xworm | 42a43122a976de6400853bcb4d91eb6fc01b33e323e9c44e9d4740c978180a8e

Resubmissions

06/03/2025, 13:15

250306-qhfd9szmt4 10

06/03/2025, 13:12

250306-qfzp5azlz8 10

Analysis

max time kernel
123s
max time network
125s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 13:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

cheatengine.exe
Size

42KB
MD5

fe3ecd7a7068b85e5c1a1c8833e1b5ac
SHA1

ebbd9a0b9f54fe308f1a40bd737deeb812f34415
SHA256

42a43122a976de6400853bcb4d91eb6fc01b33e323e9c44e9d4740c978180a8e
SHA512

87f75872aa6630d5093b2065ab6fc0f80d981ddbbddaef339d99f5a6a3e18e4313f502b300d468ac248e4ad807852c3732c554541e6d83e63165108b12e04c76
SSDEEP

768:+RPD9OQhx/BZ3Tw4xKdVFE9jffOjhBbAds4S1EAd8II1:+d9OW/Z3U4xcFE9jffOjP0dS1EAd8II1

Score

10^/10

xworm rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Idlerkik-51025.portmap.host:51025

Mutex

a1yX5464i0yhChwC

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/668-1-0x0000000000010000-0x0000000000020000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4580	powershell.exe
4580	powershell.exe
4580	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	cheatengine.exe
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeDebugPrivilege	1624	firefox.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeShutdownPrivilege	1980	shutdown.exe
Token: SeRemoteShutdownPrivilege	1980	shutdown.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
1624	firefox.exe
4792	WindowsTerminal.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1624	firefox.exe
4792	WindowsTerminal.exe
376	MiniSearchHost.exe
808	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 3108 wrote to memory of 1624	3108	firefox.exe	94
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 4588	1624	firefox.exe	95
PID 1624 wrote to memory of 3024	1624	firefox.exe	96
PID 1624 wrote to memory of 3024	1624	firefox.exe	96
PID 1624 wrote to memory of 3024	1624	firefox.exe	96
PID 1624 wrote to memory of 3024	1624	firefox.exe	96
PID 1624 wrote to memory of 3024	1624	firefox.exe	96
PID 1624 wrote to memory of 3024	1624	firefox.exe	96
PID 1624 wrote to memory of 3024	1624	firefox.exe	96
PID 1624 wrote to memory of 3024	1624	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cheatengine.exe
"C:\Users\Admin\AppData\Local\Temp\cheatengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:668
- C:\Windows\SYSTEM32\shutdown.exe
  shutdown.exe /f /r /t 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 27611 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1131da7d-2ca5-494b-8264-79b245e216d0} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" gpu
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 27489 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21afaa53-fc7a-40ae-9ee0-4aeaed9cb1ca} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" socket
    3⤵
    PID:3024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3092 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3040 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f513346-5b4a-4221-b3be-9e64d5110051} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4104 -childID 2 -isForBrowser -prefsHandle 4076 -prefMapHandle 4072 -prefsLen 32863 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd96729a-1366-4fd1-bb94-91843664ea4e} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
    3⤵
    PID:4124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4876 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4756 -prefMapHandle 1744 -prefsLen 32863 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {082a6ff8-2fe9-43cb-8c0c-cc21f4b67078} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" utility
    3⤵
    - Checks processor information in registry
    PID:2312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 3 -isForBrowser -prefsHandle 5496 -prefMapHandle 5412 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b992eae-7832-4562-9eb4-ae6218db5481} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
    3⤵
    PID:1952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 4 -isForBrowser -prefsHandle 5644 -prefMapHandle 5648 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {837fce3e-9d8b-4c4b-bd75-4928937024a0} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
    3⤵
    PID:4120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5852 -childID 5 -isForBrowser -prefsHandle 5928 -prefMapHandle 5924 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {771061ee-8ca9-48a8-b66a-28b184a1fe13} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
    3⤵
    PID:3368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5868 -childID 6 -isForBrowser -prefsHandle 6068 -prefMapHandle 5684 -prefsLen 32704 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2c41e2e-987a-42df-96f4-d655ac2c71bc} 1624 "\\.\pipe\gecko-crash-server-pipe.1624" tab
    3⤵
    PID:2328

