9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe
Size

89KB
MD5

c69ac7b65d67f046cba1ef1f35a5aaa7
SHA1

8f57e81c00c801c3a057f7438ac8c4e82834162c
SHA256

9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1
SHA512

2e3407757ec766b61f5be53c930dbaa0b16833ee5a7892105e6a66d5cdefd4423742de1f1cad2354a4a878c46d8669a4685204d3fb87bcf22f85576d9a1133ae
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIflxZCRO+:Hq6+ouCpk2mpcWJ0r+QNTBflvC3

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133681158158766147"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{A46B29E8-3996-4CC1-A46F-C052974941F0}	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4688	msedge.exe
4688	msedge.exe
780	msedge.exe
780	msedge.exe
4608	chrome.exe
4608	chrome.exe
5272	chrome.exe
5272	chrome.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5780	msedge.exe
5272	chrome.exe
5272	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
780	msedge.exe
780	msedge.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeDebugPrivilege	2944	firefox.exe
Token: SeDebugPrivilege	2944	firefox.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe
Token: SeShutdownPrivilege	4608	chrome.exe
Token: SeCreatePagefilePrivilege	4608	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
2944	firefox.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
780	msedge.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe
4608	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2944	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 4816	220	9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe	84
PID 220 wrote to memory of 4816	220	9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe	84
PID 4816 wrote to memory of 4608	4816	cmd.exe	87
PID 4816 wrote to memory of 4608	4816	cmd.exe	87
PID 4816 wrote to memory of 780	4816	cmd.exe	88
PID 4816 wrote to memory of 780	4816	cmd.exe	88
PID 4816 wrote to memory of 3236	4816	cmd.exe	89
PID 4816 wrote to memory of 3236	4816	cmd.exe	89
PID 780 wrote to memory of 5064	780	msedge.exe	90
PID 780 wrote to memory of 5064	780	msedge.exe	90
PID 4608 wrote to memory of 4736	4608	chrome.exe	91
PID 4608 wrote to memory of 4736	4608	chrome.exe	91
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 3236 wrote to memory of 2944	3236	firefox.exe	92
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94
PID 2944 wrote to memory of 3552	2944	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe
"C:\Users\Admin\AppData\Local\Temp\9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6D21.tmp\6D22.tmp\6D23.bat C:\Users\Admin\AppData\Local\Temp\9daeac604bc8f2e2e95cde6690bbf8b22d47e1c70bec15c3f8f603b396b2b0d1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8d15bcc40,0x7ff8d15bcc4c,0x7ff8d15bcc58
      4⤵
      PID:4736
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:2
      4⤵
      PID:1104
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2156 /prefetch:3
      4⤵
      PID:4296
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2244 /prefetch:8
      4⤵
      PID:2900
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:5684
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3208 /prefetch:1
      4⤵
      PID:6040
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4468 /prefetch:1
      4⤵
      PID:5284
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4700,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:8
      4⤵
      PID:5848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:8
      4⤵
      Modifies registry class
      PID:5864
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5176 /prefetch:8
      4⤵
      PID:6680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5252,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5260 /prefetch:8
      4⤵
      PID:6792
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=220,i,13560004956798931251,16384049561192159198,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4344 /prefetch:8
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:5272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff8e0b046f8,0x7ff8e0b04708,0x7ff8e0b04718
      4⤵
      PID:5064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2975038519759001313,14542837567209670406,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
      4⤵
      PID:4656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2975038519759001313,14542837567209670406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2975038519759001313,14542837567209670406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
      4⤵
      PID:3624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2975038519759001313,14542837567209670406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2975038519759001313,14542837567209670406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:2184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2975038519759001313,14542837567209670406,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1388 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {810d3332-51ee-494f-bd34-bb987bef340d} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" gpu
        5⤵
        
        PID:3552
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c025588a-53b9-48a9-bebb-bd7db031785c} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" socket
        5⤵
        
        PID:1808
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3368 -childID 1 -isForBrowser -prefsHandle 3360 -prefMapHandle 3356 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b2ff386-6429-47b5-8861-0ac9828808b1} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
        5⤵
        
        PID:2096
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3300 -childID 2 -isForBrowser -prefsHandle 3128 -prefMapHandle 3212 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0e08b80-bccb-4842-9dbf-07ccbd37702b} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
        5⤵
        
