hxxps://greffedecheveuxinfo[.]com/the-mighty-hot-wilds-yang-luar-biasa/

Analysis

max time kernel
174s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2023 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://greffedecheveuxinfo.com/the-mighty-hot-wilds-yang-luar-biasa/

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = e3ca5a6db6add901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mygreatbonushere.life\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042998"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mygreatbonushere.life\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mygreatbonushere.life\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9D2BAAEA-19A9-11EE-94FE-4E498DEC5EB6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\IESettingSync	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mygreatbonushere.life	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1938625056"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "https://greffedecheveuxinfo.com/the-mighty-hot-wilds-yang-luar-biasa/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\DOMStorage\mygreatbonushere.life	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mygreatbonushere.life\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50684e82b6add901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\mygreatbonushere.life\Total = "16"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0741082b6add901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067454abe1d381743b6f5ba16996af384000000000200000000001066000000010000200000003258d9ab9fc0d8f71dace934e5c96f1df5a446d46a56403583edc2182967802f000000000e80000000020000200000009a8e30c9050d3e100c21c3339f2b4daa2a673e399112b77aed7e2f11d0a0de7c20000000ee34eae1994725479eb09fbd3cab5d78c872d2cae4c8c6e1492d0a38dbd4df1b4000000072437d50d996e60ff91b8a19c5fc373b79384b6ef60fb38b44332ac2e04fcef6aa2fa95960274c1f35a30ba96c559eda26ddcb401eff80da25f96793f0b71551	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\TypedURLsTime	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000067454abe1d381743b6f5ba16996af38400000000020000000000106600000001000020000000e1f33002a1bfd9239d07e61567e70408d81e4167349cb8de3d2c20b409b7b802000000000e8000000002000020000000eba8975d79b9cd75d97742669ac93ce0108dd91b237380cc039a8f3ecb45fb6020000000dbb9cdd4c80ff8e8b3fa7aea0c2689546c5225515f3d9adcacf8a66ffe70943e400000009807c8cb172ef36b38792406a9da366428e98a2cb7ba26d8cbba63e60889befba04aa6b067d1cc0e2fc4da21269fd0e302bc77cbeea66c018a9efb202b199cfb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1913625614"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1913469050"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31042998"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042998"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Internet Explorer\TypedURLs	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3980	chrome.exe
3980	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe
Token: SeShutdownPrivilege	3980	chrome.exe
Token: SeCreatePagefilePrivilege	3980	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
2804	firefox.exe
2804	firefox.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
2804	firefox.exe
2804	firefox.exe
5892	iexplore.exe
5892	iexplore.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
2804	firefox.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
2804	firefox.exe
2804	firefox.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
5892	iexplore.exe
5892	iexplore.exe
6100	IEXPLORE.EXE
6100	IEXPLORE.EXE
6100	IEXPLORE.EXE
6100	IEXPLORE.EXE
6100	IEXPLORE.EXE
6100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3980 wrote to memory of 1384	3980	chrome.exe	84
PID 3980 wrote to memory of 1384	3980	chrome.exe	84
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 5112	3980	chrome.exe	86
PID 3980 wrote to memory of 4500	3980	chrome.exe	87
PID 3980 wrote to memory of 4500	3980	chrome.exe	87
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88
PID 3980 wrote to memory of 812	3980	chrome.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://greffedecheveuxinfo.com/the-mighty-hot-wilds-yang-luar-biasa/
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9dad29758,0x7ff9dad29768,0x7ff9dad29778
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:2
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:8
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3152 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3160 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4808 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5288 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3192 --field-trial-handle=1816,i,16066183428150843107,7665431665337653250,131072 /prefetch:8
  2⤵
  PID:2460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1860

