hxxps://vbmore[.]com/

Analysis

max time kernel
144s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vbmore.com/

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587285573588987"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000_Classes\Local Settings	control.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe
5244	chrome.exe
5244	chrome.exe
5244	chrome.exe
5244	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5184	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe
Token: SeShutdownPrivilege	4676	chrome.exe
Token: SeCreatePagefilePrivilege	4676	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
4676	chrome.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe
3312	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3312	firefox.exe
5184	mmc.exe
5184	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 3712	4676	chrome.exe	86
PID 4676 wrote to memory of 3712	4676	chrome.exe	86
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4664	4676	chrome.exe	87
PID 4676 wrote to memory of 4016	4676	chrome.exe	88
PID 4676 wrote to memory of 4016	4676	chrome.exe	88
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89
PID 4676 wrote to memory of 2500	4676	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://vbmore.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa2660cc40,0x7ffa2660cc4c,0x7ffa2660cc58
  2⤵
  PID:3712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2276 /prefetch:8
  2⤵
  PID:2500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4368,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4892,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4004,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5284,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4676,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5588,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3276,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=976,i,13606869772016685695,14839908568544399094,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5244

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3996

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1780
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 25457 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {81608335-0098-439f-be51-ffa4f057580e} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" gpu
    3⤵
    PID:4340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 25493 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b90f16c3-81bb-4694-a706-19eacd1d7444} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" socket
    3⤵
    - Checks processor information in registry
    PID:3212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3292 -prefsLen 25634 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16b0ce6a-a77f-481d-a829-d9ab0df28c5b} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
    3⤵
    PID:2792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4264 -childID 2 -isForBrowser -prefsHandle 3440 -prefMapHandle 4020 -prefsLen 30867 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c46b5d9-1a7e-495c-9fde-4553e02a01df} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4836 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4812 -prefMapHandle 4820 -prefsLen 30867 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3acf988-cf76-40f8-90c3-cee5a2e399c0} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" utility
    3⤵
    - Checks processor information in registry
    PID:5636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 3 -isForBrowser -prefsHandle 5124 -prefMapHandle 5084 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0a8eda-8445-4817-838c-60cc66897771} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
    3⤵
    PID:5948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 4 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a174d885-0194-4b62-9015-4fd4b6a4219d} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
    3⤵
    PID:5960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5556 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7019ca24-a93b-485c-8c55-e533d0a52500} 3312 "\\.\pipe\gecko-crash-server-pipe.3312" tab
    3⤵
    PID:5972

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
1⤵
- Modifies registry class
PID:772
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5184

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1a0460c53f15188f17188285aa73f293

SHA1
2700f01423e0f67cd2abb6ccb9e8f09f1f693c4c

SHA256
d90ae24af766205218dd8d91b6f88b920a43d219357706e8486385076c30ff7e

SHA512
0e3426b6fcb4b7109f3c82d32de3058601d76f85e23e41f20eb8a145e020cb83d831a4fe5f631ee3bf28d26ec904d1b233da4d81d8692df507b8ecc02ab90f4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d2f80c6ac600f1346ba9396d89dc3ad6

SHA1
5485b62d548290e90f0dd7ed4ca2836786c68983

SHA256
571a036eb8c026e239c5ff014f8ee1980013c7b8c18e190aa472f3d24419e1a9

SHA512
290010294b437012399f243d9ae1660a023db786f46d509c6cb926200a7971c1231288f7e71b9a59b40f1b077d5a3d1a3702a5798331f15247a92cc1bd875fda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a981eccefc852a427b5bd5b76c7993b

SHA1
03761a2bc3a9edb80a29a481be1829ecfacee229

SHA256
3abde0be9e03e51547be17f14c304454286ffe384dd78b9fe3b467476044a65c

SHA512
cd46e4d2114cdd2ccd889d7292ec9da2679e3d11b886524826ff9a072b7384ac3f2f32e2ad73576a25e5279aaf8b91b58f1af2513bb183ed486f7e4e6ba9c829

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5671af4e05ea79d1754ba94eb0e6aa79

SHA1
56e5cf3a8939316e2e5a819668c6377e1a501e9d

SHA256
e39f9d8e0d8470a09c1b4196bd1b966b222b28f71bb89f654146183459ca27f2

SHA512
188293bc2e6afe28888fcb30fd19260bdbb344fc24efacab0d2fdce6d8d115815d6f21dec826ed503bbd2c34d5ccf33cf89ed16ef92280fd645787069a5d1741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf1966f3b429d445ca43211f43d9cf21