        PID:4976
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4844 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4704 -prefMapHandle 4692 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25728f17-a0a7-4d07-8c27-c1728ccffc09} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" utility
        5⤵
        Checks processor information in registry
        
        PID:6100
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5508 -prefMapHandle 5536 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43244a49-c63f-47b7-bc7f-03b3f25dc890} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
        5⤵
        
        PID:5164
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5560 -childID 4 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d80109a5-c677-498b-bcf8-6a8628783fd9} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
        5⤵
        
        PID:508
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5892 -prefMapHandle 5896 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2b569b58-c5be-472d-ae06-501f7663ec5f} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
        5⤵
        
        PID:1280
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 6 -isForBrowser -prefsHandle 6248 -prefMapHandle 6228 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6925ebe-8322-47ba-b6ba-788ef3fef821} 2944 "\\.\pipe\gecko-crash-server-pipe.2944" tab
        5⤵
        
        PID:6692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2420

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9c02d9d5f5895cb4fa5fea75dbe71a41

SHA1
01642aac92a1d107e6da9a1151fc3f0569d28289

SHA256
d3c9fa06d6c6379ffaa854caab17987be6a591fb473953202247f24e4cdca9db

SHA512
b349508ba3b898a5686dcac1b805b7fcaf2632f88fa13110e92a7cf67bde0a19160cc0509a46cc49636a8a64f3f1323dd0738f64feb8f1fe9acdb73625527a81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
e46a9a21cefcd2f58c20994aee36474e

SHA1
2f307e42cfbd128f5ae5f41fc5f2a8ffc0f499df

SHA256
e6a351b5ef8c5b1453001d2f48605c0e1b2fa0b50132fe9e95fa0a1c25905b8f

SHA512
77c95b9f4d2aeb35d0c0d13125f144f2ee30054fa11b7c1a2da4f79d8e47ce6810d8171d40566e2fa2c5ad6bf8c11c0a9852f3ce047c8389e8079028aee4b5a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
157e6e56a03218e38ebf75e1917b5d24

SHA1
460270aeb7638eee2d0850547daef840d11b9da5

SHA256
9ce2eb8b529499c1d152025cfab43428f4cad1c60f2199ed0cff5a849d4f99ee

SHA512
34d5aa09cba4c412768e727602f8d1ca85699a2802785f90c9b92ff2962cea4937d96ae4b7dca0948d770bee8f81fe3080d83ba76f4e3d4a7a1e5d1c902f8a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4eed11a271f46f35fd9d8da9734dc668

SHA1
c8af2f50d95cc1f05b3567f8d66c298fecd6a69e

SHA256
e513feefc4f720a2993ea33e94c402840947b22f7e4de4256cbf91c213e17131

SHA512
33ab413067ceeca7267d2db7fe5364265b81503d6abdbef062f5d6a95f07aa8d0a768e2d0de8c6f4cd1fa5d4560388b8fdc07d953f24e87c57907391d4dc8324

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
efd610789e5336a9f7af6b401c025023

SHA1
894bb4d36ed230a0ef90b8cde5fc22fd744a7628

SHA256
92bedcc752938436bab122676817db1c99f0fe6b0b341b49faa87caa4b1363ea

SHA512
1946cae238d24b97da9d1afc97c068e56b87e549eb7f079fe65dffc30a756618068c9d88328113f219d474966c38951ac19e8010fac806ecb0c03dc401ca8df3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1c485ce226566040a10dd28de678c6a6

SHA1
020cd53b886de98bf705c97ac1e2d080413cd24f

SHA256
ece59898927340f06064ed852918bc8db39306032aa06f294f020906fa18245a

SHA512
c185e21d46565dd198f7304ae6c6894bbc290c7db358b1d03bca8e9a20b8a96d67d90daab9486ad2b6aafe1f2b2938d17aab5b7f171d5eb0832df7ccadf1f686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9da9b7ad64bb71c55b32684f29427763

SHA1
65088adb84226c0c0e568fbc555e86ea2d93ee5a

SHA256
35b33fc00d9b91f4e8a89836331943c211898e19d62f68dfc3c434011f64d3c0

SHA512
f2ab317c29a4fda24bfcd841344fabdf57adcf0d599a3e9ef38f95fe958610c0b72e7a4018d706e6cf64a222573a8da9d3db10fc9f8017cd5d5b7a3266cb7f82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a270b46fad0d5c6d0699090834ceb1e

