xworm | 5ff4f83bdff8f9edbe12a206afe6e9cec130462e42582181b7084f47714bdb87

Analysis

max time kernel
147s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25/01/2025, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sceet crack.dll(1).exe
Size

237KB
MD5

d80cf9d4594b6517813ad887bcd9df4a
SHA1

53f4e025d721c2aea3ef5b7fc59264e19cc3dac3
SHA256

e9f13171bfd91a86ed53ac962dc382c975ec6f9287e5a0388f9a5e9df4476e8f
SHA512

7eeedf423dbcf3a4107b271de339d9c825f703464fb88303ddaff2f4afeeb687330d8abd62e077fb79c58cd167a326783e6050e1b11ba1a7cc93e01272dbddf0
SSDEEP

6144:udbSbGGqRPOUhcX7elbKTua9bfF/H9d9n:UbRGsO3X3u+

Score

10^/10

xworm persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7676

Attributes

Install_directory
%Userprofile%
install_file
Startup.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/3596-1-0x0000000000DF0000-0x0000000000E30000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk	Sceet crack.dll(1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk	Sceet crack.dll(1).exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Startup = "C:\\Users\\Admin\\Startup.exe"	Sceet crack.dll(1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\cokesense.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe
3596	Sceet crack.dll(1).exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3596	Sceet crack.dll(1).exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	Sceet crack.dll(1).exe
Token: SeDebugPrivilege	3596	Sceet crack.dll(1).exe
Token: SeDebugPrivilege	2684	firefox.exe
Token: SeDebugPrivilege	2684	firefox.exe
Token: SeDebugPrivilege	2684	firefox.exe
Token: SeDebugPrivilege	2684	firefox.exe
Token: SeDebugPrivilege	2684	firefox.exe
Token: SeDebugPrivilege	2684	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3596	Sceet crack.dll(1).exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe
2684	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 4176 wrote to memory of 2684	4176	firefox.exe	80
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 1944	2684	firefox.exe	81
PID 2684 wrote to memory of 3032	2684	firefox.exe	82
PID 2684 wrote to memory of 3032	2684	firefox.exe	82
PID 2684 wrote to memory of 3032	2684	firefox.exe	82
PID 2684 wrote to memory of 3032	2684	firefox.exe	82
PID 2684 wrote to memory of 3032	2684	firefox.exe	82
PID 2684 wrote to memory of 3032	2684	firefox.exe	82
PID 2684 wrote to memory of 3032	2684	firefox.exe	82
PID 2684 wrote to memory of 3032	2684	firefox.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Sceet crack.dll(1).exe
"C:\Users\Admin\AppData\Local\Temp\Sceet crack.dll(1).exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1864 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4acae57-a9fd-401c-86c7-878d23f7adb6} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" gpu
    3⤵
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff8ebe88-5c04-4241-a82e-5c5e65bde1d7} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" socket
    3⤵
    PID:3032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3332 -childID 1 -isForBrowser -prefsHandle 3236 -prefMapHandle 3312 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {870b7854-5524-4450-8998-33bcc1b1327e} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:1204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -childID 2 -isForBrowser -prefsHandle 3844 -prefMapHandle 3840 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a624c4d6-710e-4bf1-bb21-8d5724ff9b83} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:3344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4800 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4792 -prefMapHandle 4696 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d02921b-5932-481b-bc34-dc2a5dff88ce} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" utility
    3⤵
    - Checks processor information in registry
    PID:1308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 3 -isForBrowser -prefsHandle 5644 -prefMapHandle 5616 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a88a4ff-d219-4943-ae37-f2563d13fedd} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5864 -childID 4 -isForBrowser -prefsHandle 5784 -prefMapHandle 5788 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6893f0b2-643c-497e-922c-c92c7a8fd398} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5992 -childID 5 -isForBrowser -prefsHandle 6068 -prefMapHandle 6064 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4872c539-7c77-4517-9ed6-631972d69d78} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:4600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1316 -childID 6 -isForBrowser -prefsHandle 5348 -prefMapHandle 2568 -prefsLen 28288 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5783544f-a0ab-487f-8bf3-cb8a3938abe3} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:3888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6716 -childID 7 -isForBrowser -prefsHandle 6752 -prefMapHandle 6756 -prefsLen 28288 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07c3134f-860a-4954-bc77-9ba710e20a13} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:3804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 8 -isForBrowser -prefsHandle 6016 -prefMapHandle 5892 -prefsLen 28288 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1eb0e564-7d6c-4cb5-8a44-4afac78f30a9} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:1956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7080 -childID 9 -isForBrowser -prefsHandle 6932 -prefMapHandle 6936 -prefsLen 28288 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b98fa86-d537-4541-b59f-abbdc28750c4} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:3464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7184 -childID 10 -isForBrowser -prefsHandle 7192 -prefMapHandle 7196 -prefsLen 28288 -prefMapSize 244658 -jsInitHandle 1244 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {643ea768-52e7-4068-9ebb-6a4ef06bae51} 2684 "\\.\pipe\gecko-crash-server-pipe.2684" tab
    3⤵
    PID:2004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
b081bf57caf4a484d742dcac5979a9ca

