53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92

Resubmissions

24-06-2023 18:32

230624-w6wdaaca62 10

24-06-2023 18:23

230624-w1la5adb3t 10

Analysis

max time kernel
737s
max time network
713s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
24-06-2023 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe
Size

3.9MB
MD5

0f960403760090619b597c4ffd500b66
SHA1

7b3fcd7f5e759d0cfb81ac6b8a4061e49a63596f
SHA256

53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92
SHA512

bdb2be2d0cbbd8d25e0041fd3f931b06bceb1f9801328d3f4c48a368517684c2d366925564bb1a8365b0677c8ffc55660a37d6816dddf735c0509bb0e6923d82
SSDEEP

49152:eC/pVUOajTbpPHiHvVEgHztu+thX44ifGJtSqeQLgza6BDm5TN+IMUu9+d1cL+N:xBuh18VzArOSqeDalc6dF

Score

8^/10

microsoft persistence phishing

Malware Config

Signatures

Drops file in Drivers directory 5 IoCs

Processes:

procexp64.exeProcmon64.exeProcmon64.exe

description	ioc	process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe
File opened for modification	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File created	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File opened for modification	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File created	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

procexp64.exeProcmon64.exeProcmon64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS"	Procmon64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCMON24\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCMON24.SYS"	Procmon64.exe

Executes dropped EXE 1 IoCs

Processes:

Procmon64.exe

pid process

5064 Procmon64.exe
Loads dropped DLL 1 IoCs

Processes:

53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe

pid process

2264 53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows\CurrentVersion\Run chrome.exe

pid	process
5064	Procmon64.exe

pid	process
2264	53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

procexp64.exe

description	ioc	process
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exeprocexp64.exetcpview.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	tcpview.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tcpview.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133321052095254416"	chrome.exe

Modifies registry class 64 IoCs

Processes:

Procmon64.exefirefox.exeProcmon.exeProcmon64.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\.PML	Procmon64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1	Procmon64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Procmon.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon64.exe\",0"	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon.exe\",0"	Procmon64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\.PML	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\shell\open\command	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon.exe\" /OpenLog \"%1\""	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File"	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\SysinternalsSuite\\Procmon64.exe\" /OpenLog \"%1\""	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\DefaultIcon	Procmon64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0 = 5000310000000000d856919410004c6f63616c003c0009000400efbed556d533d85691942e000000ba520100000001000000000000000000000000000000c4dea7004c006f00630061006c00000014000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0\0\MRUListEx = ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\DefaultIcon	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\shell	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\ProcMon.Logfile.1\shell\open\command	Procmon64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1 = 5600310000000000d556d53312004170704461746100400009000400efbed556d533d556d5332e000000a7520100000001000000000000000000000000000000084492004100700070004400610074006100000016000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0\0 = 4e00310000000000d856f194100054656d7000003a0009000400efbed556d533d856f1942e000000bb52010000000100000000000000000000000000000023879800540065006d007000000014000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1032500962-593345068-3128969974-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\1\0\0\NodeSlot = "6"	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exeprocexp64.exetcpview.exe

pid	process
3716	chrome.exe
3716	chrome.exe
5088	chrome.exe
5088	chrome.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
3352	tcpview.exe
3352	tcpview.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tcpview.exe

pid process

3352 tcpview.exe
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

procexp64.exeProcmon64.exeProcmon64.exe

pid process

2300 procexp64.exe
4060 Procmon64.exe
5064 Procmon64.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

3716 chrome.exe
3716 chrome.exe
3716 chrome.exe
3716 chrome.exe
3716 chrome.exe
3716 chrome.exe
3716 chrome.exe
3716 chrome.exe
3716 chrome.exe

pid	process
3352	tcpview.exe

pid	process
2300	procexp64.exe
4060	Procmon64.exe
5064	Procmon64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe
Token: SeShutdownPrivilege	3716	chrome.exe
Token: SeCreatePagefilePrivilege	3716	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeprocexp64.exe

pid	process
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
3716	chrome.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe
2300	procexp64.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

Procmon64.exeProcmon64.exetcpview.exefirefox.exe

pid	process
4060	Procmon64.exe
4060	Procmon64.exe
4060	Procmon64.exe
5064	Procmon64.exe
5064	Procmon64.exe
5064	Procmon64.exe
3352	tcpview.exe
2164	firefox.exe
2164	firefox.exe
2164	firefox.exe
2164	firefox.exe
2164	firefox.exe
2164	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exechrome.exe

description	pid	process	target process
PID 2264 wrote to memory of 4012	2264	53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe	cmd.exe
PID 2264 wrote to memory of 4012	2264	53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe	cmd.exe
PID 2264 wrote to memory of 4012	2264	53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe	cmd.exe
PID 3716 wrote to memory of 2612	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 2612	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 3492	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4964	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 4964	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe
PID 3716 wrote to memory of 744	3716	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe
"C:\Users\Admin\AppData\Local\Temp\53fff9337c461ac70fd7cf955e28ed5491d510c8c0751ffc5399a9afe5fb1c92.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9c3799758,0x7ff9c3799768,0x7ff9c3799778
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:2
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2876 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4308 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3484 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4696 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3004 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5140 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5196 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5080 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1472 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4208 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4608 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:1
2⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:8
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 --field-trial-handle=1752,i,11221163606939752270,13045735108746038227,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5088

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5056

C:\Users\Admin\Downloads\SysinternalsSuite\procexp64.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\procexp64.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of SendNotifyMessage
PID:2300

C:\Users\Admin\Downloads\SysinternalsSuite\Procmon64.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\Procmon64.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies registry class
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe"
1⤵
- Modifies registry class
PID:1728