SHA1
a7b7a356214bd503fbeef6b42726084618727c71

SHA256
2d536e909ef25be51b16b4144adeb75692e97e8826deb97ed263ed9466c4500d

SHA512
0d0be019d7a98d999d063e1c836966c68d277aed43cbdd433d31088f0f38368b8f566b733bfc330757658b469e8547c6e0bc8784a51f33483ea81ea246bde366

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e730ef5bc63b4bca44cb04a593938fd8

SHA1
6391a382d7a4c336a02786789e8a284e932dadd4

SHA256
1862d026c71c7cf5d2fcc5c6bd546a9559faa89271d41ea35f895cb31bb40c70

SHA512
c973bdd6331be470c7badc95bb4cdd4d7a8cdd159f0a127d2fbfa5f307aa118f7e31c2c51810e15c83b4d20552b050123c9bd15255014dda70e794fef4274c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08de2224246a9561db875e87bd9739c3

SHA1
d816d296d90934349b0e08aee5a9e272e4f141e4

SHA256
d15287c11fb9061fe3e045c16f69de3c3758ff25fc8510b92255db07ceaf2c83

SHA512
cecedfd74ec2b2e79f6d654e3bb13789ccb5fefd6d014caa5ce5ff0f30cfafb05c6f10d1ff6bd06eb89d41e0f01ba7e4c2fdc6ff1c5fe3f68acbdaab7845a339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98c2d983820370e3c879ce5e89534848

SHA1
e54e48f857e0876d9f07c06ded22416cf21e60ad

SHA256
bb3d4eaf29ef04b8b560bada706ebcde898ebb5152642bee63e7f4c4ee4caa0d

SHA512
0e8748fa64874730059d4e4ea2bcd4f24c3a49c32fc1656ea818ec10b4a884eeec3c4fbe9fbe142a3764f8d49423c5ee6278b86a076d30a87ed3b2675f8990a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5b76b66123981b66395ff540465e3534

SHA1
62238a9590c371ec9895a628118880bc63115253

SHA256
f57f63aa5352c7b76979027b9dafc0de4dcef11cd68447d1f558d31b4651bba3

SHA512
4604e69189b5b21aa0fad3e3af2c1dd994f2c2b7eaa7bdadb8934be2d41c6922fa4278a0b9f0e61bd357c84f970aab34ed71697dd6ade484dba84fc4d0cd99cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f7dd5cc66bf21a1403f861e11ba7c13

SHA1
fdaad0db1cc15bd1636c999c4d9a7a710ab4f15c

SHA256
772d3d71d980085e9853fda9035c4ad3492ee4d5a8663091204ce4bf164ac2ce

SHA512
66d0cff11be11457385f6cf0a0a5b8e4bd453c8cda8e23e26729b3a925a8b6b02dd783fc535f3ac5de219613812b346635a555703f90eb50ca9edac8d22b0700

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
c1b5f4867b33a47d86667f40e7c89246

SHA1
5a3ca572ac3fa57a4146445909280fab638e7cd2

SHA256
56783f3c3534dd1ec32ae39a037219f4ebd5cd2f6bcc8f6aea32b95405ca4821

SHA512
555ce9bcbd4d06782182294a3c24e90be4634058688c474ee565b76d50177eaf1def27602edbd73922fbe2a9c9eb2d70ed6767be2b1198d04843f2321ca05dbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
d053758f6ea925d8a1ec1b666bad63dc

SHA1
74b18bec1b569fd8a185ad96e87c26a9a66495df

SHA256
f035781401662744a9e99564a68868d120a54d927685ed3cb4c83e33f3b4aefb

SHA512
f814c67119fab8934b052134e763a7306c6f5b198f8931578e8652ab810c973a40c357d8f348e34e5dc178ee178ce98d80aa2c354984af3b9ff7504f85af1aa3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
1d9311dd6a9979c5a4b2ad1c7452cedf

SHA1
09ee49cc7d4635c8a560acadbb0d179b66b85ed4

SHA256
a0f1a7f80eb1e4ddf341e72b8d5be82f9dc8b5df80488fff3295ba741808a6c5

SHA512
86658451894487b417e580ad287683f4b83077224c0edcd7b822c65af46de02174478434fab211088dc21fe2eaee183f77a9fb140627f16794593b3f8003d8eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
dd63fba8c9c46228e6bfd16a8956f135

