256
1411e4858412ded195f0e65544a4ec8e8249118b76375050a35c076940826cd0

SHA512
9ffb2ff050cce82dbfbbb0e85ab5f976fcd81086b3d8695502c5221c23d14080f0e494a33e0092b4feb2eda12e2130a2f02df3125733c2f5ec31356e92dea00b

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\MonoMod.Utils.dll

Filesize
319KB

MD5
79f1c4c312fdbb9258c2cdde3772271f

SHA1
a143434883e4ef2c0190407602b030f5c4fdf96f

SHA256
f22a4fa1e8b1b70286ecf07effb15d2184454fa88325ce4c0f31ffadb4bef50a

SHA512
b28ed3c063ae3a15cd52e625a860bbb65f6cd38ccad458657a163cd927c74ebf498fb12f1e578e869bcea00c6cd3f47ede10866e34a48c133c5ac26b902ae5d9

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\RVGLib.dll

Filesize
241KB

MD5
d34c13128c6c7c93af2000a45196df81

SHA1
664c821c9d2ed234aea31d8b4f17d987e4b386f1

SHA256
aaf9fb0158bd40ab562a4212c2a795cb40ef6864042dc12f3a2415f2446ba1c7

SHA512
91f4e0e795f359b03595b01cbf29188a2a0b52ab9d64eadd8fb8b3508e417b8c7a70be439940975bf5bdf26493ea161aa45025beb83bc95076ed269e82d39689

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\SimpleObfuscator.dll

Filesize
1.4MB

MD5
9043d712208178c33ba8e942834ce457

SHA1
e0fa5c730bf127a33348f5d2a5673260ae3719d1

SHA256
b7a6eea19188b987dad97b32d774107e9a1beb4f461a654a00197d73f7fad54c

SHA512
dd6fa02ab70c58cde75fd4d4714e0ed0df5d3b18f737c68c93dba40c30376cc93957f8eef69fea86041489546ce4239b35a3b5d639472fd54b80f2f7260c8f65

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\Sounds\Intro.wav

Filesize
238KB

MD5
ad3b4fae17bcabc254df49f5e76b87a6

SHA1
1683ff029eebaffdc7a4827827da7bb361c8747e

SHA256
e3e5029bf5f29fa32d2f6cdda35697cd8e6035d5c78615f64d0b305d1bd926cf

SHA512
3d6ecc9040b5079402229c214cb5f9354315131a630c43d1da95248edc1b97627fb9ba032d006380a67409619763fb91976295f8d22ca91894c88f38bb610cd3

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe

Filesize
12.2MB

MD5
8b7b015c1ea809f5c6ade7269bdc5610

SHA1
c67d5d83ca18731d17f79529cfdb3d3dcad36b96

SHA256
7fc9c7002b65bc1b33f72e019ed1e82008cc7b8e5b8eaf73fc41a3e6a246980e

SHA512
e652913f73326f9d8461ac2a631e1e413719df28c7938b38949c005fda501d9e159554c3e17a0d5826d279bb81efdef394f7fb6ff7289cf296c19e92fd924180

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWorm V5.2.exe.config

Filesize
183B

MD5
66f09a3993dcae94acfe39d45b553f58

SHA1
9d09f8e22d464f7021d7f713269b8169aed98682

SHA256
7ea08548c23bd7fd7c75ca720ac5a0e8ca94cb51d06cd45ebf5f412e4bbdd7d7

SHA512
c8ea53ab187a720080bd8d879704e035f7e632afe1ee93e7637fad6bb7e40d33a5fe7e5c3d69134209487d225e72d8d944a43a28dc32922e946023e89abc93ed

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe

Filesize
109KB

MD5
f3b2ec58b71ba6793adcc2729e2140b1

SHA1
d9e93a33ac617afe326421df4f05882a61e0a4f2

SHA256
2d74eb709aea89a181cf8dfcc7e551978889f0d875401a2f1140487407bf18ae

SHA512
473edcaba9cb8044e28e30fc502a08a648359b3ed0deba85e559fe76b484fc8db0fc2375f746851623e30be33da035cec1d6038e1fcf4842a2afb6f9cd397495

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x32.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\Downloads\XWorm V5.2\start.exe

Filesize
7.5MB

MD5
2e62e776b7eeac3dd713f1a6da5f942d

SHA1
6516d9ef1212939a12a84a396b3c64ecea878c11

SHA256
68b1696d3c76eedc131349ecd65a23372082feb83bb66d9d9be296916910e7ea

SHA512
04c73c5505e56fd21f1a25c085c99a1c1cc19cbac8004ce3e974e05f9754c5d07051fdfa53f5a0f0b8a89c16412757b1a29cf487c552212531bcac42ead849bb

Download Submit
memory/700-1287-0x0000000000C30000-0x0000000000C82000-memory.dmp

Filesize
328KB

Download
memory/1620-1263-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1262-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1264-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1265-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1266-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1267-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1258-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1256-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1268-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/1620-1257-0x00000195AED70000-0x00000195AED71000-memory.dmp

