hxxps://randsoms[.]click

Analysis

max time kernel
202s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2023, 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://randsoms.click

Score

7^/10

spyware stealer vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2412	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0006000000023286-566.dat	vmprotect
behavioral1/files/0x0006000000023286-567.dat	vmprotect
behavioral1/memory/2412-580-0x0000000000E80000-0x00000000016E6000-memory.dmp	vmprotect
behavioral1/memory/2412-586-0x0000000000E80000-0x00000000016E6000-memory.dmp	vmprotect
behavioral1/memory/2412-599-0x0000000000E80000-0x00000000016E6000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2392	chrome.exe
2392	chrome.exe
2412	Setup.exe
2412	Setup.exe
1992	chrome.exe
1992	chrome.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe
2412	Setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4312	firefox.exe
Token: SeDebugPrivilege	4312	firefox.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeRestorePrivilege	6064	7zG.exe
Token: 35	6064	7zG.exe
Token: SeSecurityPrivilege	6064	7zG.exe
Token: SeSecurityPrivilege	6064	7zG.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4312	firefox.exe
4312	firefox.exe
4312	firefox.exe
4312	firefox.exe
4312	firefox.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
6064	7zG.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4312	firefox.exe
4312	firefox.exe
4312	firefox.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4312	firefox.exe
4312	firefox.exe
4312	firefox.exe
4312	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 628 wrote to memory of 4312	628	firefox.exe	38
PID 4312 wrote to memory of 4412	4312	firefox.exe	86
PID 4312 wrote to memory of 4412	4312	firefox.exe	86
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 4952	4312	firefox.exe	87
PID 4312 wrote to memory of 3632	4312	firefox.exe	88
PID 4312 wrote to memory of 3632	4312	firefox.exe	88
PID 4312 wrote to memory of 3632	4312	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://randsoms.click"
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://randsoms.click
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.0.1554604275\522163166" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a2bd314-d2ea-4438-8bf7-ee99ed7a7ea4} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 1960 1e49f6cc958 gpu
    3⤵
    PID:4412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.1.1286765381\1168568449" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9b73f0b-86e1-4b11-a1e9-a4a803a32b17} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 2384 1e492e6d958 socket
    3⤵
    - Checks processor information in registry
    PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.2.1927057306\455391683" -childID 1 -isForBrowser -prefsHandle 3436 -prefMapHandle 3432 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fe8452f-efa6-4776-8bc2-047ed0bfbe69} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 3444 1e4a37d9558 tab
    3⤵
    PID:3632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.3.825723349\457939461" -childID 2 -isForBrowser -prefsHandle 2948 -prefMapHandle 2960 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b5e8d2f-bbdb-401e-9164-7fe3674458d1} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 2864 1e492e5eb58 tab
    3⤵
    PID:3620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.4.1232811526\1836216683" -childID 3 -isForBrowser -prefsHandle 4768 -prefMapHandle 4772 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d2bc77-92d3-4e1d-b9c9-a345dfd80559} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 4796 1e4a5bcab58 tab
    3⤵
    PID:4992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.5.774456328\186783545" -childID 4 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b390cced-c1ae-42ea-ac8c-be1a82e14f5c} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 4964 1e4a4bd6d58 tab
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.6.1597743269\618766351" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 5224 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a402837-bebc-4284-947b-d271d1b32b34} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5272 1e4a66ee658 tab
    3⤵
    PID:1576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.7.1967010661\368199591" -childID 6 -isForBrowser -prefsHandle 5588 -prefMapHandle 5544 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af5f7ee5-7637-456b-8357-5f181e7ba3b9} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5596 1e4a0f86358 tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.8.1292993238\83674227" -childID 7 -isForBrowser -prefsHandle 4516 -prefMapHandle 4528 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11402a4e-8743-4056-bec0-8147710d31aa} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 4036 1e4a0fa3858 tab
    3⤵
    PID:2444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.9.1637007818\527290238" -childID 8 -isForBrowser -prefsHandle 5056 -prefMapHandle 4864 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36ea3f34-16c9-4056-b608-7b88afcb81fd} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5144 1e492e5c158 tab
    3⤵
    PID:5268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.10.1619325564\1958248852" -childID 9 -isForBrowser -prefsHandle 5172 -prefMapHandle 4912 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c85a9ed1-cac6-440d-936b-297d2ad3cf6b} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 4860 1e4a5bcc658 tab
    3⤵
    PID:5660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4312.11.885637162\45073721" -childID 10 -isForBrowser -prefsHandle 5876 -prefMapHandle 5892 -prefsLen 27096 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7703002-f851-40e4-a36e-db8d02ea3cbc} 4312 "\\.\pipe\gecko-crash-server-pipe.4312" 5880 1e4a6128b58 tab
    3⤵
    PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7fffc8b29758,0x7fffc8b29768,0x7fffc8b29778
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1940 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:5520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:2
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4728 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4900 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:6084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:5824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5204 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4840
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff733947688,0x7ff733947698,0x7ff7339476a8
    3⤵
    PID:5644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5452 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=6012 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3156 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3052 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5772 --field-trial-handle=2044,i,4798736527858548139,16286936252371389553,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3108

