Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-07-2024 03:22

General

  • Target

    XClient.exe

  • Size

    38KB

  • MD5

    40fd7f5d00604ab1cc3abf3125acce25

  • SHA1

    7c5e873cdc6cc1441f35e3eb5359b90adf2b6312

  • SHA256

    a43ffa9b770fee9756cb922845498e312a0c46db2bd050808c437f2015901a7c

  • SHA512

    494b8492dedc35d27c42b5131c076c792ebdcf72514a540c9905edb4796e92ee8dc94f43dd8b8968c83128d0c6d2f31e7f3ee9ece6950935db165c08a8b1c4dc

  • SSDEEP

    768:IKpWF9zkAoWaLtTxnbSXFyw9BHs1Ff6rO/hbPyEnlX:IKpWvQAozBbEFr91UFf6rO/xplX

Malware Config

Extracted

  • Family
    xworm
  • Version
    5.0
  • C2
    t-protecting.gl.at.ply.gg:24735
  • Mutex
    1EuBk7bTbdnZc8s4
  • Attributes
    • Install_directory
      %AppData%
    • install_file
      GtagCosmeticGiver.exe
  • aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:548
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GtagCosmeticGiver.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1476
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GtagCosmeticGiver" /tr "C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1740
    • C:\Users\Admin\AppData\Local\Temp\bbplsq.exe
      "C:\Users\Admin\AppData\Local\Temp\bbplsq.exe"
      2⤵
      • Executes dropped EXE
      PID:4496
  • C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4144
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SavePublish.M2TS"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:452
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SavePublish.M2TS"
    1⤵
    PID:740
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4304
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 25753 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33d9751f-61f3-45a4-a862-bb6d9d781816} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" gpu
        3⤵
        PID:4520
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 25789 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95ee5af6-abf0-49bd-849f-d543d0f9656c} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" socket
        3⤵
        • Checks processor information in registry
        PID:1100
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3284 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2956 -prefsLen 25930 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad4d01f2-94cf-4302-8ed4-aea216e4014b} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
        3⤵
        PID:1520
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3772 -childID 2 -isForBrowser -prefsHandle 3784 -prefMapHandle 3832 -prefsLen 31163 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3769bf2b-5f21-4002-b1d2-c528c94ea00e} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
        3⤵
        PID:912
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4460 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4484 -prefsLen 31163 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c10fcce-2ac7-424d-87a3-93d6d1324ab3} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" utility
        3⤵
        • Checks processor information in registry
        PID:2672
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c81a411c-b6b6-47f0-9881-07a89743c01b} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
        3⤵
        PID:1952
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 4 -isForBrowser -prefsHandle 5616 -prefMapHandle 5720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {44fd90b4-7520-4e05-982c-4b223cc8f417} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
        3⤵
        PID:2960
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5940 -prefMapHandle 5948 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15a70e42-60eb-4ac7-bd6d-ac98ce43b7e7} 4304 "\\.\pipe\gecko-crash-server-pipe.4304" tab
        3⤵
        PID:2912
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    PID:436
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      PID:2776
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    PID:2948
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      PID:3872
  • C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:468
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x408 0x520
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • T1059 Command and Scripting Interpreter (1)
      • T1059.001 PowerShell (1)
    • T1053 Scheduled Task/Job (1)
      • T1053.005 Scheduled Task (1)
  • Persistence
    • T1547 Boot or Logon Autostart Execution (1)
      • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1053 Scheduled Task/Job (1)
      • T1053.005 Scheduled Task (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (1)
      • T1547.001 Registry Run Keys / Startup Folder (1)
    • T1053 Scheduled Task/Job (1)
      • T1053.005 Scheduled Task (1)
  • Defense Evasion
    • T1112 Modify Registry (1)
  • Credential Access
    • T1552 Unsecured Credentials (1)
      • T1552.001 Credentials In Files (1)
  • Discovery
    • T1012 Query Registry (3)
    • T1082 System Information Discovery (3)
  • Collection
    • T1005 Data from Local System (1)

Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GtagCosmeticGiver.exe.log
                      Filesize

                      654B

                      MD5

                      2ff39f6c7249774be85fd60a8f9a245e

                      SHA1

                      684ff36b31aedc1e587c8496c02722c6698c1c4e

                      SHA256

                      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                      SHA512

                      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      77d622bb1a5b250869a3238b9bc1402b

                      SHA1

                      d47f4003c2554b9dfc4c16f22460b331886b191b

                      SHA256

                      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                      SHA512

                      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      63aec5618613b4be6bd15b82345a971e

