Analysis
max time kernel: 375s
max time network: 332s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02-03-2024 22:03
Static task: static1
Behavioral task: behavioral1
Sample: Chernobyl.exe
Resource: win11-20240221-en
General
Target: Chernobyl.exe
Size: 343KB
MD5: d576e0520faa40435d5bdc66304205f9
SHA1: b99fce6ebd094e2cbc29e1ed4e47360781e86c47
SHA256: 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
SHA512: 6b60a287f3eefbf2c0f2b0f205e88c4ce5a5aad050f59ff5fd1bc8017322039963f51bdd72b0922ec08880ae5da17286c04418c44dd996f0fb7b585f376f4c98
SSDEEP: 6144:ab+co0222222222222222222222222222222222222222222222222222222222w:jjkyOZzv4TatsNqaJg
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: Chernobyl.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" | Chernobyl.exe
UAC bypass
Processes: Chernobyl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
Disables RegEdit via registry modification 1 IoCs
Processes: Chernobyl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Chernobyl.exe
Disables Task Manager via registry modification
Possible privilege escalation attempt 18 IoCs
Processes: takeown.exe, icacls.exe
  pid | process
  5024 | takeown.exe
  396 | takeown.exe
  1464 | takeown.exe
  1788 | takeown.exe
  5004 | takeown.exe
  3524 | takeown.exe
  3996 | takeown.exe
  4480 | takeown.exe
  4896 | takeown.exe
  3220 | takeown.exe
  2696 | icacls.exe
  2612 | icacls.exe
  2292 | takeown.exe
  2928 | takeown.exe
  2868 | icacls.exe
  1672 | icacls.exe
  4512 | takeown.exe
  4468 | takeown.exe
Modifies file permissions 1 TTPs 18 IoCs
Processes: icacls.exe, takeown.exe
  pid | process
  2612 | icacls.exe
  4480 | takeown.exe
  3524 | takeown.exe
  1788 | takeown.exe
  3220 | takeown.exe
  4896 | takeown.exe
  2292 | takeown.exe
  5024 | takeown.exe
  396 | takeown.exe
  2868 | icacls.exe
  2696 | icacls.exe
  4512 | takeown.exe
  5004 | takeown.exe
  4468 | takeown.exe
  3996 | takeown.exe
  1672 | icacls.exe
  2928 | takeown.exe
  1464 | takeown.exe
Checks whether UAC is enabled
Processes: Chernobyl.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
Modifies WinLogon 2 TTPs 2 IoCs
Processes: Chernobyl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | Chernobyl.exe
Drops file in System32 directory 1 IoCs
Processes: Chernobyl.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\kill.ico | Chernobyl.exe
Drops file in Windows directory 2 IoCs
Processes: Chernobyl.exe
  description | ioc | process
  File created | C:\Windows\cluttscape.exe | Chernobyl.exe
  File opened for modification | C:\Windows\cluttscape.exe | Chernobyl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: firefox.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 3 IoCs
Processes: MiniSearchHost.exe, Chernobyl.exe, firefox.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" | Chernobyl.exe
  Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: msedge.exe
  pid | process
  492 | msedge.exe
  492 | msedge.exe
  4516 | msedge.exe
  4516 | msedge.exe
  2668 | msedge.exe
  2668 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes: msedge.exe
  pid | process
  492 | msedge.exe
  492 | msedge.exe
  492 | msedge.exe
  492 | msedge.exe
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes: firefox.exe, Chernobyl.exe, takeown.exe
  description | pid | process
  Token: SeDebugPrivilege | 5068 | firefox.exe
  Token: SeDebugPrivilege | 5068 | firefox.exe
  Token: SeDebugPrivilege | 3144 | Chernobyl.exe
  Token: SeDebugPrivilege | 3144 | Chernobyl.exe
  Token: SeTakeOwnershipPrivilege | 4468 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2928 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3996 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 5024 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 396 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 4480 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3524 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1464 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 1788 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 4896 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 3220 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 4512 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 2292 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 5004 | takeown.exe
  Token: SeShutdownPrivilege | 3144 | Chernobyl.exe
Suspicious use of FindShellTrayWindow 30 IoCs
Processes: msedge.exe, firefox.exe
  pid | process
  492 | msedge.exe (26 entries)
  5068 | firefox.exe (4 entries)
Suspicious use of SendNotifyMessage 15 IoCs
Processes: msedge.exe, firefox.exe
  pid | process
  492 | msedge.exe (12 entries)
  5068 | firefox.exe (3 entries)
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: MiniSearchHost.exe, firefox.exe
  pid | process
  3836 | MiniSearchHost.exe
  5068 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: Chernobyl.exe, cmd.exe
  description | pid | process | target process
