xworm | d0730d3f813a15f20a7258b36c7ca34d83f97e06e4f57a31d4150ac1c7b90693

Analysis

max time kernel
47s
max time network
43s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
19-01-2025 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

alo.exe
Size

53KB
MD5

f4f2959fc4cb73f5c1897043156f2234
SHA1

b8ec706ea1d052180fa715d71873d6c8ee3642d8
SHA256

d0730d3f813a15f20a7258b36c7ca34d83f97e06e4f57a31d4150ac1c7b90693
SHA512

ca2de671aa171b99f372a00608f2286b28fbc5aa2c6cd227f2cfeaab6ad9f96a8cb7da9c4e10be15d5f2e5bda281809cbd8db4db004e83c717c675606690c8e4
SSDEEP

768:CeQ+Y5J4Z3LSPQVUPjXowhQ5g0xK4o2C+b9nz/QLSthOsBhxa6j:RLWMh+f+bhz/VXOkr1j

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:1312

147.185.221.25:1312

Attributes

Install_directory
%AppData%
install_file
Update.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4972-1-0x0000000000F70000-0x0000000000F84000-memory.dmp	family_xworm
behavioral1/files/0x0028000000046282-28.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	alo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk	alo.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\Update.exe"	alo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2826969134-2088669430-2680400721-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
4972	alo.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	alo.exe
Token: SeDebugPrivilege	4972	alo.exe
Token: SeDebugPrivilege	2992	taskmgr.exe
Token: SeSystemProfilePrivilege	2992	taskmgr.exe
Token: SeCreateGlobalPrivilege	2992	taskmgr.exe
Token: SeDebugPrivilege	1388	firefox.exe
Token: SeDebugPrivilege	1388	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
1388	firefox.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe
2992	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4972	alo.exe
1388	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 2476 wrote to memory of 1388	2476	firefox.exe	93
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 2904	1388	firefox.exe	94
PID 1388 wrote to memory of 3944	1388	firefox.exe	95
PID 1388 wrote to memory of 3944	1388	firefox.exe	95
PID 1388 wrote to memory of 3944	1388	firefox.exe	95
PID 1388 wrote to memory of 3944	1388	firefox.exe	95
PID 1388 wrote to memory of 3944	1388	firefox.exe	95
PID 1388 wrote to memory of 3944	1388	firefox.exe	95
PID 1388 wrote to memory of 3944	1388	firefox.exe	95
PID 1388 wrote to memory of 3944	1388	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\alo.exe
"C:\Users\Admin\AppData\Local\Temp\alo.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 26929 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d15fa8f-ad8b-474d-a8e6-8fc14935e98f} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" gpu
    3⤵
    PID:2904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 26807 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de683a6b-67e0-41e5-aeb6-6563c3fb3ba7} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" socket
    3⤵
    - Checks processor information in registry
    PID:3944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2952 -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49191fb2-5d23-48cc-b205-defdf2b78f57} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 32181 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d482394b-2289-4a8e-9e7c-c31825202a2d} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" tab
    3⤵
    PID:6136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4808 -prefMapHandle 4804 -prefsLen 32181 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a86f752-c8c8-4bd7-a697-7b21f62b5f1e} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" utility
    3⤵
    - Checks processor information in registry
    PID:4020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 3 -isForBrowser -prefsHandle 5452 -prefMapHandle 5460 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8898e34e-16ca-4f02-a909-2f9faae17c0f} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" tab
    3⤵
    PID:4144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fe655ac-c970-40ae-bd44-3a5234232e48} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" tab
    3⤵
    PID:460
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f1c2f51-9bb7-49f0-ae2d-8105af1e78b8} 1388 "\\.\pipe\gecko-crash-server-pipe.1388" tab
    3⤵
    PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
e4cf0d8b51f123a3ecee17dacf81ed72

SHA1
0194cb7260bc3950050536ac96503e1f8275281a

SHA256
249e690f1b4134135687624b26b72824c2e50fe51364595b80fd3c42c9a41210

SHA512
51305339c048545b7e8021bc8e552054411b3ae4adaceb980d1c334294195c2586c82670d9470282db9f8ab7a31f8e5a0bced03714258b43dec11268b91c13ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk

Filesize
766B

MD5
aea428bb2c4a383168f6f24eb331a106

SHA1
0249145176da9f37a672f5c48cd2c27fc2bfa242

SHA256
5c0352ed8d67d358723de6bdaa7a7fd4bfad136bfccbf490931e6d8c4dc5f978

SHA512
a9bc10045e9c985786a02a05d53b81da98db6cd6d4fd31492307f47bfc2c21979873ca8f24965bbc5c7fea2e3f2b9ee883f530ff38ad26e7d737c6f35353dd56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
1069c89db8698ad6c876dcfb2019e280