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6920:110:7zEvent6497
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6064

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
353d953abb01344f81097c97cd9f3aa2

SHA1
38c8a8a1e158b104dd818b4f952a8ada3eafa004

SHA256
c678bf5283ad27136a6279bd2be089db07936ab742c8d2d093704f87266167c0

SHA512
658863771c9ef9ee1db23e762a8862cbadf3f5e4044faa0d114f8571889943c398870c4777da7706dfbf2cf48eab7f85495c6b6a2336cc7959c870f384544bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
a515b49b754bd10d6a9fe277f6ed11c9

SHA1
1b7c35da5aad335a71c2ca6aa141b1d702779d37

SHA256
eea3c5adf4c670003b581acd0f56aa5751b4525f26623112066b219f4a63b5f1

SHA512
4e50e1fed46c0ec91027eff1f844862e23cfff572b9530fe66cf0c4a33f4d7a7b4e035323b03fd5fbbe1e565721fef3491bbc2e219c06ba22273170c0eaa5952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
041e904a5e8de87ddfd034ba4ef60ae6

SHA1
8f244be8f8b11dbf0c0cfc69f16032d32ac486c0

SHA256
135cfcdf26cc553df9d7d702cba31f5a49386116a164d125402dc8ffc181415b

SHA512
89d5eb801ebe2c29aaf7faf68934c2d57063506d9b804428250eb7f76fd84e49680860d138f5dac25527244dad6a7f0cdbed9bcd71e8e182da5d65a142883685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
4670dedaab7637227dc36285156be788

SHA1
32ad187ca6c003efcb9520e8a456ba0bdfd51ce3

SHA256
8001eaf395c40f93f6a671c6069a58a77eca7a00cf7571e8254a0cd64a320e5e

SHA512
38c678fa0bbc26c5e0c8449e66b4b90ccba001789da824bf2e9fe946f909a7234c0edd2df6188235e2102d8b26d6c76ea43fe680cd1eb072b15d0f323bd57c19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
58a8cf031563d68ad9703e0142ed1235

SHA1
c6a5afd53bf5c39ee51eed6da47a4423867c696d

SHA256
c5f282cfc885ee55d2048810187951292a46efa3a4d8f556a8974ebca99bb3d6

SHA512
5ab66292388694b7817db1fbcbd10240bbbac3585bc2204a0d672ca5c0bcd68e9ec26c5d6aab776c6263e475e2208066dcbe2fa6b7c50391d83e9c07fd2051a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b3f3097e5b01248b33ca4f112ef4383d

SHA1
d396281bc732d4355a61d5b55efa01bd11354fc9

SHA256
ccfd4bf87d8abfca2afa0c441c0f8c04a8c0ad0ddff3691a1456afb4b316b156

SHA512
b1ff49ae0b7cfd35bb4abd7ff86046b5b943801d1a142d381c585f3dd231ff3dd073b6c2f9a11045391611a033152abf803a9c8a0d5f7d82cc81235cae402392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
146db5f01b36c0ea0ab2c2129be88684

SHA1
99a17a6cbc035c9f0ba032e04956c9411392ec67

SHA256
2a481d28be12b3f8ccb08643176c0d683d170029fb0bafc8d920c82dbd36b0f1

SHA512
3fbe539cc737c290c70d9e20e23339bc045d4e320f3541732f5bc88a9a2eab85daf8b619ec5abbd8681d712bdb84cb0b3a5337fcbd1342b43f0e6de245ac950c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
ad94b191e54469e01787c6b7dbe53010

