Malware Analysis Report

2024-11-16 12:45

Sample ID 240302-1xgkzsac56
Target Chernobyl.exe
SHA256 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
Tags
discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6

Threat Level: Known bad

The file Chernobyl.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Possible privilege escalation attempt

Modifies file permissions

Checks whether UAC is enabled

Modifies WinLogon

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 22:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 22:01

Reported

2024-03-02 22:31

Platform

win11-20240221-en

Max time kernel

47s

Max time network

70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables Task Manager via registry modification

evasion

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\kill.ico C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeDebugPrivilege (2 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeTakeOwnershipPrivilege (14 events) N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeShutdownPrivilege (1 event) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
26 events N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
4 events N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 720 wrote to memory of 2804 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 1128 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 4324 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 1492 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 1724 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 720 wrote to memory of 3032 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 3308 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 1128 wrote to memory of 1092 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 720 wrote to memory of 4920 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 652 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 3036 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 1280 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 720 wrote to memory of 2580 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 720 wrote to memory of 1472 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 4324 wrote to memory of 2344 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3308 wrote to memory of 2916 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 720 wrote to memory of 8 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 2684 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 720 wrote to memory of 1420 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 652 wrote to memory of 2636 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1472 wrote to memory of 4172 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 8 wrote to memory of 3932 (1 event) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
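
The source/target pairs above are the sample's process tree: Chernobyl.exe (PID 720) launching each cmd.exe, and each cmd.exe launching rundll32.exe, matching the command lines listed under Processes. The following PowerShell is an added example for hunting that chain on a suspect host with Sysmon; it is not part of the sandbox report. It assumes Sysmon writes to its default operational channel, and the -ParentImage default is simply the sample's file name from this report, given as a parameter rather than a fixed indicator.

```powershell
# Added example, not part of the sandbox report: hunt Sysmon process-creation
# events (Event ID 1) for the chain shown in the report, i.e. cmd.exe spawned by
# the sample, takeown/icacls aimed at System32, and rundll32 running
# user32.dll,UpdatePerUserSystemParameters. Run on the suspect host with rights
# to read the Sysmon channel.
# Assumptions: Sysmon logs to its default channel; -ParentImage is the sample's
# file name from the report and is a parameter, not a fixed indicator.

param(
    [string]$ParentImage = 'Chernobyl.exe',
    [int]$Hours = 24
)

# Read EventData fields by name from the event XML instead of by Properties[]
# index, which shifts between Sysmon schema versions.
function ConvertFrom-SysmonProcessCreate {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time              = $Event.TimeCreated
        ProcessId         = $data['ProcessId']
        Image             = $data['Image']
        CommandLine       = $data['CommandLine']
        ParentProcessId   = $data['ParentProcessId']
        ParentImage       = $data['ParentImage']
        ParentCommandLine = $data['ParentCommandLine']
    }
}

# Command-line patterns lifted from the report's Processes section.
$suspiciousCommandLine = '(?i)' + (@(
    'takeown\s+/f\s+\S*\\(System32|SysWOW64)\\',
    'icacls\s+\S*\\(System32|SysWOW64)\\\S*\s+/grant\s',
    'user32\.dll,UpdatePerUserSystemParameters'
) -join '|')

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddHours(-$Hours)
}
$parentPattern = [regex]::Escape($ParentImage) + '$'

$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-SysmonProcessCreate -Event $_ } |
    Where-Object {
        # root of the chain: the sample spawning cmd.exe ...
        ($_.Image -match '\\cmd\.exe$' -and $_.ParentImage -match $parentPattern) -or
        # ... or any process whose command line matches the report's patterns
        ($_.CommandLine -match $suspiciousCommandLine)
    }

$hits | Sort-Object Time |
    Format-Table Time, ParentProcessId, ProcessId, Image, CommandLine -AutoSize -Wrap
```

The command-line patterns are deliberately not tied to the sample's name, because the takeown/icacls and rundll32 lines are what a renamed copy would still produce; the parent-image check only adds the chain's root when the name is known. If the host also records Event ID 13 (registry value set), the same ConvertFrom function works for correlating the Winlogon and Policies writes from the Signatures section.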

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
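
Two details of the registry writes listed in the Winlogon, UAC, RegEdit/Task Manager and policy signatures above matter for triage. First, the sample is 32-bit (its command lines name System32\cmd.exe but the process image is SysWOW64\cmd.exe), so its Winlogon writes were redirected to the WOW6432Node view; the 64-bit winlogon.exe reads the native key, so on a 64-bit host the redirected Shell = "explorer.exe, cluttscape.exe" would not start cluttscape.exe at logon, while the Policies keys are shared between both views and take effect as written. Second, EnableLUA = 0 (reported as "UAC bypass") disables UAC for subsequent logons rather than bypassing it; writing that HKLM value succeeds only from an already-elevated process, and it has no effect until the machine reboots. The following PowerShell is an added example for checking a host for these artifacts; it is not part of the sandbox report. It assumes it runs elevated, and it generalises the single user SID in the report to every user hive loaded under HKEY_USERS.

```powershell
# Added example, not part of the sandbox report: look for the registry
# artifacts this sample was observed writing. Run elevated on the suspect host.
# Assumption: the report's single user SID is generalised to every user hive
# currently loaded under HKEY_USERS.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) { return $null }
    return $key.GetValue($Name)   # GetValue('') returns the key's (default) value
}

$checks = @()

# Winlogon values. The sample is 32-bit, so its writes were redirected to the
# WOW6432Node view; 64-bit winlogon.exe reads the native view. Check both so
# the artifact is found even where it never took effect.
foreach ($wl in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon')) {
    $checks += @{ Path = $wl; Name = 'Shell';            Bad = { param($v) $v -and ($v -ne 'explorer.exe') } }
    $checks += @{ Path = $wl; Name = 'AutoRestartShell'; Bad = { param($v) $v -eq 0 } }
    $checks += @{ Path = $wl; Name = 'DisableCAD';       Bad = { param($v) $v -eq 1 } }
}

# Policy keys are shared between the 32-bit and 64-bit views, so one path is enough.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
$checks += @{ Path = "$pol\System";   Name = 'EnableLUA';            Bad = { param($v) $v -eq 0 } }
$checks += @{ Path = "$pol\System";   Name = 'shutdownwithoutlogon'; Bad = { param($v) $v -eq 0 } }
$checks += @{ Path = "$pol\Explorer"; Name = 'UseDefaultTile';       Bad = { param($v) $v -eq 1 } }
$checks += @{ Path = 'HKLM:\SOFTWARE\Classes\Unknown\DefaultIcon'; Name = ''; Bad = { param($v) $v -like '*kill.ico*' } }

# Per-user policy values. HKU has no default PSDrive, so use the provider path;
# the regex keeps real user SIDs and skips the *_Classes hives.
$sids = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { $_.PSChildName }
foreach ($sid in $sids) {
    $p = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $checks += @{ Path = $p; Name = 'DisableRegistryTools'; Bad = { param($v) $v -eq 1 } }
    $checks += @{ Path = $p; Name = 'DisableTaskMgr';       Bad = { param($v) $v -eq 1 } }
}

$findings = foreach ($c in $checks) {
    $v = Get-RegValue -Path $c.Path -Name $c.Name
    if (& $c.Bad $v) {
        [pscustomobject]@{
            Path  = $c.Path
            Name  = $(if ($c.Name) { $c.Name } else { '(default)' })
            Value = $v
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No registry artifacts from the report were found.' }
```

The script only reports. To undo the findings, restore Shell to explorer.exe and EnableLUA to 1 with Set-ItemProperty (the UAC change takes effect after a reboot), and delete DisableRegistryTools and DisableTaskMgr with Remove-ItemProperty; these values are absent, not 0, on a default installation.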

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffc6aa43cb8,0x7ffc6aa43cc8,0x7ffc6aa43cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,5879854314271243750,12426798476086236803,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.0.1499258282\342343607" -parentBuildID 20221007134813 -prefsHandle 1764 -prefMapHandle 1752 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdaa99d8-b541-4981-b8b8-244d78a3a8d4} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 1856 2aa2e1f9e58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.1.934596635\1160752142" -parentBuildID 20221007134813 -prefsHandle 2212 -prefMapHandle 2208 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60e68214-0a69-4ac5-acc7-c4571bde9efa} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 2232 2aa22071958 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.2.1563585800\649669080" -childID 1 -isForBrowser -prefsHandle 2912 -prefMapHandle 3048 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8215651f-3067-40c8-aca8-0fbae7f017df} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3132 2aa336a3658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.3.336752411\1474535523" -childID 2 -isForBrowser -prefsHandle 2796 -prefMapHandle 2896 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffcd645d-d736-4cba-9ad8-9a2d379c7aa1} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 3744 2aa2206ae58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.4.642955501\1686523303" -childID 3 -isForBrowser -prefsHandle 4124 -prefMapHandle 4120 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89727082-bbb0-407e-8ffa-c96ed425a865} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 4136 2aa30cdca58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.5.1716515432\1852182303" -childID 4 -isForBrowser -prefsHandle 5060 -prefMapHandle 4660 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1cb8fec1-312f-46a2-9767-6cc6df219a1b} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5072 2aa2202de58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.6.2030889354\1832722704" -childID 5 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ff4d2c9-cd05-4259-9319-7d82592ac7a2} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5208 2aa35899458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3588.7.499854864\808228470" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1356 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6daa9349-af7f-4aef-aa1a-cccc69fff319} 3588 "\\.\pipe\gecko-crash-server-pipe.3588" 5400 2aa35899758 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\smss.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\csrss.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\wininit.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\lsass.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\services.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winlogon.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winload.efi

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winload.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\ntoskrnl.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\afunix.sys

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\gm.dls

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\gmreadme.txt

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\svchost.exe /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
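The command lines above form one pattern repeated per target: `takeown /f <file>` to seize ownership of a file that is normally owned by NT SERVICE\TrustedInstaller, then `icacls <file> /grant "%username%:F"` (which expands to `Admin:F` in the standalone icacls.exe launches) to give the logged-on user Full control. Some launches are wrapped in `cmd.exe /k ... && ... && exit`. The targets are boot-critical binaries (smss.exe, csrss.exe, wininit.exe, winlogon.exe, lsass.exe, services.exe, svchost.exe, LogonUI.exe, ntoskrnl.exe, winload.exe, winload.efi) plus afunix.sys, gm.dls and gmreadme.txt under drivers\. Ownership plus Full control is the prerequisite for overwriting or deleting these files; the report shows the ACL changes only, not a subsequent write. The following Python is an added detection example, not part of the sandbox report: it parses constructed process-creation events modelled on these command lines (the event shapes and PIDs are assumed, not captured), unwraps the `cmd.exe /k` chaining, and flags takeown/icacls operations against System32 or SysWOW64, rating them higher when a boot-critical binary or a Full-control grant is involved.

```python
import re
from collections import defaultdict
from typing import Optional

# Directories where ownership/ACL changes by a user-level process are suspicious;
# files here are normally owned by TrustedInstaller.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Boot-critical binaries seen as takeown/icacls targets in this report.
BOOT_CRITICAL = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "lsass.exe",
    "services.exe", "svchost.exe", "logonui.exe", "ntoskrnl.exe",
    "winload.exe", "winload.efi",
}

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')            # quoted string or bare word
_INHERIT_RE = re.compile(r"\((?:OI|CI|IO|NP|I)\)", re.I)  # icacls inheritance flags

# Constructed sample events (image + command line), modelled on the report's
# process list; PIDs and the two benign events are assumptions for the demo.
SAMPLE_EVENTS = [
    {"pid": 4412, "ppid": 720, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe'
                r' && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit'},
    {"pid": 4420, "ppid": 4412, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\csrss.exe"},
    {"pid": 4428, "ppid": 4412, "image": r"C:\Windows\SysWOW64\takeown.exe",
     "cmdline": r"takeown /f C:\Windows\System32\drivers\afunix.sys"},
    {"pid": 4436, "ppid": 4412, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmdline": r'icacls C:\Windows\System32\svchost.exe /grant "Admin:F"'},
    {"pid": 5000, "ppid": 1, "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r'icacls C:\Users\Admin\Projects /grant "Admin:F"'},   # benign: user folder
    {"pid": 5001, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\Admin\notes.txt"},              # benign: no ACL op
]


def _tokens(segment: str) -> list[str]:
    """Split a command segment into tokens, dropping surrounding double quotes."""
    return [t.strip('"') for t in _TOKEN_RE.findall(segment)]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _unwrap_cmd(tokens: list[str]) -> list[str]:
    """Strip a leading `cmd.exe /k` or `cmd.exe /c` wrapper so the real tool is first."""
    if tokens and _basename(tokens[0]) in ("cmd", "cmd.exe"):
        tokens = tokens[1:]
        if tokens and tokens[0].lower() in ("/k", "/c"):
            tokens = tokens[1:]
    return tokens


def extract_acl_ops(cmdline: str) -> list[dict]:
    """Return takeown/icacls operations in a command line, including those chained with &&."""
    ops = []
    for segment in cmdline.split("&&"):
        toks = _unwrap_cmd(_tokens(segment.strip()))
        if not toks:
            continue
        low = [t.lower() for t in toks]
        tool = _basename(toks[0]).removesuffix(".exe")
        if tool == "takeown" and "/f" in low and low.index("/f") + 1 < len(toks):
            ops.append({"tool": "takeown", "target": toks[low.index("/f") + 1],
                        "full_control": False})
        elif tool == "icacls" and len(toks) > 1:
            full = False
            g = next((i for i, t in enumerate(low) if t.startswith("/grant")), None)
            if g is not None and g + 1 < len(toks):
                # "Admin:F", "%username%:F", "user:(OI)(CI)F" -> rights letters only
                rights = _INHERIT_RE.sub("", toks[g + 1].split(":")[-1]).strip("()")
                full = "F" in rights.upper()
            ops.append({"tool": "icacls", "target": toks[1], "full_control": full})
    return ops


def classify_event(event: dict) -> Optional[dict]:
    """Alert when an event changes ownership or ACLs of a file under a protected directory."""
    hits = [op for op in extract_acl_ops(event["cmdline"])
            if op["target"].lower().startswith(PROTECTED_DIRS)]
    if not hits:
        return None
    crit = sorted({_basename(op["target"]) for op in hits} & BOOT_CRITICAL)
    severity = "high" if crit or any(op["full_control"] for op in hits) else "medium"
    return {"pid": event["pid"], "severity": severity,
            "targets": sorted({op["target"] for op in hits}), "boot_critical": crit}


def summarize(events: list[dict]) -> dict:
    """Aggregate alerts across events: which protected files were touched and by which PIDs."""
    alerts = [a for a in (classify_event(e) for e in events) if a]
    by_target = defaultdict(set)
    for a in alerts:
        for t in a["targets"]:
            by_target[t].add(a["pid"])
    return {
        "alerts": len(alerts),
        "high": sum(1 for a in alerts if a["severity"] == "high"),
        "targets": {t: sorted(p) for t, p in sorted(by_target.items())},
        "boot_critical": sorted({b for a in alerts for b in a["boot_critical"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Feed it Sysmon Event ID 1 or Security 4688 records with the same three fields and it produces the same summary. On a suspect host, the complementary check is the ownership of the listed files: a System32 binary whose owner is no longer NT SERVICE\TrustedInstaller (for example as shown by `Get-Acl` in PowerShell) has already had this step applied, even if the write that follows never happened.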

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 2.18.66.88:443 tcp
US 52.168.117.171:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
GB 92.123.128.171:443 r.bing.com tcp
N/A 127.0.0.1:50182 tcp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 44.237.149.213:443 shavar.prod.mozaws.net tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 34.107.243.93:443 push.services.mozilla.com tcp
N/A 127.0.0.1:50189 tcp

Files

memory/720-1-0x0000000074D20000-0x00000000754D1000-memory.dmp

memory/720-0-0x0000000000520000-0x000000000057C000-memory.dmp

memory/720-2-0x0000000005000000-0x0000000005092000-memory.dmp

memory/720-3-0x0000000005650000-0x0000000005BF6000-memory.dmp

memory/720-4-0x0000000004FF0000-0x0000000005000000-memory.dmp

C:\Users\Admin\Desktop\í◄■ř¬π╬ñÇåõ╧ń╚ñí¥ß▄Â8☺—♠◙♥¼õ4Æ▬ě╚9▐☻215♥╚◘☼ž™¢6²▬š♀☻○ńÿ♣↕ížœš£í☼ń╧♪♫■Âñ•▼åä╚▬ø•šń£Â♠¤∩♥åíß♀▲řφ√®▀☼¾Ÿ

MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

memory/720-309-0x0000000005640000-0x000000000564A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 19a8bcb40a17253313345edd2a0da1e7
SHA1 86fac74b5bbc59e910248caebd1176a48a46d72e
SHA256 b8024fbed11683ef4b53f5afac0ff691025b7eecca0f6a95737da1585558227e
SHA512 9f8780f49d30aad01b28189804329aeca6ad2b7ffb6be505d40bb1af7802bb62622f518cb1c43a5815bbbb46638f6c52aead3d68f14fa957d18157edb42e95c0

\??\pipe\LOCAL\crashpad_4124_OFXTAFGXSWYLCXWR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 96899614360333c9904499393c6e3d75
SHA1 bbfa17cf8df01c266323965735f00f0e9e04cd34
SHA256 486e4b4bb11f664c91c675e73cfeabe53b5009ae719459813be17814cd97e43c
SHA512 974735b40a9f92b40a37a698f7f333590f32ff45633c6e619500e74ec274bc20bf7dbc830b1685777b714d37a3ca103d741ee056f4ff45ef08c07b38a7895df7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 22629b5b3136d4435c3c36d37814aaaa
SHA1 503b96c2615d7c680f9b8c7845ad16c2fdf9a3f5
SHA256 1e03ce9661291ad0870a790eb795ec4ef7fb324890be4e4b786401357d904356
SHA512 046a0e56552f00c2cc1c5ac722446e7bceab1a1f1b8e59af9e6fab781ffc3669b696ea1eda08c61d9fa3db7d1cbd54afe05e0a489cf2d510e8baba4567791924

memory/720-332-0x0000000074D20000-0x00000000754D1000-memory.dmp

memory/720-339-0x0000000004FF0000-0x0000000005000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 173cc00bc454f97dfe5836fc7a85fec7
SHA1 44e50ee37ff51a550c2be12f61018bd76e4b77d4
SHA256 8b2b2234fb085a38dd92cad6b9e1473b84947a0dfe33f3e47a9e0b886611eab7
SHA512 d83603363a00e8d4f79486086a5ce5343e4e7735315f324f8bdb05a3063c31f6c8f44785076d4419e68cb79c7a6a1878cdf6c72944574835a131874ed68d769c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c9f9ef42efbe37d6dda484149f82efaa
SHA1 eb20a0a3a96cd90e79e86bcb75f5a62cc18fe50b
SHA256 8c663e9b0a9fbbb99455cc03bbea32238e3ed7867dec31ecf169bf89ebd52e6e
SHA512 64d07fe25fb17b58ac8274e05e1060d9881b88d1c4969c2e9ff193224064287fab4c969105311b782d6aa87bab5eb59720a3645b4387ad03ef7ec99a07ed5629

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\pending_pings\c6f53fee-8099-4b80-8699-3e90582bf637

MD5 22ba7188fb3b812aa01f0c4166a671cc
SHA1 e1b2d40884f9ee048bf1ac4e8da4fdb44b7e1775
SHA256 cc54ebfaf54f9cf4c6ac67c4ebfc87039e76b196b37b5d35624b7d3f0f19700b
SHA512 27ab13f8c0384d4f5d251e754803efa06fd0416af798ab1fad61d5ffd9e15848d8a62dfb2bab6c5fbde587cbc2ad103fb719317aab1fb8c09198edd407e4822d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\datareporting\glean\db\data.safe.bin

MD5 1d18f8dac16c3cc15bac22107c7d76be
SHA1 6cb6ea2291d29735a287b56c8caff3ee55f93002
SHA256 e7cd66f0381bc830726cb5928759fdbfbda6a583afa0389d8c631285eadcaf8b
SHA512 4e00d1c837c86afaa45f71a93130ee24f12c6956aae79b8bebd23632c249fa0f65a9d06694ed54035d424f1f8cb92b982d270af5b7c86478be0d3ca36d24e872

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\sessionstore.jsonlz4

MD5 78141ac98872fc6f2cdf6f006fcebf83
SHA1 c1a5be472e6ecf529c1806c5eb729445efbe23b2
SHA256 65602e5f654814fc987a3980e132188beea8a985fd886f92b349dd93eafba7c3
SHA512 345f45ed3bea0e741d939bd9ec9e2f412ee6b9b62f9c29f2e437620686cd0be23d52608b42a95aac4f2ee33f3c62f8481f5dd6f0f10148a11f0e91aea60997a8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\d8xutbrp.default-release\prefs-1.js

MD5 64835d24d580ba9acfc8597528b5042e
SHA1 1ffd11a17e6d8846be9706aac21a32697c4f1cf2
SHA256 2054fd9eae57ee7af6d87495843a49dbb31a34f472b9cdffef2f0bd6d98b200d
SHA512 f7c2a718d93f4b6a15d438d72d96953fe45993c1e55686bc2e9aa95a9dafb76baf084da891e875f531b0100a8c35aae3d82673897aff1d09f30eae235b95c5ac