Analysis Overview
SHA256
2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
Threat Level: Known bad
The file Chernobyl.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables Task Manager via registry modification
Possible privilege escalation attempt
Disables RegEdit via registry modification
Modifies file permissions
Modifies WinLogon
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
System policy modification
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 22:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 22:03
Reported
2024-03-02 22:33
Platform
win11-20240221-en
Max time kernel
375s
Max time network
332s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\kill.ico | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| File opened for modification | C:\Windows\cluttscape.exe | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe
"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9119b3cb8,0x7ff9119b3cc8,0x7ff9119b3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.0.347786694\2062407478" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfbbe9da-3400-4eb8-a522-fb0dd7169c0f} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 1900 149ed4d8558 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.1.538947283\812777722" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2271e683-bfde-4ace-ade1-e8b4e169fbfb} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2280 149e14e4d58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.2.2109894652\1464264661" -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 3172 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f0702c-4b0c-45d9-8b62-96faa965415a} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3252 149ed45ed58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.3.545302048\397580022" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea672c5-64d3-4a64-bace-aa68cae9bf50} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2820 149e1462858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.4.135781728\1647966276" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0b18a1a-47ef-4341-a150-49bb54e421a5} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 4216 149f37dda58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.5.1518743565\1828414592" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5072 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f6188e6-c589-4748-ad63-e5b8c215b56c} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5088 149f4954658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.6.1218738732\2130217779" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba2cbc83-24b0-4295-8074-be589a8c4eaa} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5160 149f4b71158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.7.822328114\1804542312" -childID 6 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7f5e6e4-c803-4c9f-b82c-641e68706901} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5352 149f4b71a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.8.2111489437\443013592" -childID 7 -isForBrowser -prefsHandle 1624 -prefMapHandle 1640 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0561dcf-8c50-4de2-9f65-67a98efeeb51} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3440 149f60bb558 tab
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\smss.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\csrss.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\LogonUI.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\wininit.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\lsass.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winlogon.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\services.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winload.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\winload.efi