SHA1
52b55ac6eae5f31f9cec1a5de83c4c4953b533d6

SHA256
d20bc0f7a14ff36082eaf1e6e485f6bbc95fae6dabdadc756ebcf404207b9dd2

SHA512
07a6792c030ba20da7478fcbbcb4789a3bced2cec1fb638a4a0300be8fa54e4ada0a131a09a346a2baaa70d75863d95267e1c763f0f876441318b59058d4e1c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
3dec3e812fffc714306a7607cda15517

SHA1
dfb8848fbc2115bdd69c8ca346671679fe2b4797

SHA256
72ffa35cee8aceccc22398d7dd795dde820dbee3b36e2cf2a21940d107d8c6c0

SHA512
f4ad20f6c2eb79107b769e28c0d009bfa89eedfb6b7b6789152a943bed760cca5e164c9001d08fad600495ea8cdb745ebbd194befe5e0dffcccd3d18e256e337

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
823734c023134af6ea668b91058cc049

SHA1
bcf2feccda03ad650147856dc17968779c72a152

SHA256
673a71423a9af7f000f21436655539e97a87446d9389a1bd1a4164fc26d352a6

SHA512
7a1eb9661a748fb2be47a0cfbe4201e285999235148c25c1901571a19733f528d3ad3cc18a2f2e65f062bf0d2a2161538da6192df3acb5923ac33428805772ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bea89a2f64dae2aecc052a15ece4a253

SHA1
4b7b5da05ba329fd4bc85677f5889b87a435741f

SHA256
83c6440e3d224969bcc97d72283e7e8eb58aecb705d2166527ecaa10cdfbc8fe

SHA512
d9278b769864a442b7abeb2f84c951b3b1369bd752294b0c76c72de33ddb1c979d5fc95b0b730f472713e3bb669ca20c201afe8f4d5d51d34dbba6bb57bd866d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
644ec2e4ff8aace85ecaa5b35194e1af

SHA1
deb577c55104d1768644aa5ac2b93484a677f90c

SHA256
0fed57c1803dea7be1fa679257d19fd8be637cdc5c6fa895436d56ca2520c000

SHA512
0642303cbb0b31db39368a2dbf0527b5927e36f47cca3f4822195a9f0282122cb45e3bab1acf6c4e109c8a2386972aa14db63623829dc8e2f3e2804647e06f5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5853e7.TMP

Filesize
120B

MD5
c37f74484d5c8ad457eb21bc57a7ffc5

SHA1
8527b887b00df19aae7a1c7ad9fa13d6e2b47ae0

SHA256
172f3d7a6ed2855ab21a04e0197a89e2d1825f36c48ea09369a4ef2376277d8a

SHA512
7189321af6b9fe4c9a4f1d99a4dbb4eb484133adbccdff9caf4674c1a6ff0f25dbbadc9b68a45e4a9b3727cd26ca04c7b54a9c8cc86eaf7cc3b243f8c0436679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
7a170e912e11e027a2c09b17ca9c7ca5

SHA1
75833f52ecbea6a8938511fb1d9e51eb8512dc53

SHA256
10f4cfaceb17249fe24dc8459c6543020551ce317ba2e69794bfe513eaa3c242

SHA512
33fc387af2b9e136fb36c4b496388faba725378555746fd2bfb6e59180e83764bafed52ffdce989e10f469172fecab4bba3fa48598dd474b9f897f1e8759b6ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
95c9adee7b53dfc36048a2fb843b7c9c

SHA1
18e6ef4b88d988006b43fcd0ee46716011399692

SHA256
533863d836c15b88044e387d4ba8571bc839b7afdf2cf2c721a86d163dc1b713

SHA512
c0225011a1fb12564523a86a491e7b489165f3280051637cde794d3986c2f7fe903afcb51b84e52f43d77e4aac1bb77a8cbf4958e769fc087843671f3dba09ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
95c9adee7b53dfc36048a2fb843b7c9c

SHA1
18e6ef4b88d988006b43fcd0ee46716011399692

SHA256
533863d836c15b88044e387d4ba8571bc839b7afdf2cf2c721a86d163dc1b713

SHA512
c0225011a1fb12564523a86a491e7b489165f3280051637cde794d3986c2f7fe903afcb51b84e52f43d77e4aac1bb77a8cbf4958e769fc087843671f3dba09ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
e0e281afbacf243ef17ae6416e43a1f3

SHA1
3cfc96838246a61dcac1dbe3ce94ea200202ad42

SHA256
cba452280e5c7fe3f687297f98e8f85313691e50726cbe74f0fbb400e7d673dc

SHA512
cec5c69b4b54efc713cbecb2bef99d9d79453275228355d6e9df52245295597cab5f49f8eef2d2234ebf19b19df1cce40305ad98d1ec43bda757023417f38943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5886ee.TMP