SHA1
11f169363c1d9df4ab8a653e207b79a2cbfa666e

SHA256
f8a8d3aeb82cfdfb0371a5817d1380bd11596ea6b0be73a0a5cf53585cc53745

SHA512
d065e58e52d7ad9a86e3543ddb72b8e32687543226ef22e17dce788182f242713373dc51d6ea2bd9a376f1731db65c247e272f21ddf108aac74bbc142cfe3aeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bee5f1053592d5510fccd9e00692efcf

SHA1
3183abe54e15422df48611f3563efb6022d38fb6

SHA256
521318cf919aa38ee4e687af10d03da0df43b3b0a364f6b6ade377c3ad99f22c

SHA512
fcb37006b8ad3554054924c6b7d35e86f77f385e5e0e88657e553d36b95850ecb26cd311c2561de31379a76ace3e1bc3199ed212df771f6a34503fa8936cfcdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef9509680bae594dfab6e649186afa3f

SHA1
cffbd72df6c7dda145172185a85a92be85522fe7

SHA256
4a2ec1a1f6fed47dcfc4f9f346d6057c5e48cd173129ab937cdf9c735249eb69

SHA512
f82cb3cf7ab19d6ebd76444d4a198674d7ecd800ba7eddb899452475a668ce3cf99b6d0cb74d2444089e4c1313834f7988b207d8780d63fff5e1ee725d6ade0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05e5b762f3b9a80aebfc3f42131f93a0

SHA1
6a9d65945529b36f66dba62eb462059fd4a91dd0

SHA256
2da8d7600b5328a4c7efeee6344734aaaaa15290eaf3ff1592339b0ad1a0cc82

SHA512
5748f0419a96ff2bdff8da3598ebb0006dc6dcd8bf8fe11cece22001ec5f86d0ede8d40e3c4fa70afb57ab377141f7bdbbb011a2d28b9fad80a18f2d7c10b56d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9efe8b603ad0797b60644944ba511f62

SHA1
4cef4539ad80a8af7e3ce27ec20c8d2d7161c889

SHA256
08b38880cdcbe390f19cd93859888e34bb5a9c503810b5c9fe1f4cf53ab39e6c

SHA512
2a1bd5d06201ebc3af60400e4fd0a4df543467f4de87e8acdcfb6953c993ed617475a584e143fe28beaefb67ea6efbce47b9720028237dd7c9b8a4882d158a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
405409fb7970150361d3358f2456374f

SHA1
7fa48e45f9204d112149f6708072f71fcf1515c0

SHA256
356acff8d6aeffab6aea8d65acaa5ea2e68384f93a1c2ee6343a5053880c375f

SHA512
621290f32cac70867cfebc2b954b4aebd043b3cd3a6a6abb493285d2d1ec7670b790ff2b38e1766d28b2a81b2f0757b790076d2c9a31c3669ea94f6f5280a6a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7a869f4a01130774642927343b18342

SHA1
4a73f17dc3090824b76c8dd2e85c8dd3890dface

SHA256
770ae4120dfd4ecab352bb18199f7105de106d3c9d2b7acb05358663a63b5edc

SHA512
a285580fbd98cd930534288a618e7ccfb1da02441d2baa945ade0fe21bb2f66922943d00ddad05600eac2ef3fe4723f373d8a28f4650e252eb91bd9da3e0c1b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a657229b02087c8cfd712409095d580e

SHA1
e722e559194a48dd577baf051676af29b7314e91

SHA256
61370454cdff32ba64fee66786a7cf6a039ce0ef2d7bfd21a2f91c7529006626

SHA512
37f9b0f3144eb3eed0dbbee70f83f758ed13717fedc477f6b4d7c89567dd54c13150c036007860d4993416080db2e519256d20bdc3af4897074413505ea8f8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d4252ae4dc8ec7df5e3fc9fa70e3d03a

SHA1
b9a49651eccd4d5b0fd57cbfc02973eec5e81330

SHA256
35443b06960e348d2b17eb614e2f690ef9a88b0a853089ef71e1fbb98646ef2f

SHA512
b86470a4beeab337bd76ebe1352b21f1531fba69ac9a7b5a76df84f1739e8cd83059dd46b6c66635bbe75462123514a66c80ae4cd1e279ed8b2d6bb2cb893d0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7f8d4d71fcad43342bf6f17528df5eea