                      SHA1

                      cf3df18b2ed2b082a513dd53e55afb720cefe40e

                      SHA256

                      f67a667039290434cad954285ef9a93ab76b848158bb7fd1f698bd76b5bdd721

                      SHA512

                      a6c3b084ae6b41b2c3a9acb90a6f52a5acaff3bd94927389aa6698d1f2713e494b2e8f190cbbc963d56d8d30d5644df0e5c616c1f081d19275e0803dc576a033

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      4165c906a376e655973cef247b5128f1

                      SHA1

                      c6299b6ab8b2db841900de376e9c4d676d61131e

                      SHA256

                      fb0b3c822d300abbb892e6f218d6b4b62b80bb26d9184d1f4c731600053a3fc4

                      SHA512

                      15783f2d3687388339c06423bd18c17a5704cd367bf1a1d08e436088984c0b5c52dc88d3b8455495a8051ba9f977aae34b69453e5ee252d928e74dcdebd4a11a

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      18KB

                      MD5

                      f058c0bfd3f016ff04af0fe62c279cad

                      SHA1

                      697a36f5059b623f236d94d705d8821bbf447720

                      SHA256

                      cd0c06c298eb0076ddc77d0292b29432bafffd09a23d14f1b15e992844a956ed

                      SHA512

                      f11bb8cd1e81c1b5f943bbc4e25615f5c7c2a33f288ed88971b3b8ea270690c254ef04766a862a4c62216e7f457d99bfc4d83592d0e65b52dda13f4d04a979d1

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hjlxof14.abo.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    • C:\Users\Admin\AppData\Local\Temp\bbplsq.exe
                      Filesize

                      131KB

                      MD5

                      bd65d387482def1fe00b50406f731763

                      SHA1

                      d06a2ba2e29228f443f97d1dd3a8da5dd7df5903

                      SHA256

                      1ab7375550516d7445c47fd9b551ed864f227401a14ff3f1ff0d70caca3bd997

                      SHA512

                      351ecd109c4d49bc822e8ade73a9516c4a531ebcda63546c155e677dcff19708068dc588b2fcf30cad086238e8b206fc5f349d37dda02d3c3a8d9b570d92e4d9

                    • C:\Users\Admin\AppData\Roaming\GtagCosmeticGiver.exe
                      Filesize

                      38KB

                      MD5

                      40fd7f5d00604ab1cc3abf3125acce25

                      SHA1

                      7c5e873cdc6cc1441f35e3eb5359b90adf2b6312

                      SHA256

                      a43ffa9b770fee9756cb922845498e312a0c46db2bd050808c437f2015901a7c

                      SHA512

                      494b8492dedc35d27c42b5131c076c792ebdcf72514a540c9905edb4796e92ee8dc94f43dd8b8968c83128d0c6d2f31e7f3ee9ece6950935db165c08a8b1c4dc

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GtagCosmeticGiver.lnk
                      Filesize

                      823B

                      MD5

                      714933964af9d9c57ab098ea2f766f67

                      SHA1

                      346594e15d730728754004067ef9253793707f3f

                      SHA256

                      32c935a9bcdc8ef95a8dd943f9834c70b9d519891008a9c5fa81ecd942a9b242

                      SHA512

                      14a9aedaabeed2ee45ec22d9870829b11ce99402619ec4b07542f21c54ede79c2a61643debdaa97a44458ad2f72d8d3c218a51b3e6114306b86a0bff6c697f2e

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\AlternateServices.bin
                      Filesize

                      6KB

                      MD5

                      8e12a86a8f85c892c9c5a7eb15671019

                      SHA1

                      930dda8e9ea2ce7e841e6e1b21481067e0dc04f2

                      SHA256

                      99f77159c3858c263c3665e1e8b1461759f3fe0674e1c1e4f8477cd780296f7b

                      SHA512

                      b1c6035a2f7d95e86cbcc3319d6c69b7fc27b1849064fe6235e4d253bbe97003ca7b4778599b45f2a5e2a330cfa2359f99f33c13f618a6b1595a16c5d44513a3

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      22KB

                      MD5

                      dd95d66db3410293e26f2d5733f0fa8e

                      SHA1

                      fe9860b7bbd5fb28069229efb716219f65ae51e9

                      SHA256

                      4ba4ca0e7a1864600b2cf0038878510845e9485af93c4367481b7dcd15c2ffc6

                      SHA512

                      3827f00819754e40e945b632c0a410b22539bfdf0c91c7a62e2d35623a65029d3674b575bab504f0f9ee599d2042df853b53475dd4fd72d4823b0745f98ec28b