Filesize
107KB

MD5
2218b3fcbf5ffc88af8051801a5a3ffe

SHA1
0398171e58f7e9cd49a62e6d9ad831e07af8a0ab

SHA256
deb2959aebe0aef38602bab5742b6d5333fcc99acd8a9aef2975d38610a8be72

SHA512
36d3d7ca4d069f060a4e9002435ba702196d0883ff7db57b96b22b12dd52d1383efc9a97a912f531e573d9550413725c7f4135ba9835ab94f9a830a1b72a1b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p2pa85fv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
6a7c1d753a0ed54432d9f6f481a4c6ff

SHA1
e09756f2790b64fd4597195c361ac09421c20d9d

SHA256
bff6cb5ec0d9eb1e0e627f0e6f9529e00778c34294bc2d3fa12e12af9cb64bf5

SHA512
87e30e3c1dda6e74fc8d12472d822f006a6f6fab1ba668e87aa776e5db0fc34fcf02722255e6f574c8cd6e5e04c80a31d9edc4184b0420d5f50120c230534caa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\cert9.db

Filesize
224KB

MD5
d549a684bc0ce8948dc36535de539f89

SHA1
983d1ea9e739f2368e94837102f0751dd029adb6

SHA256
ee5b2d12c58d273e5a09cc6027c4b3c89a0f4c54ef22a11e082828c28a3f19c2

SHA512
f6b5a77b0a27fcf294800e00386b52b3ed4c1f2e33b13bf0b60221a87e9bb086603902ca560bafd3e0c23a130d264cbfbb4ce2dfc0fbfb7a763d3cb27c4d403e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\cookies.sqlite

Filesize
512KB

MD5
257b510cf6e823c3a41259c0dd38e50f

SHA1
2709501aa79b202eec5543ffcdac3c1c0866310d

SHA256
c6e1373792c4d2dcf31994babcc28492ce63274935eb821d591a179b210edf3b

SHA512
97a9e532da20bba8bb945c7690980db41281387e7d8b9e2803eb35decb6853a3f4961cb1cbab113b5ecae497c78d87843a51670b6812280df011bb2ef20d93d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\places.sqlite

Filesize
5.0MB

MD5
3876196b044bfe0ab2b628ac40a36a49

SHA1
1113cfc79627f419f36dc5ec7aafc54318687af1

SHA256
8c81c16a41369f5beeee8ff03fed1633edb4d2f037b5bcf5eebacccf4658f37b

SHA512
06edac9dcd41f9c4fc67de19771626e03873e676f0ad08f0b179519d78325d1b210c5c414fec2e7b6f9aee5606eb15f56e050fcbd1f43f29c33ce52ac6d61c41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\prefs-1.js

Filesize
6KB

MD5
33e0bf6e692ded5f32b40c549f1f6b0d

SHA1
f241bd1413e93eaac59a83a264191f6896770d51

SHA256
12521498406ed17263ff21f4397373f25975cee06f001e65f387d4012635a783

SHA512
585b7282367a57c86876fcd454d413439e7eb1aa68f95fb4b9a796147715810ab3133c65fffade3be7d7735f6e4e6b22348e7e010334a1b364c1fc656dbb1cfc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\prefs-1.js

Filesize
7KB

MD5
44080c7affda3053d0c62d5d5f3242ba

SHA1
8040cdf693083fcf95917f2831a3771d174734be

SHA256
00a23fc0220fc1fa5851fc2badf974ada62d17e874a4fbd8be0e377078dae745

SHA512
cff725ee98dc75a2df1d10e826c76cddf3341384ce347c6b44a61d61d4b4c25a1d5ba47d6f89c76931d70512eb5c99ff843ee37d4b2d8d4425a0d9dc5621982c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
63ecf148e1fe61588f9473d5d11886c9

SHA1
cc4813fc5368c85971aa6fe1fe395fd09fbbb9a7

SHA256
42aa6c8d5f7711c3d2b623da30b26bad1da0a712b4c58299f46e77700afb44ea

SHA512
77cfc0123a43e575932af0e96c7249aa4b3f9146a32bab1d27661ad7e41d54f970235c003e8d1910796dad45115ec8b4fd313022378f48474a1559864a321b1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
df570b5c5037fc5e9685903a06d67633