  PID 3144 wrote to memory of 1004 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 1424 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 3820 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 5112 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 2364 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 1004 wrote to memory of 892 | 1004 | cmd.exe | rundll32.exe (3 entries)
  PID 3144 wrote to memory of 1812 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 4612 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 1464 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 2644 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 4196 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 3144 wrote to memory of 5004 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 1424 wrote to memory of 680 | 1424 | cmd.exe | rundll32.exe (3 entries)
  PID 5112 wrote to memory of 3760 | 5112 | cmd.exe | rundll32.exe (3 entries)
  PID 2364 wrote to memory of 3524 | 2364 | cmd.exe | rundll32.exe (3 entries)
  PID 3144 wrote to memory of 3128 | 3144 | Chernobyl.exe | cmd.exe (3 entries)
  PID 4612 wrote to memory of 4480 | 4612 | cmd.exe | rundll32.exe (3 entries)
  PID 3820 wrote to memory of 768 | 3820 | cmd.exe | rundll32.exe (3 entries)
  PID 1812 wrote to memory of 4188 | 1812 | cmd.exe | rundll32.exe (3 entries)
  PID 1464 wrote to memory of 2944 | 1464 | cmd.exe | rundll32.exe (3 entries)
  PID 2644 wrote to memory of 5044 | 2644 | cmd.exe | rundll32.exe (3 entries)
  PID 4196 wrote to memory of 4796 | 4196 | cmd.exe | rundll32.exe (1 entry)
System policy modification 1 TTPs 3 IoCs
Processes: Chernobyl.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | Chernobyl.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Chernobyl.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; each entry gives the image path, its command line, its PID and the signatures it triggered; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
  PID: 3144
  - Modifies WinLogon for persistence
  - UAC bypass
  - Disables RegEdit via registry modification
  - Checks whether UAC is enabled
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1004
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 892
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1424
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 680
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 3820
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 768
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 5112
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 3760
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 2364
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 3524
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1812
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 4188
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 4612
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 4480
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 1464
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2944
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 2644
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 5044
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 4196
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 4796
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 5004
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2236
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
    PID: 3128
    C:\Windows\SysWOW64\rundll32.exe
      Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      PID: 2928
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
    PID: 1220
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\smss.exe
      PID: 4468
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
    PID: 4488
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\csrss.exe
      PID: 5024
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
    PID: 4492
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\wininit.exe
      PID: 3996
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
    PID: 1792
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\LogonUI.exe
      PID: 2928
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
    PID: 4120
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\lsass.exe
      PID: 396
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
    PID: 1452
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\services.exe
      PID: 3524
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
    PID: 2424
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\winlogon.exe
      PID: 4480
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
    PID: 1480
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\winload.efi
      PID: 1788
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
    PID: 3332
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\winload.exe
      PID: 1464
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
    PID: 660
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\ntoskrnl.exe
      PID: 3220
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
    PID: 3480
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\svchost.exe
      PID: 4896
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
      PID: 2868
