d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe
Size

89KB
MD5

d36668da32d3c11544860b59e100700f
SHA1

7dfe29f69100af1d59393c79bd46eb76d25f3d46
SHA256

d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9
SHA512

0b759eb246828e1d5b7d5cc0c8e2c8347cfd5aff6c36e56fdcdfc1cbff75e1ce3852042dd63373760453db28bd633bbeb02bb0215a37d3b3a3b9382e64b3977a
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfexTdrOq:Hq6+ouCpk2mpcWJ0r+QNTBfeBdx

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000\Control Panel\International\Geo\Nation	d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133670747038303253"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2927035347-1736702767-189270196-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
1612	msedge.exe
1612	msedge.exe
2848	chrome.exe
2848	chrome.exe
5528	chrome.exe
5528	chrome.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
5528	chrome.exe
5528	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeDebugPrivilege	3864	firefox.exe
Token: SeDebugPrivilege	3864	firefox.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe
Token: SeShutdownPrivilege	2848	chrome.exe
Token: SeCreatePagefilePrivilege	2848	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
1612	msedge.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
3864	firefox.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe
2848	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3864	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2364	2136	d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe	84
PID 2136 wrote to memory of 2364	2136	d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe	84
PID 2364 wrote to memory of 2848	2364	cmd.exe	88
PID 2364 wrote to memory of 2848	2364	cmd.exe	88
PID 2364 wrote to memory of 1612	2364	cmd.exe	89
PID 2364 wrote to memory of 1612	2364	cmd.exe	89
PID 2364 wrote to memory of 2532	2364	cmd.exe	90
PID 2364 wrote to memory of 2532	2364	cmd.exe	90
PID 2848 wrote to memory of 768	2848	chrome.exe	91
PID 2848 wrote to memory of 768	2848	chrome.exe	91
PID 1612 wrote to memory of 368	1612	msedge.exe	92
PID 1612 wrote to memory of 368	1612	msedge.exe	92
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 2532 wrote to memory of 3864	2532	firefox.exe	93
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94
PID 3864 wrote to memory of 2740	3864	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe
"C:\Users\Admin\AppData\Local\Temp\d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A7E8.tmp\A7E9.tmp\A7EA.bat C:\Users\Admin\AppData\Local\Temp\d421b79f2d006be50927c5b957f96cfa15f0c305028481395503af92eab0a2d9.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://www.youtube.com/account"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9cc56cc40,0x7ff9cc56cc4c,0x7ff9cc56cc58
      4⤵
      PID:768
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,121668876042259458,14850063509961012290,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:824
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,121668876042259458,14850063509961012290,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:4292
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,121668876042259458,14850063509961012290,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=2412 /prefetch:8
      4⤵
      PID:4732
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,121668876042259458,14850063509961012290,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3112 /prefetch:1
      4⤵
      PID:2888
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,121668876042259458,14850063509961012290,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=3176 /prefetch:1
      4⤵
      PID:1432
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,121668876042259458,14850063509961012290,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4624 /prefetch:8
      4⤵
      PID:1860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4692,i,121668876042259458,14850063509961012290,262144 --variations-seed-version=20240729-180130.470000 --mojo-platform-channel-handle=4864 /prefetch:8
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:5528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.youtube.com/account"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9cc6c46f8,0x7ff9cc6c4708,0x7ff9cc6c4718
      4⤵
      PID:368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6819748558279081137,14480690396809105095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      4⤵
      PID:3900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,6819748558279081137,14480690396809105095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,6819748558279081137,14480690396809105095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:3948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6819748558279081137,14480690396809105095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:3392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6819748558279081137,14480690396809105095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:2996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,6819748558279081137,14480690396809105095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
      4⤵
      PID:488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,6819748558279081137,14480690396809105095,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://www.youtube.com/account"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ce9ce1d-0224-4a68-b720-9928184959c3} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" gpu
        5⤵
        