C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
"C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\Downloads\SysinternalsSuite\Procmon.exe"
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Users\Admin\Downloads\SysinternalsSuite\tcpview.exe
"C:\Users\Admin\Downloads\SysinternalsSuite\tcpview.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.0.516259701\1662096463" -parentBuildID 20221007134813 -prefsHandle 1628 -prefMapHandle 1616 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20509840-12b0-452b-afcf-0bf373ee101d} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 1720 207e6b85958 gpu
3⤵
PID:384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.1.538783522\338248168" -parentBuildID 20221007134813 -prefsHandle 2044 -prefMapHandle 2040 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9a71b70-4180-425d-850e-9e5f98af6fb0} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 2076 207da371c58 socket
3⤵
- Checks processor information in registry
PID:700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.2.1896517075\218344941" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2776 -prefsLen 21117 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5000f23-5b93-4419-831d-a13609a1d4ed} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 2952 207e94e5e58 tab
3⤵
PID:2476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.3.1072056350\786150408" -childID 2 -isForBrowser -prefsHandle 2692 -prefMapHandle 2456 -prefsLen 26562 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cebe814-41ce-411c-8915-e666e18f6f99} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 3576 207da35d358 tab
3⤵
PID:4060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.4.1405810993\13118664" -childID 3 -isForBrowser -prefsHandle 4284 -prefMapHandle 4280 -prefsLen 26621 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66ab6c60-9fc2-446a-8d48-9872863179c9} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 4228 207ebba2258 tab
3⤵
PID:352

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.5.912290026\1128748272" -childID 4 -isForBrowser -prefsHandle 4808 -prefMapHandle 4804 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ce56017-2a8c-4081-8bfd-c18a0fd187b0} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 4816 207eb0d4558 tab
3⤵
PID:3464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.7.765716310\241847515" -childID 6 -isForBrowser -prefsHandle 5132 -prefMapHandle 5136 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c2b7942-3602-4bf2-87ef-0dc8e046f8fc} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 4816 207ec4c4558 tab
3⤵
PID:2004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.6.569629860\32220420" -childID 5 -isForBrowser -prefsHandle 4936 -prefMapHandle 4940 -prefsLen 26702 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7e061022-fcae-41d2-8a43-d7ded5fb58f2} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 4928 207ebba0458 tab
3⤵
PID:4748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.8.2019057654\2408618" -childID 7 -isForBrowser -prefsHandle 5356 -prefMapHandle 4928 -prefsLen 26877 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f0c2ea8-1413-4c4e-a77e-7feebaf9ba61} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 5204 207ea567158 tab
3⤵
PID:4932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.9.1977879796\402948645" -childID 8 -isForBrowser -prefsHandle 5672 -prefMapHandle 5668 -prefsLen 26894 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ff2013-c9f9-4ccc-9bf1-b0271da1fceb} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 5680 207eda41558 tab
3⤵
PID:924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.10.739914598\1750231459" -childID 9 -isForBrowser -prefsHandle 5932 -prefMapHandle 5844 -prefsLen 26894 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cf55175-7e85-4227-b304-bdd73273f207} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 5952 207edcda258 tab
3⤵
PID:1324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.11.1029041624\1534960466" -childID 10 -isForBrowser -prefsHandle 5988 -prefMapHandle 5992 -prefsLen 26894 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3918667-3f74-4f85-a961-7b6b21cbf3c9} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 6072 207eda05958 tab
3⤵
PID:4708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.12.1284673177\1504785645" -childID 11 -isForBrowser -prefsHandle 7464 -prefMapHandle 3344 -prefsLen 27374 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec633be7-3bea-4997-8537-ccf0543c0324} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 5504 207ebf70258 tab
3⤵
PID:4828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.13.1582136114\110552914" -childID 12 -isForBrowser -prefsHandle 1520 -prefMapHandle 5516 -prefsLen 27374 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {585f3de8-12a7-4f9c-9998-008de27bbc91} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 5824 207edc4b558 tab
3⤵
PID:320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.14.1189809313\962248628" -parentBuildID 20221007134813 -prefsHandle 6064 -prefMapHandle 5600 -prefsLen 27374 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05637a73-c33a-42e1-88dd-7b9dc208fafd} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 7692 207edcd7258 rdd
3⤵
PID:2868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.15.986426327\1058928551" -childID 13 -isForBrowser -prefsHandle 6728 -prefMapHandle 4620 -prefsLen 27374 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {741a4f28-9ed7-4324-be4b-fff0d9a62674} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 7060 207e5164b58 tab
3⤵
PID:1796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.16.2042190226\1018894718" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 7472 -prefMapHandle 6728 -prefsLen 27374 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9b50653-2e3f-415c-953c-03477fd644d9} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 6648 207e5166058 utility
3⤵
PID:2716

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.17.1779650641\1585422631" -childID 14 -isForBrowser -prefsHandle 7124 -prefMapHandle 6980 -prefsLen 27374 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af985beb-6991-43ab-8f78-97b8f432f4f2} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 6004 207da36ae58 tab
3⤵
PID:304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.18.1840141026\2101648901" -childID 15 -isForBrowser -prefsHandle 11668 -prefMapHandle 11676 -prefsLen 27374 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5340dbe2-4406-4bac-974a-a02497ece884} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 11704 207ebf72958 tab
3⤵
PID:824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.19.347198\1580553795" -childID 16 -isForBrowser -prefsHandle 5168 -prefMapHandle 4440 -prefsLen 27383 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd194067-87d3-4b37-9177-fbb1cc7042f8} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 7748 207ea909058 tab
3⤵
PID:5376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.20.203447022\629518247" -childID 17 -isForBrowser -prefsHandle 11364 -prefMapHandle 3708 -prefsLen 27383 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2ce663a-ee84-467d-8d62-0d2beecccd74} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 11528 207e515b258 tab
3⤵
PID:5628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2164.21.1555975949\243007712" -childID 18 -isForBrowser -prefsHandle 11672 -prefMapHandle 11536 -prefsLen 27455 -prefMapSize 232675 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {84ce1287-a845-4121-ab93-50b7c4d12ba4} 2164 "\\.\pipe\gecko-crash-server-pipe.2164" 11508 207e53b7558 tab
3⤵
PID:5404

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3cc
1⤵
PID:3720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
Filesize
69KB

MD5
996ac44350796326120f9f1a3c82ea9b

SHA1
f61575b8ac8ca3db9b07a1ecc907dc193b2d65e0

SHA256
fa702a36275b3aa324ac97c840b0eb234059e3e27cdcf2ddf7cb0d1a0820e90e

SHA512
4642f3affc690b1cd854265ee35aa0e8423568a1b43b0e7829c30263b96aaf08332679d8d0b66dc63af5a90fc3c159367ce6f02f3605e0941efc6c2511e19ccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000f
Filesize
39KB