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit
    PID: 2304
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers\afunix.sys
      PID: 4512
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"
      PID: 1672
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
    PID: 3128
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers\gm.dls
      PID: 5004
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
      PID: 2696
      - Possible privilege escalation attempt
      - Modifies file permissions
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
    PID: 2024
    C:\Windows\SysWOW64\takeown.exe
      Command line: takeown /f C:\Windows\System32\drivers\gmreadme.txt
      PID: 2292
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\icacls.exe
      Command line: icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
      PID: 2612
      - Possible privilege escalation attempt
      - Modifies file permissions

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 3836
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  PID: 492
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9119b3cb8,0x7ff9119b3cc8,0x7ff9119b3cd8
    PID: 3964
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
    PID: 4600
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    PID: 4516
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
    PID: 4024
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
    PID: 1360
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    PID: 4588
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
    PID: 4316
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
    PID: 2492
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
    PID: 2668
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3288

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1540

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  PID: 4528
  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 5068
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.0.347786694\2062407478" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfbbe9da-3400-4eb8-a522-fb0dd7169c0f} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 1900 149ed4d8558 gpu
      PID: 1400
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.1.538947283\812777722" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2271e683-bfde-4ace-ade1-e8b4e169fbfb} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2280 149e14e4d58 socket
      PID: 3580
      - Checks processor information in registry
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.2.2109894652\1464264661" -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 3172 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f0702c-4b0c-45d9-8b62-96faa965415a} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3252 149ed45ed58 tab
      PID: 648
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.3.545302048\397580022" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea672c5-64d3-4a64-bace-aa68cae9bf50} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2820 149e1462858 tab
      PID: 4316
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.4.135781728\1647966276" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0b18a1a-47ef-4341-a150-49bb54e421a5} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 4216 149f37dda58 tab
      PID: 5044
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.5.1518743565\1828414592" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5072 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f6188e6-c589-4748-ad63-e5b8c215b56c} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5088 149f4954658 tab
      PID: 2336
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.6.1218738732\2130217779" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba2cbc83-24b0-4295-8074-be589a8c4eaa} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5160 149f4b71158 tab
      PID: 2304
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.7.822328114\1804542312" -childID 6 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7f5e6e4-c803-4c9f-b82c-641e68706901} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5352 149f4b71a58 tab
      PID: 1360
    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.8.2111489437\443013592" -childID 7 -isForBrowser -prefsHandle 1624 -prefMapHandle 1640 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0561dcf-8c50-4de2-9f65-67a98efeeb51} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3440 149f60bb558 tab
      PID: 3540
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 2
Winlogon Helper DLL 2
Downloads
-
Filesize 152B
MD5 0e10a8550dceecf34b33a98b85d5fa0b
SHA1 357ed761cbff74e7f3f75cd15074b4f7f3bcdce0
SHA256 5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61
SHA512 fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a
-
Filesize 152B
MD5 3b1e59e67b947d63336fe9c8a1a5cebc
SHA1 5dc7146555c05d8eb1c9680b1b5c98537dd19b91
SHA256 7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263
SHA512 2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0
-
Filesize 5KB
MD5 638c4c56f9cdc590ae5ed62c1ffb3546
SHA1 daf02be74975ffb2bd7e1f0519d882daa1b7fccb