        PID:2740
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbe4d6d2-ad63-4f32-b30d-142dadc329f6} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" socket
        5⤵
        
        PID:4876
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1364 -childID 1 -isForBrowser -prefsHandle 1376 -prefMapHandle 2996 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2b0035d-8983-4f70-bc6b-621f592538e5} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab
        5⤵
        
        PID:4892
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3708 -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3696 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f4f38c3-4f57-4993-99dc-652459c31928} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab
        5⤵
        
        PID:2540
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a16071b0-ddae-4337-ab74-311cb6908f2b} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" utility
        5⤵
        Checks processor information in registry
        
        PID:5736
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5284 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5300 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4287f7e2-8590-4bec-8f63-ab4449a26a1c} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab
        5⤵
        
        PID:5624
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5524 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2ec9e65-fa1a-4261-99db-2abbf6cee4c5} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab
        5⤵
        
        PID:5716
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf8e4040-2772-46b2-a803-94b527f804f1} 3864 "\\.\pipe\gecko-crash-server-pipe.3864" tab
        5⤵
        
        PID:5748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:5304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
fa173d722a6f1e731d353dd432a7cc38

SHA1
f28adf2f8f7b35d11e2cce6b25e9a259f9ec843a

SHA256
adb49757bbfb45cadf2e9696fd739dcdb6f6966a670f016bcb21478ce60bebf9

SHA512
41ba83619b292c8f463d63d00aef77823f382450a0bac116b060b23ba1e0cb4bf0d9b55c4c79b4ff6c605dea27a0f156deb787d04bd7c54cb6e89b0e829c218f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5ed93d17b9bf93a9189670c0baa7d25d

SHA1
732a4e1ea5adc758ae856dc35899a3ab4f1c5294

SHA256
52393044c5cb939d86b3b35b4ed9c5ce5204f5f24f5588a5ee3b39377609e85e

SHA512
ae7c289e7a9d01d5eda90861c99e9958a79ff65dda94541c5565497699e103e6ab0276fb2ad361186bebc21775e8d034243abe56d7a2b3746939e7f3ad2ec2d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
ad677b335d75b8adc3f52bf96057cf77

SHA1
7a5d7464833e8c86e571753de6ec6b10bb6e004e

SHA256
7f9a14f5373b0a77c9b1906ad76183a5d10fb91eb45bd7589d3b2cb2cd1d1215

SHA512
2e52d9d2a624f6b9d933bdf77c77d47f245c85e9b114c01ac300e220f2793f16185b3211c2d9e7b20cbf88ef65a244deaa5314504caeb6c93c32c92d2c210590

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
67deb94865da719fb15ebdf6ecca5395

SHA1
5a18aa477d63b92624aa3252efec976a9d4efb0b

SHA256
6a1afd60d00a8d380c4aa9467eb3b12d7e4ffdbc536df80c0823c8c7d9b2f885

SHA512
1c8f418ba83cd90ab1f17101e2e4f8483317a7f852584eae961e36b37801c0b068ee033dd4abac99707d108c9fa2381c57e14eda2fd87af9591b9944a906722b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bb2f4c666957d1f52d1320b8f715f3c0

SHA1
c2e9abfc120e7238656ddb84cae8abeaab1de7c3

SHA256
c546feb821f79d88043dc80f144c5135a3996840409e3e1791e337ff9fef0806

SHA512
65e96d130bab59968070156a891509df08187f931b399cc13a42e65fdd6e96f950b001e9adfa640e2e5fc854bccc1887952a79f3425090237bc727bac20d9589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3219a026b7a1abd538163e56a2a3d73a

SHA1
acdc5e0c90c3c0685a487ea2ca9f230e5cd02304

SHA256
a33d23f2db885e04e26b93e0a382ffec48169446ed0145abfed3e54c53946491

SHA512
74bae21264f64326afaa0b8240a8b502847cb13046473ca90f3e8f40eef302061b9a8e38041d9466c0149546b9b13b3b8eb7742a0bff814e3fa70cdf84ab7f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
be69d226f58d637adfd8f004e78bc7ab