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x33c
1⤵
PID:3880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5064
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.0.856676291\1031332772" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fea33cc-2c90-4971-ba4a-506f87f8471f} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 1940 2b47d318858 gpu
    3⤵
    PID:1404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.1.2146221395\1312921985" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a8aaaf02-77c7-4705-844b-27019ca03d32} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 2332 2b46f272b58 socket
    3⤵
    - Checks processor information in registry
    PID:1272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.2.22686276\1808690332" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 21009 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b4f8479-4876-425a-9fac-c3e4409ba057} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3020 2b401e6cc58 tab
    3⤵
    PID:1376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.3.919277617\576168778" -childID 2 -isForBrowser -prefsHandle 3340 -prefMapHandle 3348 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a68ec35-2cf6-46ab-baf0-1833b7c77122} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3356 2b46f26d058 tab
    3⤵
    PID:4000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.4.851727668\1651869053" -childID 3 -isForBrowser -prefsHandle 3572 -prefMapHandle 3568 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f2e616d-e791-4ecc-ab9d-32c29510d121} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3488 2b47d856258 tab
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.5.62588190\695097986" -childID 4 -isForBrowser -prefsHandle 3764 -prefMapHandle 3760 -prefsLen 21115 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8aaf76a5-d15b-4d14-99a9-75cf8aa21eea} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3772 2b47d855058 tab
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.6.2009153776\1527117701" -childID 5 -isForBrowser -prefsHandle 4664 -prefMapHandle 4660 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d0c8809-ad75-4d5d-850f-26994a09e506} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4676 2b403f7c258 tab
    3⤵
    PID:5892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.7.1269348316\1503021926" -childID 6 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3a7bbb4-5382-44eb-8d77-dbf90f8a9c7e} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 4956 2b4049fee58 tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.8.244981136\1095171089" -childID 7 -isForBrowser -prefsHandle 5528 -prefMapHandle 5672 -prefsLen 26755 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a46e0d68-ad92-4c9b-b0c7-815f4309b563} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 5744 2b405ff2658 tab
    3⤵
    PID:5560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.9.662542615\980968193" -childID 8 -isForBrowser -prefsHandle 6036 -prefMapHandle 6052 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4643619-972f-4cef-bb7f-61a0dc8b7d4f} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 6080 2b406224158 tab
    3⤵
    PID:3456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.10.1046983735\453835564" -childID 9 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 26930 -prefMapSize 232675 -jsInitHandle 1448 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d08fb98-caaa-492d-8019-d6244a1952cc} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3412 2b40657f958 tab
    3⤵
    PID:5948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.11.1790428733\484524196" -parentBuildID 20221007134813 -prefsHandle 6212 -prefMapHandle 6176 -prefsLen 26930 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41ed1136-fed3-4a5a-83b1-f825f2d9d8b7} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 6232 2b40235f458 rdd
    3⤵
    PID:2312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2804.12.1389184285\353436588" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6404 -prefMapHandle 6400 -prefsLen 26930 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca148b00-a94a-4884-b929-f7239df830e5} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" 3708 2b400ac4958 utility
    3⤵
    PID:6116

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3bb3cea41ef94c13b81e534fdbd37376 /t 4640 /p 2804
1⤵
PID:3348

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5892 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:6100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D307740CF5BC58FE489E0608360C2FF1

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D307740CF5BC58FE489E0608360C2FF1

Filesize
426B

MD5
2629f6de630784e91e24ef89c4991ecc

SHA1
7e13c043c7fc36acc6843478b795c7894aac4f77

SHA256
6851062092b554b0b8cb2a518da9217a1eb788aa7f1f931b34df71807b1fb105

SHA512
511287377b96b1e0be1db9e108f720d1502b8d68f5fec342a5a5332e2fa723a02865f5eab0672244217984593c470b780b8f80e7505cad69e46903d407d10a82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
79f218f1e8d3b87fcf418de80b2ebf5c

SHA1
21333e93eaf204abc91d73c0c6b1e4d6a7207429

SHA256
05caee9725d202091c8670a805551e34d497e8f0bb142793537c3d4ed2e9263f

SHA512
6c7a6f3bfb193eaff5d1d527521dcff1c1e7b05c7a734e952ad19e47d1686195fe1df390be66e2bb11c45042c23fc4a33cc409e2ba9b70296c2d7aab733e2874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
dceef446abbc7b1ac1fb91f0d882bec9

SHA1
bb2d686f4d6210dcf7c8b8db9aabecb5e605c89c

SHA256
2338397159152af2f2e947ccd29ed3860b462ebd7b93a7c55cf9a8303e233e77

SHA512
2a7b81be0e16f61fe23acc79f6a661db39d7723476187f2a1701d15125588c63944b665e1a0812672f985bdee8b36c081dab60ff8a92bf9acb375ef05f787290

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c1cd1c2ffd2ff45d40141a490c3fe870