SHA1
285bad96c917c4ea3ddbf2a1ced01b5c8ebeaa94

SHA256
d9f7ac89cdb9ca1c948bf3fa840c2e26c3d8a76103d6fa44d517c990b04e47bc

SHA512
c2a8ef223b567659c32560aae96ad05ebf92d51a9048c8518adc8a0ef454824c6e19d3c27c6293bb753d9fb54d93e500051f1c9992ab8262352f2d493880c185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
aa7a863b1ffd0cb92135856029732a95

SHA1
459c426b619fd15518260563d19023c1f60d7405

SHA256
96af931c6f74a3ab6eb88bebc354b2c5cab628aa24be2c09e400844f5b07e52d

SHA512
f1614248eb63a558cf576982916911a10dda0dafe1b077251162c1220d76b09859fc847c130301e839459df87aa35f8e2660009e84bf06791c0ecd686e843751

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\273c0524-c1c9-4942-a232-c9c7a1ea4f15

Filesize
26KB

MD5
6d1374a1d2eba4fef69672c2d7ab2ff4

SHA1
2d440090fdbe8e8cce1447d5ebc7d7847c755abd

SHA256
97b68fd58efe9d57d7afddbc6d6e2d35cb0180f267a3e4f6b2152b11dbe8ae96

SHA512
5619c6a7ef2a7e303de1ba47f9094be3e9305709e7ed86f31a72685257063d59289e5c4a1a425d9cb92e81605dfef775948f0deec3b57db60db2e00f8460ca7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\bf588d43-b233-424f-942e-b42ed09967ca

Filesize
982B

MD5
730dd496f82fbf9e9d8d38dfc18a262c

SHA1
e86adf9514937cbdada2a4716d9b5af0cc2a958f

SHA256
93865d8ae7b89046f5bb904bd1c6a01bb014927dfd154272a41f12c48392fd67

SHA512
77f867d2db71fb772c50cd370a7d932c6af7b247165df8166cf7ced87ef7e7afed08b84afb02c107ba5f8726f13eb4c44d2e2e8c712743ceb781a61300b05214

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\datareporting\glean\pending_pings\e89f54d2-3ee3-4390-840a-f56bff0d0bf1

Filesize
671B

MD5
99ca37da312ebff6e7aadb9be9fef47b

SHA1
fb5d97c01717ebc101fc65efe827ae2cd85cae3e

SHA256
74c8e6fd24a5e63ea518e9dae48bbe170d4db8e6a69f068189f1aae21f87d722

SHA512
1691e580f39484c5b1b310aab6db73d0199b9b39b9a3cf5614511fa2968bbc2eb6076277aea43933ea8624c09bc92ab1da2db5fd67ba56b7c34d172cdb4e018e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js

Filesize
9KB

MD5
3fa890bde0d7108b29c12de52d96c9fb

SHA1
3b8a2cccc4b93df4f822cef6d6490b311080a8e2

SHA256
9fcf9fecc91d20c1d36cd12b2ed423f81fedf48fde7236f1b9d3105314936fa4

SHA512
28784d3e0ad098b16ad78343369d6e1da372e5325468890e53702c29312b18344b7bdd134a675cab37812ba7d6eae6aa0909a4c99522da936def62923eab78a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs-1.js

Filesize
8KB

MD5
b963473175f146ae9a42912a43a12417

SHA1
80f24827f080cd01eedb9864163284eaefd9bb50

SHA256
0fd5cb2196cbbe0fbd97d57c1c817de8d26f8f19abb8bdafc10c73f497cbe7e5

SHA512
b02d94c97ed23c1034991a41eecddffcb7b088dabb5824ce9f9e7c3331818277b98ae4ffa14ce9fd71963aa124cee44014d077c5f3ac97837cae6365db9d71ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\prefs.js

Filesize
8KB

MD5
6cf48b19265d4cfe4086fcbb3ad0c2f2

SHA1
3e2945a9dfd1b18180023b04020b5b4eb84254fb

SHA256
9804b877511e0b346e6171373ba5b28ee1a0a9aa7185885370e6edc973aeffd1

SHA512
e8c65494c34ed2cad5ab9defd3f5e27c7e375d0c8d61091e19693691bba0c6cba80e67fb0c0e7012fbac975c6ff15d84f7e9f9f9f3d25a30cec80598f7584e76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rvwtj7c1.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit