xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
799s
max time network
804s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral3/memory/5028-0-0x0000000000160000-0x0000000000176000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1564 powershell.exe
3924 powershell.exe
1392 powershell.exe
4372 powershell.exe

resource	yara_rule
behavioral3/memory/5028-0-0x0000000000160000-0x0000000000176000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

pid	process
1564	powershell.exe
3924	powershell.exe
1392	powershell.exe
4372	powershell.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 13 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid process

3012 svhost.exe
5696 svhost.exe
5912 svhost.exe
6108 svhost.exe
4548 svhost.exe
5488 svhost.exe
5628 svhost.exe
5432 svhost.exe
5700 svhost.exe
404 svhost.exe
3608 svhost.exe
1840 svhost.exe
2144 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3012	svhost.exe
5696	svhost.exe
5912	svhost.exe
6108	svhost.exe
4548	svhost.exe
5488	svhost.exe
5628	svhost.exe
5432	svhost.exe
5700	svhost.exe
404	svhost.exe
3608	svhost.exe
1840	svhost.exe
2144	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings firefox.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1984 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe

pid	process
1984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1392	powershell.exe
1392	powershell.exe
1392	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
1564	powershell.exe
1564	powershell.exe
1564	powershell.exe
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	5028	sv.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeIncreaseQuotaPrivilege	1392	powershell.exe
Token: SeSecurityPrivilege	1392	powershell.exe
Token: SeTakeOwnershipPrivilege	1392	powershell.exe
Token: SeLoadDriverPrivilege	1392	powershell.exe
Token: SeSystemProfilePrivilege	1392	powershell.exe
Token: SeSystemtimePrivilege	1392	powershell.exe
Token: SeProfSingleProcessPrivilege	1392	powershell.exe
Token: SeIncBasePriorityPrivilege	1392	powershell.exe
Token: SeCreatePagefilePrivilege	1392	powershell.exe
Token: SeBackupPrivilege	1392	powershell.exe
Token: SeRestorePrivilege	1392	powershell.exe
Token: SeShutdownPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeSystemEnvironmentPrivilege	1392	powershell.exe
Token: SeRemoteShutdownPrivilege	1392	powershell.exe
Token: SeUndockPrivilege	1392	powershell.exe
Token: SeManageVolumePrivilege	1392	powershell.exe
Token: 33	1392	powershell.exe
Token: 34	1392	powershell.exe
Token: 35	1392	powershell.exe
Token: 36	1392	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeIncreaseQuotaPrivilege	4372	powershell.exe
Token: SeSecurityPrivilege	4372	powershell.exe
Token: SeTakeOwnershipPrivilege	4372	powershell.exe
Token: SeLoadDriverPrivilege	4372	powershell.exe
Token: SeSystemProfilePrivilege	4372	powershell.exe
Token: SeSystemtimePrivilege	4372	powershell.exe
Token: SeProfSingleProcessPrivilege	4372	powershell.exe
Token: SeIncBasePriorityPrivilege	4372	powershell.exe
Token: SeCreatePagefilePrivilege	4372	powershell.exe
Token: SeBackupPrivilege	4372	powershell.exe
Token: SeRestorePrivilege	4372	powershell.exe
Token: SeShutdownPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeSystemEnvironmentPrivilege	4372	powershell.exe
Token: SeRemoteShutdownPrivilege	4372	powershell.exe
Token: SeUndockPrivilege	4372	powershell.exe
Token: SeManageVolumePrivilege	4372	powershell.exe
Token: 33	4372	powershell.exe
Token: 34	4372	powershell.exe
Token: 35	4372	powershell.exe
Token: 36	4372	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeIncreaseQuotaPrivilege	1564	powershell.exe
Token: SeSecurityPrivilege	1564	powershell.exe
Token: SeTakeOwnershipPrivilege	1564	powershell.exe
Token: SeLoadDriverPrivilege	1564	powershell.exe
Token: SeSystemProfilePrivilege	1564	powershell.exe
Token: SeSystemtimePrivilege	1564	powershell.exe
Token: SeProfSingleProcessPrivilege	1564	powershell.exe
Token: SeIncBasePriorityPrivilege	1564	powershell.exe
Token: SeCreatePagefilePrivilege	1564	powershell.exe
Token: SeBackupPrivilege	1564	powershell.exe
Token: SeRestorePrivilege	1564	powershell.exe
Token: SeShutdownPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeSystemEnvironmentPrivilege	1564	powershell.exe
Token: SeRemoteShutdownPrivilege	1564	powershell.exe
Token: SeUndockPrivilege	1564	powershell.exe
Token: SeManageVolumePrivilege	1564	powershell.exe
Token: 33	1564	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