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\svchost.exe
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\ntoskrnl.exe
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\svchost.exe /grant "Admin:F"
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers\gmreadme.txt
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers\afunix.sys
C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32\drivers\gm.dls
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"
C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 44.237.149.213:443 | shavar.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| N/A | 127.0.0.1:50173 | tcp | |
| N/A | 127.0.0.1:50181 | tcp | |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
Files
memory/3144-0-0x00000000008D0000-0x000000000092C000-memory.dmp
memory/3144-1-0x0000000074D10000-0x00000000754C1000-memory.dmp
memory/3144-2-0x0000000005370000-0x0000000005402000-memory.dmp
memory/3144-3-0x00000000059C0000-0x0000000005F66000-memory.dmp
memory/3144-4-0x0000000005730000-0x0000000005740000-memory.dmp
C:\Users\Admin\Desktop\¤≈£Çõœ♫ε9ø↑▀6↑6◘£◄◙◄◘—♪╤╥£ÿ▌♪½8↑♠╠○ÿ±¬ÿ○▲Σ¤╬œ■♣Ÿõ◙éß1▬™¥▐○č☻ÿ♣õφ▲☼å♥žž®▀ñ√█ěš¥µ∩1«☻♂óæ∩►╬9╠č■♦∞♪◄Ç◘9
| MD5 | 9e1e5883c74742a497cf5c272ccd2321 |
| SHA1 | 2cf33e34d08b8e17743a60352baffef4b6f02dee |
| SHA256 | ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a |
| SHA512 | f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 82678367fa4297a26727ccc84e0b2f60 |
| SHA1 | 0c65ab90390566f7d2f5b4751b9027f6bac1d22a |
| SHA256 | fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29 |
| SHA512 | e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 28d32a16ce87d488acc7632092f7d566 |
| SHA1 | 325dd247e49113dd987531ffe7ca26c22ce08c31 |
| SHA256 | ba6d4f09117c098bd27508a14d44822f13399ebe16d5d2539ad2844157fa4907 |
| SHA512 | 8159021f9d0e28d370faddf7fa41aa9d4bdf7a1aee71779706e43c30486526a0636568d8f90c580da543f8393f546090f71f87382f99e3e0a2b227b04670af57 |
memory/3144-329-0x0000000006670000-0x000000000667A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0e10a8550dceecf34b33a98b85d5fa0b |
| SHA1 | 357ed761cbff74e7f3f75cd15074b4f7f3bcdce0 |
| SHA256 | 5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61 |
| SHA512 | fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a |
\??\pipe\LOCAL\crashpad_492_TBJNJHVEJIUHCBRM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3b1e59e67b947d63336fe9c8a1a5cebc |
| SHA1 | 5dc7146555c05d8eb1c9680b1b5c98537dd19b91 |
| SHA256 | 7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263 |
| SHA512 | 2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c3b6ba2e415388ba6e5d9bfe53b3f806 |
| SHA1 | 5ab26546d0962ccea7deaf61e408b4b5f91fd7ee |
| SHA256 | ad381c03527352e8116e3866e3f3eb25c2ff9de2e7ada0768ba93a696a9a8a03 |
| SHA512 | 6eec719255283ec81232394bf403233b2ef92ae2283634f34172e59bbc74a7b3b281d781de38acbc82d7c96645fbc4d6ad0a2d01a68968abc4ff213e01f6deb4 |
memory/3144-360-0x0000000074D10000-0x00000000754C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 86b1f0ac37252d1acc375a3e31bead4c |
| SHA1 | 5d1d7fcea50bcf3b7c7929f0fa899d47dd116789 |
| SHA256 | 4539ed65c2fc46f1dba700544e6e3d32181036437ebe7977e76603485859dce7 |
| SHA512 | a30f7d057c5bb6de6f5d6ccecac8ab54be2bda87a0c20d30ca719116a37ea92f3268e557cec1997c87fbe73a07225b9ca2f64483eb18b56c45ff75431a5267eb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 638c4c56f9cdc590ae5ed62c1ffb3546 |
| SHA1 | daf02be74975ffb2bd7e1f0519d882daa1b7fccb |
| SHA256 | 055b8fec099f4756b698b8a20dbb672e196be0d28292a2449fff35dc94f6889b |
| SHA512 | 395072bd2b989cc4cf28912ef9346cb7fc36252c66ee895d8ccbfa8b6ab8d822e5898d71ec2053e30d093190c19a6ff8c43380ac48932f48e1c87cb871d29419 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/3144-427-0x0000000005730000-0x0000000005740000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\9026a33c-0af5-4761-bbb5-3984e1f4b763