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      21KB

                      MD5

                      37bba839c8b30d381eb797a46497e9ea

                      SHA1

                      b27d636af1557c706e8055ea395b86dcb431cd21

                      SHA256

                      fecfac36109a7a463571bb82edae75885d2f1c83ee754c652b80239511c4c5af

                      SHA512

                      1c36511600d3549641de74c5620bb8f731aef89e668a7b83e18223d90c9b44aaf0439d19c6669a4f84253cf3cdbc7541ae57548cbdaf9b42abe63d9ea1bfc2de

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      22KB

                      MD5

                      c2dabad1a62b63d9dbc902e9f6a573a0

                      SHA1

                      371609f590c447285b401aec0c3c1744461b2b50

                      SHA256

                      408c5af50a9cc4a705fcc0293283f27cb8b1571e4a578f15279b08478a92a140

                      SHA512

                      6bb0285d8f318e7e0e15325ea77a8efd8821e5e789de370c5d8f06dae2d1e7851955b4f98085e77dcc1841dffd652d2978a2c0b235e61d796296240845f47ab5

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\1507d9a3-c0d2-4af1-9c68-d2586fa35b64
                      Filesize

                      982B

                      MD5

                      761acf532df1ab6f0747ee606fcd454c

                      SHA1

                      6cbbaa8778b592b8b89bfd56a3c0d2bfd50501d7

                      SHA256

                      be3a52f2b2b0c85913ff5ddee0706a56cfb06f7b518d7bfb464f1c76d9726c4a

                      SHA512

                      6310b63719489e947aacca18266dde8ccc28e8eb9f87373e98b5a5d5773cdec2cec5790971465657a36d6899b55f0e31d80e3d876f05660b4af6eeb07e726acb

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\datareporting\glean\pending_pings\1cb04339-5421-40c0-a1ed-1dcb6bd908ef
                      Filesize

                      659B

                      MD5

                      5e31017e8e9e2f8afbf7b9624e9b01ac

                      SHA1

                      a528a935e7546cefc5258afd4dd6001a1b715441

                      SHA256

                      7c3f2acc3b4dc3811e054cb469127ac736427951cf1f7f9cb9b0e9234b3176da

                      SHA512

                      65b57dd14d7343c3ee3ac50689919255712a3ad4ec85dfaefd9eced743f0c5cec9c089741b5b3e45eec82bb8a051ffaf816262351b0861060cb7fe7bbb6d540e

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs-1.js
                      Filesize

                      10KB

                      MD5

                      f6a766e4c70b2b22418b7ce43b01b10d

                      SHA1

                      dc0ff96917a1755f66204447ebe57aa471d4f1e8

                      SHA256

                      01d56a4fb96afce34ad83f1b2d799b59fb106ea2909e8704889fb77ef7106df4

                      SHA512

                      ac176cc9d0491b3cf0f535569d77ecd411e295b97414401e38c0b8fa4dc043ecfb3247210b5ec9c2c9d70b9baff647820338103e81a5ae4b90fd7a6dbaae4bc7

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\prefs.js
                      Filesize

                      8KB

                      MD5

                      b759a48a1f709035e74528cc6f47c5fb

                      SHA1

                      9c2a1c8bc069157d72ea76daf944a9b0c81b85f7

                      SHA256

                      14101a450a352e958a953da6579fa139d1171ccaa4c03dd4274970519d3fd296

                      SHA512

                      4b1647a2a27ccc4202fdd54ca856be5e484fb8191ae8aea13b095a8b4efbffee556985b5f15b97ac9fa9a7e8ade41351e0328546c073ae4bf900de3a071f4246

                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vcc2x7ul.default-release\sessionCheckpoints.json
                      Filesize

                      288B

                      MD5

                      948a7403e323297c6bb8a5c791b42866

                      SHA1

                      88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

                      SHA256

                      2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

                      SHA512

                      17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

                    • memory/452-417-0x00007FFCCD4B0000-0x00007FFCCD4C8000-memory.dmp
                      Filesize

                      96KB

                    • memory/452-429-0x00007FFCC08D0000-0x00007FFCC08E1000-memory.dmp
                      Filesize

                      68KB

                    • memory/452-527-0x00007FFCB00E0000-0x00007FFCB1190000-memory.dmp
                      Filesize

                      16.7MB

                    • memory/452-425-0x00007FFCB00E0000-0x00007FFCB1190000-memory.dmp
                      Filesize

                      16.7MB

                    • memory/452-426-0x00007FFCB6C90000-0x00007FFCB6CD1000-memory.dmp
                      Filesize