4668 firefox.exe
4668 firefox.exe
4668 firefox.exe
4668 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

4668 firefox.exe
4668 firefox.exe
4668 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

4668 firefox.exe

pid	process
4668	firefox.exe
4668	firefox.exe
4668	firefox.exe
4668	firefox.exe

pid	process
4668	firefox.exe
4668	firefox.exe
4668	firefox.exe

pid	process
4668	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exefirefox.exefirefox.exe

description	pid	process	target process
PID 5028 wrote to memory of 1392	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 1392	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 4372	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 4372	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 1564	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 1564	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 3924	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 3924	5028	sv.exe	powershell.exe
PID 5028 wrote to memory of 1984	5028	sv.exe	schtasks.exe
PID 5028 wrote to memory of 1984	5028	sv.exe	schtasks.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 1348 wrote to memory of 4668	1348	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3156	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3156	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe
PID 4668 wrote to memory of 3152	4668	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.0.408759473\1338972801" -parentBuildID 20221007134813 -prefsHandle 1692 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f72e5c4a-9cc4-4a4c-8e9e-e9aa271fcf51} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 1776 29e2c2c8658 gpu
3⤵
PID:3156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.1.108298681\1217990724" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef4da4b4-f5e2-4cd5-8cbb-5763e4718aa1} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2132 29e2be30b58 socket
3⤵
PID:3152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.2.1731143361\1082132633" -childID 1 -isForBrowser -prefsHandle 2868 -prefMapHandle 2840 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7209855a-183b-44a9-b7ae-e28b58a161d1} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 2804 29e2c259158 tab
3⤵
PID:5024

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.3.1977603857\1308229721" -childID 2 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe57e908-6715-4351-b831-7073a06b4467} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 3500 29e2ea9e958 tab
3⤵
PID:2580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.4.1831828789\504965788" -childID 3 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be013718-9610-457a-be5f-737ec0f37759} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 3888 29e31b54958 tab
3⤵
PID:1284

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.5.1131426391\443067212" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fa40b37-c233-4025-bc4e-e4ed1a4f28af} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 4920 29e21365658 tab
3⤵
PID:3020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.6.1711958372\1212752272" -childID 5 -isForBrowser -prefsHandle 5036 -prefMapHandle 5040 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e1e70b6-355f-408c-b1b1-b67daf299993} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 4948 29e32894658 tab
3⤵
PID:2500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.7.196727342\1421520512" -childID 6 -isForBrowser -prefsHandle 5236 -prefMapHandle 5240 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f642468d-b8b8-4a69-8cb8-eca201a3bf51} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5228 29e32895e58 tab
3⤵
PID:3268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4668.8.226247839\997007775" -childID 7 -isForBrowser -prefsHandle 5628 -prefMapHandle 5624 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1104 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d468672-2568-4696-ae98-7f06adcb29a1} 4668 "\\.\pipe\gecko-crash-server-pipe.4668" 5636 29e3458d458 tab
3⤵
PID:1344

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5696

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5912

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:6108

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:4548

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5488

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5628

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5432

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:5700

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:404

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:3608

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:1840

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
102b58058e3199b453d50f4db8eb62e2

SHA1
5b18281ea0b295cebf35234aea3bedaea8cd1a44

SHA256
d03041c2808010651bd60c23a1db49384a77572bf113e105fe31a4a6bd47aa3a

SHA512
f6c210525bc4138884fcbeef2bd26e202e529122530759bce528d04f9c12ca087f596009cc72eaac52212eafa7772c3da34d5cb796a6f4bfd4e7f3ba639a9738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
954380b6cbf1471e3575a6195175ab41

SHA1
2dad6922f4f8563ae0611b722e9ef1d560813845

SHA256
893d686ed9667e1b8fe881702811c184b4f942cd03fad2e36f0b9e45c1dd1ab1

SHA512
acda4dcb3845682318a293a2700cf2e4360e885d5872ba3be6e38f9d2a5cbad5e2678969cc9e6f40a59331c7db87f79740dce88098741fd0d9b42f1c6cc26c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d10debb287e9f2d0ac62dce086b67aa3

SHA1
19a2599309c36532afce2a6336ddf7516a0efa23

SHA256
56fd7a477c9cd3dd3e28d9fd7f0c9a780c0f3c5a4a1403ce78a80bb5de8282c8

SHA512
73ddd125c6218ca44e667ffe96f8cb581cf711b486970c5e5fb28cb4d99d4f56391585f6e1343fab96aba3dec944b4b8bedc8e5346cd613ddca6292ad144018f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F
Filesize
11KB

MD5
2bd830e604450600a88be14488af87ed

SHA1
9f8021ad4b58e4d656915491ee524957272a599e

SHA256
a45e232852d4e95e7c7d885d3bbf5557d6965e758362747ac2a7ee49e46823fd

SHA512
a6c21c5eeb2ad57593509a74d1dab77cfd56822d9cc1e2ce758139b69a4ec01b22fb240b6f006098fba0ddba164516305b82cd64e9fd31d1c8c956a03a807fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f3qxgz1q.f2h.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
7KB

MD5
8767af080d7b994272e7e74fe9cc1d90

SHA1
3b7c959760363a44f1d157bf974ba75440cf77aa

SHA256
67f44b96806a06a0d4ae479c51b24e8409aed7850a4772b7ea2a184a3575b72c

SHA512
968566f72130dbade4425147a060b96dac7118bfa5853bce208d8952a04b0a8e5d45c78f617537628935d37197ea3765689fa18006e1af725eec8287b9c918b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\bookmarkbackups\bookmarks-2024-07-01_11_ScpUM-Ibb5LR1l4-7-Og+g==.jsonlz4
Filesize
950B

MD5
708d579bb783ed9e58c4e87173aa5028

SHA1
54dcdeb367c15a06aa620df1559de185668992a5

SHA256
3f7fa0f3a61236b17951ef95bd63347281c40abbbcce937e8fc787d31c8faa28

SHA512
1c7f8b921e5f32d67b1150e24092ab800ca4939993832cc46f43638bdcce380da1e74b44aa2f368a74e5ae29b76ca1e3a20b837517a4f0464b7af53098772e95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\broadcast-listeners.json
Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
211f4e87eefc51e414e8a8c00a109f3b

SHA1
c83f430a657cec2f8f299fa1f3521fb4ee396887

SHA256
cc2258f3c4eee374c63d7f9560e9d096c1e80e29f316823e2c756d9808169390

SHA512
ff7384cadae278fa758f7683766d3edae3066fdd772b641048a186de8c17ae8f82c4666a702bbdbcdec974bcdb5102a09caad241a9822dd8f1469b4cfa61d553

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\76523cda-7aa4-4ce1-bf6d-83d190d1ecee
Filesize
10KB

MD5
b6ba4376c89a888caaf641ad553c5705

SHA1
ce8ae389a38b01f84cb1c265620d61921cbc3483

SHA256
3dc568e86ea41b53859b0e760afdd62ee36eb4abed904737143d48577cacc3bf

SHA512
de13f14b89c3d80e52a3341c0ebbe38db05ceae2d68877a16d6426f314c7e39a72156110abb26cacb72e67fba25bc21dcedb64197861fa5c2d2d3f98519c0ff3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\c22f2aca-2890-467e-94d4-7cd4749fd794
Filesize
746B

MD5
6d217b35ecb5d1f65b73f01279777cd0

SHA1
491bbf830bb88c3f6a4e93e5347582c99a1c6b18

SHA256
bbfca8a2338a01e03326c9c90820718e75d15e021f6d08435dc44e5129ca2389

SHA512
d0bdc191ca4e0b06cc982844d7f1cdcda68eb4570d3bb65d2cbbfffdb143200057212d2b39b579be88ab191405f1241c07007575381d541c5b29f6c2b4127e61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
6KB

