xworm | abaa271934dad28dddcc5e065d4202b1bdc3ac18df824f4f770caa0bc80f8f2e

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
06/03/2025, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

42KB
MD5

f706e0fe7af5adbc7f6c8dc5d76f01ad
SHA1

5d6612d70c227c72af49771ed2d197a427f413ec
SHA256

abaa271934dad28dddcc5e065d4202b1bdc3ac18df824f4f770caa0bc80f8f2e
SHA512

8ce649ae66f9fa32294ca7d67320034df598d07f5f10d9e6fbe2163f8e3419c3d78400b4c27adf5dd9662ac9da46e85db0955b10311f5fd3d1ea7a109a027d11
SSDEEP

768:nTafJRPSlKImUO2DXFyp9ORM6YOjhAPyVGb:nTKJqI2TF09MM6YOjyJb

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Idlerkik-51025.portmap.host:51025

Mutex

KUgHFqP88n6895bj

Attributes

Install_directory
%AppData%
install_file
svhost.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2008-1-0x0000000000170000-0x0000000000180000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	XClient.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2960	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 2060	4832	private_browsing.exe	88
PID 4832 wrote to memory of 2060	4832	private_browsing.exe	88
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2060 wrote to memory of 2960	2060	firefox.exe	89
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1604	2960	firefox.exe	90
PID 2960 wrote to memory of 1872	2960	firefox.exe	91
PID 2960 wrote to memory of 1872	2960	firefox.exe	91
PID 2960 wrote to memory of 1872	2960	firefox.exe	91
PID 2960 wrote to memory of 1872	2960	firefox.exe	91
PID 2960 wrote to memory of 1872	2960	firefox.exe	91
PID 2960 wrote to memory of 1872	2960	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1200

C:\Program Files\Mozilla Firefox\private_browsing.exe
"C:\Program Files\Mozilla Firefox\private_browsing.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 27661 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {391569c4-7d39-4785-a305-96781d0dafa8} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" gpu
      4⤵
      PID:1604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 27697 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af2f9559-806c-404d-b77d-da53dee5a555} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" socket
      4⤵
      PID:1872
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 3300 -prefMapHandle 3176 -prefsLen 28646 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31f2f61b-1c63-41c8-acc0-a6944666d531} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:4864
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3636 -prefMapHandle 3632 -prefsLen 32995 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3e90347-bfeb-48dd-95c1-b33f156c9854} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:4784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4784 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4708 -prefsLen 33051 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fe8173c-431b-436d-8369-d0efae336aae} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" utility
      4⤵
      Checks processor information in registry
      PID:3744
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -childID 3 -isForBrowser -prefsHandle 5388 -prefMapHandle 4736 -prefsLen 27117 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4572c0e-baca-41d4-b032-ed6a40d917b1} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:1040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 4 -isForBrowser -prefsHandle 5392 -prefMapHandle 5428 -prefsLen 27117 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0637952-9e56-4ed8-8599-65c4453bf338} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:2516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5748 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27117 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e2da9dd-3913-4190-901f-82f5d349de02} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:3976
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2724 -childID 6 -isForBrowser -prefsHandle 5788 -prefMapHandle 5424 -prefsLen 27277 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de6a450f-e51d-4b0b-9064-1080df9c7c0f} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:2724
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6380 -parentBuildID 20240401114208 -prefsHandle 2700 -prefMapHandle 3552 -prefsLen 34641 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {57c63e14-28d5-404d-b5a1-8c6943aadeea} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" rdd
      4⤵
      PID:2320
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6388 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 4960 -prefMapHandle 4764 -prefsLen 34641 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07a78b84-adf0-4c21-b28e-93c877480fa3} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" utility
      4⤵
      PID:3040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5320 -childID 7 -isForBrowser -prefsHandle 5316 -prefMapHandle 4068 -prefsLen 28308 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57b970a6-a67f-439c-97e2-6d6d6f36332c} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:1768
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6584 -childID 8 -isForBrowser -prefsHandle 6576 -prefMapHandle 6572 -prefsLen 28308 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2028386-1738-450f-b4cf-e04be8fd5d2e} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" tab
      4⤵
      PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ebb956d0.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
c538e5937bf93ca90c34c3888349959a

SHA1
de9d7e3558751722a8f2e922f407d72b12143de5

SHA256
efb19c0bda731a06d58ec7dd2b9e953c33186f301304c710df522166091f7e05

SHA512
a5ca5f8a09b9f22c84aa3a80b883d84f8fe18823ac7e26192b5a1267a377fd8f6e67c6aa9ef285be99ff53fb36b360c0fd79305080252fb4cc339904609ff953

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\825939ab-5aab-400b-88d8-79ba8c3a4a46.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\AlternateServices.bin

Filesize
8KB

MD5
86c197d3807f46d33d2600a51091f11a

SHA1
6472f634415357400d33af2d254b522c18ee6a62

SHA256
e125baf274876bbb1b60f43489cb748a982a9556209713b538a8ae7aa460ff46

SHA512
a6a1868078ec626bb5c9cbd3e51cda0def3d1dbbd342718482b20bad90c9be5933b876fb747d4f6363a88767c26b0a4fcf09efafc5d9d0d0cce04d0d1fdee501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
021323e73d6c425b8d1977116702e74e

SHA1
1a0a69032ae2a9384b605d1e5f0d7b45068ad7f5

SHA256
d10b552b83d0f1628895628475bf5679cc9277e67ffd5d8864bf49376d32547d

SHA512
fd200d8574c37e2b90bf4c9c85e9646e3f5a1be589dc9ef773c517937e982e5b6c0a7cb52a29f08dec022c14ce1b808e85bbfe55a1bad2f82d8652bd15b2b653