MD5
8877fbc3201048f22d98ad32e400ca4a

SHA1
993343bbecb3479a01a76d4bd3594d5b73a129bd

SHA256
22f8221159c3f919338da3a842d9a50171ddc5ac805be6239bd63e0db78046af

SHA512
3dfb36cd2d15347eaa3c7ae29bfa6aa61638e9739174f0559a3a0c676108ccc1a6028f58dad093d6b90cac72b4468eb1d88b6414339555c9f872a5638271d9c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000016
Filesize
66KB

MD5
8c88e42819c6e77524b9baee2d055c3a

SHA1
1dc0fd32c7c741c3aa818996af7a3c958e752044

SHA256
15ecfcb2083be536b5cffccf220d46d007aea86e26dda73df63c555d9fbbfbb4

SHA512
1737e9ac0a022087f804b2a8ebb39f540eee492a48d45efd47094ddcbfffc4399cf5bd13823116ab0784064d0ffa83afbc4dff218845faa83cab76e855e9d5ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
33KB

MD5
700ccab490f0153b910b5b6759c0ea82

SHA1
17b5b0178abcd7c2f13700e8d74c2a8c8a95792a

SHA256
9aa923557c6792b15d8a80dd842f344c0a18076d7853dd59d6fd5d51435c7876

SHA512
0fec3d9549c117a0cb619cc4b13c1c69010cafceefcca891b33f4718c8d28395e8ab46cc308fbc57268d293921b07fabaf4903239091cee04243890f2010447f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
552B

MD5
82d31db6edc38ec4598781555a5c9b91

SHA1
82837b36ef26237793d0e931f78f3d54e5af1129

SHA256
27c29a06ae5faaacef5afa155ef00aa5eab60578ec33fee18f7d27cd8e586313

SHA512
ff5d67fe26c1d8fede797b7be4e86f0a1eb699aa2613cef5cee5d81221f391e47700269001b6a273bc124fa388b1f72cb7d11af69d58d09bfd5eef87ba707716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
864B

MD5
7ec65ee085331413d6a8b10c61f225af

SHA1
bbcf245fb6a47cf5b59fb9ca885fbb400f8fdbc3

SHA256
93c24554673742c145e691e98a8563820a160a404288a4ded23982dd7ee5e876

SHA512
c4278cb7b147ee89e6c34ff1bf305cc8cd662a4ade1367d797f6691284b0e81e136799dec41d6f007aebde780e4f260bf99f294373b8de464f98ba5a63d877a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
85c59e84843dbc01a5d163311ca10602

SHA1
105f7e9cdd358c860c2a57a1737d3ebf59197b29

SHA256
b3e8edd0b797fec680b939b81ba59f7791a053d4b1818e073641faeae67259af

SHA512
0911ade44d7ac39db51e60bf451633efaaa9b9a1cc9d839599fec1e3e90874efd6fd35349abb89c31c989438329d0eebc49f2584cc9bf780d5051e5a89b5fcc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7132ccf1720322b4c58aadd4f571c94e

SHA1
a81cf38168e7b7a027738830137bcd58875e9584

SHA256
93aa8a4ec3faaf8f8fea168e110a5be80fe89e8bb07e2c6ca966bb8751695136

SHA512
dafca5502107b822ad2146fefae6b7df503170912ead6db88b3d3234fd8881013c032ea274fc91e722487af6af138b523baada128018b04ee3c3bc392e47fb77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
b6e53bb6060ecd4ad0d1a00fa2739c98

SHA1
d9df5b8061138b76d8259b43812c0eae82b8b20f

SHA256
035a955666c95939cfd797d4ba53c5068a0c746775bc70b81b7f4cbe78bdf8a4

SHA512
6dae9e20e35af7e81bbd694c586cf61784345f6d84cb661ddbfd99dd8c901af39ef31dbdeda9abd5d4bc969ec1d9c814281660f8ad0f3085a1de3f5a63483241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
7d90e0e0fdf565ab30f41eea4c98a3f0

SHA1
b72cf3be84397ec359f58716f7b73be20b238f83

SHA256
f63663f0636f9dfc2292bec2a2a1baa9faf130f9b433a22b8434425ee29d5b42

SHA512
398ff494186a4510aaf3d0df47fc9acc11c8427a64f054aa7308123ed3cc3afbd646a93bb30c9a81002158093f49394fe4f327934321a4be7b37120b96beeea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
5d7539cf1efa7d364e3c65c7aea97434

SHA1
b72350f81bd8d64d5f001e6490502878ea889246

SHA256
162093c0a22946d12f2cc10098a6a22f2c471ace85c59741c40b8fabe8d7ff92

SHA512
eab7e3069bda958eff7d6e8a60e40ba7a987e27f277bb143ddccd62b8f2059cdc687812449cb76cefaa75dc18b212b8a693401513c7ebdfbde819446da2b2310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
ee9b15b5e874d1d03b7f3ebf0db79a5d

SHA1
42d013c1e2bc3d2e8a629ea372cc9e82970a322d

SHA256
fbfa55298e688e52efadc3949d0609e9ec3f88387c925dde95bec8eaa8b8d354

SHA512
dbd5cec7c2be88bf6c2a645d41a5be9987359171068b57735c08799bb55d5b4ecdf882ae93eb0af8eadf603672cad381c8a9a30969f79d15b4c2c822eb861b58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
f175caf5f7d8d12725ec6772ca9c4174

SHA1
85102a42036f7c9beee1e75d7e04f0ca814920da

SHA256
68ff289aba3d3e9739d9b14ef6f86c1bef9e04155bea253a364490ada54e6dd2

SHA512
0292530477ab8c38fa4d8f80684709b1a9031a6c1a6754a262866ad7f66b40860ba1d509910c76e8cb9f961acaace59217924b22a99561823ca19778ae1d20f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
2b7efa54b0a5724f0a13f9cc525bb7c7

SHA1
b42d97f67a6d735ce61a7667ed8a0f8bd7ec939a

SHA256
dc5a67d873ade687d8b0866731edf2f4c4dd764e7f724ddbb3628792fee078f0

SHA512
f24080717dd2079502536f2fe06cb2c19284ee8e19d012a3d217c77228be8eadc03b53f9f4a70a8e71738d5e01de527c71aa0ab07e7d45434f35ae99c2f35bd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
30b45fdc4c295582911efc8f95357650