MD5
d6f3b49bd198084d830b3720ac104913

SHA1
9d3963bcdbe63210568af68334470801bc46c917

SHA256
fe46ba402aabaa95f5fa0c8f5210ef061e15d9125296674f64a9f1aba2dd3a5b

SHA512
8ad8e00a2f06ed16806966c05342380c9599b7ed1942f4006b3748c665452671cf73333723c70e01546aebf2700553761eeb6b4db168a46d57d5daecf565fe6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
7KB

MD5
1024dd25efceeafcfd17b54575c3a033

SHA1
f8c858fef6c791b75b98ba0d178f4ea0337014cf

SHA256
ab80c3d9a184a3b1ecfaa23f22196802c3bde839af04bef2c2eb3c6c47bb5df7

SHA512
a075ce9498cfdcee5f785b101330631a27f67891f277877ea79f2bc439007770447096274b8acb3fb9cb9ee3dc63bd53b14dea7f270ba3a5d44fe1be8df5c86c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
6KB

MD5
9eadb871baa847063da8d215251d8ee1

SHA1
4720d2cc5959c2e73eab756c0bc76cadcd74f314

SHA256
753dc6eae6670b111f5dad161ad6b6bcb5eef147435223c4d71e9f2401d5a962

SHA512
b4226a0ce60316a5f32afd085502801764438d171cd2ae2b27b384a9c6fa01ed3cd99ea70a8905bd6003d9210299ca939d344193e695a21b8ba223a1480072c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js
Filesize
7KB

MD5
6ac5b0885a0ed8a2fa307cb48421adcc

SHA1
209cc5d53fa27b9ea121164d3a8247c3fcce03c6

SHA256
e56d06a32e52303fc6da03a2cff47cbcc1d1ece8a69c5e0b31a3e71f2b62b560

SHA512
112cc60962fd0291a1255e9a6f9dffea062a05f0666a29ea9778386ce476ad485a678ef72cd1742bfa5f7d0f911e8ddb6e4fe9ffff1044764c762418d40f716c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
Filesize
6KB

MD5
fe78be53c359b5d624331448600c53f3

SHA1
6a75007089e5fafd64ca1ee4f2e2425b6d640f72

SHA256
852d2faa75aae1f3eb0c893bc9d167a5d6a12ce67ebfb2f1c5eeddc54a08ebee

SHA512
45a2c6b07643cca2fadc51194771eef5fb25396ff500dfb04a44648cea364e942dfc15c44022493a755fdfa2ef42ef15e426e35be60ad8acd04800c5e8a5b72e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs.js
Filesize
6KB

MD5
e3518b2d5e5daedc35c01f4b052884bd

SHA1
fd55827198b62d585dd8b480a0b2235cd8d3fbd0

SHA256
ee23e50f1d2e90c8031b888caae87f50a63d7b54026d5b3c226d4371439c890d

SHA512
a36700e465436d89c375a1a8a921575acbc041087dd5ecbe49a0368b1741e24ae3880e908c808f2ef3b0abfcd63391b08314652aba3481251bdce21cc13a62a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json
Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
e0f291686daccf5dc9567d95e6332be6

SHA1
299c40e1166e9bd55f257820e62452b35a8e5b31

SHA256
2662ae9a17923ae2052c445fc3cbcc8bd25c1e599ca24634fe0c4e3c9d1003d9

SHA512
e602c3ded18cfaeca9286228776701219351693084c5aab19e46af2590171a3c1e8f9af211fb338642ab27a2c04a25216797ca33dec931c9400904a691a5deaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
2dca3e788d259bd652c11279558ab75a

SHA1
654bd1e20abb69ca698deb79e7b8ef61f5ddb9e8

SHA256
d35925d9e33039d5baa39b47fb83176efed0d532b698b1b1829297b9637f360b

SHA512
ba85c37f93c9ef6d6a87fc1e33e5935443d9becf25b2896eb12cd93de54e7b04ce5e3e1ab076b06387b1827c540158cb62946fbac3765779e767a630f0d2a0f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
6c8c19beff13bb112f4bf5f3050501a9

SHA1
26844cc4da03b91f75bf40bdd7fcdb9cc992b7c5

SHA256
e22efd60344d977c33d7d90fe7bbc0461fe757d92560530e676d0e0688ba451a

SHA512
36606a449e644147ae1ad9aa906a957e648a253afd9ebfae3ccc469b0e3b6b34baae4a2fa155187dfa7bba912d5f09f7f03bb4ca588dbdd295b84d6bdb004dd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
978791f3381c0eec3e78c8295fd2beb9