SHA1
d5fd291d670e3cdfa1edc048ed89123306b92989

SHA256
0569190fdbb82fa86775963ba1112b64a1e7ae7f289ccd5eb04b0e8ec0ec2832

SHA512
1c417be50a59a647f52165bb1e15b75c6b88842cb7726cd643a4edf98258d31739c93512935f0b9b9ee998feb3d9023de61bea26b75417871aa7dae71b192104

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
11547bce204bb45cb895038f0bf35694

SHA1
2d9fe45b2fd46af5959f882c353011e3a793a300

SHA256
dff64dc0d837dc90d1a199803969e451cf8e18a09cdf57ee303a0b418f8ae4e0

SHA512
79ed292a1694d5d2e2af05173886ab2b04fcc3416d5f2c31b487722839eaca8686b135d4168a884eda9b856c49005ecf60b651ddb7942d6194222b8282ecb42c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p2pa85fv.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
df19394df570390476ffab2f5f4ace2d

SHA1
bd00eb2fbd806b8da729e8e355a8ff2fcb6621c4

SHA256
6336dd59dba9635369d12139183862b54991a7df8809e21b65687663b4a9de2b

SHA512
d48a6223958aabe5c5eab7139738e9e9e96380754b9ce3910281dc196e4ec283e5097d46ef82dd229cf2659558bcb9a80ddd64fdfe42b92eb779eb32e3bfd34e

Download Submit
C:\Users\Admin\Downloads\Setup.exe

Filesize
780.5MB

MD5
377d95027b050ac16bbe524eae3bb26a

SHA1
0f4565aa074c3cdc9f2a91b48c52df7efad50235

SHA256
eec9c293d6612530a3eb080bf6d555bfe43cd28678c5e3b0ad9e787509f6b4b6

SHA512
fc6d8f60c6a7f81b9373d943545e966963e6425e3299586122ee7ae6be50bd6400580e0edbd80d2ffccf073e55b851c6b60985d1eb32a49cedd3c1b71b375e17

Download Submit
C:\Users\Admin\Downloads\Setup.exe

Filesize
780.5MB

MD5
377d95027b050ac16bbe524eae3bb26a

SHA1
0f4565aa074c3cdc9f2a91b48c52df7efad50235

SHA256
eec9c293d6612530a3eb080bf6d555bfe43cd28678c5e3b0ad9e787509f6b4b6

SHA512
fc6d8f60c6a7f81b9373d943545e966963e6425e3299586122ee7ae6be50bd6400580e0edbd80d2ffccf073e55b851c6b60985d1eb32a49cedd3c1b71b375e17

Download Submit
C:\Users\Admin\Downloads\Setup_123_Passwords_Full.rar

Filesize
20.6MB

MD5
7d1cd0fed35c1bae7929ffcd92cbc0c3

SHA1
f7fc142051c5e2dc788e6f5fe9ddefab9d2e51f0

SHA256
0a8f61af11519e9aca6c4798aed0e01ed0b6a8d125e9a1336ffbd3596d2bf840

SHA512
2d04bbacdda60404a5edce8c7218b0cbfb39684afa0cb2ccf640babff5ef26316c3157fffe21e4484ba339ebf248a42f6a38c4b8f0abc9defc462d674bbebd85

Download Submit
C:\Users\Admin\Downloads\Setup_123_Passwords_Full.rar.crdownload

Filesize
20.6MB

MD5
7d1cd0fed35c1bae7929ffcd92cbc0c3

SHA1
f7fc142051c5e2dc788e6f5fe9ddefab9d2e51f0

SHA256
0a8f61af11519e9aca6c4798aed0e01ed0b6a8d125e9a1336ffbd3596d2bf840

SHA512
2d04bbacdda60404a5edce8c7218b0cbfb39684afa0cb2ccf640babff5ef26316c3157fffe21e4484ba339ebf248a42f6a38c4b8f0abc9defc462d674bbebd85

Download Submit
memory/2412-579-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2412-599-0x0000000000E80000-0x00000000016E6000-memory.dmp

Filesize
8.4MB

Download
memory/2412-586-0x0000000000E80000-0x00000000016E6000-memory.dmp

Filesize
8.4MB

Download
memory/2412-582-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2412-584-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/2412-583-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/2412-581-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2412-580-0x0000000000E80000-0x00000000016E6000-memory.dmp

Filesize
8.4MB

Download
memory/2412-578-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download