SHA1
99fcc1d6b315aab5e62cd0c713b567672a7319ff

SHA256
6400a4ccfddc2f773ddbed4289455388835c4cf509a8571461fa83ed24f84721

SHA512
2933129e7d596ed22eb27b0787c92c7019899a52948c0bb7c438e4659aba9d0f3dfe637aa7e9fb8ca6529f16138be4c2002a7cad25150897e5ddfed58ae54a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
051eca3982c4108caadfd0174272db51

SHA1
42e56da09bc49d719c03e894683a6d253ad903a2

SHA256
0129dd44350831e682a45ad1a0bba4c53a06d86c01beafe9f7bda371dc58cef7

SHA512
94a90a49c926fd9cf635fdc7926b8a2fb297d04221e9e258499311e640467ea14900a41b598011f08c958148cd38e957956b6ab5f4f198de65c3fa84cb50260e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
87e3d982f189176be8e05dfe129da2c7

SHA1
9aea63a4e3a0cd7d2a790a4c68af1222e1dd17ad

SHA256
ebf2a2e589d7f4b04b4cff941f6d2a7dced82768915566c5f28d33b432236edf

SHA512
b77c5603a5efccfa11c20b30f9cdbcdb0876c1ac1ecf447cffba02766948100269c7d0f431913c9c2557dbaab254aa92ee1ea25cdc36e3e0490cedc1d2281b54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
f2b38b0c80a8e06f9be7dfb00b6479fa

SHA1
1b669b5ed5b4ff6cddb6588bb4d668ab02f8b4d7

SHA256
f26d6f558704ff05a472dd52256469c00d4f1fde759cf26f861ae6711e6674d8

SHA512
9a098ca01c7cae0bb19301304487798f86dc22993231966559e01174470c3ab22052201edc60a7f95536e62a3a003071eab182554f513868f6f81c7a412f6801

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
b861a7ee578287ee646019a47a19bedd

SHA1
e02dad213b78eaa2f2c6085b340080159fb01442

SHA256
95e82904b70381e6697c6c3ad123432ac99d114ea30a011147460a5af73a4fdd

SHA512
9466e12172de6d7b6dc2c1d4c3d75b7daaab7e2b4e25200006783d37f2646d12111f61c06909a5212037c4c063673e017947409376a3e92913c69b0ce832d42e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
873B

MD5
16b05aff6321d7a3e82197f57395d78e

SHA1
de0c907ceb044ed0ea474783d3da2ccfcd6f39fc

SHA256
1b0ec69a9aa8797b5957fc6e841f9464fd26fc8236a30edc00dc022ca4b7276c

SHA512
bca42f4294092cdc86044b14a27790c98c65376f14004d5b6b8823cdff312eb6d1165fda93c3f4aa1be5de34fbc000ce2b915c3d4e46d5c50d2e4a4a803b085b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e3867e07-65cd-46ca-9a60-e68083eb8358.tmp
Filesize
873B

MD5
babc9f59c01de62d28a6692a06221b5b

SHA1
a939b7e385b9b28eeffd4cb84c6777243d8dd7b8

SHA256
fd2e3e0ec7416151a096f148a462f24c0ac9bdfd626f7ddbe27f8482af0a2997

SHA512
896ef5829342d078c28598276dc0070986688954b1c07ef50d66cc5ad7668ae0061a8c10edd723b0f4379766b0152f1ab6160627341fc3cad59c7f0bc994a588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
49da89f98128c1b6a449a4861fa25a8e

SHA1
a5e58864c2b66266d2a3300548e1f6fe7feb3f88

SHA256
79ceba9e320bc31c653f117f2a68f2bff82f62e5397b7d7c7d94b1ed8a1ea7db

SHA512
a558a5e4a0dcc1b9832f41b9c5d2399d8db10cb48f230c8b7459201ba09bffaadb1b2957378f5aa2681a4b82bdefbb9c162cb3a30d26066cdffb8b59f0a7dab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b20ff7dc93acbdadef33aa62e752b87c

SHA1
e2e5cfb610091465c25bc91e77aaf6b4cfbc6905

SHA256
e62f08cf2fc7b07d5a4616eb38f9462b7d4791338bbb6f6dd6fdff35abe6df42

SHA512
2fcfdf063213d92071028ca005844eb007f0fd817b25e14200e11a9322a0395cbfd2fea36c295d22403e2fe39d9c0e3868413ad9cd250a5d3658dd0c8749a12a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
352d63918ff6cf898f61b71ad4161652

SHA1
402ba921e47507e4cb927b8edb271ad612ede165

SHA256
2c06e201b6b0d8653c8ea14c58a206958e9421cc79e0551957100e5913a57d7c

SHA512
dd10f34c570cd5c9179ef319037abe302a936fc5bebc086e680cb8f36793a996472eebd1aff946c9b3881234a934c27482986cae6e0dad743321f7f253f78b25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
52a940f2c907595b654ca7e3e3491f1e

SHA1
f69032612b1c07504af6cee8aaf03f793f5b4dfe

SHA256
821a452c64d2261d74af6efa6ca2627078866af0eac3f96b8ad9ef411e7a31bb

SHA512
36a4832813d16fe4c98a1f654329b5a34cc2fd556b349d27ce9e43aa1f17d410356e93c034e7ffb20d845b26f287afec7ba0cbc8397a976be9c732b5d0aba2ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
84f6ddb868780c006e432a90927b353b

SHA1
0d9ce25961529acb476e3524dc74da4c78a0204b

SHA256
2851457864637c8868505819137f4205c539c34339593c6901c4c48f540f7031

SHA512
fb315988285980ccdf186701cb41dde5e5562f1064d8fa70b06ee8c00c35174b3a645f34e4e316da03d6ed566dcd689c40d02ae7a042bf5709b512ff60daf336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
18c4fac056dc984a67226d0a1d6868ff

SHA1
6dce126111eb6405fac525e703d72915aab7d4a1

SHA256
568d4a87114623b2f4ab1f559cdba7f5367774861414827a746cb0782da7b31e

SHA512
d7595e01ed846c5bd6d6d033c7fac7db4af07f3b9e9da2d399b16ebb84ffa174e14c85b146e12c0554654559030b41b0931b2e733e0c371887ba5f2d1a0fe235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
174KB