SHA1
a0e3bd20284bd2d7ad1ec34f8f6fa29d11f9b6e4

SHA256
ccc250b38fc28d0a40c182331ede2044f3779edbab50e89f2593e9de0d6149ba

SHA512
f1d09e2649dca60cb07be2456fbc6610074de98d85b5b123752c2e4555ecf82e4509a5f7817f9f216369e331d98e5e3233f83bf3550415f0527ea0fdebff52fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
49de623e7240b5ca152388038fe194cf

SHA1
6586feaa46bbb5b861795332fe63c9c2845b5d8a

SHA256
7ef52f9332dec76d664481126aa2244a602719306ef3afb940c81fee8633041b

SHA512
bc01909a1848f4b5ba8d515e2494a1d298fbbfd9127af936e7abb86192565bc65ce430131c5623d7481ab72deb21afa228f5ca9494f73ad22e12e3d47386ad4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
d5fd7bc447f64cbbd698ec9afa2cc80c

SHA1
1a426f9dd29a292f143419f762da1928c6c48481

SHA256
de8292148197e4c48eefb1f05c1f373f087a14366b230515043b92da607449a5

SHA512
165b39f86547a78aa499c6376663d93b7845b6f29732edf8ce3c34954ab9e12d50067165fc6f108fc3aadb7e390d9cc01c80d5a5c4199c89c590115a029f665a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
29a6fe957a7739e85213adf2b691d4b5

SHA1
c7480ffca5d5b688208364957f0c98db7b8a7573

SHA256
b39a3a0badfe8984e9df85d9eb28c04724b1514b98b806b30146292bb1382d2f

SHA512
30cb88845e131c1be3139e598dda16373fbcb3231e34f9c59140da8bf0569b95dbfa186a32f76274dfe01fc46e082d1fa97c369aad04ae535f8a6241726cda5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
0ed2663971e8051b2bcb574926400fa8

SHA1
467756bf41c377bdb07c8be10d5391f1df1d80a7

SHA256
0c44c9887ebd30506041e4f483422673660df0b74c7468b0cab2c69bee1f4e8c

SHA512
e521f02d0a4dc70e3bb33747c5113c76f18f15b4370826ef13700c4f559c8b158ed1d8ef79d7d88794bfea61496a75d653237391f2f8b5e53d8574a21f113898

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
192KB

MD5
e34232449ba45aa9ba40ed1717e342d2

SHA1
7d8ac8ac389f4871572dd9c6d43ae8f4d87e40dc

SHA256
da7365d5a59a6269cae3489c2d3dc8497ce32ee1b392486e163db5838304d01a

SHA512
265f1d5cf4584af4fb1c52520851cdf5d2db5c0fd63f879d7181f01ebfb07a2e9c7f2e53d756940434b7b83cdf5ad7adcd523eb20bbb1b9186ae973eff74df65

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\targeting.snapshot.json
Filesize
3KB

MD5
03b067be595e77690918fbda21944dc4

SHA1
1f7ad2aab6ea7e30e9fd5734ae037f96153c9aa3

SHA256
273e9d9d53c3fb79a4b0f7f3dbc8ffd936526d74a6807d6bd5f944977528ac0d

SHA512
31872972db369a10e0cafc189386f06ec31eeb3a292b81777e557d891d648eaa063c39a868018136a0e8370627e5867fbcc8ce7dad153b75e28671ad65e280a1

Download Submit
memory/1392-24-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download
memory/1392-47-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download
memory/1392-51-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download
memory/1392-8-0x000001804CEF0000-0x000001804CF12000-memory.dmp

Filesize
136KB

Download
memory/1392-7-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download
memory/1392-6-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download
memory/1392-11-0x000001804CFA0000-0x000001804D016000-memory.dmp

Filesize
472KB

Download
memory/5028-0-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/5028-185-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download
memory/5028-186-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download
memory/5028-1-0x00007FFBDAEE0000-0x00007FFBDB0BB000-memory.dmp

Filesize
1.9MB

Download