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5192

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Desktop\."
1⤵
PID:4368
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe -d "C:\Users\Admin\Desktop\."
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4792
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:5216
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa08 --server 0xa04
    3⤵
    PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4580

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39cc855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nimmy3l.default-release\activity-stream.discovery_stream.json

Filesize
21KB

MD5
5b18df61cf63f2ac21c8d1b0110ea27e

SHA1
8702aaf5377d9d188bf6aa09b3606dba4391d509

SHA256
5447704ca5da757aecb6f34cfc289d3e3ccf4cc3d444c6d6a3d4092b18ee6038

SHA512
3373659bbd13770c34e96f6db12712919b87a9a3b5b92b2723efd15f60e6ceede82a671d4517a09b6f81941cebfcb61b6bec04bb0c5c8d7e88fa0bb318fc86c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f5863878-dc71-4854-bfb4-aa934cfe37ec.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
c9bcf62c3583c83bd89b539453ec5379

SHA1
205ec3512eb1814a49aab4c5532bb36b4bb9625b

SHA256
b255ee3805deddb25cd1a56eeb6386b38761ab0fb53dc58f83e974dc04ab5a64

SHA512
769479f4a0f1d75abdafaaa2ccb8ccfce1deb9861f1e49e8831d5ff315772f68e638eb8f57b5425a9cc0df0ad97260a4890eb9d4dda1f4f320a1cd599c5df9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d5bamui5.tp1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\AlternateServices.bin

Filesize
8KB

MD5
4305443d6b424e438f26e3873baeba6e

SHA1
1d863e3a90ab9e3aa0b1e3c249b7ecf688ac8b0b

SHA256
a25cc998d23b184fd979b4b5e0821a814f03940f2efa6ad3f76f8a90a91a113c

SHA512
805751b2ec241bd7cfe3ce89b026defe4fb2a10b723c37e1d3be3bd6b31649694b6f9ae2566e35cdce1c6c16fef5a18784004a7d7ec54154556e06775ced0743

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
030c7f9a725d8053df4431a0a47fed76

SHA1
8a48ed864a65b9fd0c5fad47c9d1e8984ec906a7

SHA256
5c9dbd378a9b96b6be6e84edaee503bfef7ea3ad450add208bb049ecc1b6856a

SHA512
d55f36caf1c927cf7d8735be80b2da66a81e7c4dcff7827d7e4cb44e270ea431c6851596ddc0f448c9f95f48edcba296acebd9ee76c03417cdce409b1f3e9453

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ffae90e0e52750d7c8e61e14af5d5a83

SHA1
efdb77537a15695b97ae2c8d7d1678cff0735e7a

SHA256
121e19edfeea3aac0b211b4d2be4cbfc7ee2636601f12daf050e1a8bc2e4a79d

SHA512
fb359d00057d13e5bc72de9246b8f14646c87cce038d38d6c7290039b93a3f636c5291eac860d9400640302d4b5efd7aafb78503c4d84a4ca8f69808139afab9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\db\data.safe.tmp

Filesize
40KB

MD5
6611118c8d86c4db96edf6ab2da96fec

SHA1
076b283a8ef2ac51a0e5b0c356ebf6ab9b3533ff

SHA256
57e90e9752a13b9de97e983aeb9f3a00e2bbe3a0dc0500ec043538f313b5ed70

SHA512
fb70b18493a7614c6c430165c5efdb78053dd1e7f3c0e7e41d4b2a8abe3ff612d8ccb1dd36c81219d2238da8c288fb2b98a16c840d6450924e08ab01f77441a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\6f11394e-29c0-4422-8c29-c40d7c10be8c

Filesize
982B

MD5
27a2b6386323c311a808e111e57138b3

SHA1
6d402f0e12e17841a7108b4493ecaef8a88bb4e0

SHA256
fcbb2924ee3ba0ec65bef91c15696ff58ab252b837e648b7b553ba84046bdab0

SHA512
4b8687461acf613dd29b13e53ed49822fa367878d55a468983cfe9831f9cf54272c457bcd3ad89188aaaa87c36f7daf9b318d068099fe2028cca79ff8ab0df53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\a6e7a5ed-5bb5-451e-a744-9bc4d6e3816a