MD5
18fa78c1fa90576b56a76da712df3358

SHA1
49a6784ceae0aac13e609be1f6c9f62cdc9e355b

SHA256
ed15e56de4ab2cdae67848ee1d8966b9936d587fbc68b5e073ade91d989b003f

SHA512
560fc2da31d3dd37a1caa7bede7718f6b5a5c549f64f29cdfa949806351df0c9a9316b95b19f963caf6cbf3e8941afaefd4280e2fc1f6da8ba48168f3395d272

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
174KB

MD5
03e0d5a55bd79bcefd5c239304912bc9

SHA1
6f6bdabfd01c203370f5d6d6aceba58c486b44a3

SHA256
341972e8b24253bbd2f0929c7eb7ddcf97e91259c49db51638a7d7c5cc155e0d

SHA512
e14ab37bdaabff5ba31888d227ade9eff88d1a01b00340782503cb64abe2eb2de9ed84b766db9f225d2c469b75dd1c3378745bb0be5ba29322d7f5238f5a7ff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\activity-stream.discovery_stream.json.tmp
Filesize
144KB

MD5
d50e9bca1a206c370ea995a746352295

SHA1
730c8b7bfb3ebd58e128ccf3024600da311b45db

SHA256
e3bdd832ac8265daba26c8f8c1b551a15f048fbe3f4381377a704d0f7cd87cab

SHA512
f139e4382db5d51ccdbee18539f045ccdd9460625b2b9b5ef066dc08c2b502a9b82fec11ac1954b6fadd271cc58aee587f1db44d2dd6c1bf97789e02f36f3926

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\doomed\12332
Filesize
9KB

MD5
dbdc01346fa5f18e17addef10d1ef6be

SHA1
63d90b0ed04dc17ee8991109d21d94d555fe75ca

SHA256
5cde3fb2b6bcfb896895086630431a82ac195b7b0d2d3a679df878f099fca5a3

SHA512
3aca1184751afb9f1df13bc945bcfe55d3505c16c9869df91f8b455749beee0873192ce18f704bbaa38a4c80a37e285073902e73a0d05ec886045c1d223a6128

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\doomed\19723
Filesize
14KB

MD5
63c7b4b8439ef0ca7baf3cda82d52240

SHA1
0bfde5f9d2102d3bd0b0a9a7cd4dd485d5c5c41b

SHA256
966e9bfa65ab19a6c9bfccf8fea042edebd48166fad99ff005bb5580aa7728a9

SHA512
a1a922198798829f1897808eaf6d8df7c6396ecc47fc012d6bb1e0514eaff2faa60ed239df1e8895ff8609e7f01c743f64c5aca900602ec3b280e0f70998078b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\doomed\22197
Filesize
9KB

MD5
76d60c30fd8c98681f4e767085d8ce30

SHA1
3473f487d9d97443e6511a079e9592ee4541e913

SHA256
f4c5b2977c6ed1bb40e77915c2c7625a0a1a9f0b0b09c1e51f09c8a944238548

SHA512
75938990c4701bc9c60f14d37e875423edffad66f96995955588e0945775677f2d838f11e69d9830f3e0e870cdbe13d192c09d8889e9f8b28ee6f96cc5a88af0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\doomed\31312
Filesize
16KB

MD5
0776410683ececba4f7bf034caf8036e

SHA1
50bf5cb06cf0b446d6dac8c8b48db8725a97f808

SHA256
019e890f48a2dbc2b47dd10693208174de75caa6324ebeee023902ffcb61fc86

SHA512
940258c2e19412430c8fd726d877cae667c37948b617923066ef3d8bb883ed6d86c0e0a447f61bb7704d9b44f37fa44659ed9e3080f9d2efed4980e91674b402

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\doomed\5713
Filesize
18KB

MD5
336f8e0b879060d25f6dcb035616f351

SHA1
4a4822c1e7e4587565d0f135cd35187a2ffd239e

SHA256
8870b9ae448c4528209bf5896b2d48629ceaac102f3778b981c416366d774c6e

SHA512
eee4aa5c2f06f7c6ad95469615c9d6b1e270effad0f2bd9879620d6a55cb792fb8f62f89ad89a226562f99f9a9445053ce9fc9975d842ba835add5b567666d55

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\doomed\7263
Filesize
15KB

MD5
6b82e151abdf70df85b9227f6b309253

SHA1
c34f70d6efa51ee91c042fc7f711524779396727

SHA256
4f8cb5fe4a8dd12b6f76f1f3b7634b18c56ee8757330d6ede7ca083abfb10928

SHA512
bcd0e021ecc8c96101008bf32162d180afacc8298aaa48edf5bf9b2d5f760ac9ca4aa5b573123b317ad9cb43240c48c6d3063dc2c3ff85cc0d834233a2602647

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\doomed\9223
Filesize
14KB

MD5
cffdec5de9480fd14e1509171534e7f5

SHA1
c5da3f7baa14d68b553371003f30c5ee90b5fb20

SHA256
22ff2ad28dc8db6084d3af0ef352793472e3be9ae134ad6323bb23dcf6eca9c4

SHA512
34bb4186d028b3b55a887f6f717a393d7f75afe752bdf0dfa2d4145f58e01cf189de2fd12d64242dfab64be38361acc91912495ab2189fd6943f42f5357614e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\cache2\entries\F96A1A8368D3C3DD1FA81D170326E6C1C65D342F
Filesize
30KB

MD5
931774e16a4f1ee34bbd859ab5d26148

SHA1
ba09782857527186852a5b65c417343088b5d0af

SHA256
8c375414fc758860e582919425e23b05358a90f033f6f07006ff942c129c1026

SHA512
e6b0c31848abe7b7b80c4d539ebecd64e39fff3a05d181697fa8fb8182c0ba7466c5eb97410cabb6ea4d24a4bb11b1693cc1deacb3ef520bbacf557347c58e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
Filesize
2.6MB

MD5
f887d8d20ed10524ff74b3e037f775d5

SHA1
49577ab39ace16b7c8ca2f94973891c637a88c4b

SHA256
1c7704dcdef2268c0ede14232197ef99f9de4b21d64d2f85c8871824af90add5

SHA512
c001b38e0f4a95e4a09395f40dd65bb9bccab16b2d9c7edc37873ef02768c16d0855775750e3b6b5a2b4c6e99bc2fed3e391de6249bf4eb7138715f0e591171d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
Filesize
2.6MB