SHA1
6c6ea8bfa45100d26c1edb65f24c5e5835f74d6c

SHA256
289adaf4a56971e1160fc6f8b5f657696b8e6e3ef28c3a872d0c22fa7f41368e

SHA512
97069d69dd9d84a28d1a454a4a397ec577540045fb4c82866c2d51fcbc372fb2da30b36e5e41917141b7152ad11cda64197916164916369d6dad89bc011580d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
05e8bf402799252bb9fe157d888fd9d3

SHA1
17e9e0838c78ca0a0adfe71a0a68204f70771220

SHA256
c1a59487cdfc82c9b60303ff9a2a0614b09dd16d7270629b4c91496e96c58080

SHA512
a05779c3220a327079be33e36eb14ed329ad68a8aa9eec8f8576e4a8b47f35ee37658d7b4a15c73638e8a372bc66102ebd57d1b508c54ac52fe48c31d1f9d263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
5967b595de8348160e7b8b60d58c1b60

SHA1
33728fe0dff89ba1e101233fa8c48f8fde89bafd

SHA256
699589c393636b2f7fd08c76d24e1380f9fde0400a39049d8af2e511e9cd2a15

SHA512
63a27eeb20bc8c05c2ad1d94c19e0aa0217af73240b9eb2c3f02bbfdd64117435de41550bcd48b9fda1b5a73c7c7672d52f468272229e828a29883cc13106eb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
c2088a3fdb13396f612d1e6f980b3833

SHA1
036bca1edc30a2bc7aa6e049e3d0330117d7012d

SHA256
5f0b69371b88e4c5d8fe6f8f68dd14dcbacf85ab42fef16a9121bccb91db63cf

SHA512
0275b1ef89f418143adf49b4232a1447e4fea84711c849930991b761d6f9e04d5b29971ebdab6708ad1393159e822628bb6e3a4e2d13491d25c6c006439a702a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
dc9b74ecf82db8844910bc1a85b4051c

SHA1
1a1fd7746d37a394560b5b5454a8b24c1db3f594

SHA256
5edb1c5017a548147e35d9787c40d7edf44d1e42a64a8d3e451525080e01bd07

SHA512
8d8bf35fd9fd8309a715511f05cf90b4b34cf77f0ea0c6296bc63cbcd522c2cb709f7d73d544e1d4fd22e00e5dd78ca568beb045c9005cc45f5700d2e553277b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
290eca3f3c676b08fa3dea643ccdd72a

SHA1
2d79ae7a697c3e73d2d24e2388c518b623a41040

SHA256
234afb3119c7be7ace7649e3ae5f44c442cbd06eee05ee45575ac811394193b4

SHA512
da949976c73fbe0e68d4263666cccbc0316d3e888ae99e337d296646db45bcded81357673c0488a7ef430e987df93d284afca6c33e39970c90084dc149cc6f3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3935f6bb4c23920a1fa98890696a60c7

SHA1
0a64ee34a5d4e58fee90ac16012bfc44355dd1e3

SHA256
cdb2c8f43c5e8a40858e64c5caa923dd4046157557c8df5cf89594b437827868

SHA512
080938f0849d93e085968298dfcdc0f036aa5853833fe2f71fcad530d9e2bfb80277b2b5edede096f7eedbe9bfa9a1014fdafc4c5e384b358ce2f45a40ef5981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5d8858e4fe679a9bf287106602f11b2

SHA1
ee12c5fa661788beffb0a2d85cf4317e9f96527d

SHA256
95db2e014ff6fa5d88929feeafe83b44fa4b410a518776842c41bd90123346ef

SHA512
23cbff9fc56f6d051d29c7b7418ae1ad41c00215602f5f8e7c391b01724cb22f42e773b7fb349cfd8d3e236b2e34582e1bc0e436c383643becc2d96a1c83597e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3f2bd61ba4796de5161c4cbafc442e2e