SHA1
eb5e7cca9acfb3263144e6d41f0bedb73156d452

SHA256
630462b3158a6e65c1355c2f238dc0ab233ce33b7273c2ba5442b178a3e40dac

SHA512
9a11aac817b3ea733aa3190fe65151d3a0e02e66bec17cd6c6c97f1a2d30c4772573e054cbbf97426d3b674da8895de0e3ec69e92f29cf5e10fcad19f4236ddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b97dcaa003d98d2b784f5d235281d1e1

SHA1
7dc5e5090b7fd8778d346cc585245680f194bba9

SHA256
37bc5c5e8aa74c8c6cc06980bb8833fdf643e92d0493e906eea6ed32094b6cf8

SHA512
822790b834f86f52c23943887e72f100b07eaff680ea90f534c9c0047c75d1bf649248b2b6bcd62b3e75975ce8a2a9402551d75e55caa4d553ff2b08b815c0d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e0fbba3735ae7ae3a8fa6e12ac8e433d

SHA1
b5405edf82759d43269e0622b17aa1572461c538

SHA256
e9b5fbae9f53202ac4e69e542bd52232dfffe4c45c518a8973eb74a0bedfd7f6

SHA512
41cf64e2812718401e707a0a1b8d1b509518fdb8d401ff4ad1ae98b5aa71803fdff2c5ecb894583fbdc931d1bde687f57e8d0807301199d7e8a99362919fe96d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b80d2c1ada2ab7fa16966db37e311ec1

SHA1
27aae8013617887863054e51259139a3cbb4ff82

SHA256
0fd4b10a3ffdfe57dfdd88410f57eb03bab773912a157ee9b7e48fa4a46d6559

SHA512
34857cc8038ea00ae2d1b69978322d225b7a840224abf9ba8fa86c42e7440e1f92ef7a3c04fa2be51084d36be25125e8ee9393bc23f587845994081d6f4ce832

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
03ff43852cdfc8b22ae4517eea592a4c

SHA1
34aca52e4706bed9f9577dc0723d9e16cf0dcdf5

SHA256
9aa3ad3b016123a3b03a9bc9a1e821711dcd9f5505df7f4b0d6f399bc0d3816b

SHA512
74efe5fe6f61196e2468418ee95d4f01aeda46dc140f212423cc103a7051e645e16574c6c59c17204d39e9505711b2b26005c4f79f8d96c0670b9fc8111f38b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f37bf201338ce00cfd5533d974298938

SHA1
62e46c927c858a344fabd6baad0123b7de7b617b

SHA256
7afa48ac0565cfc9c2c068d4eabb23944ba9a372544c1b0a19fca027d7626d25

SHA512
c0614812e73f3e03727a25dfcc3c6abf6b95e8ff3622e3ee2dd95b4ef50fb2164abf459b96ad1a77cbee1e5b6b291c8ffbe03a60abc58d9c4df5f71aa7110547

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
1b1a0849bcb948d49e27d07215341c17

SHA1
98f8f7cc1c1f1a44ecf175b65a41ec5e26e663c0

SHA256
e9c9534e7f88a4cc585322102fce4c1cd51967da0b98c13e12cf8f0f8a1877c8

SHA512
bed12262da9bb12f26774904ba19b2fa293a76ced524f61b46863fff3b35f6040a01cc489d484d09363da4891c006655302139fdea79952f5cf5e0d57ce9432f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
caa99e9a09bcdc3509f3c51b675e230f

SHA1
b1bd8189173b7dc1da01c1826a7734376eb1f25c

SHA256
47f6610636491646832bc75f5ac470f0492b3d2b2826cfb01daa63f44ff1207a

SHA512
909b241bafd693c64403b6d957e7ae23256d6b11778ff375ae7e382b4d7ec738789368e473453a7794c17223177fe91dd747f817c4d000debb5b9be8f68f270b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94eddc8c760c6582645d582b4f107cca