MD5
f887d8d20ed10524ff74b3e037f775d5

SHA1
49577ab39ace16b7c8ca2f94973891c637a88c4b

SHA256
1c7704dcdef2268c0ede14232197ef99f9de4b21d64d2f85c8871824af90add5

SHA512
c001b38e0f4a95e4a09395f40dd65bb9bccab16b2d9c7edc37873ef02768c16d0855775750e3b6b5a2b4c6e99bc2fed3e391de6249bf4eb7138715f0e591171d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
Filesize
2.6MB

MD5
f887d8d20ed10524ff74b3e037f775d5

SHA1
49577ab39ace16b7c8ca2f94973891c637a88c4b

SHA256
1c7704dcdef2268c0ede14232197ef99f9de4b21d64d2f85c8871824af90add5

SHA512
c001b38e0f4a95e4a09395f40dd65bb9bccab16b2d9c7edc37873ef02768c16d0855775750e3b6b5a2b4c6e99bc2fed3e391de6249bf4eb7138715f0e591171d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
15KB

MD5
753d244b90046f774ea09a4e65d814bd

SHA1
10f26f4f7c13b1ce4a45827fb34f4a6a5a158ec9

SHA256
f8e240fa6724549451bf11539d5c1d740acfcfcb2795efcd9b2a0bfd4c447755

SHA512
105c08b55f0e76cb8576bd54f53cb9d906ada8495ab2162dbb9845c4ce0109feb18e430b110ef8afbd998fe8943101dd0837a7792d08abadfba595eeb8f9d459

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs-1.js
Filesize
6KB

MD5
387a4d082db5d2ce1543327c6f88d68e

SHA1
39261742f489e830181df61ce884df80f4dc72b5

SHA256
ccda9763a89d2f8e64c0a085c295f4ad564f5cb21a87e6b72a1f04d66dfa40f2

SHA512
ba685972cccb0f464b2bcba92d4f77a3becd346b4699a2d4808606e84542e9c0cd226f7af6a3cdbc2ed1acec1f310dae5808a92e8a2fd70e0b2fbdad380e254e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs-1.js
Filesize
6KB

MD5
8eff949a7913c54dc3c7f736c70e68a6

SHA1
4578bd90e32ccc9b9fc4cc93620f9ff1dce4dbfb

SHA256
2a57f0c47c9a457ac59dd80c4ed741e29d8f7eb97b8888655b8c3bc6ed962012

SHA512
5803af00f210c9650fd8121754771b803455afc7b51af9830a3ce7f76b25834d25d37fb14f3f8fc0dc4d93b604318bb4bcd0f6458551e392f64665bb1541b4bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs-1.js
Filesize
7KB

MD5
0c5543b9505005ca66951f453531258d

SHA1
2cfd7a94c2aba5a4165043f69ca104ecba0dc2d8

SHA256
5df225c539ab665dbad9ea37e8c0e516576b91f48a779f4b9c58ad39528a2bc7

SHA512
921d3689f5b7c9aec48daa8ec9e49928974b24c278099f5213acbf722aa1f8bd5cf568f79d482d8323504e19d2b8b60709da8c2607f73decd6d485230391777f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs-1.js
Filesize
7KB

MD5
f1998bfebb0e957a4f2b185b0ee43e71

SHA1
0005115a10d057f988a794eec54dc26b1ebbc932

SHA256
9f6e60e61e164b878ba9e9673b05b961c2afc86138b6795ce1fc125e5863ed06

SHA512
6ea20631dbd78519ec13888e2e97bb81e5b07ee88d59f5d41f0672ccff358dcf249a4f2cc70d43cc67e4f01732171f3a4c23f6562c6f7356b873847a2c603413

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs-1.js
Filesize
6KB

MD5
dcc1d787041cb1c1087b30d21be2b91a

SHA1
7c9bc7620ab129f2dbb0f218eeaa42b8bdec6fba

SHA256
4334d79e30ba82b08205a97bf76e83e4fb340172cb8677a3c10ea696d479f9aa

SHA512
2cf9894e7584dff88fbc9d805cd0ce290571630d3b0771e9e0e6d5f467e4cfd788912937eb42ba6ae242b9c0f0d331f334defe1eb255349bcf621dd283dead72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs-1.js
Filesize
7KB

MD5
ba0cfb04496863890cc01dfe8153ae11

SHA1
8194f5fee7569ccff84459cd74532d911921a461

SHA256
19170ea9090138c1942d7f89bb9bb82a5b9a3cacf890c647423319ad3e37589a

SHA512
0b1eb0514c58588e10bc28b148a064f6527ee470c955c99c79c86a426c1591412652c4274768defcebc3d5ce2e8e896537b01ea28cd670e83bd79bdbfa8cd522

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs.js
Filesize
6KB

MD5
2eae50a371da00f798f5f47ab5dca829

SHA1
7a384348c51042b8228e593063b1337e87f75cfb

SHA256
23d24f12339a9403aa9f9882128b40d303b4e4b72dc578b832473b03c39c4738

SHA512
2cdc33cfa86fa41c2e037917f2bc87e920cf53ef0f136b1d5a3c8e404dde788e1ab594624ff3e181a382979e34f6bf469b0ce56e605b41efb27de29fc8524692

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\prefs.js
Filesize
7KB

MD5
652edceda8706e045889f6b7c956948a

SHA1
e46360478e2373b9e173286c59b8c7ab80bff0f1

SHA256
c7914dbcd47a91acad6a1ff17e4f3e4286fbec0f54bbeac06392b1d20fab6f46

SHA512
4d9b624e704e3a43921f348ca90b2d2762b3fae2f86472796c07cd9097799268c730a8587621942a72f00b1b73f5946a5910b36a25812ae60a3ff08429d2f4ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\serviceworker.txt
Filesize
190B

MD5
4aabbfa97b869d8e362255954ade25c8

SHA1
37a2448d8b99cc021dc66624d6ab81c2553778ba

SHA256
38b688a630340ce5c28b53983dfb8769ee215c9f998f91bd874c4aae34650f7d

SHA512
60f4c24c24374268bf4d60e62b25c14c49c1127775072395b0603bdf3a072ff9076b080bd7883ee85544b370de88456f0f9bb5786c2e850a93769316a2379053

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionCheckpoints.json.tmp
Filesize
259B