SHA1
b3e8e8149f9838320c504838d9a82869aee86524

SHA256
2cc76eb7c2a9c7a5e333fcbd87fbdafc26fa55d865037b77ebfd4d5ed114dda5

SHA512
b159d9346a2ef2c9e2abfb1b3625f4bdcc8ae89dd924ccf75f4509a4e8f16874dcfb0bc264cfe46387e4ba69a664dd1499d7eb156b4c2d6e7e87de8d9537bb97

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

Filesize
45KB

MD5
04fd6a44671d801f814fec06fdf6fbc6

SHA1
a5cc130bfb96ff4ca891cd8d1bb6801f360fed70

SHA256
721a0644bb3ddd310d8e13134e529839c4961c8f1550c5918d71e3cd0b4139d9

SHA512
67c963ebaacdbee8d515f406fa9abae41d66d9e1a0a5b34ae8eab0a84f2627846bd0fdbac76297db6e49b4ce1a248358db1779b324519b728cb5887d07e8a2e8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
2e398b64737b0bd7a97c265ee8c715d2

SHA1
a544dba0139585dba79fd16ba8986e63721619fe

SHA256
0adf5a6f5b15358e164cfc957b40e556767c4b9589936664e67eb7586063a5f6

SHA512
6639eabc3c2fce3a941ee9e377c2b0e4780591eacc5d5a719c53102177068625bac3551dcea5d84d5bd98b167b9b5f2fc728253997f677a58bee0dc6a7193dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6D21.tmp\6D22.tmp\6D23.bat

Filesize
2KB

MD5
4ac6a9d9e192f54598f8b67cf299ea5e

SHA1
c3c63fc731603f581ab71bab7651a4d5112b04e6

SHA256
f1179bc15a8c644c353af64d6c6c3f13fd2d48eed2fb0b709a167185d2ed806e

SHA512
3ff1226c147403aa5afdc515f260849196dec92166273206256ce8437a98dc1dd3b2cf913861e7537ccf36d6bc53537bd49b600e9adb1671f4bdb3d6e3da23a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
8KB

MD5
53a351ab918194dfa63ac243d30794fd

SHA1
58221c5c0aa44a0be9aa85061b71c63e82150504

SHA256
6bd6632eded7c3b2d7a7365026f878df6a47bca3eae752690c2254df29fdc7af

SHA512
f1f3551e2ac5ff2287c850544442c1dd6ff03be76c1ba3996e0f9695f854e927803aeb4534b4db1b93e609cc06696f2361c5dc13bb51247ed12644fba22a95e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ee83892cd089bc6dc760cbf5401c0a18

SHA1
276283337c832046b18c7f4415453d9092867073

SHA256
585910c4348aed5c09e6fe2d93cc184d8a8d0ddc424ba2d47093917e7436e62f

SHA512
1efbdf281570eef4a5bf64643e35647ad8f73b4f8824f8f85175645171202ff183f39a108c61f866398839a2803624a9b6ee867250b3339c85e548d098896d79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
9f7ce6a523d6df0e6f1889e29380b3f3

SHA1
7a9e74eb0b032117cb02222df878a27eb2d5b3a4

SHA256
f2837442e1a63a0cb42c4d39c1059d91b0160f78422b95f9a7d1c076a38e9b62

SHA512
1a8e1ca90620847cc8c0f1501478e971b3bad6ff0d12fb8fafc422dad7103116de5dc67cc69a9f11209d737449ad469662eff6d85ee6a3a11a30019a609dac52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\505d32f6-6f66-4ae0-8e94-ae56aaae7d97

Filesize
982B

MD5
2483bc095439b33ae49400a3aef6e08f

SHA1
5a7db2be1afc905575758fc3a0206b81fb6042f3

SHA256
70470d8d32326b56b726d5521c33dc28bcae8e0a839cdb89a12170f17d142fd7

SHA512
a56c0ea90ac411dffd6031e3bcda7bf1179c4cc90982166cd0d876932e40b4d064723477f26bf06c1bbcbe638e46950b53b34a86cdec315e21e7d1285ac5722d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\a4ad565f-7ebc-4252-940e-17745b7984d4

Filesize
25KB

MD5
8cabb1e52b3be8ace3b5e2f6e7081c76

SHA1
e6b07684ff79376872e86945cbd428939c916d19

SHA256
ee65ec32ca1128d2f8bb32331eaeb7091ab97c33024bd4824d051d04903cb915

SHA512
5bd47154d5cd9e94eed9de932c6a9839b342c2c91392469528a556585cfec5e2c5946aa618fb1fb76d3a1e4e9e9ea1804706670ab56b9a4da58d6d1a73e2717e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\f6398738-a058-48bd-a5f5-3f4cedbcec11