Filesize
671B

MD5
bceb2cb6ab2c88112e916fdbf2b12d0c

SHA1
1134938ad8e8462e4637b19612a4417cb276baae

SHA256
eb828fdbfcfb847f15dcd5d56e9df46b3a5ea0069ba92f469f4749333e992408

SHA512
dec59bb689c43fb2e51abf071fa85fd5050a8b989afcf75b508c4d191a7f5dcfcaecba0f51edaaf28d25978b411674ec73bfcd65c1b5b7385363828aefdf720b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\fc9a5899-ec90-4e06-9563-964952eca962

Filesize
25KB

MD5
d8b6eadb57824abf1d30818951d62f48

SHA1
8d4c778de2dc3627b1d6c37593eecd45ec556b9c

SHA256
d3d89232af7e16f916317ef25339ac9e581ccf60dd654c4baf9553eb603f0df1

SHA512
6eb2e48f0dd349254787708b9e304b952c39acaa8465f9bc1a4a876310a950a26bc9b89b48fa9886d0a0699bead3f31b421a90ab0a22737a867d16454f5dd28e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\prefs-1.js

Filesize
9KB

MD5
1e233b4d1c347dd7cd62c63f41d99817

SHA1
672787b214206aaec75e5112205bf7a6324b6c54

SHA256
9bff8622a27453f4a19df37ab046db88fd593ee53387d9929f355b4521bc9396

SHA512
b3a56802bcbe12736944d0f91a8a77cd94d196af5ca94d4bf72b8554f445739e8723d68260ee139c56d28d8176745aa74bc415dfbcfdbaba6c54b75189084967

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\prefs-1.js

Filesize
10KB

MD5
dd63672ad5c4c1ac294c8355ba070857

SHA1
89cc3a95b1417d93e0c8b9dc275a39d32754f632

SHA256
30e2af01c1ab6684b83878241fc484163a433c62c46a0e3687d9114cc0a5a612

SHA512
0a0eaebdad5c92348170447d27c5d2e65c5ae68a5ff67e3ced850ea56a2fb7662a62731c26b27856e81b46f8595e53ba7e322138e6a440ac14765e3e7df790ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ef0efa2986479d738a130da43276f8ce

SHA1
984612b962b09465cb1c0cadef8c1dfab1f29936

SHA256
a57db10279588e6e97251e686d6cec9d4ebf0040e769f65290a982fea4eeb011

SHA512
bc08ff4e137c15cb0bb19612dd883f8034503d9aa2ced2b1aaf850b1937d0dd3a53b73c69acaf71a08b13ae3f3d8ab4abb3f243880d6d3859529ff97db466607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
23d5cb9b891c2ac205f66d2da9520b1c

SHA1
92a92e2540c68e3a8100bcb957a7d6ccfb0836d6

SHA256
5e3e659d1d069b6bb3fef3c0d4573caa36b48ceec0314e55236fe3049a5012b4

SHA512
5f65670cd171755a1c49780c63b40fb98b25ba23994b6a5b1cd84c313d9da565f44b49d347f61e0aea76fe3206d7de7a424707f364382b31d9002ce644450247

Download Submit
memory/668-505-0x000000001AC50000-0x000000001AC5E000-memory.dmp

Filesize
56KB

Download
memory/668-0-0x00007FFC1B673000-0x00007FFC1B675000-memory.dmp

Filesize
8KB

Download
memory/668-3-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

Filesize
10.8MB

Download
memory/668-519-0x000000001C060000-0x000000001C3B0000-memory.dmp

Filesize
3.3MB

Download
memory/668-2-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

Filesize
10.8MB

Download
memory/668-1-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/668-4-0x000000001AC10000-0x000000001AC1C000-memory.dmp

Filesize
48KB

Download
memory/668-583-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

Filesize
10.8MB

Download
memory/4580-517-0x0000015C7D880000-0x0000015C7D8A2000-memory.dmp

Filesize
136KB

Download
memory/4580-518-0x0000015C7E160000-0x0000015C7E1A6000-memory.dmp

Filesize
280KB

Download