SHA256 055b8fec099f4756b698b8a20dbb672e196be0d28292a2449fff35dc94f6889b
SHA512 395072bd2b989cc4cf28912ef9346cb7fc36252c66ee895d8ccbfa8b6ab8d822e5898d71ec2053e30d093190c19a6ff8c43380ac48932f48e1c87cb871d29419
-
Filesize 5KB
MD5 c3b6ba2e415388ba6e5d9bfe53b3f806
SHA1 5ab26546d0962ccea7deaf61e408b4b5f91fd7ee
SHA256 ad381c03527352e8116e3866e3f3eb25c2ff9de2e7ada0768ba93a696a9a8a03
SHA512 6eec719255283ec81232394bf403233b2ef92ae2283634f34172e59bbc74a7b3b281d781de38acbc82d7c96645fbc4d6ad0a2d01a68968abc4ff213e01f6deb4
-
Filesize 11KB
MD5 86b1f0ac37252d1acc375a3e31bead4c
SHA1 5d1d7fcea50bcf3b7c7929f0fa899d47dd116789
SHA256 4539ed65c2fc46f1dba700544e6e3d32181036437ebe7977e76603485859dce7
SHA512 a30f7d057c5bb6de6f5d6ccecac8ab54be2bda87a0c20d30ca719116a37ea92f3268e557cec1997c87fbe73a07225b9ca2f64483eb18b56c45ff75431a5267eb
-
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize 10KB
MD5 05ce3f2822db3b2067aa653e518f4023
SHA1 26efe3d058a09a490cf8dab02286cf9b19dfe0cb
SHA256 d28c55630f6bc45bc55894086ffed92b9a1210d5a55a8b9cdf95af5961c18b4e
SHA512 b8bd71f9c3594c39d2e90fcbe6ab194bcff0536463535143c9072e6b5d007797881ad838286c2ad644f880c665bbb07e7535b2db50c6865e0d422f022bdae475
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 10KB
MD5 82678367fa4297a26727ccc84e0b2f60
SHA1 0c65ab90390566f7d2f5b4751b9027f6bac1d22a
SHA256 fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29
SHA512 e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize 10KB
MD5 28d32a16ce87d488acc7632092f7d566
SHA1 325dd247e49113dd987531ffe7ca26c22ce08c31
SHA256 ba6d4f09117c098bd27508a14d44822f13399ebe16d5d2539ad2844157fa4907
SHA512 8159021f9d0e28d370faddf7fa41aa9d4bdf7a1aee71779706e43c30486526a0636568d8f90c580da543f8393f546090f71f87382f99e3e0a2b227b04670af57
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\db\data.safe.bin
Filesize 2KB
MD5 e834f7889fe05055ad5e05bbf08473c7
SHA1 36e170ef95c5b8ed9436788ed4d48dc5c631d4d0
SHA256 1ebccc8f58d5929aa02fa9f39a74ffd53bada39b8801cc8cd17e80a637a1a2bf
SHA512 6e5caec61adc548162766e87b06578b97d152e093ada312d0eda1fb938be1455a206887bf5eb780353a3aa33ab8b62262c6ac4ccb5836e797ff13c6cd36e1c01
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\2010c100-bb7a-4db4-8d05-82a98c2d4446
Filesize 10KB
MD5 fbe36eb9cfbfdd3971c179d706cb792a
SHA1 1053a81bcfecb6f380e066b9e8495b2cf692f953
SHA256 6dfbd1047811b41c3707f8253d7d8e05410bd9566a3d37f29ea8aadf18baba42
SHA512 098fb058fc47b01e8cc942b4f98853b9cabaa828b66188ee525b6b18d8ab801f65f99b4b9cdf9083c71062a303f3a11176307d3b064b384b27a25a4432b56ab9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\9026a33c-0af5-4761-bbb5-3984e1f4b763
Filesize 746B
MD5 8324a4179593ff6fe6eb1d82e8f9c732
SHA1 2a90abd9e6cba934c0db47ae790fbc73dcc13947
SHA256 2ee4aacc66e522c39d2026451ab289ba8b94ff7d251c0aed4c54c94291296188
SHA512 2a182ea85761973ec90a12bd60d072227e38f658bb4ec36fb79d832d7204bf4a7b5051011ee34bfe6bd4a3fa6829809ad0a3c677f0876a820d0bf6e33e3c2bf2
-
Filesize 6KB
MD5 a80bb1c098c7cfe25a3c7715aaa54f25
SHA1 9730ddb28ca57f331db27c9833be1916d036f225
SHA256 2f345282834425abd4995c02d6957c8495dd6853b61ed1aab9209f28564a84e2
SHA512 7b23cffb764056fb74091f733a94c4f8e08af0e7d52bab4aafdcf581fd7beeb03638154cf9d26a81acbc743c54d0e832063036f2c4d88003e9d8911925e5c627
-
Filesize 6KB
MD5 4c703980a7c2c9230d9828ad80360c91
SHA1 8fdbdfe9f31ea3c2563678ef95a803b032b13b69
SHA256 ef1ed6eb604f4b4ad48d548b8bbfeaa6540e1ca613fbc641ee889d246aafc6ff
SHA512 e8be2ff1dbe8bb63bb187a9b9aafc6f4ffa67e9e36d4ca61a173c8062a7ae492d7cd160e9004f34c17eb8250f50089ccb0c4f526bdef1f10acde1e9ef6bc14e3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 5a24159e5d0ba5a01cebf63b5be9a9a6
SHA1 ebd152365478f55b651cf712ae168b2797aac270
SHA256 bf0da9d90af0c7a8879e0bf5af5ba883dc296b756b69285fd8f1b6f220efcccb
SHA512 7234fbaa3d7c4db460499d5f0cc5a3d7961045fc56e1e5e3e83df998a5c2849fdf5c8b10a728269baacb9f4252ef343274053fe42942f26d351b9cb213adf2e9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 3KB
MD5 534adf05e3389a2ef33647de3d329dd0
SHA1 f3d29efc3d16ab4b6bf0d8074e53bd6d697ae67c
SHA256 59162b4720a1cc4bd837f020e3d8d623a4bfb65eb4a354b628391fbca1ad237c
SHA512 b44c2b3390a2ef8926b87955660a1af585a6e7640cf037fb0032334dd24888a9b85fb77943f61913ac43142ee05bd6b710ba96ba6359c061da92a8f51d48697e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
Filesize 4KB
MD5 b6eaef0cddec58d987415e65845fe88a
SHA1 e16660c7b3dd184efd964fb2ec0fd829fb36bf29
SHA256 65e3459967d1506a2de1f078548d393a381592fc46a47a0debd59bd9202175d2
SHA512 8e2d28b88b3e7bce06017ab573245c4e201abed8b96c52792101f0095dd28d00a03cd070d16fdfdcf5371a70179926eb86ab29a250f2184b1e191cf057f85858
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore.jsonlz4
Filesize 5KB
MD5 b9547f2df4b69f6166d0a4a9b8988686
SHA1 7d9faee812cf23ab32344dae4db3d8e751a45f33
SHA256 286420c37c359493d336675b9c33a04b720a4a6789988ceb9a52967dc1b5f1a0
SHA512 143aba9884b6bf41175b7052e420b2fe41938cb21e8de40ab5e2e42ecf42248a361a098acd2f24b83b00a581dad7d0c5d3eab32cf75f5c0d8fe3592b36cafcd9
-
C:\Users\Admin\Desktop\¤≈£Çõœ♫ε9ø↑▀6↑6◘£◄◙◄◘—♪╤╥£ÿ▌♪½8↑♠╠○ÿ±¬ÿ○▲Σ¤╬œ■♣Ÿõ◙éß1▬™¥▐○č☻ÿ♣õφ▲☼å♥žž®▀ñ√█ěš¥µ∩1«☻♂óæ∩►╬9╠č■♦∞♪◄Ç◘9
Filesize 666B
MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e