Analysis

  • max time kernel
    45s
  • max time network
    34s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    02-03-2024 22:10

General

  • Target

    Chernobyl.exe

  • Size

    343KB

  • MD5

    d576e0520faa40435d5bdc66304205f9

  • SHA1

    b99fce6ebd094e2cbc29e1ed4e47360781e86c47

  • SHA256

    2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6

  • SHA512

    6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98

  • SSDEEP

    6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 18 IoCs
  • Modifies file permissions 1 TTPs 18 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:652
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3468
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:3944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4660
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:2568
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4524
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4532
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:3604
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      PID:2676
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:756
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4332
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:2008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      PID:4892
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4344
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Windows\SysWOW64\rundll32.exe
        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
        3⤵
        PID:4940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
      2⤵
      PID:1316
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\smss.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
      2⤵
      PID:1304
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\csrss.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
      2⤵
      PID:4536
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\wininit.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
      2⤵
      PID:4956
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4844
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
      2⤵
      PID:4848
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\lsass.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3852
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
      2⤵
      PID:2112
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\services.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3964
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
      2⤵
      PID:3172
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winlogon.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4100
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
      2⤵
      PID:764
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winload.efi
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
      2⤵
      PID:1072
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\winload.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4788
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
      2⤵
      PID:3244
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\ntoskrnl.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1212
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
      2⤵
      PID:1724
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\svchost.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2660
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3220
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit
      2⤵
      PID:4920
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers\afunix.sys
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2644
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:4868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
      2⤵
      PID:1000
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers\gm.dls
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3336
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
      2⤵
      PID:1328
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32\drivers\gmreadme.txt
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3648
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2420
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    PID:1600
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:772
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.0.804939911\2058502957" -parentBuildID 20221007134813 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8093f46-6531-49ad-86f2-0d29754f9515} 772 "\\.\pipe\gecko-crash-server-pipe.772" 1868 1bb5e5ece58 gpu
        3⤵
        PID:1988
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.1.389972522\610862226" -parentBuildID 20221007134813 -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4e5375-e6bf-47a5-ac0d-fb85d66c8738} 772 "\\.\pipe\gecko-crash-server-pipe.772" 2248 1bb5e3fdb58 socket
        3⤵
        • Checks processor information in registry
        PID:3360
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.2.564337861\375763627" -childID 1 -isForBrowser -prefsHandle 1516 -prefMapHandle 1596 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04a0e4ba-3d64-40d5-af1e-51e6ef17b45e} 772 "\\.\pipe\gecko-crash-server-pipe.772" 3044 1bb5e564858 tab
        3⤵
        PID:4928
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.3.1510392747\1306846195" -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 3436 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7992c1b0-6164-4952-86e1-40dd362b5bfd} 772 "\\.\pipe\gecko-crash-server-pipe.772" 3448 1bb63e59958 tab
        3⤵
        PID:3180
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.4.2050973242\177984452" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5680a3e-ad1b-4245-a022-686df4788ef3} 772 "\\.\pipe\gecko-crash-server-pipe.772" 4480 1bb653cfa58 tab
        3⤵
        PID:3116
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.5.272637884\1124764959" -childID 4 -isForBrowser -prefsHandle 5040 -prefMapHandle 5076 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adcf3a11-09ae-46d6-82ae-8052fae42d75} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5108 1bb65d31f58 tab
        3⤵
        PID:4776
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.6.1575036043\1578531317" -childID 5 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7125f588-1a40-430a-82e0-a5285bea3990} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5220 1bb65d32b58 tab
        3⤵
        PID:1660
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="772.7.210850769\675639257" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5420 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c6bcbee-5eae-453b-bbc9-83b06a60f83d} 772 "\\.\pipe\gecko-crash-server-pipe.772" 5500 1bb65d32e58 tab
        3⤵
        PID:2288

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\db\data.safe.bin

    Filesize

    2KB

    MD5

    1a219a35746a8af91ee769d9a718ebd3

    SHA1

    cb1b4e8278b4e4323ca6569474c5783421f9b8ce

    SHA256

    25bae03d926c05280c40db7dda9733a5404b6c83ea1a742a6f36cc04bc051aa4

    SHA512

    651a454d65918cf7e5d8c55e5f3538b685fda91de1e715a35768b8efda59fc935982bdf68a306eea253191df3c1505c4cfa7bdac45fbdf78acb38edcd8765adf

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\092f32ea-8f48-4e64-9b90-08c7128dd40f