SHA1
01860648fbebb62eadd53d3bc58471df3b8d211e

SHA256
710d6dcbe48115aecea88b0a8c0124f5ae5f30225e59dde1bdfcc4574b5e5933

SHA512
1cf9e561257755bbf563df4f348bba14ffbce2faa7cfb96738dd2aa4b166d1ddfee114578f8b84b4d7c59f3d18cadd9ebc5b45557116bf68c2eda0867d9e5484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
71a22f9fe81453c6c788bfe09ab8fe0c

SHA1
f4ee9368e5795c5b3f9470e0434358170e7646b6

SHA256
ca6f5b89e7361282ace0d96bba28c2a4434ccecfd0a97d925e9bc61524efd908

SHA512
a36d9a0c814d4293ae70a62a76e8a98e712ad91674a26cb3d8ffd300e22a6cba134e501b4a7e742229a66005db3b508aa821abcab1347b05457f06c712a1d724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
6cdd1833d5b7bf4d7dd2f4dac5b6a08a

SHA1
54ae217a93901471ac46fb4d3ef81ad0d4571c8a

SHA256
dd3d51cbc6460eaab9f3d7af15c7bd23f76cb3889ac65acdeb33a0575532f0f2

SHA512
47f5433c2916c84c28a8f48ea86150ffaf131ddb616d39e6d529fb07ef3fa8ade33bd8633fe3e015a6fa0b068d3e6a5a1cb69fe78ce0dbd3f2a8eeb0b61a8aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
93822c3a5185fd3fb669405881aba2bb

SHA1
a1f95f1eaf4aac4c48b1216711f99b5dfb1a1609

SHA256
9d6ec9cf09c5a24e8ca829e2bc8a82b57885ee5a15ee501487868a27185d0dea

SHA512
71181246c81d3521aa185a14c3573bc0d6e2cbd6fcb8f6846e697510242d31821d78390706125dae086ecb34e6e1f586a2ca0559f4a80353740345bb45f72b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
11071f8a5ab9cc57adc9c6cab2d479b3

SHA1
a1c3e9092e3ffee689efcc01f249e4a0393e8caf

SHA256
8300c744c4f9eb6c722878700eda949375d3733192d27670bd339a3154946073

SHA512
adb27429d208d9f1ab7da6848c7ee5601a0a3313f970977d0601bbf9a6d9f8cab6dcc7a32f92f991f49022cd1ae9cc294a3f464cfd9f943925da1151c3299b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b338dda29cb2bbff763f5776d6aaf3da

SHA1
15b35e3488df5fbfa0487f23e8dcbd2f67715533

SHA256
95a8883c0ed30257523e17fd0485f3b9747c6b97d01b689bb3b58d34244e3941

SHA512
eab8eee35e810decaf0dfef5f0b5c7abf302de284bcf6076eb3be8b8f1704d1b62c769c4f74644641eaef36470f147e04e3887e4502661d4bb73bfbc3ec931c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
988b947fe00e75d530f468e14ce3084f

SHA1
d6fe30dcf75e2e2761200c868c65713d444d3073

SHA256
d88409f3f10d9aee1b4b3c80171074527d7eabaf2c693c9accab0809012e2434

SHA512
a65ad27816585dd4ed6505b171668ede9d83a2f3e475b3a37a412e6ed4b8e0eaba1526fc32fce8a065f79b9e3b46a31e46ea746e4ef9173d88a648a3e9528d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f6659d418b0de51302a10d4a8c3c1738