Filesize
671B

MD5
9af3ba6ea8de46908a7f2f80d6c554af

SHA1
bb14d29d1024e7071b3af47895ce52e728257bc2

SHA256
171bc53db71435dda774e9aaad777d06f89089dc285ba875952bf9d6d01a78db

SHA512
d7f314063a44012fe250df9b31c8c178cf7a144b4063b36df4278e6ec4eee497cdc3b5b03a221f1d176c96d1c5bbac45dc131c67abb55f9d9ea7f5ef204a2615

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
12KB

MD5
e0e9bfdd6482673cc603d44eb979c303

SHA1
89f99193bf68e52eb5b2c88f5b2672395163cc85

SHA256
7008e91e45382c3bb4bf72aab0bab3de59fc1825529b59c1b09f6bd5f30358c9

SHA512
e97dda4f5d33261fec27513e406fe38f30bdd412f2644c81b237d052e60484590ea019b8b532faf7333f07e78d4f28a704093e4e44e71ada541683091afe83f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
16KB

MD5
23aac1235a4437b230be3e69d466f81f

SHA1
df1af46ef044a740e6e2cdb710e76927d74d2bf1

SHA256
7102c103f1bc7e34d97bba0ad1b9325e75babe8355afc289a6785c938f96d052

SHA512
faf5a4e987a536fee314e53d75c85c36718e04af31d473f35f5feabdd29ec22d181498591ec5e57831c1682c4e635f0cc4485aca12f339be2b7c311e3dc2b93b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
eb35002c4ddf7981cbd4b8f4eb81066e

SHA1
923e4249261210cb07a6d0de4a128df9a48a2285

SHA256
a590ad909115fc191eec1c7c6f9d1ce74f14d159ffadd75e9daa8c591dc9c566

SHA512
fd5783d4fe49fded84e378be01c60a7ed8ce62d3c57b2fed3843e7f68cd9b6647205249d9a0782d84ce2cf69d18d265f3b0d0e1f25297ed4239f7f8490f57d2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
7bbc3ce71fdcb75a25083728f1e777b8

SHA1
f4747b95ac8cad249d3af465a9e63106a9edd718

SHA256
0596348004a29fed7fb4ceefbf5efd19bad0c6d4e44e18de250f6f768183e421

SHA512
bb6af33400b65cdddb7619d1fbd580e940a18c71c1e14313366bbb36355066b4787cc91117060b7a7cc5818e63bd16fe0cfba37f09db4f777ec3b23c231720af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
5edc39c8553dfda19a7bb9290de59045

SHA1
543cf040be33bff7c94aacd2bfbd76f14cb460d6

SHA256
e08ab9d87967e0153de93b5d917f8eceec0ec8d587bb4536ab51fed1f59ef93e

SHA512
f1dc7ec59f65ee161d419ba759351d2f81f8e05f745b9c076dc50539b516d59aab1a11850547ef5c2e8169a8725e84a4c16efb09a6ac4c5b6615c1a7dd19cadb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.5MB

MD5
f3f11a5b812e741a7ab8681a6cc73aa5

SHA1
003af06583e6a077d9d41b78d7294004db0a9ee6

SHA256
133d99cd85d30a67f8d457b0580d1f538c6df02cad934e5a872cbdbaab1c6f3b

SHA512
4035aeaaeaf2ef7c5e07cd1b51e7a67a2626fa031efca6dc2c2dc448ecd4ba9096506c4745bc443cb04956dffef59f51c4ca3539055f5d11e2e65a5c73bc42bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.7MB

MD5
de5995074c7fe608f37bad5120e728e1

SHA1
28f604d794598f6d3ab0c0849e289ac19423453e

SHA256
eb5a600dc45e773f80b77bdc4f7e33e6f5a6b8dbcf235b2e3f86818f332776a4

SHA512
1289f3dfce86d7fc5f742806f3f2fa6f2dcf88d2a538c0c994024364ee4f4474c9f4a2279b6d9b07135b69c8a875871cd1b29d5ef268e0edc3172c106283cb67

Download Submit