SHA1
042acefa66c80419d61409d32a243bacb13be3ab

SHA256
764ae4dbbd09cc5261c5f9a384b1bee3fefd2b2c1bd4141a07b7f0a7295533cf

SHA512
55d56290a0b723635116259e481ffe9221f3c10aa2a71012a860498a21ca64763f60741f9d646da983607b30ce1210621bcc2107ec12eee7d95d3247291aba16

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Startup.lnk

Filesize
780B

MD5
2d0f38f39f608f5486113b306766fbca

SHA1
a9f9276805ba3e560087504e904409ea17e88394

SHA256
7b91fd39d8b2b65434e047c272df021dcc12ab0ca14e14209aae35ca00a928f6

SHA512
81715abf1401174623ea9bf846d3c5aca21b56f99bbe1006bee8ecb35cfd7b57bb7e9219d8509b683d69c9755f87d72b823a00413c68c80609750b767ea3f864

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
6KB

MD5
ebf2e71466f6051bd8ceb284eb6fd7bf

SHA1
20b9722c9f2979ced73917856ff0c11e18477c80

SHA256
a95f383dacfaea802d22ed7663798680cebafa17825ded8c10f68b074d4c89b2

SHA512
4a71e7191e2628a974840d0cc4d01b4061b41b1bdcde0b68318d52b93fdc73df43c090c608ba79d4d281991cb46fc8dd34d778507dedad378e8f5d96c7771a47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
8KB

MD5
70a335bab2b7fd6907f3f7bbaffbe7c3

SHA1
f7491c38de3a02d87b7d0e2529a211ca903ad2ec

SHA256
556055ed0bd0cfbafd726668f97c9cd5952c20c1d53be3772fd7f06c84e5f051

SHA512
63115f9b1796d5c624cd845bd64782508a46d722732da69782b78e55389f8ce077bb46c77699662c9abba6ff8c3b96659699ed16cb89772214240bfa0a79f92a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
62346a60193c976e820a89d185bb0f92

SHA1
5b858d98689e7a351160455b99f4d6d8c6d93ae3

SHA256
4d0fb81a3b0f268c0a66a0cb65f126a888117a5c19aa7aa1c8d6da99825833ae

SHA512
2e4b6978757d01cf8c0f9e789232bd33aa7b2a418b60e4b6d3b54f59b3a16fa3234f42e6cb1f17e58f6a757e48a1095378854a89d956a4304c12f3757862a53a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b43a9cf71f6b2d3c71f5c3e0b9f84804

SHA1
92214551c63d93489ba28722fc5271993fca4c00

SHA256
be767bc94d298d48f211539395554adc76b14e1e9f598b9637867c1a8ebec6a7

SHA512
336ece04cc4813d1e28b61a6d2b4e2475eada4a88d91dd1030994b7d171ab666d9837dec11db008d2cbca512a3c46ea8fbc65807d947de33dd4413bf76009478

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
24KB

MD5
21e812cf31535003029e6e98ea7f1158

SHA1
52994a989d6783e1a1c9834571deb0d0567b26c9

SHA256
96395e42fc9b19125de323202db3ca25d572e6e03f6630b8f684ca70f725463d

SHA512
a2bb59c81d1ca166d5b33b9b5a61ef88882fd5c791418743be9d0439630d90b75ab5d5924deaded683f107a1b7f770f52a336214a0e3795ebbfd93c8fc544d27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\48f926dc-3b01-48ba-881d-017453fd3295

Filesize
671B

MD5
27e5369a8a190f17a1e9c42bc869f391

SHA1
970762a594212c24e96d63abdc210766d7ec37e6

SHA256
52c53266ba89c527784b190f1061eb655d50e30652a8fb1d82c02c4fd9d95b8a

SHA512
b180a183a724576bb9c63b4a52cc4a65e830ce7874ea1dece44d72144ffd4c9ce4bcda7a7b0ba57a35cc52bf40fe11dea91bfc009c87afff8f9b20d765662474

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\4998f38b-e813-4cfb-8f37-5f7c29a5434a

Filesize
982B

MD5
75853d44ca7089d00d465d473274e7ee

SHA1
58404f64c06fd47e19120d4609693832e91b3685

SHA256
3fb8c6df79dc3ae6d291e0c8bd913bc489e40c58ab0aff8357f65921e8bfac68

SHA512
fe58792dd2388c2bfad76627e30b443d734e04d64944863bbb8dc761c057405203ad4e4ab1a79f6521d366731ecd3961e5a529d04e5afb402deee302bceb830b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\8ffdd351-8d39-4acd-ab99-ee0ed6d65416

Filesize
24KB

MD5
117b59f7b102260f8f99f3b807692785

SHA1
5b731120afff380c2cb6209f6e7d00070857f3f0

SHA256
d027d7e7b07602a58a5bb1a88ba2504811f204d6e98af4d44e8bbf858584178d

SHA512
c34423a2da0f089f326284d14965f643d97ff07d970867b4a86b8ca7a53480090a0afcb75007452a7cfc0cb6d00060aa1ea90f96b7d1ce8df99daff3daf3c4ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
9KB