MD5
700fe59d2eb10b8cd28525fcc46bc0cc

SHA1
339badf0e1eba5332bff317d7cf8a41d5860390d

SHA256
4f5d849bdf4a5eeeb5da8836589e064e31c8e94129d4e55b1c69a6f98fb9f9ea

SHA512
3fa1b3fd4277d5900140e013b1035cb4c72065afcc6b6a8595b43101cfe7d09e75554a877e4a01bb80b0d7a58cdcfe553c4a9ef308c5695c5e77cb0ea99bada4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
b8da42ab7adf366734c1ec0cd2a3359b

SHA1
69e51ac94a232be497968406ea6c5d7da53e9076

SHA256
6d60fe899733c0ccd12b4f25c7a21baa387dc0674bbfbee5ace260853cd9436c

SHA512
ec838d5cda9569aa24dd263fcb08b7deec424089f5757e9679b181a8006df05213d7f247a0e838fd8dbd7dc4465b6a083928acb349c0ad9d0a13724b0a1e1a08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
9cbaeea714493e643a2ec0abda28ad55

SHA1
8eb37edfc6f52f5ba5804045b75a252e53579983

SHA256
d8034adff0de93270a1e689edc62e48bf5563bbfd41afbd9abaad5592a5b3e30

SHA512
52246c1774577102f67443d953a7afdd7e1da9320bf3b10e039a9a1a2d726f5a6c22e043e31c6861c318630a19ccb644471fdaf0898786ac0ef8c2451573dbef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
7KB

MD5
b4ae9cb9a9708b29cbe5d48e657efa80

SHA1
2290d8fcaa4f9e543807a059fe472c2d64f4c0af

SHA256
bc7470109c36ca8fc3c9e571335e02ffb27f2d3b5979f24a4e3a5431add2de7a

SHA512
a865710f5090910be14a21e4ee97959435a645616174d248113cd325476fe5d5a71e23131d1eb567d6a6f40b86f9a06be8aae2e19f9e70d576c255ecc6653918

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
062b91b7397adff8dc53df386584c0a1

SHA1
1407d94e51f7c6cf6e4834fbced79a974c2a0fbe

SHA256
738317c09e2da4a4cc7cd404b48e9ae6f669ed1049825bb3897b592fc2d9edc5

SHA512
2a2afa17b3e276ac37dc77b96cdc288833327832f2e8c76c6443acd4391d99cd8d07ccd01681ac9898908c6200dc490d2dc9e20425b357e13e71071d11f3f9c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
9KB

MD5
c9e14fbc7d3d4bf45f1b2ba4bcb911cb

SHA1
d50c9ef3ada9fe2327836cd2e14a984d1b996988

SHA256
1f0d86dc7182993689e9ab94ee50e275ce2f64d79248325e455118c2a80c6e8e

SHA512
4cae2dcb5d671576de65ad835ac9fbdaeb480c2963fd57b6e481b248b3d014daf356b2af952cccb58232a158d84e78a56ee3d1b265d7ba629e262d9c259b2d2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
e6a162162c0cade569cb4a0274b8135d

SHA1
846e2f95f2b7651cc7a276eedd45eaa268875297

SHA256
e30aefecee681c2c2ade210db0a5ca3c463dff96f6fd365fc2511fde20feeee1

SHA512
f1fff8a71d21d99523a753f7f32b163f35a652ac55ef2e1b2145ca7053bfd99f30b72f9f58e1f844702e8ea0445179a7a2d8f77910c007dfd6323b8334ab080d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
ae3d963f2a5bcdfbd0aec7a37f45e178

SHA1
73e881ae9e419045172ad19970a17846b9569258

SHA256
5a6e0cd7e27ec1ba085c3702dbac5e00a24449dbf07af7f913d1dc8c28d59ef3

SHA512
8930ed4ffa38e281a27d79d30bd2b730f404928d3aabea034c9d52d0723d2f4a2914264ffc84b4514d070feb790f4653fde3b82bd579270258f934161aa4ce1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
12KB

MD5
05470f95d2ba194a1e9dc8067f5639e4

SHA1
d0ebf0495a5a4e792df079d93a07ba78339ddf45

SHA256
6c0845afc419be1374703ba2cf5e6fbceae18990cb270526ad9b7245cd54b47f

SHA512
2a118ddeebc880697f678f9f03b8c528f4b7cb107c9035db45a60e44cddc08daf9c21f9c82b23c5d44a2e823b52f3ca9c72308e57f0e6a8da19bf95dbcc29fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
54b83d7911b0d0cce7f5a71b66a7738e

SHA1
d623920935c8643d6f3994eb6492830ac9619e3c

SHA256
f13b67eb810ffeb655741e39719d6b85dc9656aec2c764877a6e6a00765489a6

SHA512
04ca66b414124e4d398c91ff08d2731b44de54e0d0caf6c50bdf5207d787fe171634ad9d35a391d6c00a2e2aaf2f69ceef22a42a0e1006b5d7f4877da8e83cc3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
11KB

MD5
aa4d5555dce2e21dc712e9f56b55c600

SHA1
deded2bc3b0fd0b2125caf90abf148390ddf1691

SHA256
ff7770f052fbadaf1e208355e60559fe0dc55c6a36b70725dc23def333cc6a6a

SHA512
a53e552aa0f7a52b7377ad973eebd7a1b285902deb0908e814d26dcd2b9d2cac9c80d1a1d3a125502d6a09ff7ae32bb6579e491d041bbff06d0e07985175a87b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
11KB

MD5
760fa72a386daf30451f7d5b82409c26

SHA1
5c6144793195b07dc4ae6d6d7706834e75e8b696

SHA256
9a489bb6d5ff211a4a34f2e0b1ff6b275f686a6ae7f0c7a74c96aaf4bb7a102a

SHA512
41aeac9f6e5ff1d91cd4ca841b44088728c88946c2974ec350604ae440a7b8b8f59aaedfd6953aac0b12366832f05fa1583f9fb107bde8c0c83744c524d98854

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
10KB

MD5
3a13d508d91fb44b338c28c93ee681b5

SHA1
21a76d52c8697dc0ee7f5dcbd1c1b144317af4cb

SHA256
07b8c54f53d7a00f30baa903c82edd04a237e87b85b229eb1085cb449a65a55e

SHA512
d431625f22b3a8640605398bf6e141294f52a51b72520550c072d13af47d3c200795552f1dbd980b720b1f346526d0571626c731baba6f8488b5d9206665cc11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\sessionstore.jsonlz4
Filesize
11KB

