Analysis

max time kernel: 57s
max time network: 55s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-03-2024 21:58

Static task: static1
Behavioral task: behavioral1
  Sample: Chernobyl.exe
  Resource: win11-20240221-en

General
Target: Chernobyl.exe
Size: 343KB
MD5: d576e0520faa40435d5bdc66304205f9
SHA1: b99fce6ebd094e2cbc29e1ed4e47360781e86c47
SHA256: 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
SHA512: 6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98
SSDEEP: 6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg
Malware Config: (none recorded)
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Chernobyl.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe"
  Note: cluttscape.exe is the copy the sample drops into C:\Windows (see "Drops file in Windows directory"), which is on the system PATH. The sample is 32-bit, so the write was redirected into WOW6432Node; the 64-bit winlogon.exe on this x64 image reads the native Winlogon key, so whether this Shell entry actually runs at logon should be verified rather than assumed.

UAC bypass (1 IoC)
  Chernobyl.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  Note: this disables UAC rather than bypassing it. Writing this HKLM policy value already requires an elevated token (the sample ran as Admin here), and the change takes effect only after a reboot.

Disables RegEdit via registry modification (1 IoC)
  Chernobyl.exe  Set value (int)  \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification
  (no IoC recorded in this report)

Possible privilege escalation attempt (18 IoCs)
  takeown.exe PIDs 1000, 360, 2172, 3528, 2004, 2032, 4620, 2164, 4088, 1936, 360, 4508, 1852, 2148
  icacls.exe PIDs 2172, 2148, 1624, 3360

Modifies file permissions (1 TTP, 18 IoCs)
  takeown.exe PIDs 360, 2148, 2032, 1000, 4508, 2164, 4088, 3528, 1852, 2004, 2172, 1936, 360, 4620
  icacls.exe PIDs 2172, 2148, 3360, 1624
  (the same 18 processes as the previous signature; several PIDs were reused during the run)

Checks whether UAC is enabled (2 IoCs)
  Chernobyl.exe  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Chernobyl.exe  Set value (int)    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Modifies WinLogon (2 TTPs, 2 IoCs)
  Chernobyl.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"
  Chernobyl.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"
  Note: AutoRestartShell = 0 stops Winlogon from relaunching the shell if it exits; DisableCAD = 1 removes the Ctrl+Alt+Del requirement at logon. Both writes landed under WOW6432Node for the same redirection reason as the Shell value above.

Drops file in System32 directory (1 IoC)
  Chernobyl.exe  File opened for modification  C:\Windows\SysWOW64\kill.ico

Drops file in Windows directory (2 IoCs)
  Chernobyl.exe  File created                  C:\Windows\cluttscape.exe
  Chernobyl.exe  File opened for modification  C:\Windows\cluttscape.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments. All eight events here come from firefox.exe, not from the sample.
  firefox.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
  firefox.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz
  firefox.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier

Enumerates system info in registry (2 TTPs, 3 IoCs)
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Modifies registry class (2 IoCs)
  Chernobyl.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico"
  firefox.exe    Key created      \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings
  Note: the Unknown\DefaultIcon write points the icon for files of unregistered type at the kill.ico the sample dropped in SysWOW64.

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  msedge.exe PID 4240 (x2), msedge.exe PID 1224 (x2), msedge.exe PID 1920 (x2), identity_helper.exe PID 4720 (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  msedge.exe PID 1224 (x7)

Suspicious use of AdjustPrivilegeToken (19 IoCs)
  SeDebugPrivilege          Chernobyl.exe PID 236 (x2)
  SeTakeOwnershipPrivilege  takeown.exe PIDs 4088, 1936, 3528, 360, 2004, 2032, 1000, 1852, 4508, 2172, 360, 2148, 4620, 2164
  SeDebugPrivilege          firefox.exe PID 4856 (x2)
  SeShutdownPrivilege       Chernobyl.exe PID 236

Suspicious use of FindShellTrayWindow (30 IoCs)
  msedge.exe PID 1224 (x26), firefox.exe PID 4856 (x4)

Suspicious use of SendNotifyMessage (15 IoCs)
  msedge.exe PID 1224 (x12), firefox.exe PID 4856 (x3)

Suspicious use of SetWindowsHookEx (1 IoC)
  firefox.exe PID 4856

Suspicious use of WriteProcessMemory (64 IoCs)
  msedge.exe PID 1224 wrote to the memory of its own child msedge.exe processes (PIDs 4996, 4036, 4240 and 2792); 64 events in total. This is normal Chromium child-process setup, not sample activity.

System policy modification (1 TTP, 3 IoCs)
  Chernobyl.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"
  Chernobyl.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"
  Chernobyl.exe  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
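The registry writes in the signatures above (Winlogon Shell, AutoRestartShell, DisableCAD, EnableLUA, DisableRegistryTools, the policy values and the Unknown\DefaultIcon hijack) are the kind of IoC that should become a host detection rather than stay a one-off hash. The following is an added example, not part of the sandbox report or of any vendor tooling: it normalises registry paths across the NT-native spelling the report uses and the HKLM/HKU spelling Sysmon uses, folds away the WOW6432Node redirection that the 32-bit sample is subject to, decodes Sysmon's "DWORD (0x...)" rendering, and evaluates each value-set event against a rule table keyed on the report's IoCs. The event records and the "Field: value | Field: value" line format are constructed for the example; the field names (EventID, Image, TargetObject, Details) follow Sysmon Event ID 13.

```python
"""Registry-tamper triage for the Winlogon, UAC and policy writes above.

Added example, not part of the sandbox report: the registry IoCs the report lists
become detection rules, run over Sysmon-style "registry value set" (Event ID 13)
records. The event lines are constructed; targets and data follow the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    image: str
    target: str
    value_name: str
    data: str
    category: str
    technique: str


def _user_to_hkcu(sid, rest):
    # HKU\<SID>_Classes is the per-user half of HKCU\Software\Classes
    return ["HKCU"] + (["Software", "Classes"] if sid.upper().endswith("_CLASSES") else []) + rest


def split_target(target):
    """(normalised key, value name) for a value path in NT-native (\\REGISTRY\\...)
    or Sysmon (HKLM\\..., HKU\\<SID>\\...) spelling. SIDs fold to HKCU and the
    WOW6432Node redirection node is dropped, so a 32-bit writer such as
    Chernobyl.exe hits the same rule a 64-bit one would."""
    parts = target.strip().lstrip("\\").split("\\")
    name, key = parts[-1], parts[:-1]
    if name.lower() == "(default)":        # Sysmon's spelling of the default value
        name = ""
    head = key[0].upper() if key else ""
    if head == "REGISTRY" and len(key) > 2:
        if key[1].upper() == "MACHINE":
            key = ["HKLM"] + key[2:]
        elif key[1].upper() == "USER":
            key = _user_to_hkcu(key[2], key[3:])
    elif head == "HKU" and len(key) > 1:
        key = _user_to_hkcu(key[1], key[2:])
    key = [p for p in key if p.upper() != "WOW6432NODE"]
    return "\\".join(key).lower(), name


def decode_data(details):
    """Sysmon renders numbers as 'DWORD (0x00000001)'; sandboxes print "1"."""
    m = re.fullmatch(r"\s*(?:DWORD|QWORD)\s*\((0x[0-9a-fA-F]+)\)\s*", details)
    return str(int(m.group(1), 16)) if m else details.strip().strip('"')


def parse_event(line):
    """'Field: value | Field: value' records, as in the constructed sample below."""
    return {k.strip(): v.strip() for k, _, v in (p.partition(": ") for p in line.split(" | "))}


WINLOGON = "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon"
POLICY_SYSTEM_HKLM = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system"
POLICY_SYSTEM_HKCU = "hkcu\\software\\microsoft\\windows\\currentversion\\policies\\system"
UNKNOWN_DEFAULTICON = "hklm\\software\\classes\\unknown\\defaulticon"

# (normalised key, value name, "is this data bad?", category, ATT&CK technique)
RULES = [
    (WINLOGON, "shell", lambda d: d.lower() != "explorer.exe", "Winlogon Shell persistence", "T1547.004"),
    (WINLOGON, "autorestartshell", lambda d: d == "0", "Winlogon tampering (shell not restarted)", "T1112"),
    (WINLOGON, "disablecad", lambda d: d == "1", "Winlogon tampering (Ctrl+Alt+Del disabled)", "T1112"),
    (POLICY_SYSTEM_HKLM, "enablelua", lambda d: d == "0", "UAC disabled", "T1548.002"),
    (POLICY_SYSTEM_HKLM, "shutdownwithoutlogon", lambda d: d == "0", "System policy modification", "T1112"),
    (POLICY_SYSTEM_HKCU, "disableregistrytools", lambda d: d == "1", "RegEdit disabled", "T1112"),
    (POLICY_SYSTEM_HKCU, "disabletaskmgr", lambda d: d == "1", "Task Manager disabled", "T1112"),
    (UNKNOWN_DEFAULTICON, "", lambda d: True, "Registry class hijack (Unknown\\DefaultIcon)", "T1112"),
]


def evaluate(lines):
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":      # only value-set events carry data
            continue
        key, name = split_target(ev["TargetObject"])
        data = decode_data(ev.get("Details", ""))
        for rule_key, rule_name, is_bad, category, technique in RULES:
            if key == rule_key and name.lower() == rule_name and is_bad(data):
                findings.append(Finding(ev.get("Image", "?"), ev["TargetObject"], name, data, category, technique))
    return findings


SAMPLE_EVENTS = [  # constructed; targets and data follow the report's IoCs
    r"EventID: 13 | Image: C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Details: explorer.exe, cluttscape.exe",
    r"EventID: 13 | Image: C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Details: DWORD (0x00000000)",
    r"EventID: 13 | Image: C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | TargetObject: \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools | Details: DWORD (0x00000001)",
    r"EventID: 13 | Image: C:\Windows\System32\svchost.exe | TargetObject: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Details: explorer.exe",
    r"EventID: 12 | Image: C:\Program Files\Mozilla Firefox\firefox.exe | TargetObject: HKU\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings",
    r"EventID: 13 | Image: C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | TargetObject: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD | Details: DWORD (0x00000001)",
    r"EventID: 13 | Image: C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | TargetObject: HKLM\SOFTWARE\Classes\Unknown\DefaultIcon\(Default) | Details: C:\Windows\SysWow64\kill.ico",
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.category}: {f.image} set {f.target} = {f.data!r}")
```

Five of the seven constructed records fire; the two that do not are a write that restores Winlogon\Shell to its default and a key-creation event (ID 12) that carries no data. Matching on the normalised key rather than the raw path is what lets one rule cover both the native Winlogon key and its WOW6432Node twin, which is where this sample's writes actually landed.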
Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe  (PID 236)
  command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
  signatures: Modifies WinLogon for persistence; UAC bypass; Disables RegEdit via registry modification; Checks whether UAC is enabled; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious use of AdjustPrivilegeToken; System policy modification

  Note on image paths: every child below shows image C:\Windows\SysWOW64\... although its command line names C:\Windows\System32\... . The sample is 32-bit, so its child processes are subject to WOW64 file system redirection and the 32-bit copies of cmd.exe, rundll32.exe, takeown.exe and icacls.exe run.

  Twelve identical cmd.exe -> rundll32.exe chains. Each cmd.exe (image C:\Windows\SysWOW64\cmd.exe) ran
    "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
  and spawned rundll32.exe (image C:\Windows\SysWOW64\rundll32.exe) with
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
  (UpdatePerUserSystemParameters makes the shell re-read per-user settings, a common way to apply registry changes without a logoff):
    cmd.exe 2240 -> rundll32.exe 3704
    cmd.exe 2000 -> rundll32.exe 2784
    cmd.exe 4880 -> rundll32.exe 1288
    cmd.exe 4812 -> rundll32.exe 492
    cmd.exe 2444 -> rundll32.exe 2148
    cmd.exe 416  -> rundll32.exe 4048
    cmd.exe 5064 -> rundll32.exe 4156
    cmd.exe 4496 -> rundll32.exe 4524
    cmd.exe 3112 -> rundll32.exe 1896
    cmd.exe 4672 -> rundll32.exe 2004
    cmd.exe 4352 -> rundll32.exe 4840
    cmd.exe 2012 -> rundll32.exe 4292

  Fourteen cmd.exe chains of the form
    "C:\Windows\System32\cmd.exe" /k takeown /f <target> && icacls <target> /grant "%username%:F" && exit
  takeown.exe (image C:\Windows\SysWOW64\takeown.exe, command line takeown /f <target>) carries the signatures Possible privilege escalation attempt, Modifies file permissions and Suspicious use of AdjustPrivilegeToken. Where icacls.exe ran (image C:\Windows\SysWOW64\icacls.exe, command line icacls <target> /grant "Admin:F", i.e. %username% expanded to the sandbox user) it carries Possible privilege escalation attempt and Modifies file permissions.
    cmd.exe 4064 -> takeown.exe 4088                       C:\Windows\System32\smss.exe
    cmd.exe 4052 -> takeown.exe 3528                       C:\Windows\System32\csrss.exe
    cmd.exe 2572 -> takeown.exe 1936                       C:\Windows\System32\wininit.exe
    cmd.exe 4980 -> takeown.exe 360                        C:\Windows\System32\LogonUI.exe
    cmd.exe 1276 -> takeown.exe 2004                       C:\Windows\System32\lsass.exe
    cmd.exe 3404 -> takeown.exe 1852                       C:\Windows\System32\services.exe
    cmd.exe 1044 -> takeown.exe 1000                       C:\Windows\System32\winlogon.exe
    cmd.exe 5060 -> takeown.exe 2032                       C:\Windows\System32\winload.efi
    cmd.exe 4260 -> takeown.exe 4508                       C:\Windows\System32\winload.exe
    cmd.exe 2908 -> takeown.exe 2172                       C:\Windows\System32\ntoskrnl.exe
    cmd.exe 844  -> takeown.exe 360,  icacls.exe 1624      C:\Windows\System32\svchost.exe
    cmd.exe 1932 -> takeown.exe 4620, icacls.exe 3360      C:\Windows\System32\drivers\afunix.sys
    cmd.exe 4460 -> takeown.exe 2148, icacls.exe 2172      C:\Windows\System32\drivers\gm.dls
    cmd.exe 4576 -> conhost.exe 4088 (\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1), takeown.exe 2164, icacls.exe 2148      C:\Windows\System32\drivers\gmreadme.txt

  Two things to keep in mind when triaging these chains. First, icacls.exe was recorded only for the last four targets; in a && chain icacls runs only if takeown exits 0, so the earlier takeown calls either failed or did not complete before the run ended. Second, because takeown.exe and icacls.exe are the 32-bit SysWOW64 copies, the C:\Windows\System32\... paths they were given are redirected to C:\Windows\SysWOW64\... , so the files actually affected are the SysWOW64 copies, not the boot-critical 64-bit binaries; that redirection is also consistent with the pattern above, since most of the first ten targets have no SysWOW64 counterpart. Verify ownership and ACLs on both directories when checking a host. PIDs 360, 2148, 2172 and 4088 were each reused within the 57-second run, so do not correlate these processes by PID alone.
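The takeown -> icacls chains above are a reliable detection opportunity because the pair of tools, a protected target path and a shared parent are all visible in ordinary process-creation telemetry. The following is an added example, not part of the sandbox report or of any vendor tooling: it walks Sysmon-style process-creation (Event ID 1) records, pairs each takeown.exe on a protected path with the icacls.exe grant that follows it under the same parent, and attributes the pair to the first non-shell ancestor (here the sample rather than cmd.exe). Processes are linked by ProcessGuid/ParentProcessGuid rather than PID, since the run above reused PIDs 360, 2148, 2172 and 4088. The records are constructed for the example, with PIDs and command lines modelled on the tree above; the GUID strings are placeholders, the protected-path prefixes are an assumption you would extend for your environment, and a separate record shows an administrator reclaiming a file in their own profile, which the same tools produce and which is not flagged.

```python
"""Correlate takeown.exe / icacls.exe ownership seizures of protected system
files back to the program that launched them.

Added example, not part of the sandbox report. It runs over constructed
Sysmon-style process-creation (Event ID 1) records modelled on the
cmd.exe -> takeown.exe -> icacls.exe chains above. Processes are linked by
ProcessGuid/ParentProcessGuid rather than PID: in the run above PIDs 360,
2148, 2172 and 4088 were each reused, so PID-only matching pairs the wrong
processes.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

PROTECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumption; extend per environment
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# `takeown /f <path>` and `icacls <path> /grant <principal>:F` (or :(F))
_TAKEOWN_TARGET = re.compile(r'/f\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
_ICACLS_TARGET = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|(\S+))')
_ICACLS_FULL_CONTROL = re.compile(r'/grant(?::r)?\s+"?[^"\s]+:\(?F\)?"?', re.IGNORECASE)


@dataclass
class Chain:
    target: str
    origin: str                       # first non-shell ancestor of the pair
    takeown_pid: Optional[int] = None
    icacls_pid: Optional[int] = None

    @property
    def verdict(self) -> str:
        if self.takeown_pid and self.icacls_pid:
            return "ownership seized and full control granted"
        if self.takeown_pid:
            return "ownership seized, no icacls grant observed"
        return "ACL grant without a preceding takeown"


def is_protected(path: str) -> bool:
    return path.strip('"').lower().startswith(PROTECTED_PREFIXES)


def _origin_of(event: dict, by_guid: dict) -> str:
    """Walk up past cmd.exe/powershell.exe so the chain is attributed to the
    program that launched the shell, not to the shell itself."""
    cur = by_guid.get(event.get("ParentProcessGuid"))
    while cur is not None and ntpath.basename(cur["Image"]).lower() in SHELLS:
        cur = by_guid.get(cur.get("ParentProcessGuid"))
    return cur["Image"] if cur else "<unknown>"


def find_chains(events: list) -> list:
    by_guid = {e["ProcessGuid"]: e for e in events}
    chains = {}                       # (parent guid, target) -> Chain

    def slot(e, target):
        key = (e.get("ParentProcessGuid"), target.lower())
        if key not in chains:
            chains[key] = Chain(target=target, origin=_origin_of(e, by_guid))
        return chains[key]

    # takeown in the first pass, icacls in the second, so pairs form in execution order
    for e in events:
        if ntpath.basename(e["Image"]).lower() == "takeown.exe":
            m = _TAKEOWN_TARGET.search(e["CommandLine"])
            target = m and (m.group(1) or m.group(2))
            if target and is_protected(target):
                slot(e, target).takeown_pid = e["ProcessId"]
    for e in events:
        if ntpath.basename(e["Image"]).lower() == "icacls.exe":
            m = _ICACLS_TARGET.match(e["CommandLine"])
            target = m and (m.group(1) or m.group(2))
            if target and is_protected(target) and _ICACLS_FULL_CONTROL.search(e["CommandLine"]):
                slot(e, target).icacls_pid = e["ProcessId"]
    return list(chains.values())


def _ev(guid, parent_guid, pid, image, cmdline):
    return {"EventID": 1, "ProcessGuid": guid, "ParentProcessGuid": parent_guid,
            "ProcessId": pid, "Image": image, "CommandLine": cmdline}


SAMPLE_EVENTS = [  # constructed; GUIDs are placeholders, PIDs and command lines follow the tree above
    _ev("{a1}", None, 236, r"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe",
        r'"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"'),
    _ev("{b1}", "{a1}", 844, r"C:\Windows\SysWOW64\cmd.exe",
        r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit'),
    _ev("{b2}", "{b1}", 360, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\Windows\System32\svchost.exe"),
    _ev("{b3}", "{b1}", 1624, r"C:\Windows\SysWOW64\icacls.exe", r'icacls C:\Windows\System32\svchost.exe /grant "Admin:F"'),
    _ev("{c1}", "{a1}", 4064, r"C:\Windows\SysWOW64\cmd.exe",
        r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit'),
    _ev("{c2}", "{c1}", 4088, r"C:\Windows\SysWOW64\takeown.exe", r"takeown /f C:\Windows\System32\smss.exe"),
    # an administrator reclaiming a file in their own profile: same tools, not flagged
    _ev("{d1}", None, 9000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    _ev("{d2}", "{d1}", 9001, r"C:\Windows\System32\takeown.exe", r"takeown /f C:\Users\Admin\Documents\old.docx"),
]

if __name__ == "__main__":
    for c in find_chains(SAMPLE_EVENTS):
        print(f"{c.verdict}: {c.target} (takeown {c.takeown_pid}, icacls {c.icacls_pid}) launched by {c.origin}")
```

Two chains come out: svchost.exe with both halves present, and smss.exe with only the takeown, which mirrors what the report shows for the first ten targets. Keying the chain on the parent's GUID rather than the parent PID is the point of the example; with PID keys, the reused PIDs in this run would merge unrelated takeown and icacls events into one chain.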
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff866623cb8,0x7ff866623cc8,0x7ff866623cd82⤵PID:4996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:22⤵PID:4036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:82⤵PID:2792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:12⤵PID:1992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:12⤵PID:2976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:12⤵PID:2256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:12⤵PID:2648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:12⤵PID:1244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:12⤵PID:3448
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,6483631714394557305,17434276576172492361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:12⤵PID:3152
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4720
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4048
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵PID:3204
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4856 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.0.1689005995\580394863" -parentBuildID 20221007134813 -prefsHandle 1836 -prefMapHandle 1728 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d6d9bf5-3848-4575-8eac-1521c4445348} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 1916 1b3b5dd0d58 gpu3⤵PID:1656
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.1.1116556757\2130748850" -parentBuildID 20221007134813 -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e902fc2f-7be0-4da8-870f-038a71fded79} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 2288 1b3b5535858 socket3⤵
- Checks processor information in registry
PID:4600
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.2.1352877293\1179078735" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 3004 -prefsLen 20886 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02d4ef7f-d36c-48a8-90aa-78fa0a693857} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 2880 1b3bad0d258 tab3⤵PID:5472
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.3.1921512779\1662043993" -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0a53f87-fa23-4d2c-b19c-0b4342444281} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 3448 1b3b81a3b58 tab3⤵PID:5584
-
-
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.4.2059208561\1358413395" -childID 3 -isForBrowser -prefsHandle 4540 -prefMapHandle 4536 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc5c7c88-5292-4a35-aee9-c057b1e890df} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 4552 1b3bc8e8b58 tab
PID: 5976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.5.1858833296\391796547" -childID 4 -isForBrowser -prefsHandle 4916 -prefMapHandle 4912 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b5aabba-001d-4f78-99d6-910f2a329a5c} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 4920 1b3bb27d358 tab
PID: 5376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.6.1881628467\523363881" -childID 5 -isForBrowser -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2bab70-a865-40cb-82c8-d35237054246} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5064 1b3bd224458 tab
PID: 5384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4856.7.937829047\1034852740" -childID 6 -isForBrowser -prefsHandle 5256 -prefMapHandle 5260 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1008 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0516741-4342-4067-906c-093f3a2046e9} 4856 "\\.\pipe\gecko-crash-server-pipe.4856" 5248 1b3bd225f58 tab
PID: 1060

Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Winlogon Helper DLL 2
Downloads
-
Filesize 152B
MD5 d4604cbec2768d84c36d8ab35dfed413
SHA1 a5b3db6d2a1fa5a8de9999966172239a9b1340c2
SHA256 4ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
SHA512 c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855
-
Filesize 152B
MD5 577e1c0c1d7ab0053d280fcc67377478
SHA1 60032085bb950466bba9185ba965e228ec8915e5
SHA256 1d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
SHA512 39d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5
-
Filesize 5KB
MD5 b903ad04d41db820d8936ad903c3c765
SHA1 0256c1eaa8e6274696c305213c7ca710ab65a9bd
SHA256 0a3777342a681a83ffa0fa66ec9c0c7ee81325f27fd08d61daa6d51a25bff4a1
SHA512 9499596f4e5355aa7e38c0eefa74f47447f0d63f11166f68472ceb3b06c7dd21de32c32d0680f6e27d248f96ded97d6427b640b0775892f4f44ba529389b924f
-
Filesize 5KB
MD5 c2d9145a013ebbc25cb1bfb1b054b54b
SHA1 59f234418cb788fcb2ba84a8a78521ba5956008d
SHA256 5c4a1991a478a05b8f3f75bdd8fb0057cf510a020663ca84e315adff0418ec71
SHA512 e4b2ad4e8a2c08846b23389c3ca5ba29e2875e51aad207655849c581045d81d3eed74f7a27f5ba2678b5e18b748a68cf8fdd9f5ca5bdf86e102fe05543653b8b
-
Filesize 5KB
MD5 fdc0deffa8d9ab298b9da627862a69dd
SHA1 d4007784b3e8985580f7d7c0eb34545a367dd331
SHA256 ac27d272728776720e7719d9b729b98d1af0d0e87b1b379f54f55f65f3e4db8f
SHA512 177fdec546b14d2bf9a38b02489fc8dd64fb7ec0e45f36331caad835e2feaf0f958648bfe6e9f6a9a1cfb655df6b86c4548d6018d93a3ca3a33f5a4c20f183a1
-
Filesize 16B
MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize 16B
MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize 11KB
MD5 cfc3a2e541728549d6585a57951bd00c
SHA1 176647269155cbe9db091e9ac999f2539252d8c6
SHA256 43e6184da7820715e4a5b7727b304904f6a5e576094815226bb752570366f76e
SHA512 611242978e09dd6b6efa27a33700ff88de324f7f8942ac898f2ec2c409f1beb07ee3de56604d1ded075720040820d5667245552ed669341dc1a50dfbb88d266c
-
Filesize 11KB
MD5 cdb3ce882af5d91e11ee5d3ddf7b88c3
SHA1 358d28de6912f9d7b51268607fb170b13092c220
SHA256 95a543de0743ad09b308ec6252836d6c8f4b3a95692697429d123a1b96c31105
SHA512 ed90b99633924912b098b85bd0d75e6bab1f23ff74bda60e4841429dc373603fc852383560a0fb5b159b7893518c5a73801a23f8385b26febfad0ac3b46a3b86
-
Filesize 11KB
MD5 8635d1e13429658190ac4dd192284d31
SHA1 b5a04e384ab3a7d9fce783e6cbb5e153fabf8059
SHA256 4483aff4a1ea981d95d182c60e0595dd19dbc32d7322ee70887a542e2162122c
SHA512 6d601da43a83b3be29070d1f614942626ef63501024ba9418f71f32b301aba5a237b14634d8d4a22ae32a3d211c146f8fb5d67c0eb7d32b6f78cc8d8fe6fc5d2
-
Filesize 11KB
MD5 9534fec431a4459a7ba310697cf9c7f0
SHA1 d1928ddfe08544394a9b1d950119c5cff5b21b5d
SHA256 f8f42f5e56603359c6eafeff4c6b9b6246270555d169f92bc07c915074e555b7
SHA512 615d173908df920479c29406198a2764d1f5ca9df3b10a469178a2b1cfad801f2ecc70632c33e9e11ed6e74a8c36d2e35b94769b17fa38bee69724fdb233bb97
-
Filesize 264KB
MD5 435e1bdc5fcee685b0fbfc88edeccbd2
SHA1 3612fe14bfd1d253ac0c531aa71c15e72456f7df
SHA256 330e11c9eba7b5ab7451280865b49796d26edf80b50145f4bbe5377bd6cdf0ac
SHA512 f9a8176bef38ec08bf5dbaf48b59d61454e9efb5951deba97baeb44b7c7a87820cccbc749dc10aebd28d89c330965da7fa317fdd078e5ce540d89dc0af52c76e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 e9a999eb4c879de7900c50427f7f8c72
SHA1 1c5f598db20aca2f00c9ca7734da34d1770269ba
SHA256 b612b3fbc177eaf0d48197382c990784ff586e235d1c330861b034c2a4c7df20
SHA512 03aeae2110a68c8db2e53bc0c7865945af1960fec4b808c119b63cc5c66a364ba0940ee3e50616f3f1fffec01a952289986993ec57264ec7d22e5c5bc1ddbd44
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\datareporting\glean\pending_pings\3583d803-999b-4d92-b5ce-ebc89dc07170
Filesize 746B
MD5 098e54ae5af6a4ca27b0d967acd905f1
SHA1 77a60ff7f3edd7bdc8c3cff879eb85c63cb521b2
SHA256 d81e3c925c375d70d8b12d3c2a6ee263a7fb6d24c54d6d696fb034d1f89b9936
SHA512 6349923992c53800e4f6580fb1dec2a8fdd0c6b083966e7cf3e5f33c60408c26977156c084c4358c4fac091592d1f31ed71c0433fe7b3bc638d6a6cde61b042c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\datareporting\glean\pending_pings\db47e187-5609-47e4-9c1d-21c9c031044b
Filesize 11KB
MD5 b65db4e853a2de178dc7c9fa61436121
SHA1 e70b5728f213893226e4f847511597242a47ef52
SHA256 d5f3592339ace085469616b075f735f7abec6b2ba84f1d308633453d4a29b020
SHA512 9d93090e5ab5243d9c3484abdba748e08cff76ddd681eba6eead3eb247de3310158f693501cc6d3932ea8bb9deda4b1944915150707b15899491edec21ff0f01
-
Filesize 6KB
MD5 07f4c364a16c47cdf672ecd1137ebe62
SHA1 fd7765c82c6dfc6eeb8cc77703f3661b1bf982da
SHA256 d546ec1f43f3f89a1a8a978dad292000ad113832031cc6024bd17e7fdfb95b50
SHA512 b7dc01a01602db4122184f7d79bd341b52cde8a5e119474658bf483de0bcea7e3a510b92df5a487f7c739308bd3fe43938f6e758e73ed78c73e5322688a2370d
-
Filesize 6KB
MD5 92642caabdfffb7d18e16974d396adc9
SHA1 b081e272d54c0d0b5eec3fcf3afc181dae3949a8
SHA256 91ac29b96e13886e25b580de5c590f92553bd4e73f4e0428cd676178d3529b50
SHA512 37088cedbef872f40398c2b0519249449b4a801a26a34f3de717279a7001993c1632b82ec022a3d44575b1921707cd31576a018fde26ff712fc9ee6ae22dee42
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\er0iywxg.default-release\sessionstore.jsonlz4
Filesize 883B
MD5 147f13c21c9e3548696b0e6524bbbbeb
SHA1 146eacaac1ad2810d551759eccb4119d4b9a712d
SHA256 723b72b64638ba1b8d580a900bb9de69a82d01d36138f04887f4a73f23bd15bc
SHA512 546fef02907c1820edc5ef3fa2666f6e41ba00eda7cdd2736f787b79567e6ace69003f78ec4f1c56ca69281646cad76cf97c898ef46030a8b9241ad2aa63fd9e
-
C:\Users\Admin\Desktop\ßµ▌♫Σ₧õ☼↕∞↕5♣▄²↑►☼²œ◘¼—ńě£ř╠♣ï®♫▄1¥¤♀5♦•₧╥◙1ß7╩◄82▀▀•õ♣♦▄í«○¼╩Σñ◘♂£Ç▼ó╬9σñåøœ4▄εč♣Σ¢╠ε█☺ä4øõ√φ½■¼▼í¬
Filesize 666B
MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e