MD5
b611f4527633cccea03c747ba72f6ab1

SHA1
e8d53377ede27a6f104a017a3f3193f62b5b7e01

SHA256
14022cc174d5b3ae263dbb6e4de4394489b61cf48f554c023823b66c46479aa1

SHA512
f4ad4349b55ef40e16c48f699e41a3a2127145850e64ad5ea662e43d0c770a19fd9b0531b0202c489241df5d349e0ac174d2ece302b62f66823ffb2de439c9ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
10KB

MD5
f518df19f53f511bcbe9d5286c691baf

SHA1
8ba578e572bb2e4df109e79289af36ca6f952058

SHA256
cb6dd2bf2fe629203583993ce0e8b88c977b7778fe7914110ab8ca998d9028c2

SHA512
0278f6a784c3994b689c9ade942a4dd4fb884a908cf1a36d5f6e8649efae6f0b7e7d2b8a462b72cc45a7455b05340fe6e17e9c858fb405de52b819b638103a3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
cfe4b0c3aa4ca8ae9b751e9e4e51b2f2

SHA1
95efacbffaf9deee56c0954867f1b96eb68fc595

SHA256
a45ad2e3f254d1b16e11c045c27989383c0ae3f3b44188e1cad88ea11c9672e6

SHA512
87cd065a956189708b41dec3a9a5c4a8ba3060632c4334ea90bc035b05e3dfed94055d8051293da61da78cfaca8ffa03d78388104c261978320f2f12c4f62620

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d76e8652297f1e179077fdc4cce52d0c

SHA1
40df7557e6a95d372b6c096691d0519af56a848e

SHA256
e4a98176337d6520b5a98014c00481fb7842cf76fa68df44d8e1c9586248ebd3

SHA512
ac8bc6873e85c95c576787ebaa15a73173076961c1254ae5bbc9e8ad3af6607fe89d1640f5211364b14fda23c31648628433cbb8e0a672d96444cce7895a9711

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
05d92051403627584f83dcc3ed970a9f

SHA1
75ff845a3b31988b38bfc86702f810139c56ab63

SHA256
5fe566cdf1b0917ab85739ef8019adeaeaac8a3e42165a2c9a3824a2a5a1cbe2

SHA512
dcaee1f0277a598d5f29934c4a2946660915fc8fa73b01783576ce9770a14e18a93402d0a35526a2a2aaabee8bff13158a725404d92fed33950f0390c3b194e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage\default\https+++www.googletagmanager.com^partitionKey=%28https%2Copera.com%29\cache\morgue\142\{ecb3f4f0-ba68-4213-9534-239eaf11928e}.final

Filesize
11KB

MD5
05c18239955961946a0e350a0aeb5c4d

SHA1
3f53dfdf9c6d62dbdf8fa6b21000bc5c6f11ba30

SHA256
9dfec5190a701ec16569eeef1024ee3cd8502ffc96ae484375df9c1d3dbf166e

SHA512
3b1363b17bea7e3c9095427ac65fbacb624e09d1ab3a37f7e4ee7abcf7fd1b8ac93c5050ae644ad404f5de01a414892aece1ae0132f2f4f8ce6856fdb5114e3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
af317ebba7976fd71b3d868580ff2031

SHA1
038a2db48822976b600db096c4a75928fefd875b

SHA256
96ec654c1401aa446abc09a1d2c80f2ca61cf646f44a060a4678ca4dfbed43eb

SHA512
31fb2c380389e04b36d5df5664dae0151854f7444a9abf9a36bc8e239061dcecd5bacafc206c4aa28759e626b1999c491394b0a6bf3b030f86a5209c6a833ed7

Download Submit
C:\Users\Admin\Downloads\cokesense.mAez9UUp.zip.part

Filesize
156KB

MD5
ffdf1d333c045b215ef663f58acc5031

SHA1
fec8a8a9ea739b07d675d4399a9156d88c29f4bb

SHA256
5ff4f83bdff8f9edbe12a206afe6e9cec130462e42582181b7084f47714bdb87

SHA512
726866895eb63373f754ccedc5b8326f239e37f99e67d3ee789ea2e5eea884b2220064d2610b316bc2a101ff4fc3b92b8da533e762e04ac53ef57d590b22b332

Download Submit
memory/3596-469-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/3596-312-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/3596-452-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/3596-0-0x00007FFF4BCD3000-0x00007FFF4BCD5000-memory.dmp

Filesize
8KB

Download
memory/3596-6-0x00007FFF4BCD0000-0x00007FFF4C792000-memory.dmp

Filesize
10.8MB

Download
memory/3596-289-0x00007FFF4BCD3000-0x00007FFF4BCD5000-memory.dmp

Filesize
8KB

Download
memory/3596-1-0x0000000000DF0000-0x0000000000E30000-memory.dmp

Filesize
256KB

Download