| MD5 | 8324a4179593ff6fe6eb1d82e8f9c732 |
| SHA1 | 2a90abd9e6cba934c0db47ae790fbc73dcc13947 |
| SHA256 | 2ee4aacc66e522c39d2026451ab289ba8b94ff7d251c0aed4c54c94291296188 |
| SHA512 | 2a182ea85761973ec90a12bd60d072227e38f658bb4ec36fb79d832d7204bf4a7b5051011ee34bfe6bd4a3fa6829809ad0a3c677f0876a820d0bf6e33e3c2bf2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\2010c100-bb7a-4db4-8d05-82a98c2d4446
| MD5 | fbe36eb9cfbfdd3971c179d706cb792a |
| SHA1 | 1053a81bcfecb6f380e066b9e8495b2cf692f953 |
| SHA256 | 6dfbd1047811b41c3707f8253d7d8e05410bd9566a3d37f29ea8aadf18baba42 |
| SHA512 | 098fb058fc47b01e8cc942b4f98853b9cabaa828b66188ee525b6b18d8ab801f65f99b4b9cdf9083c71062a303f3a11176307d3b064b384b27a25a4432b56ab9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\db\data.safe.bin
| MD5 | e834f7889fe05055ad5e05bbf08473c7 |
| SHA1 | 36e170ef95c5b8ed9436788ed4d48dc5c631d4d0 |
| SHA256 | 1ebccc8f58d5929aa02fa9f39a74ffd53bada39b8801cc8cd17e80a637a1a2bf |
| SHA512 | 6e5caec61adc548162766e87b06578b97d152e093ada312d0eda1fb938be1455a206887bf5eb780353a3aa33ab8b62262c6ac4ccb5836e797ff13c6cd36e1c01 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js
| MD5 | 4c703980a7c2c9230d9828ad80360c91 |
| SHA1 | 8fdbdfe9f31ea3c2563678ef95a803b032b13b69 |
| SHA256 | ef1ed6eb604f4b4ad48d548b8bbfeaa6540e1ca613fbc641ee889d246aafc6ff |
| SHA512 | e8be2ff1dbe8bb63bb187a9b9aafc6f4ffa67e9e36d4ca61a173c8062a7ae492d7cd160e9004f34c17eb8250f50089ccb0c4f526bdef1f10acde1e9ef6bc14e3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 534adf05e3389a2ef33647de3d329dd0 |
| SHA1 | f3d29efc3d16ab4b6bf0d8074e53bd6d697ae67c |
| SHA256 | 59162b4720a1cc4bd837f020e3d8d623a4bfb65eb4a354b628391fbca1ad237c |
| SHA512 | b44c2b3390a2ef8926b87955660a1af585a6e7640cf037fb0032334dd24888a9b85fb77943f61913ac43142ee05bd6b710ba96ba6359c061da92a8f51d48697e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 5a24159e5d0ba5a01cebf63b5be9a9a6 |
| SHA1 | ebd152365478f55b651cf712ae168b2797aac270 |
| SHA256 | bf0da9d90af0c7a8879e0bf5af5ba883dc296b756b69285fd8f1b6f220efcccb |
| SHA512 | 7234fbaa3d7c4db460499d5f0cc5a3d7961045fc56e1e5e3e83df998a5c2849fdf5c8b10a728269baacb9f4252ef343274053fe42942f26d351b9cb213adf2e9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js
| MD5 | a80bb1c098c7cfe25a3c7715aaa54f25 |
| SHA1 | 9730ddb28ca57f331db27c9833be1916d036f225 |
| SHA256 | 2f345282834425abd4995c02d6957c8495dd6853b61ed1aab9209f28564a84e2 |
| SHA512 | 7b23cffb764056fb74091f733a94c4f8e08af0e7d52bab4aafdcf581fd7beeb03638154cf9d26a81acbc743c54d0e832063036f2c4d88003e9d8911925e5c627 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0zk78kq5.default-release\cache2\doomed\13867
| MD5 | 05ce3f2822db3b2067aa653e518f4023 |
| SHA1 | 26efe3d058a09a490cf8dab02286cf9b19dfe0cb |
| SHA256 | d28c55630f6bc45bc55894086ffed92b9a1210d5a55a8b9cdf95af5961c18b4e |
| SHA512 | b8bd71f9c3594c39d2e90fcbe6ab194bcff0536463535143c9072e6b5d007797881ad838286c2ad644f880c665bbb07e7535b2db50c6865e0d422f022bdae475 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | b6eaef0cddec58d987415e65845fe88a |
| SHA1 | e16660c7b3dd184efd964fb2ec0fd829fb36bf29 |
| SHA256 | 65e3459967d1506a2de1f078548d393a381592fc46a47a0debd59bd9202175d2 |
| SHA512 | 8e2d28b88b3e7bce06017ab573245c4e201abed8b96c52792101f0095dd28d00a03cd070d16fdfdcf5371a70179926eb86ab29a250f2184b1e191cf057f85858 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore.jsonlz4
| MD5 | b9547f2df4b69f6166d0a4a9b8988686 |
| SHA1 | 7d9faee812cf23ab32344dae4db3d8e751a45f33 |
| SHA256 | 286420c37c359493d336675b9c33a04b720a4a6789988ceb9a52967dc1b5f1a0 |
| SHA512 | 143aba9884b6bf41175b7052e420b2fe41938cb21e8de40ab5e2e42ecf42248a361a098acd2f24b83b00a581dad7d0c5d3eab32cf75f5c0d8fe3592b36cafcd9 |