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0ea9b9353799faf868ebcbe0e0b775b0

SHA1
3eb502a7ecabe0866a2721ad0a0fc5879ab57ace

SHA256
e1cad5479bd999c14d78e94fb661fcb6c37002d168c00c71c562c60a19c91495

SHA512
9d700bfcc9901c848a7ac10f7b5e3b4776e4c2d5fe10cbd375b5cafe7c91fe2feb66541909fc12763516a9f491f894aa18f0a7022859c9598ba934c54cf23b72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
78ba7d0660e96886e6fa56db6b7aa23f

SHA1
d95e5b474984f3d688f865a3278ebf7535793e70

SHA256
a0a9fb0425fd8193079de99a3737ecc1f2a097d96bd8db3d857b27c28efb3e38

SHA512
5dde03993547cd69f3a8de82d336bd3159373868d07ad166e27d009e8065a23312bde515c8da31e8edc7d43e823b06dae597ab4bae7ae21205e68f6c26f68066

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\pending_pings\20d70d6f-0e3f-4a88-945a-014c4c4d74a8

Filesize
982B

MD5
70bea15e1f6715ec6f9c5179fe00e9c0

SHA1
6f8ec4d4e62c93574353a2ce36099bb8d69c3a33

SHA256
c68e191debaf5fea861b460ca8083a476f23a6af98861d0f98958d54b2890a21

SHA512
58495729fb15851c73daa65755624a5d5ff0a184ff021f463741f19bdb108422a98b6a497273aa8a9c587debfbec63ddcc17656ae6823b0585293f8a1b0d6a1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\pending_pings\9cd1c4e0-26d4-465f-a219-75ab698f82ba

Filesize
26KB

MD5
ef6af7b2496b0f61c32d6c58153fe722

SHA1
37df541574363f1c48ddc3b98be7180b0c28d4b0

SHA256
03ccf83eb4c7b2269d431f7f3227b9c9691b97c5458135b7c59b8f2677e5022e

SHA512
4b046dd3e84a1e184ca3cf459987f13ad6afcdc888ca957ff9bdbb3c87ccba9e66aa99b160acebcc6da2f00febdc78c234be6337c2d844e013cc32b8d6d3cd04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\pending_pings\c36c9237-bb46-4b1b-8afc-f16fa2e3be8f

Filesize
671B

MD5
1dc1532058b15072ec30262896e232d1

SHA1
0aed1b076d04b99790994df34b708b24722df3ad

SHA256
989fde1f9a2836b7b006071152875ed93b6a6ce3459156420d23e2124a95cd2b

SHA512
ea0e83c2107f6dbb0d3e5b9f21ed1cf78c744aff5eb1494507d87aab36d5ea57ab0a2ff3b155b1c3fee92f4dd533d6aa060f516fb0676a5f17602ed36b72dc6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\prefs-1.js

Filesize
10KB

MD5
3864aa0ec41c5b017ff44ee8a39e75fb

SHA1
07bab720c7613c039375c63e72cf03735371513b

SHA256
cbdfbd5aecdd13c35fcc04fb73bc55191bc9495fab22f31d84698808c0996a9a

SHA512
c8e96631e615518c34993935ad4c0d02c5175a7a8efcc61146433c8fea8ca05c346c104d3415f281cc435b06c558dc027a86d96b32758e6145992b85c09ce8a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\prefs-1.js

Filesize
10KB

MD5
876440f457facf754c7c6bd650be7b7c

SHA1
2e99190d53ac8adb879f36dc18198ad340f0083e

SHA256
52732967d7a836d19a11edd70c527b3b9a057f68df45918504b3c0a3eb181bc1

SHA512
763d65674dc597292223e3af26a6eec26ad875a8e73e93839ab0a2e9fb30834074869d02f0a59db421e2faf56ece17cfc9bfc3006195dab71509f21559bd2188

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
a1d29d325a2f2045c7b8edca3f917212

SHA1
ab89ee7ae8d31952bab27fcc43fbaa238367a490

SHA256
7818f567a14198bbc7cf051047c081d39d6ab7abccbce83826534d28bff26f42

SHA512
d93d933bbc00e6d9e4e652d0dddddbeb06dc6bdc6926d60393eb417cdab6758519de9cfa935929474c14fdc0fb58076a849477a9fddf70b0959dd76a80d6d45c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
86f06b8bae2c5bf0e943384e99a4f548

SHA1
dd10aab1444135a585c785bc377d620ab9d1ab4e

SHA256
9eddf8561f6353eaae8a49cea84bc6ca82ee0f3a98a5a0d4197b92c97e18d259

SHA512
77ba9ec69ae1347f3c9366e973fe07bc8958f7656391160f0272d000f6d61fbc644bb522df32a21b28c0f3060c3e3b9fcb622de9cf99579a763243762c629811

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
2ea2723088491b425b9ceb832503f03c

SHA1
fd1a93d9a1ea30b74577519e418891b224dd0899

SHA256
ba754fdb07ed0a32273b5a20dc7ed539e6a01a0cad6a72274b7c609e706e723f

SHA512
6c68a888d328abb36c309e9b0cccd966a52c4e43bee6191046b1d313d1cbd1751154c5ad01de8e6c6d92a1f33ef3a02aa08b2e182db5966e0486c79dfe2d07f1

Download Submit
memory/2008-3-0x00007FFF1AB50000-0x00007FFF1B612000-memory.dmp

Filesize
10.8MB

Download
memory/2008-1-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/2008-2-0x00007FFF1AB50000-0x00007FFF1B612000-memory.dmp

Filesize
10.8MB

Download
memory/2008-0-0x00007FFF1AB53000-0x00007FFF1AB55000-memory.dmp

Filesize
8KB

Download