SHA1
b75207ab1c485d8e22258da9e518efa922a9ba30

SHA256
525651abb9de316b31ec3e652ea319764e750d5ccb82e03e13f5b1e5089b9463

SHA512
4724d09ab79d9c35843aa8b1f915d99ba6f92c7fce21857747d840b1e83753baa1ead952749709ee21abdf8332641f48ad3bdf93bb4b757f86454bdd822025f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
32e07b6c1e949f7116cdb32aeb7741a4

SHA1
07a59c8233ebeffd3029a3921f98bf5ced4e995d

SHA256
1446160d2bd3f345f77910d58c9cc1598b4c18c7619de1cec80f504fd90888d2

SHA512
f0d5c6f77195fd3ef88333a8d82b5814a089d379c0186daed367c0da19bc8966359497420423cf0e1782e52e900e732c2bbd66044843252b39b91d66c92143d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6f40a7eb6c93f98be9f640ee21d3fd38

SHA1
35756ce8858c04407b24189eac9c69a5166a3974

SHA256
8d2c331fb160584ce802e10b591ff8fde5837ea920053073541e4a0d0de123af

SHA512
207ce43ab8b7440a2002fe0a518131cdf902f342a5d1b09364f1542487bfb4961d3dca3c18925e3d1b492a120f93349fc523301d1e5164812f6329b910176f99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8367ff0b48aa5e45ebe03a9710d65f81

SHA1
6e02ed4e45d1bb40b00336c591703d85d537054d

SHA256
fde7659761e88db99560a2efbf1a005438c6e176218abf847e1aabbe6962b80e

SHA512
1eab65133484cbd253889e87dd200119f7b8837af3cdb957791262b1bbbec10059493e0175ea815033cb05afeb04550b57a285e4948fc969fc5a3c4cb9dfe7d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
467cf1c9d00b27aa7166e6b17486e894

SHA1
bbc2ddc628c8ee36bc52a1619a27188cd80cd418

SHA256
a9c2a0758b2ff6397a6ca25c4ef3202cd3a09c26f2c597464cf622a97580fba7

SHA512
13533978d409c406f5345e29328c3832d72cb2e29880214b0183312d00ab31e3f5175c3694f5fa764491bb33f705a6af4a7f9ddb57ddf93939dd649ed3f7fc6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
0be142941760b12d28f68606a540373c

SHA1
9553734b896642f6ab7e199cc0063110dfa8399f

SHA256
a091dfda547100bd691c9fd1beddf5e7de1c975a52c0465df5decedc2a9bb51c

SHA512
bab5c9d8ae6ecd4ef3f9a657099b0d4d8db40f23bd67e538a1a5e30c274fa4c24834f5e26127f7f34bd5a05ae58f916d1efb69253a441411bd63b6cc4e7eca40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
4e9e2d50d4303e27349449252b1fbbc9

SHA1
3ad706970cb86bcdaac98b7ebbf2ac9eeb54f774

SHA256
9de80305a377cc7016ea93692114f0c513fb2488b3b05f59f8e6ec07608bf7a2

SHA512
71736db18e029c006c38c3ed51ce955777531cd7fe7c37f73305d8adba392a3afaeaad6eb7f1b6004692ff04086a675a0da25daef1fa68eade153e47dfafa5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\H2ZRUA9R\mygreatbonushere[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VPN0KP4V\jquery-3.3.1.min[1].js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ld41mu0o.default-release\activity-stream.discovery_stream.json.tmp

Filesize
147KB

MD5
e5ccbaad55f75ecf15ec58c635f42c9a

SHA1
284d49a088b2b970cfe9800babcd96170feb1da2

SHA256
2dde1e9f0cdddaa7cc5cfa142adbe055de0f382c13be44ddbffc1edbd96bdd87

SHA512
7755c9d28089d2872c1b22388ef395f01c8358336973c036e77eb46e583e0b0f977fef9c0605070b08c8263a6390af69ff1c6e5495c46c73f2b751f43ef98f81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ld41mu0o.default-release\cache2\doomed\3456