SHA1
17cb5d01e9b482484ac15a9a33ab1403afeac14e

SHA256
9c9823e62daf39e29fd7a12e2f4ec6421217650e1f66dacdcdff1b93de35c90d

SHA512
bd8b9eb7fc2ad9b647de9862b6158a9c253e478663884cda8d937f051754f4d3a3304f808db1e68c942a005097620078df02efcc1f6331da5f342cc17e00da15

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
53e01c2ac7b20afcabd244f286849dc5

SHA1
a787c10aa18068e63bd07abd4327d50a51a0f228

SHA256
e22322f984a82e310d3e1dec43a2ada07708578874f9728ea506dbe34764948b

SHA512
b34be74968f7aea793da799cf44d6805f2257f15a95b74ee8294215a269755003c6e3186c92fde84311ad83abebb9b29bed72e47d7746dd115277ec540ec2809

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h38twc8p.default-release\cache2\entries\8A2034D325DC0B5C9E11EDDA3FC70A54C8DC1C0D

Filesize
13KB

MD5
da967b1ea6c0e7fa521d46e03944c74e

SHA1
062402b00d63f6c079328f76bd6ba78384c92969

SHA256
ed26f366ea636cf1a6d47ad899cc61262bfb3c3f07013a4e9e02a72e7408162b

SHA512
737560d71fdff3050c09c3c881572844febcc3fc59532ff89dc32e462dd619f12e0bd02399d12ade92533ff38376542f0d8a3b78c88ff8ec612e523d71fdaf23

Download Submit
C:\Users\Admin\AppData\Local\Temp\A7E8.tmp\A7E9.tmp\A7EA.bat

Filesize
2KB

MD5
de9423d9c334ba3dba7dc874aa7dbc28

SHA1
bf38b137b8d780b3d6d62aee03c9d3f73770d638

SHA256
a1e1b422c40fb611a50d3f8bf34f9819f76ddb304aa2d105fb49f41f57752698

SHA512
63f13acd904378ad7de22053e1087d61a70341f1891ada3b671223fec8f841b42b6f1060a4b18c8bb865ee4cd071cadc7ff6bd6d549760945bf1645a1086f401

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\AlternateServices.bin

Filesize
12KB

MD5
0608077a16ad7b39126e721ff552c37e

SHA1
e47416040fdf91e6863d41c6cc544226b6c47f46

SHA256
a2700ebdfcb6955f7f16a7b6fd57a525c2912867a69db857c1bb7dc5969345ae

SHA512
119a115816707099d934fd0b47cff4ecbdd64769d8f3f315812596353c7da0e8af431c6d282ef848cccd1a7166365836505b0518e8ceecd83fcf3fd26175ded2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
c6eb667be7e85160c5ddb79aa6df554b

SHA1
0110bcbe96dc07d11fcee5bfe5de345d4b61f58a

SHA256
3a97702a37dfed92dfd05c391234bb8b9615be0cc3bd8ed3ce031377e0076db4

SHA512
148d412460bfc54dbcfcedf618fabf3f7f8fdf86429461896ffa43614adbde609352981b766b4a21e0c544518c1dfa9ca12dbede60ac45b83f0c3d78e8f4d331

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
8485fa22d669019b1a2a1909dd27a1ed

SHA1
f9a84902cb2af838d2dc2844224782f41d6385a4

SHA256
d2c72d617e4392b2cf5eae579b89bc9b8a4bd99df0fa481940d79216edc6527c

SHA512
9769562e58cdcda811cb515b905ff008105dec5ad677d6f563d36dd6be078b739a5bcdcbc39e3c615d93f99fb0b553ccd3c6051cb2cddc04307a66c0f7d19f83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
7ba38a3f7fe00f8c43a6cd15348a7763

SHA1
38e350b80d6aac564658fba1c893cb006f272754

SHA256
5df80a33a1f1b754a7e8cc2c3b27c401368ba2b81f25ea7852bff818ab79e1d6

SHA512
b191fe2c76231ca28a5282f76d529e17f7619b6f58a96a2da4bd8fdd92c3214231819885bcab2daf541217af059b57de45437b82006c7c8e8ead99422b456361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\pending_pings\09f8b755-7448-47a4-a6c7-40c1c72de430