Filesize
4KB

Download
memory/2372-2443-0x000000001E580000-0x000000001EA54000-memory.dmp

Filesize
4.8MB

Download
memory/2372-2614-0x000000001DF00000-0x000000001DF0A000-memory.dmp

Filesize
40KB

Download
memory/2372-2615-0x000000001CDC0000-0x000000001CDCC000-memory.dmp

Filesize
48KB

Download
memory/2372-2415-0x000000001D2C0000-0x000000001D2FA000-memory.dmp

Filesize
232KB

Download
memory/2372-2420-0x000000001D190000-0x000000001D19C000-memory.dmp

Filesize
48KB

Download
memory/2372-2421-0x000000001EAB0000-0x000000001EFD8000-memory.dmp

Filesize
5.2MB

Download
memory/2372-2422-0x000000001D1A0000-0x000000001D1AA000-memory.dmp

Filesize
40KB

Download
memory/2372-2442-0x0000000002820000-0x000000000282A000-memory.dmp

Filesize
40KB

Download
memory/2372-2441-0x000000001DF10000-0x000000001DF22000-memory.dmp

Filesize
72KB

Download
memory/4644-1255-0x0000000000040000-0x0000000000050000-memory.dmp

Filesize
64KB

Download
memory/4644-2224-0x000000001AC10000-0x000000001AC1A000-memory.dmp

Filesize
40KB

Download
memory/4644-2225-0x000000001AC20000-0x000000001AC2E000-memory.dmp

Filesize
56KB

Download
memory/4644-2414-0x000000001CF20000-0x000000001D0A8000-memory.dmp

Filesize
1.5MB

Download
memory/4644-1804-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/4644-1805-0x000000001AC00000-0x000000001AC0A000-memory.dmp

Filesize
40KB

Download
memory/4644-2226-0x000000001AC30000-0x000000001AC3A000-memory.dmp

Filesize
40KB

Download
memory/5192-414-0x0000000000420000-0x000000000135C000-memory.dmp

Filesize
15.2MB

Download
memory/5192-418-0x0000000000420000-0x000000000135C000-memory.dmp

Filesize
15.2MB

Download
memory/5380-432-0x00000267596F0000-0x00000267598E4000-memory.dmp

Filesize
2.0MB

Download
memory/5380-422-0x000002673BD60000-0x000002673C998000-memory.dmp

Filesize
12.2MB

Download
memory/5380-430-0x0000026757F00000-0x0000026758AEC000-memory.dmp

Filesize
11.9MB

Download
memory/5572-465-0x0000000005830000-0x0000000005840000-memory.dmp

Filesize
64KB

Download
memory/5572-453-0x0000000005580000-0x00000000055DE000-memory.dmp

Filesize
376KB

Download
memory/5572-480-0x0000000006360000-0x00000000063B6000-memory.dmp

Filesize
344KB

Download
memory/5572-479-0x0000000004B90000-0x0000000004B9A000-memory.dmp

Filesize
40KB

Download
memory/5572-472-0x0000000005C60000-0x0000000005CF2000-memory.dmp

Filesize
584KB

Download
memory/5572-471-0x0000000007290000-0x0000000007836000-memory.dmp

Filesize
5.6MB

Download
memory/5572-470-0x0000000006650000-0x0000000007288000-memory.dmp

Filesize
12.2MB

Download
memory/5572-1269-0x0000000009660000-0x00000000096E2000-memory.dmp

Filesize
520KB

Download
memory/5572-464-0x00000000058B0000-0x00000000058CA000-memory.dmp

Filesize
104KB

Download
memory/5572-463-0x0000000005840000-0x000000000587C000-memory.dmp

Filesize
240KB

Download
memory/5572-459-0x00000000056A0000-0x00000000056A6000-memory.dmp

Filesize
24KB

Download
memory/5572-458-0x00000000054D0000-0x00000000054D6000-memory.dmp

Filesize
24KB

Download
memory/5572-457-0x00000000055E0000-0x0000000005636000-memory.dmp

Filesize
344KB

Download
memory/5572-483-0x000000000C9C0000-0x000000000CBB4000-memory.dmp

Filesize
2.0MB

Download
memory/5572-449-0x0000000005100000-0x0000000005106000-memory.dmp

Filesize
24KB

Download
memory/5572-445-0x0000000005440000-0x0000000005468000-memory.dmp

Filesize
160KB

Download
memory/5572-441-0x00000000054E0000-0x000000000557C000-memory.dmp

Filesize
624KB

Download
memory/5572-440-0x0000000004FF0000-0x0000000005032000-memory.dmp

Filesize
264KB

Download
memory/5572-436-0x0000000000190000-0x00000000001B0000-memory.dmp

Filesize
128KB

Download
memory/5572-484-0x000000000F1D0000-0x000000000F236000-memory.dmp

Filesize
408KB

Download
memory/5572-717-0x0000000009930000-0x0000000009A98000-memory.dmp

Filesize
1.4MB

Download
memory/5572-1272-0x0000000010020000-0x00000000100D2000-memory.dmp

Filesize
712KB

Download
memory/5572-1271-0x000000001AA70000-0x000000001AD52000-memory.dmp

Filesize
2.9MB

Download
memory/5572-2440-0x00000000052C0000-0x000000000530C000-memory.dmp

Filesize
304KB

Download
memory/5572-2439-0x000000001C770000-0x000000001CAC7000-memory.dmp

Filesize
3.3MB

Download
memory/5572-1270-0x0000000009740000-0x000000000976C000-memory.dmp

Filesize
176KB

Download
memory/5572-2425-0x000000001BD70000-0x000000001BEBB000-memory.dmp

Filesize
1.3MB

Download