    Filesize

    11KB

    MD5

    842543c3cc9657902b9d4c57f8133b8b

    SHA1

    e3f34359d6b3ba524fdac1567314446066d579c8

    SHA256

    727b501dcf5c74b0ee9a74b3da64b07b8f09dd71da2e071470a303677f6f832f

    SHA512

    5dbe80ea5f84a9c2bdea88715da6381f000e68c3ee7f2dc3ad7adb13be69ec82fc543273568fcbdaf043f4cdc22feab8bd42c289793aa2c08f137fea06974788

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\datareporting\glean\pending_pings\1f9a717a-cb03-4524-ac0b-42df16e91d11

    Filesize

    746B

    MD5

                                                                            31c9c9506b8c3e8eba0eba29878e0cb6

                                                                            SHA1

                                                                            bf66d23ad98836c2423072d0c86352656fa8e5f2

                                                                            SHA256

                                                                            99a9542852053713f239ba652546e89f9f57fe9745ffa3013fd10ed6dff26dcb

                                                                            SHA512

                                                                            03d042c0565c1d421f857b7c01ca85850f32ee4cd97b145f486fbbbe7de5746c712247dc20d486e277e7c0ce71e9bf684aafc0d928e12eea7660d9907eb7d0ae

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\prefs-1.js

                                                                            Filesize

                                                                            6KB

                                                                            MD5

                                                                            97584a8da73c197d83c2539e4f05e65e

                                                                            SHA1

                                                                            68660d8a69cd5732c3682be7db6516a31a5cfed6

                                                                            SHA256

                                                                            a9dc4d7dc475adf8a0ad9670ac66a81fb0b03ce2a2f7de61e2378b3b86e1dcb6

                                                                            SHA512

                                                                            c3b76f62d8dd09edadb9576ce72380e90ede5724a2d9e9736c4d9f7697158c90dd81e06e48c89683472587f3cdd4d4c2e0447ee0ca0095bd7b3bbbd0fafdf733

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\sessionCheckpoints.json

                                                                            Filesize

                                                                            181B

                                                                            MD5

                                                                            2d87ba02e79c11351c1d478b06ca9b29

                                                                            SHA1

                                                                            4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

                                                                            SHA256

                                                                            16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

                                                                            SHA512

                                                                            be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

                                                                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vkmkrhdv.default-release\sessionstore.jsonlz4

                                                                            Filesize

                                                                            883B

                                                                            MD5

                                                                            cd9a559a673cdd68add6e37dfac24165

                                                                            SHA1

                                                                            e6e03441c58083237e426390d4f08d5fc9a8a334

                                                                            SHA256

                                                                            8549e0a16871100f22bc75712d59f6f01cb750fbfb33de98d6ceed953ab2a10a

                                                                            SHA512

                                                                            e423b2a064c6a419ef9e60c1d3a8ab042f01f8cc21d44ba3165d25c3520c0ca96ad7721f793236b10d8ad7bc4b07426bb64da746a92d669aacbce7168284ffad

                                                                          • C:\Users\Admin\Desktop\Âěí▌™╬ř♪↑™®☺╠◘╚↕♪åπå¾♠♫╚¶▌►▌«◄×■▲ńŸ◘®²ï◘æ8▲Ç7íσ≈5▄夜6å2ï▀ñ▬ó╚ě╔▼é▀õ¾♣╚◄╥ß≈♫φ╔₧₧♀☺╔₧š☻▄Ç▌¶▐ε♠•µ╥○σ±é

                                                                            Filesize

                                                                            666B

                                                                            MD5

                                                                            9e1e5883c74742a497cf5c272ccd2321

                                                                            SHA1

                                                                            2cf33e34d08b8e17743a60352baffef4b6f02dee

                                                                            SHA256

                                                                            ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a

                                                                            SHA512

                                                                            f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

                                                                          • memory/652-3-0x00000000055C0000-0x0000000005B66000-memory.dmp

                                                                            Filesize

                                                                            5.6MB

                                                                          • memory/652-310-0x00000000745D0000-0x0000000074D81000-memory.dmp

                                                                            Filesize

                                                                            7.7MB

                                                                          • memory/652-309-0x0000000006260000-0x000000000626A000-memory.dmp

                                                                            Filesize

                                                                            40KB

                                                                          • memory/652-4-0x0000000005310000-0x0000000005320000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/652-376-0x0000000005310000-0x0000000005320000-memory.dmp

                                                                            Filesize

                                                                            64KB

                                                                          • memory/652-1-0x00000000745D0000-0x0000000074D81000-memory.dmp

                                                                            Filesize

                                                                            7.7MB

                                                                          • memory/652-2-0x0000000004F70000-0x0000000005002000-memory.dmp

                                                                            Filesize

                                                                            584KB

                                                                          • memory/652-0-0x00000000004B0000-0x000000000050C000-memory.dmp

                                                                            Filesize

                                                                            368KB