Filesize
23KB

MD5
9454abe8fba3203de0af9dbc7deaba20

SHA1
e35c2bbad73633b6a094db214357e924fbd27b47

SHA256
0aa7ee882ff2a5b437ab99c5a71570e9de1cbf7b8a647ffa5b107140228e2579

SHA512
95fd288137247d2c2b6295086abbeb6b70670f7eff86268f6d1616853913beeeced4a0724ddd082ec0921af10fc6cd293d1c96560c375ec4519d9ebec34d9c8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ld41mu0o.default-release\cache2\entries\D501F66EA836CA5668DDDB3195AEE449534C69F8

Filesize
40KB

MD5
31cf64466220358772ad4c84ea619f0b

SHA1
0ebb73558c81746de7993871ec017d57135b64c7

SHA256
c0093be4ac1503f6122ab45ddd35bdebfab2c9376af302afe81b7a74fed13636

SHA512
f6c1a4b54e34c528e1d6b105eb53adcce311fcbe77e466b42a5574fd53b3b54162cc5d85a31fa9c85d09103d00d478d0c48c9843348ca4171b16b3283cbdc4cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ld41mu0o.default-release\prefs-1.js

Filesize
6KB

MD5
633aeb30e43736efd800aebe3bbee929

SHA1
c07d299e0cf8dcd4c1aaddc94d141f33a3ce9cdf

SHA256
2c0a1ecb673a40c2e504c1b1b6c24cdf167f2d996b96751d3b77ffd055fdfc7a

SHA512
6018b98fa5595ad9cd573aff5f5e0af2fdc8e9628a07dbc42f50949db1f6ef89cd6fd0fd176732f4c154169a80c6339c6e95dd8d5cc39e6f60256f920a03c189

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ld41mu0o.default-release\prefs-1.js

Filesize
7KB

MD5
53113c9c7384b735b6be4c3d4fb39dd8

SHA1
8742bbc6d727e19c80fcce7449f541fd234315e3

SHA256
1ef35c4a3497645ff1a2a0477ece380dcacc52a895d7fb5fb07599d1bc227090

SHA512
852f0d7370573646efdf3d11df35e14e8328500262237393d202831d277d154c7b0805cad7e2aeaf495fb44013275f75069a6380d93e672e3b86d76593cb1e5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ld41mu0o.default-release\prefs.js

Filesize
6KB

MD5
d9ccaed3c8619acc3f9b6b4097362695

SHA1
af946800d45389f38c3ceb16253619bd2d0a79b9

SHA256
1957f6b5f734c747e6307b5a91e2ae9cf4c522ae66a5a221b28c5d8d08282ab0

SHA512
2f9a7387bb31a834697ce415afe8052178f38b44cdd18e3eeb51597efbe6b642948d1a36347970b1a71d1695a576dbc8bcf2d8400c56d1ff6075906cd3266cef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ld41mu0o.default-release\prefs.js

Filesize
6KB

MD5
f6aa59247b189b4e763e2f599f1101c3

SHA1
65b9f83ffec5fa20445035b0c887133d1d2dac55

SHA256
9e6326372a49ccb5f8b59872f5caf281ef345cd2804d11f7ad6a7d1b15b9c01e

SHA512
1ecb6e5a3ef60b2f85a68d02a5e32f8a3bf11ca5235ce24cc5c85dce2ddbaefd2164e8122c5a5fc2803e736d07f601b3ad0b14a9d9516cc37fe64b235bdaf446

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ld41mu0o.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
84bca7079a39ba7ac28705f6e643e5c2

SHA1
a936e9ca619357e58bd59f4fe89d657556494090

SHA256
beafab62d43e316e90ad8d8c000b53cab1fdda4f9b0ecfd0d8fdccfb12f73ea4

SHA512
910bd15c2de3799d10789b998512e3c303776fd1a296ef94f2ff581b71b2f4a1aa30dc6215ec32597ee8bff5ec89bc7919bc3a6bb8a73c732e6f865d4e41bb00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ld41mu0o.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
cacee913c594554bd1996615aab78d36

SHA1
90a7ccc9a123ed3ee1d28dca6d9860048f01744d

SHA256
628f115908db45be6cc3e75a1ae6494857bebcc7fb7241c75f8d2437ebf4517f

SHA512
931f89d2c5d6da71a7c4b988d42c58ca2599d3650e705344ee9c24f76338703c78d5f5a9c000fbb909619e90edb4fa6039b8ca8f2eda12f4c616866e4d010eae

Download Submit