Malware Analysis Report

2024-11-16 12:44

Sample ID 240302-1yhjnshh2x
Target Chernobyl.exe
SHA256 2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6
Tags
discovery evasion exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b6266f14d2ed46e921168fd2b4a5510f40c69cd591800d17ae8ca31fcde28c6

Threat Level: Known bad

The file Chernobyl.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion exploit persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables Task Manager via registry modification

Possible privilege escalation attempt

Disables RegEdit via registry modification

Modifies file permissions

Modifies WinLogon

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks processor information in registry

System policy modification

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-02 22:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-02 22:03

Reported

2024-03-02 22:33

Platform

win11-20240221-en

Max time kernel

375s

Max time network

332s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Disables Task Manager via registry modification

evasion

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\kill.ico C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
File opened for modification C:\Windows\cluttscape.exe C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege (2 events) N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege (2 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Token: SeTakeOwnershipPrivilege (14 events) N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (26 identical events)
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A (4 identical events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3144 wrote to memory of 1004 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 1424 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 3820 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 5112 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 2364 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 892 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3144 wrote to memory of 1812 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4612 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 1464 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 2644 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 4196 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 3144 wrote to memory of 5004 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 680 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 5112 wrote to memory of 3760 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2364 wrote to memory of 3524 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3144 wrote to memory of 3128 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4480 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3820 wrote to memory of 768 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 4188 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1464 wrote to memory of 2944 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2644 wrote to memory of 5044 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4196 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe N/A
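The registry writes listed in the signature tables above (Winlogon Shell, AutoRestartShell, DisableCAD, EnableLUA, DisableRegistryTools, shutdownwithoutlogon, UseDefaultTile, the Unknown\DefaultIcon default value), run through a small triage routine. This is an added example and not part of the sandbox report or of the sample; the event strings are transcribed from the rows above, while the baseline, the severities and the helper names (parse_set_value, evaluate, triage) are this example's own choices. The DisableTaskMgr rule uses the standard policy value name because the "Disables Task Manager" signature above prints no indicator row. Two details the tables show but do not spell out are carried into the findings: the Winlogon writes are recorded under WOW6432Node, meaning the 32-bit sample's HKLM\SOFTWARE writes were redirected to the 32-bit view (the Policies\System writes were not, since that key is shared between both views), and on 64-bit Windows the native winlogon.exe reads the 64-bit view, so a responder should check both views before treating the cluttscape.exe Shell entry as live; and EnableLUA = 0 only takes effect after the next reboot.

```python
"""Triage the sandbox's registry 'Set value' indicators against a baseline.

Added example, not part of the sandbox report or the sample. The event strings
are transcribed from the report's signature tables; the baseline, severities
and the helper names (parse_set_value, evaluate, triage) are this example's own.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SANDBOX_EVENTS = [  # transcribed from the report's indicator rows
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, cluttscape.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Unknown\DefaultIcon\ = "C:\\Windows\\SysWow64\\kill.ico"',
]

EVENT_RE = re.compile(r'^Set value \((?:str|int)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)"$')
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
POL_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
POL_EXPLORER = r"software\microsoft\windows\currentversion\policies\explorer"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class RegEvent:
    key: str     # lower-case, hive as hklm/hku, WOW6432Node stripped
    name: str    # value name; "(default)" for the key's default value
    data: str
    wow64: bool  # True if the write landed in the 32-bit (WOW6432Node) view


@dataclass
class Finding:
    severity: str
    rule: str
    event: RegEvent
    note: str


def parse_set_value(line: str) -> RegEvent:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError(f"not a Set value indicator: {line!r}")
    key, _, name = m.group("path").rpartition("\\")   # trailing '\' means the default value
    wow64 = "\\wow6432node\\" in key.lower()
    key = re.sub(r"\\WOW6432Node", "", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\MACHINE", "hklm", key, flags=re.I)
    key = re.sub(r"^\\REGISTRY\\USER", "hku", key, flags=re.I)
    return RegEvent(key.lower(), name.lower() or "(default)", m.group("data"), wow64)


def evaluate(ev: RegEvent) -> Finding | None:
    k, n, d = ev.key, ev.name, ev.data
    if k == WINLOGON:
        if n == "shell":
            extra = [p.strip() for p in d.split(",") if p.strip().lower() != "explorer.exe"]
            if extra:
                view = ("32-bit view only; the native 64-bit winlogon.exe reads the other view, "
                        "so verify both before treating it as live" if ev.wow64 else "native view")
                return Finding("high", "winlogon-shell", ev, f"extra shell entries {extra}; {view}")
        if n == "autorestartshell" and d == "0":
            return Finding("medium", "winlogon-autorestartshell", ev, "shell is no longer restarted if it exits")
        if n == "disablecad" and d == "1":
            return Finding("low", "winlogon-disablecad", ev, "Ctrl+Alt+Del no longer required at logon")
    if k.endswith(POL_SYSTEM):
        if n == "enablelua" and d == "0":
            return Finding("high", "uac-disabled", ev, "UAC is disabled for every user after the next reboot")
        # DisableTaskMgr is the standard policy value name; the report prints no indicator row for it
        if n in ("disableregistrytools", "disabletaskmgr") and d == "1":
            return Finding("medium", f"policy-{n}", ev, "user-facing inspection tool blocked by policy")
        if n == "shutdownwithoutlogon" and d == "0":
            return Finding("low", "policy-shutdownwithoutlogon", ev, "shutdown removed from the logon screen")
    if k.endswith(POL_EXPLORER) and n == "usedefaulttile" and d == "1":
        return Finding("low", "policy-usedefaulttile", ev, "account picture forced to the default tile")
    if k.endswith(r"\classes\unknown\defaulticon") and n == "(default)":
        return Finding("low", "shell-icon-tamper", ev, f"icon for unknown file types now {d}")
    return None


def triage(lines: list[str]) -> list[Finding]:
    """Parse every indicator line and return findings, most severe first."""
    findings = [f for f in (evaluate(parse_set_value(l)) for l in lines) if f is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SANDBOX_EVENTS):
        print(f"{f.severity:6} {f.rule:28} {f.event.key}\\{f.event.name} = {f.event.data!r}  {f.note}")
```

Run stand-alone it prints the two high findings (the Shell entry and EnableLUA) first. The same evaluate() rules can be fed from a live host by enumerating both registry views, which is the check the WOW6432Node note asks for.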

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe

"C:\Users\Admin\AppData\Local\Temp\Chernobyl.exe"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k start RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters && exit

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\SysWOW64\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9119b3cb8,0x7ff9119b3cc8,0x7ff9119b3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,8915595078094201140,9061057010679452856,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.0.347786694\2062407478" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfbbe9da-3400-4eb8-a522-fb0dd7169c0f} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 1900 149ed4d8558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.1.538947283\812777722" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2271e683-bfde-4ace-ade1-e8b4e169fbfb} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2280 149e14e4d58 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.2.2109894652\1464264661" -childID 1 -isForBrowser -prefsHandle 2828 -prefMapHandle 3172 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6f0702c-4b0c-45d9-8b62-96faa965415a} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3252 149ed45ed58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.3.545302048\397580022" -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3604 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ea672c5-64d3-4a64-bace-aa68cae9bf50} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 2820 149e1462858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.4.135781728\1647966276" -childID 3 -isForBrowser -prefsHandle 4244 -prefMapHandle 4240 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0b18a1a-47ef-4341-a150-49bb54e421a5} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 4216 149f37dda58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.5.1518743565\1828414592" -childID 4 -isForBrowser -prefsHandle 5076 -prefMapHandle 5072 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f6188e6-c589-4748-ad63-e5b8c215b56c} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5088 149f4954658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.6.1218738732\2130217779" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba2cbc83-24b0-4295-8074-be589a8c4eaa} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5160 149f4b71158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.7.822328114\1804542312" -childID 6 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7f5e6e4-c803-4c9f-b82c-641e68706901} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 5352 149f4b71a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5068.8.2111489437\443013592" -childID 7 -isForBrowser -prefsHandle 1624 -prefMapHandle 1640 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0561dcf-8c50-4de2-9f65-67a98efeeb51} 5068 "\\.\pipe\gecko-crash-server-pipe.5068" 3440 149f60bb558 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\smss.exe && icacls C:\Windows\System32\smss.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\csrss.exe && icacls C:\Windows\System32\csrss.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\wininit.exe && icacls C:\Windows\System32\wininit.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\LogonUI.exe && icacls C:\Windows\System32\LogonUI.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\lsass.exe && icacls C:\Windows\System32\lsass.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\services.exe && icacls C:\Windows\System32\services.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\smss.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\csrss.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winlogon.exe && icacls C:\Windows\System32\winlogon.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\LogonUI.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\wininit.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.efi && icacls C:\Windows\System32\winload.efi /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\winload.exe && icacls C:\Windows\System32\winload.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\ntoskrnl.exe && icacls C:\Windows\System32\ntoskrnl.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\svchost.exe && icacls C:\Windows\System32\svchost.exe /grant "%username%:F" && exit

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\afunix.sys && icacls C:\Windows\System32\drivers\afunix.sys /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\lsass.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gm.dls && icacls C:\Windows\System32\drivers\gm.dls /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winlogon.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32\drivers\gmreadme.txt && icacls C:\Windows\System32\drivers\gmreadme.txt /grant "%username%:F" && exit

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\services.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winload.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\winload.efi

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\svchost.exe

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\ntoskrnl.exe

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\svchost.exe /grant "Admin:F"

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\gmreadme.txt

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\afunix.sys

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\Windows\System32\drivers\gm.dls

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\gm.dls /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\gmreadme.txt /grant "Admin:F"

C:\Windows\SysWOW64\icacls.exe

icacls C:\Windows\System32\drivers\afunix.sys /grant "Admin:F"

Network

Country  Destination           Domain                                                     Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa                                       udp
US       34.117.237.239:443    contile.services.mozilla.com                               tcp
US       8.8.8.8:53            push.services.mozilla.com                                  udp
US       34.160.144.191:443    prod.content-signature-chains.prod.webservices.mozgcp.net  tcp
US       8.8.8.8:53            firefox.settings.services.mozilla.com                      udp
US       44.237.149.213:443    shavar.prod.mozaws.net                                     tcp
US       34.149.100.209:443    firefox.settings.services.mozilla.com                      tcp
US       34.107.243.93:443     autopush.prod.mozaws.net                                   tcp
N/A      127.0.0.1:50173       N/A                                                        tcp
N/A      127.0.0.1:50181       N/A                                                        tcp
GB       172.217.16.228:443    www.google.com                                             tcp
GB       172.217.16.228:443    www.google.com                                             udp
US       34.149.100.209:443    firefox.settings.services.mozilla.com                      tcp

Files

memory/3144-0-0x00000000008D0000-0x000000000092C000-memory.dmp

memory/3144-1-0x0000000074D10000-0x00000000754C1000-memory.dmp

memory/3144-2-0x0000000005370000-0x0000000005402000-memory.dmp

memory/3144-3-0x00000000059C0000-0x0000000005F66000-memory.dmp

memory/3144-4-0x0000000005730000-0x0000000005740000-memory.dmp

C:\Users\Admin\Desktop\¤≈£Çõœ♫ε9ø↑▀6↑6◘£◄◙◄◘—♪╤╥£ÿ▌♪½8↑♠╠○ÿ±¬ÿ○▲Σ¤╬œ■♣Ÿõ◙éß1▬™¥▐○č☻ÿ♣õφ▲☼å♥žž®▀ñ√█ěš¥µ∩1«☻♂óæ∩►╬9╠č■♦∞♪◄Ç◘9

MD5 9e1e5883c74742a497cf5c272ccd2321
SHA1 2cf33e34d08b8e17743a60352baffef4b6f02dee
SHA256 ca687b6a7c3d29b566f3e1988b9f877b51d9a83ee25ffe0755a8dcd3eb5f434a
SHA512 f2284f0c624cc07a65c16f87865bb98aaa176b1d8b45cd4fbcc1143c9c2297fe6b1d4db55ef054be2bc151c8cc25ff4da7c997b7d38dae3dccd2ffe1c3c01a6b

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 82678367fa4297a26727ccc84e0b2f60
SHA1 0c65ab90390566f7d2f5b4751b9027f6bac1d22a
SHA256 fbf7356b28e05edc871dda40b318b147e6d07ece028da3d67c3cfbd30bfa0f29
SHA512 e5474444eecac25a06fe26a22dce9aa9311740dca264de1c824a36a7bc55216f301e934667fe0b9c3c7b062694f8a37e45ecce6b3889cb33bb47ecb9bd198db5

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 28d32a16ce87d488acc7632092f7d566
SHA1 325dd247e49113dd987531ffe7ca26c22ce08c31
SHA256 ba6d4f09117c098bd27508a14d44822f13399ebe16d5d2539ad2844157fa4907
SHA512 8159021f9d0e28d370faddf7fa41aa9d4bdf7a1aee71779706e43c30486526a0636568d8f90c580da543f8393f546090f71f87382f99e3e0a2b227b04670af57

memory/3144-329-0x0000000006670000-0x000000000667A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0e10a8550dceecf34b33a98b85d5fa0b
SHA1 357ed761cbff74e7f3f75cd15074b4f7f3bcdce0
SHA256 5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61
SHA512 fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

\??\pipe\LOCAL\crashpad_492_TBJNJHVEJIUHCBRM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3b1e59e67b947d63336fe9c8a1a5cebc
SHA1 5dc7146555c05d8eb1c9680b1b5c98537dd19b91
SHA256 7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263
SHA512 2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c3b6ba2e415388ba6e5d9bfe53b3f806
SHA1 5ab26546d0962ccea7deaf61e408b4b5f91fd7ee
SHA256 ad381c03527352e8116e3866e3f3eb25c2ff9de2e7ada0768ba93a696a9a8a03
SHA512 6eec719255283ec81232394bf403233b2ef92ae2283634f34172e59bbc74a7b3b281d781de38acbc82d7c96645fbc4d6ad0a2d01a68968abc4ff213e01f6deb4

memory/3144-360-0x0000000074D10000-0x00000000754C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 86b1f0ac37252d1acc375a3e31bead4c
SHA1 5d1d7fcea50bcf3b7c7929f0fa899d47dd116789
SHA256 4539ed65c2fc46f1dba700544e6e3d32181036437ebe7977e76603485859dce7
SHA512 a30f7d057c5bb6de6f5d6ccecac8ab54be2bda87a0c20d30ca719116a37ea92f3268e557cec1997c87fbe73a07225b9ca2f64483eb18b56c45ff75431a5267eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 638c4c56f9cdc590ae5ed62c1ffb3546
SHA1 daf02be74975ffb2bd7e1f0519d882daa1b7fccb
SHA256 055b8fec099f4756b698b8a20dbb672e196be0d28292a2449fff35dc94f6889b
SHA512 395072bd2b989cc4cf28912ef9346cb7fc36252c66ee895d8ccbfa8b6ab8d822e5898d71ec2053e30d093190c19a6ff8c43380ac48932f48e1c87cb871d29419

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/3144-427-0x0000000005730000-0x0000000005740000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\9026a33c-0af5-4761-bbb5-3984e1f4b763

MD5 8324a4179593ff6fe6eb1d82e8f9c732
SHA1 2a90abd9e6cba934c0db47ae790fbc73dcc13947
SHA256 2ee4aacc66e522c39d2026451ab289ba8b94ff7d251c0aed4c54c94291296188
SHA512 2a182ea85761973ec90a12bd60d072227e38f658bb4ec36fb79d832d7204bf4a7b5051011ee34bfe6bd4a3fa6829809ad0a3c677f0876a820d0bf6e33e3c2bf2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\pending_pings\2010c100-bb7a-4db4-8d05-82a98c2d4446

MD5 fbe36eb9cfbfdd3971c179d706cb792a
SHA1 1053a81bcfecb6f380e066b9e8495b2cf692f953
SHA256 6dfbd1047811b41c3707f8253d7d8e05410bd9566a3d37f29ea8aadf18baba42
SHA512 098fb058fc47b01e8cc942b4f98853b9cabaa828b66188ee525b6b18d8ab801f65f99b4b9cdf9083c71062a303f3a11176307d3b064b384b27a25a4432b56ab9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\datareporting\glean\db\data.safe.bin

MD5 e834f7889fe05055ad5e05bbf08473c7
SHA1 36e170ef95c5b8ed9436788ed4d48dc5c631d4d0
SHA256 1ebccc8f58d5929aa02fa9f39a74ffd53bada39b8801cc8cd17e80a637a1a2bf
SHA512 6e5caec61adc548162766e87b06578b97d152e093ada312d0eda1fb938be1455a206887bf5eb780353a3aa33ab8b62262c6ac4ccb5836e797ff13c6cd36e1c01

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js

MD5 4c703980a7c2c9230d9828ad80360c91
SHA1 8fdbdfe9f31ea3c2563678ef95a803b032b13b69
SHA256 ef1ed6eb604f4b4ad48d548b8bbfeaa6540e1ca613fbc641ee889d246aafc6ff
SHA512 e8be2ff1dbe8bb63bb187a9b9aafc6f4ffa67e9e36d4ca61a173c8062a7ae492d7cd160e9004f34c17eb8250f50089ccb0c4f526bdef1f10acde1e9ef6bc14e3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 534adf05e3389a2ef33647de3d329dd0
SHA1 f3d29efc3d16ab4b6bf0d8074e53bd6d697ae67c
SHA256 59162b4720a1cc4bd837f020e3d8d623a4bfb65eb4a354b628391fbca1ad237c
SHA512 b44c2b3390a2ef8926b87955660a1af585a6e7640cf037fb0032334dd24888a9b85fb77943f61913ac43142ee05bd6b710ba96ba6359c061da92a8f51d48697e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 5a24159e5d0ba5a01cebf63b5be9a9a6
SHA1 ebd152365478f55b651cf712ae168b2797aac270
SHA256 bf0da9d90af0c7a8879e0bf5af5ba883dc296b756b69285fd8f1b6f220efcccb
SHA512 7234fbaa3d7c4db460499d5f0cc5a3d7961045fc56e1e5e3e83df998a5c2849fdf5c8b10a728269baacb9f4252ef343274053fe42942f26d351b9cb213adf2e9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\prefs-1.js

MD5 a80bb1c098c7cfe25a3c7715aaa54f25
SHA1 9730ddb28ca57f331db27c9833be1916d036f225
SHA256 2f345282834425abd4995c02d6957c8495dd6853b61ed1aab9209f28564a84e2
SHA512 7b23cffb764056fb74091f733a94c4f8e08af0e7d52bab4aafdcf581fd7beeb03638154cf9d26a81acbc743c54d0e832063036f2c4d88003e9d8911925e5c627

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\0zk78kq5.default-release\cache2\doomed\13867

MD5 05ce3f2822db3b2067aa653e518f4023
SHA1 26efe3d058a09a490cf8dab02286cf9b19dfe0cb
SHA256 d28c55630f6bc45bc55894086ffed92b9a1210d5a55a8b9cdf95af5961c18b4e
SHA512 b8bd71f9c3594c39d2e90fcbe6ab194bcff0536463535143c9072e6b5d007797881ad838286c2ad644f880c665bbb07e7535b2db50c6865e0d422f022bdae475

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 b6eaef0cddec58d987415e65845fe88a
SHA1 e16660c7b3dd184efd964fb2ec0fd829fb36bf29
SHA256 65e3459967d1506a2de1f078548d393a381592fc46a47a0debd59bd9202175d2
SHA512 8e2d28b88b3e7bce06017ab573245c4e201abed8b96c52792101f0095dd28d00a03cd070d16fdfdcf5371a70179926eb86ab29a250f2184b1e191cf057f85858

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\0zk78kq5.default-release\sessionstore.jsonlz4

MD5 b9547f2df4b69f6166d0a4a9b8988686
SHA1 7d9faee812cf23ab32344dae4db3d8e751a45f33
SHA256 286420c37c359493d336675b9c33a04b720a4a6789988ceb9a52967dc1b5f1a0
SHA512 143aba9884b6bf41175b7052e420b2fe41938cb21e8de40ab5e2e42ecf42248a361a098acd2f24b83b00a581dad7d0c5d3eab32cf75f5c0d8fe3592b36cafcd9