                      260KB

                    • memory/452-427-0x00007FFCC5650000-0x00007FFCC5671000-memory.dmp
                      Filesize

                      132KB

                    • memory/452-428-0x00007FFCC8110000-0x00007FFCC8128000-memory.dmp
                      Filesize

                      96KB

                    • memory/452-430-0x00007FFCC0210000-0x00007FFCC0221000-memory.dmp
                      Filesize

                      68KB

                    • memory/452-431-0x00007FFCBAFA0000-0x00007FFCBAFB1000-memory.dmp
                      Filesize

                      68KB

                    • memory/452-432-0x00007FFCB2AD0000-0x00007FFCB2B2C000-memory.dmp
                      Filesize

                      368KB

                    • memory/452-415-0x00007FFCC9A30000-0x00007FFCC9A64000-memory.dmp
                      Filesize

                      208KB

                    • memory/452-418-0x00007FFCCD3F0000-0x00007FFCCD407000-memory.dmp
                      Filesize

                      92KB

                    • memory/452-419-0x00007FFCCD340000-0x00007FFCCD351000-memory.dmp
                      Filesize

                      68KB

                    • memory/452-420-0x00007FFCCA050000-0x00007FFCCA067000-memory.dmp
                      Filesize

                      92KB

                    • memory/452-421-0x00007FFCC9340000-0x00007FFCC9351000-memory.dmp
                      Filesize

                      68KB

                    • memory/452-424-0x00007FFCB2490000-0x00007FFCB269B000-memory.dmp
                      Filesize

                      2.0MB

                    • memory/452-422-0x00007FFCC8F00000-0x00007FFCC8F1D000-memory.dmp
                      Filesize

                      116KB

                    • memory/452-414-0x00007FF77D020000-0x00007FF77D118000-memory.dmp
                      Filesize

                      992KB

                    • memory/452-423-0x00007FFCC8EE0000-0x00007FFCC8EF1000-memory.dmp
                      Filesize

                      68KB

                    • memory/452-416-0x00007FFCB18F0000-0x00007FFCB1BA6000-memory.dmp
                      Filesize

                      2.7MB

                    • memory/548-5-0x000002297F640000-0x000002297F662000-memory.dmp
                      Filesize

                      136KB

                    • memory/548-15-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp
                      Filesize

                      10.8MB

                    • memory/548-18-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp
                      Filesize

                      10.8MB

                    • memory/548-3-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp
                      Filesize

                      10.8MB

                    • memory/548-4-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp
                      Filesize

                      10.8MB

                    • memory/740-107-0x00007FFCC9A30000-0x00007FFCC9A64000-memory.dmp
                      Filesize

                      208KB

                    • memory/740-115-0x00007FFCCD3F0000-0x00007FFCCD407000-memory.dmp
                      Filesize

                      92KB

                    • memory/740-106-0x00007FF77D020000-0x00007FF77D118000-memory.dmp
                      Filesize

                      992KB

                    • memory/740-108-0x00007FFCB18F0000-0x00007FFCB1BA6000-memory.dmp
                      Filesize

                      2.7MB

                    • memory/740-116-0x00007FFCCD340000-0x00007FFCCD351000-memory.dmp
                      Filesize

                      68KB

                    • memory/740-114-0x00007FFCCD4B0000-0x00007FFCCD4C8000-memory.dmp
                      Filesize

                      96KB

                    • memory/1576-100-0x000000001C4D0000-0x000000001C4DC000-memory.dmp
                      Filesize

                      48KB

                    • memory/1576-101-0x000000001E4E0000-0x000000001E830000-memory.dmp
                      Filesize

                      3.3MB

                    • memory/1576-0-0x00007FFCB9F53000-0x00007FFCB9F55000-memory.dmp
                      Filesize

                      8KB

                    • memory/1576-99-0x000000001B480000-0x000000001B488000-memory.dmp
                      Filesize

                      32KB

                    • memory/1576-97-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp
                      Filesize

                      10.8MB

                    • memory/1576-96-0x00007FFCB9F53000-0x00007FFCB9F55000-memory.dmp
                      Filesize

                      8KB

                    • memory/1576-57-0x000000001DDC0000-0x000000001DEE0000-memory.dmp
                      Filesize

                      1.1MB

                    • memory/1576-98-0x0000000000F60000-0x0000000000F6E000-memory.dmp
                      Filesize

                      56KB

                    • memory/1576-2-0x00007FFCB9F50000-0x00007FFCBAA11000-memory.dmp
                      Filesize

                      10.8MB

                    • memory/1576-1-0x0000000000790000-0x00000000007A0000-memory.dmp
                      Filesize

                      64KB