Analysis

  • max time kernel
    57s
  • max time network
    55s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20240221-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    02-03-2024 21:58

General

  • Target

    Chernobyl.exe

  • Size

    343KB

  • MD5

    d576e0520faa40435d5bdc66304205f9

  • SHA1

    b99fce6ebd094e2cbc29e1ed4e47360781e86c47

  • SHA256

    2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6

  • SHA512

    6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98

  • SSDEEP

    6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 18 IoCs
  • Modifies file permissions 1 TTPs 18 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Modifies WinLogon 2 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
    "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks whether UAC is enabled
    • Modifies WinLogon
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:236
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:2240
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:3704
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:2000
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:2784
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:4880
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:1288
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:4812
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:492
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:2444
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:2148
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:416
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:4048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:5064
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:4156
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:4496
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:4524
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:3112
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:1896
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:4672
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:4352
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:4840
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
        2⤵
        PID:2012
          • C:\Windows\SysWOW64\rundll32.exe
            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
            3⤵
            PID:4292
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
        2⤵
        PID:4064
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\smss.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:4088
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
        2⤵
        PID:4052
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\csrss.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:3528
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
        2⤵
        PID:2572
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\wininit.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
        2⤵
        PID:4980
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\LogonUI.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:360
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
        2⤵
        PID:1276
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\lsass.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
        2⤵
        PID:3404
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\services.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1852
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
        2⤵
        PID:1044
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\winlogon.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
        2⤵
        PID:5060
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\winload.efi
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
        2⤵
        PID:4260
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\winload.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:4508
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
        2⤵
        PID:2908
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\ntoskrnl.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
        2⤵
        PID:844
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\svchost.exe
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:360
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1624
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit
        2⤵
        PID:1932
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\drivers\afunix.sys
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:4620
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:3360
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
        2⤵
        PID:4460
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\drivers\gm.dls
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:2172
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
        2⤵
        PID:4576
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            3⤵
            PID:4088
          • C:\Windows\SysWOW64\takeown.exe
            takeown /f C:\Windows\System32\drivers\gmreadme.txt
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2164
          • C:\Windows\SysWOW64\icacls.exe
            icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
            3⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:2148
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1224
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff866623cb8,0x7ff866623cc8,0x7ff866623cd8
        2⤵
        PID:4996
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
        2⤵
        PID:4036
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4240
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
        2⤵
        PID:2792
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
        2⤵
        PID:1992
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
        2⤵
        PID:2976
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
                                                                                              2⤵
                                                                                                PID:2256
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
                                                                                                2⤵
                                                                                                  PID:2648
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
                                                                                                  2⤵
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:1920
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
                                                                                                  2⤵
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  PID:4720
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
                                                                                                  2⤵
                                                                                                    PID:1244
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
                                                                                                    2⤵
                                                                                                      PID:3448
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
                                                                                                      2⤵
                                                                                                        PID:3152
                                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                      1⤵
                                                                                                        PID:4720
                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                        1⤵
                                                                                                          PID:4048
                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                          1⤵
                                                                                                            PID:3204
                                                                                                            • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                              "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                                              2⤵
                                                                                                              • Checks processor information in registry
                                                                                                              • Modifies registry class
                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                              PID:4856
                                                                                                              • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.0.1689005995\580394863" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6d9bf5-3848-4575-8eac-1521c4445348} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 1916 1b3b5dd0d58 gpu
                                                                                                                3⤵
                                                                                                                  PID:1656
                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.1.1116556757\2130748850" -parentBuildID 20221007134813 -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e902fc2f-7be0-4da8-870f-038a71fded79} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 2288 1b3b5535858 socket
                                                                                                                  3⤵
                                                                                                                  • Checks processor information in registry
                                                                                                                  PID:4600
                                                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.2.1352877293\1179078735" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 3004 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d4ef7f-d36c-48a8-90aa-78fa0a693857} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 2880 1b3bad0d258 tab
                                                                                                                  3⤵
                                                                                                                    PID:5472
                                                                                                                  • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.3.1921512779\1662043993" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a53f87-fa23-4d2c-b19c-0b4342444281} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 3448 1b3b81a3b58 tab
                                                                                                                    3⤵
                                                                                                                      PID:5584
                                                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.4.2059208561\1358413395" -childID 3 -isForBrowser -prefsHandle 4540 -prefMapHandle 4536 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc5c7c88-5292-4a35-aee9-c057b1e890df} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 4552 1b3bc8e8b58 tab
                                                                                                                      3⤵
                                                                                                                        PID:5976
                                                                                                                      • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.5.1858833296\391796547" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b5aabba-001d-4f78-99d6-910f2a329a5c} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 4920 1b3bb27d358 tab
                                                                                                                        3⤵
                                                                                                                          PID:5376
                                                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.6.1881628467\523363881" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2bab70-a865-40cb-82c8-d35237054246} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5064 1b3bd224458 tab
                                                                                                                          3⤵
                                                                                                                            PID:5384
                                                                                                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.7.937829047\1034852740" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0516741-4342-4067-906c-093f3a2046e9} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5248 1b3bd225f58 tab
                                                                                                                            3⤵
                                                                                                                              PID:1060
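The tree above is the sandbox's own listing: each entry is a bulleted image path, its command line, an `N⤵` marker giving the nesting depth (an entry's parent is the most recent entry one level up), optional bulleted behaviour tags, and a `PID:` line that closes the entry. Added example, not code from the report or its vendor: a Python parser that rebuilds parent/child links from that layout so a lineage such as firefox.exe launcher → firefox.exe → content process can be read off programmatically. Because this report shows PID 4720 both for identity_helper.exe and for a CompPkgSrv.exe instance, the parser keys nodes on their position in the listing and returns a list for a PID lookup rather than assuming PIDs are unique. The sample input is constructed in the same layout and abbreviated from the Firefox and CompPkgSrv entries above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the tree above (not the full tree):
# bulleted image path, command line, "<depth>⤵" nesting marker, zero or more
# bulleted behaviour tags, then "PID:<n>" closing the entry.
SAMPLE = r"""
• C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  1⤵
  PID:3204
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    2⤵
    • Checks processor information in registry
    • Suspicious use of SetWindowsHookEx
    PID:4856
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -childID 1 -isForBrowser tab
      3⤵
      PID:5472
• C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  1⤵
  PID:4720
"""
_PATH = re.compile(r"^[A-Za-z]:\\")  # a bullet naming an image path opens a new entry
_DEPTH = re.compile(r"^(\d+)⤵$")
_PID = re.compile(r"^PID:(\d+)$")

@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = -1
    tags: list[str] = field(default_factory=list)
    children: list["Proc"] = field(default_factory=list)
    parent: "Proc | None" = None

def parse_tree(text: str) -> list[Proc]:
    """An entry at depth d is a child of the most recent closed entry at depth d-1."""
    roots, latest, cur = [], {}, None   # latest: depth -> most recent entry at that depth
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):
            body = line[2:]
            if _PATH.match(body):
                cur = Proc(image=body)            # new process entry
            elif cur is not None:
                cur.tags.append(body)             # behaviour tag of the open entry
        elif cur is None:
            continue                              # stray text outside any entry
        elif m := _DEPTH.match(line):
            cur.depth = int(m.group(1))
        elif m := _PID.match(line):
            cur.pid = int(m.group(1))             # the PID line closes the entry
            parent = latest.get(cur.depth - 1)
            if parent is None:
                roots.append(cur)
            else:
                cur.parent = parent
                parent.children.append(cur)
            # deeper entries belong to an earlier subtree and cannot be parents any more
            latest = {d: p for d, p in latest.items() if d < cur.depth}
            latest[cur.depth] = cur
            cur = None
        elif not cur.cmdline:
            cur.cmdline = line                    # first plain line is the command line
    return roots

def walk(roots: list[Proc]):
    """Depth-first generator over every entry, in listing order."""
    stack = list(reversed(roots))
    while stack:
        p = stack.pop()
        yield p
        stack.extend(reversed(p.children))

def find_by_pid(roots: list[Proc], pid: int) -> list[Proc]:
    """All entries with this PID: sandboxes reuse PIDs, so key on the entry, not the number."""
    return [p for p in walk(roots) if p.pid == pid]

def lineage(p: Proc) -> list[int]:
    """PIDs from the root down to p, e.g. launcher -> browser -> content process."""
    chain = []
    while p is not None:
        chain.append(p.pid)
        p = p.parent
    return chain[::-1]

def render(roots: list[Proc]) -> str:
    """One line per process, indented by depth, with its behaviour tags."""
    return "\n".join(
        f"{'  ' * (p.depth - 1)}{p.pid:>5}  {p.image}" + (f"  [{'; '.join(p.tags)}]" if p.tags else "")
        for p in walk(roots))

if __name__ == "__main__":
    print(render(parse_tree(SAMPLE)))
```

To use it on this report, paste the whole process-tree text into `parse_tree` in place of `SAMPLE`; `find_by_pid(roots, 4720)` then returns two entries, which is the PID-reuse case the list return type exists for.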

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: d4604cbec2768d84c36d8ab35dfed413
  SHA1: a5b3db6d2a1fa5a8de9999966172239a9b1340c2
  SHA256: 4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
  SHA512: c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 577e1c0c1d7ab0053d280fcc67377478
  SHA1: 60032085bb950466bba9185ba965e228ec8915e5
  SHA256: 1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
  SHA512: 39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: b903ad04d41db820d8936ad903c3c765
  SHA1: 0256c1eaa8e6274696c305213c7ca710ab65a9bd
  SHA256: 0a3777342a681a83ffa0fa66ec9c0c7ee81325f27fd08d61daa6d51a25bff4a1
  SHA512: 9499596f4e5355aa7e38c0eefa74f47447f0d63f11166f68472ceb3b06c7dd21de32c32d0680f6e27d248f96ded97d6427b640b0775892f4f44ba529389b924f

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: c2d9145a013ebbc25cb1bfb1b054b54b
  SHA1: 59f234418cb788fcb2ba84a8a78521ba5956008d
  SHA256: 5c4a1991a478a05b8f3f75bdd8fb0057cf510a020663ca84e315adff0418ec71
  SHA512: e4b2ad4e8a2c08846b23389c3ca5ba29e2875e51aad207655849c581045d81d3eed74f7a27f5ba2678b5e18b748a68cf8fdd9f5ca5bdf86e102fe05543653b8b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: fdc0deffa8d9ab298b9da627862a69dd
  SHA1: d4007784b3e8985580f7d7c0eb34545a367dd331
  SHA256: ac27d272728776720e7719d9b729b98d1af0d0e87b1b379f54f55f65f3e4db8f
  SHA512: 177fdec546b14d2bf9a38b02489fc8dd64fb7ec0e45f36331caad835e2feaf0f958648bfe6e9f6a9a1cfb655df6b86c4548d6018d93a3ca3a33f5a4c20f183a1

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: cfc3a2e541728549d6585a57951bd00c
  SHA1: 176647269155cbe9db091e9ac999f2539252d8c6
  SHA256: 43e6184da7820715e4a5b7727b304904f6a5e576094815226bb752570366f76e
  SHA512: 611242978e09dd6b6efa27a33700ff88de324f7f8942ac898f2ec2c409f1beb07ee3de56604d1ded075720040820d5667245552ed669341dc1a50dfbb88d266c

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                          Filesize

                                                                                                                          11KB

                                                                                                                          MD5

                                                                                                                          cdb3ce882af5d91e11ee5d3ddf7b88c3

                                                                                                                          SHA1

                                                                                                                          358d28de6912f9d7b51268607fb170b13092c220

                                                                                                                          SHA256

                                                                                                                          95a543de0743ad09b308ec6252836d6c8f4b3a95692697429d123a1b96c31105

                                                                                                                          SHA512

                                                                                                                          ed90b99633924912b098b85bd0d75e6bab1f23ff74bda60e4841429dc373603fc852383560a0fb5b159b7893518c5a73801a23f8385b26febfad0ac3b46a3b86

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                          Filesize

                                                                                                                          11KB

                                                                                                                          MD5

                                                                                                                          8635d1e13429658190ac4dd192284d31

                                                                                                                          SHA1

                                                                                                                          b5a04e384ab3a7d9fce783e6cbb5e153fabf8059

                                                                                                                          SHA256

                                                                                                                          4483aff4a1ea981d95d182c60e0595dd19dbc32d7322ee70887a542e2162122c

                                                                                                                          SHA512

                                                                                                                          6d601da43a83b3be29070d1f614942626ef63501024ba9418f71f32b301aba5a237b14634d8d4a22ae32a3d211c146f8fb5d67c0eb7d32b6f78cc8d8fe6fc5d2

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                          Filesize

                                                                                                                          11KB

                                                                                                                          MD5

                                                                                                                          9534fec431a4459a7ba310697cf9c7f0

                                                                                                                          SHA1

                                                                                                                          d1928ddfe08544394a9b1d950119c5cff5b21b5d

                                                                                                                          SHA256

                                                                                                                          f8f42f5e56603359c6eafeff4c6b9b6246270555d169f92bc07c915074e555b7

                                                                                                                          SHA512

                                                                                                                          615d173908df920479c29406198a2764d1f5ca9df3b10a469178a2b1cfad801f2ecc70632c33e9e11ed6e74a8c36d2e35b94769b17fa38bee69724fdb233bb97

                                                                                                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

                                                                                                                          Filesize

                                                                                                                          264KB

                                                                                                                          MD5

                                                                                                                          435e1bdc5fcee685b0fbfc88edeccbd2

                                                                                                                          SHA1

                                                                                                                          3612fe14bfd1d253ac0c531aa71c15e72456f7df

                                                                                                                          SHA256

                                                                                                                          330e11c9eba7b5ab7451280865b49796d26edf80b50145f4bbe5377bd6cdf0ac

                                                                                                                          SHA512

                                                                                                                          f9a8176bef38ec08bf5dbaf48b59d61454e9efb5951deba97baeb44b7c7a87820cccbc749dc10aebd28d89c330965da7fa317fdd078e5ce540d89dc0af52c76e

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\datareporting\glean\db\data.safe.bin

                                                                                                                          Filesize

                                                                                                                          2KB

                                                                                                                          MD5

                                                                                                                          e9a999eb4c879de7900c50427f7f8c72

                                                                                                                          SHA1

                                                                                                                          1c5f598db20aca2f00c9ca7734da34d1770269ba

                                                                                                                          SHA256

                                                                                                                          b612b3fbc177eaf0d48197382c990784ff586e235d1c330861b034c2a4c7df20

                                                                                                                          SHA512

                                                                                                                          03aeae2110a68c8db2e53bc0c7865945af1960fec4b808c119b63cc5c66a364ba0940ee3e50616f3f1fffec01a952289986993ec57264ec7d22e5c5bc1ddbd44

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\datareporting\glean\pending_pings\3583d803-999b-4d92-b5ce-ebc89dc07170

                                                                                                                          Filesize

                                                                                                                          746B

                                                                                                                          MD5

                                                                                                                          098e54ae5af6a4ca27b0d967acd905f1

                                                                                                                          SHA1

                                                                                                                          77a60ff7f3edd7bdc8c3cff879eb85c63cb521b2

                                                                                                                          SHA256

                                                                                                                          d81e3c925c375d70d8b12d3c2a6ee263a7fb6d24c54d6d696fb034d1f89b9936

                                                                                                                          SHA512

                                                                                                                          6349923992c53800e4f6580fb1dec2a8fdd0c6b083966e7cf3e5f33c60408c26977156c084c4358c4fac091592d1f31ed71c0433fe7b3bc638d6a6cde61b042c

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\datareporting\glean\pending_pings\db47e187-5609-47e4-9c1d-21c9c031044b

                                                                                                                          Filesize

                                                                                                                          11KB

                                                                                                                          MD5

                                                                                                                          b65db4e853a2de178dc7c9fa61436121

                                                                                                                          SHA1

                                                                                                                          e70b5728f213893226e4f847511597242a47ef52

                                                                                                                          SHA256

                                                                                                                          d5f3592339ace085469616b075f735f7abec6b2ba84f1d308633453d4a29b020

                                                                                                                          SHA512

                                                                                                                          9d93090e5ab5243d9c3484abdba748e08cff76ddd681eba6eead3eb247de3310158f693501cc6d3932ea8bb9deda4b1944915150707b15899491edec21ff0f01

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\prefs.js

                                                                                                                          Filesize

                                                                                                                          6KB

                                                                                                                          MD5

                                                                                                                          07f4c364a16c47cdf672ecd1137ebe62

                                                                                                                          SHA1

                                                                                                                          fd7765c82c6dfc6eeb8cc77703f3661b1bf982da

                                                                                                                          SHA256

                                                                                                                          d546ec1f43f3f89a1a8a978dad292000ad113832031cc6024bd17e7fdfb95b50

                                                                                                                          SHA512

                                                                                                                          b7dc01a01602db4122184f7d79bd341b52cde8a5e119474658bf483de0bcea7e3a510b92df5a487f7c739308bd3fe43938f6e758e73ed78c73e5322688a2370d

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\prefs.js

                                                                                                                          Filesize

                                                                                                                          6KB

                                                                                                                          MD5

                                                                                                                          92642caabdfffb7d18e16974d396adc9

                                                                                                                          SHA1

                                                                                                                          b081e272d54c0d0b5eec3fcf3afc181dae3949a8

                                                                                                                          SHA256

                                                                                                                          91ac29b96e13886e25b580de5c590f92553bd4e73f4e0428cd676178d3529b50

                                                                                                                          SHA512

                                                                                                                          37088cedbef872f40398c2b0519249449b4a801a26a34f3de717279a7001993c1632b82ec022a3d44575b1921707cd31576a018fde26ff712fc9ee6ae22dee42

                                                                                                                        • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\sessionstore.jsonlz4

                                                                                                                          Filesize

                                                                                                                          883B

                                                                                                                          MD5

                                                                                                                          147f13c21c9e3548696b0e6524bbbbeb

                                                                                                                          SHA1

                                                                                                                          146eacaac1ad2810d551759eccb4119d4b9a712d

                                                                                                                          SHA256

                                                                                                                          723b72b64638ba1b8d580a900bb9de69a82d01d36138f04887f4a73f23bd15bc

                                                                                                                          SHA512

                                                                                                                          546fef02907c1820edc5ef3fa2666f6e41ba00eda7cdd2736f787b79567e6ace69003f78ec4f1c56ca69281646cad76cf97c898ef46030a8b9241ad2aa63fd9e

                                                                                                                        • C:\Users\Admin\Desktop\ßµ▌♫Σ₧õ☼↕∞↕5♣▄²↑►☼²œ◘¼—ńě£ř╠♣ï®♫▄1¥¤♀5♦•₧╥◙1ß7╩◄82▀▀•õ♣♦▄í«○¼╩Σñ◘♂£Ç▼ó╬9σñåøœ4▄εč♣Σ¢╠ε█☺ä4øõ√φ½■¼▼í¬

                                                                                                                          Filesize

                                                                                                                          666B

                                                                                                                          MD5

                                                                                                                          9e1e5883c74742a497cf5c272ccd2321

                                                                                                                          SHA1

                                                                                                                          2cf33e34d08b8e17743a60352baffef4b6f02dee

                                                                                                                          SHA256

                                                                                                                          ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a

                                                                                                                          SHA512

                                                                                                                          f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

                                                                                                                        • \??\pipe\LOCAL\crashpad_1224_CPGCRTZFGGELWLEW

                                                                                                                          MD5

                                                                                                                          d41d8cd98f00b204e9800998ecf8427e

                                                                                                                          SHA1

                                                                                                                          da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                                                          SHA256

                                                                                                                          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                                                          SHA512

                                                                                                                          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                                                        • memory/236-20-0x0000000005C30000-0x00000000061D6000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          5.6MB

                                                                                                                        • memory/236-398-0x00000000056F0000-0x0000000005700000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                        • memory/236-397-0x0000000074F50000-0x0000000075701000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          7.7MB

                                                                                                                        • memory/236-374-0x00000000068F0000-0x00000000068FA000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          40KB

                                                                                                                        • memory/236-26-0x00000000056F0000-0x0000000005700000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          64KB

                                                                                                                        • memory/236-8-0x0000000074F50000-0x0000000075701000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          7.7MB

                                                                                                                        • memory/236-7-0x00000000055E0000-0x0000000005672000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          584KB

                                                                                                                        • memory/236-6-0x0000000000B50000-0x0000000000BAC000-memory.dmp

                                                                                                                          Filesize

                                                                                                                          368KB