SHA1
d510cc9b01968576f0cced5320753f26f9cf683a

SHA256
daef75507f1f94cbbf5704a204ddfd9bb8d1da67f1271d40bcfc573e2b9c0089

SHA512
47dc8815878631d4d8cc4fc6fd48241f876030d334560caa41e5321fded8b866af7703b0deca3405dc409569f69c34ad02403d0431b404419d664a23fa94de78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
6460c9814c5dbcc9d598291edd2a6e4d

SHA1
8ec543e3e553eab2df534a9bec1b0c6a15993b41

SHA256
ce9ec404a28cb6f1c5c71941e24dae7f9c9c326cd8ff6b13328f1ae1f6a7deaf

SHA512
677d80d3a85c1d6fb39732f73f3e58365c67d3e8406de609ef4e509d98d12a4b3ede727913cdf95608c777ffd0e8987efee8ff29391902cd0fafc6d1640c8fe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
ee1a107d0db3bb611c35024c27f1a845

SHA1
0c456cb9e2eab6a7d39613e8293d215e0d148f78

SHA256
04f26ce4f93ef40b9d4a9e15a9002656ab3f46e41998577d7e766e5d55fadc62

SHA512
41e9595f5d63862532f91e54339d3167a27e06009d42fa0cfae63328224b95ad13103e49acfc4dc7010ae700d1a7f28a1cedd9c8c9f0bb815268b30e05ec38c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\datareporting\glean\pending_pings\bc07a8f7-2956-444e-862a-05e87b2bd079

Filesize
982B

MD5
391d3c3c96b5e824306d91cb44d84bd6

SHA1
230f0432b8bba79cf287de936958ab0e25d56d19

SHA256
ef3bc891a529416441c2805e5607495e3c89e7985a40643d85b6cdaf55e2f410

SHA512
cf0279dbf25df03b49b40689257005b973f7140bc1a9d1bffa0a18aaadd08beeee035b7c9e2f9f4cdccdba0e5ab76ce9bc8f0672ea18d69937619747ed69c95a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\datareporting\glean\pending_pings\ff342a3e-55a2-466f-ac4b-147b01dab3db

Filesize
659B

MD5
25b411247f9e682970c176a2ee9a6d6e

SHA1
1c936bd8d56fb58013f0dd4d2fd0484ec94b2635

SHA256
169cc9b04583593ff0ce9be40ae36fc9c29b850bbb9eaa4ac97655a189ac886d

SHA512
50eda1d7b3c546b1a4734a2df10c290ecc08c912b72ba160c30a3d3f0fee3cb8092226da74e813eccd3d2a8a6538f3593d1a808de5ca13c411aab08311ce2e04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\prefs-1.js

Filesize
9KB

MD5
edc1e21a0b0e0ed5234d7e00141accba

SHA1
2fb30071ddc989074dda9a18cbd41e42f4ed58d2

SHA256
10f1fc084678f06a50d60587a4761976adc9e6981f0738cd9d3f3d08933ea606

SHA512
c16bbee5e9cf436f6ee8aea8c268d36f9417fd6a5ea3ea91fb8f0d38a84ee75415102d20dc91b7f5bd75d39fac039fd4e4ed59f26fa7846030f7274b7918bd7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vwhe4aqp.default-release\prefs.js

Filesize
9KB

MD5
f702a2fb4a4b0f1f3eb024c4bb638feb

SHA1
68021776c4ef8b542187c3eb5b40437aeb327bc1

SHA256
fd2974c4b5a679450ae5483a0ecc7ab79b4a061b8967319abb8ba7bf8f2252b1

SHA512
ac9471c6babe93fe5bf384013a2a9bd596848f4d2bd7696090c467a0d94b9f62e74898416782fefc9d20f164485f9f543bc5031ba06f47b1982fcdf622056219

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe

Filesize
53KB

MD5
f4f2959fc4cb73f5c1897043156f2234

SHA1
b8ec706ea1d052180fa715d71873d6c8ee3642d8

SHA256
d0730d3f813a15f20a7258b36c7ca34d83f97e06e4f57a31d4150ac1c7b90693

SHA512
ca2de671aa171b99f372a00608f2286b28fbc5aa2c6cd227f2cfeaab6ad9f96a8cb7da9c4e10be15d5f2e5bda281809cbd8db4db004e83c717c675606690c8e4

Download Submit
memory/2992-15-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-22-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-23-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-21-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-20-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-24-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-25-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-26-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-14-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/2992-16-0x0000013D460F0000-0x0000013D460F1000-memory.dmp

Filesize
4KB

Download
memory/4972-0-0x00007FFD10893000-0x00007FFD10895000-memory.dmp

Filesize
8KB

Download
memory/4972-9-0x00007FFD10890000-0x00007FFD11352000-memory.dmp

Filesize
10.8MB

Download
memory/4972-7-0x00007FFD10893000-0x00007FFD10895000-memory.dmp

Filesize
8KB

Download
memory/4972-6-0x00007FFD10890000-0x00007FFD11352000-memory.dmp

Filesize
10.8MB

Download
memory/4972-1-0x0000000000F70000-0x0000000000F84000-memory.dmp

Filesize
80KB

Download