Filesize
27KB

MD5
30797d28ee528134c77808aa5ebf8843

SHA1
49037b9e36f960d3ceae14e09731dfd926df1d4a

SHA256
c2d4480f75408810cc743fd135cbb4f4680e07f13053a84c6fa11cb5010b05d6

SHA512
073e051b67a768fd093fa8f27a08822465d5beb77592d697c6da1a0e70dac35f2493f54ec6619d427f73b0300374e6971d52580c0eb53604479aaa3e866c4c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\pending_pings\ef64200d-cb05-4a0b-96d7-9be1103f876d

Filesize
671B

MD5
6fb191e31fe62abd045be41ee39b054a

SHA1
772624465c1378558a5231023102b89cb328636d

SHA256
7efb4720118fc47bae4ced22c6734da6ab789f8d6d21a41965654d711f79d942

SHA512
688f03b15a9db831cc03aebff08384fcf17e0bc5fb1a7c97b33d29b7009af4ce4d8543adeb86a817ce76600710dd64f960bd7a7fcd8253b9f57bf3fda5adc591

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\datareporting\glean\pending_pings\f9796de8-d600-4951-9bab-950e68043268

Filesize
982B

MD5
96834df4ff6725c03137b449de2f7b68

SHA1
7101239a7649302993d73fb4a822a8aa56872a47

SHA256
934ee5900d228a1759ef72088ebae3037418004f149ef976e4688753268107ee

SHA512
5ac95cd58b41ceda291713833564b6a558d971af28881e2ea40588ec2c87c222e79d65919b2132d7be2c5d1f24ad8b73dd555440f238b8617ae9ed823b090ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\prefs-1.js

Filesize
13KB

MD5
2a84273a8fe1e994edd68da35f1cccbe

SHA1
a5adc6eefd2103dcfcf1f068f376111ee4a572c7

SHA256
de88e0ef799b3c544a66b14de6d9665e6b5d2cba33aa446a1d876b2074c49ba1

SHA512
16b8ef997f725437a0e088ebfda098e4630581cf50835b822845c3d3257487da7a2f821cf361bf3b585ff06d776ffc450952ca756dd99a5bc1ee34675f2250b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\prefs-1.js

Filesize
16KB

MD5
395ac77168ef4e79c85c7cf5ec6131b4

SHA1
8d08bc8c4d489be35006b505f6235081278f4afc

SHA256
bd206b1beb1cba416ada78de09c56d73fa4379fe1c2164d6f5ec65e4a770bc29

SHA512
58e9fc046fe52ab21182c9b6b04d89bfe52389c456d974f82c20c40c429bcaabdb3fe10d336b3b94f12fa8d99308755dbc77d7498355f16543bd86021e88aef5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\prefs.js

Filesize
10KB

MD5
863c7893e08fa240b28108ac6644cb32

SHA1
9c81e51c82aa9743a9006e2ac94f5320a91a382f

SHA256
ea8c128a70376a42ad818e57a46df8a975740abade5b3636ef46c45060788eb7

SHA512
9a5bbaa2af65fc65afe832c59a7f16719fd8de32fb70e2ad8dd9b178ab995502af7249db19b3459ecac58f50fc91f3226dccf0a5fe129c935a5be5ee7b8f4f83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h38twc8p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
e3ca72c22ae6ed2cfcbf5a61275e6e12

SHA1
347521080ac44b9028a0054537854d26739fa58f

SHA256
aef20bf203fb6e8db570935b4ec2d5859b817d0ac0576ed18b6e90964e615243

SHA512
3c936cba854928c8db2752b51aefab3a0e5a12550cdef686e75f56baea9769efc8599cc90ba5cb7fef2044c929011da67c9f19880f57b1eb68d2064c84abd11e

Download Submit