Analysis
max time kernel: 143s
max time network: 146s
platform: windows11-21h2_x64
resource: win11-20250217-en
resource tags: arch:x64, arch:x86, image:win11-20250217-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/03/2025, 02:42
Behavioral task: behavioral1
Sample: unbannedgg val cl3aner.exe
Resource: win10v2004-20250217-en

Behavioral task: behavioral2
Sample: unbannedgg val cl3aner.exe
Resource: win11-20250217-en
General
Target: unbannedgg val cl3aner.exe
Size: 42KB
MD5: ddaca7ade8d5d4f1f2c1b8effa9e2e08
SHA1: 109429140514f86626d9307f2b3a988737030411
SHA256: fefbb7e062fec0292c8c99654aae9b865f6d53742e39e7db1279b637feb1619d
SHA512: 14fd4aff9363afa5480095852304885ebfdfc60d6874cd647dd84846ce11c00868e94fad9b45fd8891619657b8a39a1c39f5bee6f73db19ccac58e011e430c29
SSDEEP: 768:h4Mrj8n817YkWgHi6uZbLQSTj9KZKfgm3Eh0o:dVtHinLQSTJF7EKo
Malware Config
Extracted
mercurialgrabber
https://discord.com/api/webhooks/1347394180963635261/3yeSB0XzUxLp12KVb8L8cV-gibC8yJbxfQ_guUp41CqeAlFe5LHGeWui0W7HJVdU33Ot
Signatures
-
Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.
-
Mercurialgrabber family
-
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (process: unbannedgg val cl3aner.exe)
-
Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools (process: unbannedgg val cl3aner.exe)
-
Checks BIOS information in registry (2 TTPs, 1 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: unbannedgg val cl3aner.exe)
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow 1: discord.com
  flow 5: discord.com
  flow 6: discord.com
  flow 42: discord.com
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 3: ip-api.com
  flow 1: ip4.seeip.org
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: unbannedgg val cl3aner.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: unbannedgg val cl3aner.exe)
-
Checks SCSI registry key(s) (3 TTPs, 1 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S (process: unbannedgg val cl3aner.exe)
-
Checks processor information in registry (2 TTPs, 10 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (process: firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (process: firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (process: firefox.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: firefox.exe)
  Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (process: unbannedgg val cl3aner.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (process: firefox.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: unbannedgg val cl3aner.exe)
-
Enumerates system info in registry (2 TTPs, 4 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer (process: unbannedgg val cl3aner.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName (process: unbannedgg val cl3aner.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 (process: unbannedgg val cl3aner.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation (process: unbannedgg val cl3aner.exe)
-
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid 4440: vlc.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 4440: vlc.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege (pid 5016, process: unbannedgg val cl3aner.exe)
  Token: SeDebugPrivilege (pid 2196, process: firefox.exe)
  Token: SeDebugPrivilege (pid 2196, process: firefox.exe)
-
Suspicious use of FindShellTrayWindow (24 IoCs)
  pid 4440: vlc.exe
  pid 2196: firefox.exe
-
Suspicious use of SendNotifyMessage (2 IoCs)
  pid 4440: vlc.exe
  pid 4440: vlc.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 4440: vlc.exe
  pid 2196: firefox.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4092 wrote to memory of 2196 (pid 4092, process: firefox.exe, procid_target 88)
  PID 2196 wrote to memory of 4636 (pid 2196, process: firefox.exe, procid_target 89)
  PID 2196 wrote to memory of 1904 (pid 2196, process: firefox.exe, procid_target 90)
-
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\unbannedgg val cl3aner.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\unbannedgg val cl3aner.exe"
PID: 5016
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\VideoLAN\VLC\vlc.exe
Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe"
PID: 4440
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
PID: 4092
- Suspicious use of WriteProcessMemory
  C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 2196
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 27689 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79fe2111-b0c5-467f-ac5a-3ae38a9659de} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" gpu
    PID: 4636

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2320 -prefMapHandle 2308 -prefsLen 27567 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2acdc41-7c25-435f-b878-ab476e4f93dd} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" socket
    PID: 1904

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3276 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3272 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c50a811-100c-4731-9990-47822f0b5be6} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab
    PID: 2508

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 32941 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2553d12a-a955-41b0-a05b-92a22766e867} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab
    PID: 3728

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4012 -prefMapHandle 4972 -prefsLen 32776 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b0995c5-19f0-4fb8-b9c5-43d79a9e186f} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" utility
    PID: 3196
    - Checks processor information in registry

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5384 -prefMapHandle 4796 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15f3728a-8886-48fa-958e-f471b912d609} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab
    PID: 2124

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 4 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e0d60fd-44be-40d3-a1d7-041eeeec0ecb} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab
    PID: 4932

    C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5648 -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 996 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8c84619-1bfb-4ed1-a87e-bcc21ee3f10d} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab
    PID: 2364
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores (1)
Credentials from Web Browsers (1)
Unsecured Credentials (1)
Credentials In Files (1)
Downloads