MD5
1d927a316f9d265e559aeb4d8fd5f775

SHA1
82a437961e27c2a58aa0a4070199d0c0d2be9e1f

SHA256
e1f9f159aa3779ed835d18cbd1b328e380bb224d866c53f055f40432a3315db4

SHA512
ec0088c8509225cafb9d0bf3cd470a430644a85ef2bfa59e0f962cc433b380c87f7f1144becbb8c735c090fd18524a14aae40d2fdf5267ef94b816bb32ee0288

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\storage\default\https+++www.virustotal.com\cache\morgue\34\{184c752d-b37a-40ff-9ca9-a858ba5a2522}.final
Filesize
44KB

MD5
a40ca5b5d57c9597eee1e1eec971c240

SHA1
91396a14d113f1519390da89798b2a935be712dd

SHA256
2959d0ace9bb9c18e3144d8d8964ded2fccc25df96966dc1f71f1ac9c0dda507

SHA512
766cb2211bef8a69e9db873eec689c65389d0d156319e234fbd3b5c905ee58dd55e3f70f91d127e549116bd675bf3b763d09ef7b4504c8b3c0803239e589a67a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\storage\default\https+++www.youtube.com\cache\morgue\236\{a51b1393-f069-4bbb-a0c5-3ebdeef924ec}.final
Filesize
71KB

MD5
d779bfb9222260576dd2e7a8895e1354

SHA1
4bcb682b78bf4e59972e8bf210486bf4a2e3655d

SHA256
627cccabcbb39917e871405bc8b88b03b58a45fbd0c79f251c78c0c75df9bfc4

SHA512
c4d389707fd27d862dfa7e934423dbf37cdc0b3f10c4a578680a611d8e5846cca28587b77905fc2b0720caa304c2168bc4b3bd2a3150a5d14e7b71c13b0031a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\storage\default\https+++www.youtube.com\cache\morgue\82\{5943a73c-d7bc-481f-8005-67fb5e09f052}.final
Filesize
3KB

MD5
27bb0bb474b67b622c62d52beae7962d

SHA1
56ec54509b1bea33116d038d1cfd5fd2830eda4e

SHA256
f1bf6601606f5f0e5e4563bc22c38d68386910e01664e2e944a3ec3dab5d1f07

SHA512
4cdf7ec8fd430119d70211893153673b9f20a4f2e02282cbf845ddad9a167aee1aba25cb35baf22b9d6c66475b378473d1a9e9a8035d9c4dcae93434b33501ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\storage\default\https+++www.youtube.com\idb\2171031483YattIedMb.sqlite
Filesize
48KB

MD5
0fc1f8454efd91e718e65459c9bb707a

SHA1
2e88d1730aa7bfb957f85ff68f412060b6cbf75c

SHA256
6818f675f36f8a1040368b7314785bf119b1a1786728406681a4ac7eb504faec

SHA512
ec9e5e392bc1c65e3e4098dca06ec906e118627f41bbec89a062232bb9af301d99d493917d47aa84625918f54d0e4db2d2c0751ba8cea014411b1d27ed66b0ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal
Filesize
40KB

MD5
02063cf3f63d6682879aa991fd0b101d

SHA1
a4033248e43a9b2843cc26415435dfe07fadfbc8

SHA256
05b637127fd85554d3add133c7b89ec8e3bc99098aba7b43dfdf183058ad6588

SHA512
1923c2dfc3f4cc1c6a67b949dd6407ae770ef139f468559e181aa4c8a8f9fa0a587d8fbcf6381a82153d1de884e7c5c46b4e522238c3267eb8e9afabb9d5ac38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\storage\default\https+++www.youtube.com\idb\4000853238yCt7-%iCt7-%r2e5sap0o.sqlite
Filesize
56KB

MD5
35b4fd0f38e0435701541ba824d28063

SHA1
1893162065aba927526cb95f49ed2b3745b82f22

SHA256
6e1bb72713024e6f0284ea8cc602110258d800c0d6be423f7cb86194a4bce783

SHA512
a2189407c6b4cdd1e684ac4836e2975c6b65347ba9bdfb55b89acc6bc3e72e3b69f235b66842469049878f03169add464a531eb4ae9056e2859941d96c97b555

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q0o3c1yt.default-release\storage\default\https+++www.youtube.com\idb\720959283LCo7g%sCD7a%t2a5baa0s.sqlite
Filesize
48KB

MD5
e9386adae2b028cf72cdb5dbb03bc68e

SHA1
26627fea4d18a68e52b5d8ca2ffc7939bbdcda0c

SHA256
2395be6e6604010d09fd04b842a4c2e9a92e27984f070f32cf4654aedd5fe6a5

SHA512
b0d5cc9478c0ed4ee9c5546cdd108a2028750937c14d01ff47032240c07e8c6173f7a69cba4f362b957388766ee2bd002569bbaad8d2765e112f1efd773aacf9

Download Submit
\??\pipe\crashpad_3716_XXCETQYCHWMJQIFV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\E2EECore.2.7.2.dll
Filesize
8.4MB

MD5
8b6c94bbdbfb213e94a5dcb4fac28ce3

SHA1
b56102ca4f03556f387f8b30e2b404efabe0cb65

SHA256
982a177924762f270b36fe34c7d6847392b48ae53151dc2011078dceef487a53

SHA512
9d6d63b5d8cf7a978d7e91126d7a343c2f7acd00022da9d692f63e50835fdd84a59a93328564f10622f2b1f6adfd7febdd98b8ddb294d0754ed45cc9c165d25a

Download Submit
memory/2264-130-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/2264-129-0x0000000000EB0000-0x0000000000F09000-memory.dmp

Filesize
356KB

Download
memory/2264-132-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/2264-131-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2264-143-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2264-145-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2264-144-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2264-128-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4060-577-0x00007FF98E010000-0x00007FF98E020000-memory.dmp

Filesize
64KB

Download
memory/4060-562-0x00007FF98E010000-0x00007FF98E020000-memory.dmp

Filesize
64KB

Download
memory/5064-632-0x00007FF98E010000-0x00007FF98E020000-memory.dmp

Filesize
64KB

Download
memory/5064-634-0x00007FF98E010000-0x00007FF98E020000-memory.dmp

Filesize
64KB

Download