hxxps://tik[.]porn/hannahowo | Triage

Analysis

max time kernel
419s
max time network
416s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17/08/2024, 18:09

Sharing

Report Analysis Logs

General

Target

https://tik.porn/hannahowo

Score

8^/10

defense_evasion discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

Active Setup

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\127.0.6533.120\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
5104	ChromeSetup.exe
5924	updater.exe
732	updater.exe
4756	updater.exe
3152	updater.exe
5780	updater.exe
2160	updater.exe
6404	127.0.6533.120_chrome_installer.exe
6476	setup.exe
6504	setup.exe
6656	setup.exe
6676	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk	setup.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\sw.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\chrome_pwa_launcher.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\uninstall.cmd	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\c7a010d3-bad7-4a51-9e23-75ae239a5094.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\chrome.7z	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\id.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\am.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\es.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\de.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\fa.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\vk_swiftshader.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\th.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\fil.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\gu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\chrome.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\prefs.json	updater.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\b5a7b711-9cc7-4fc5-b6e1-abd11746c8bb.tmp	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\resources.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\kn.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\dxcompiler.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\chrome_200_percent.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\d3dcompiler_47.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\uninstall.cmd	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\127.0.6533.120.manifest	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\chrome_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad\settings.dat	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\cs.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\hu.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\VisualElements\LogoCanary.png	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\el.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Application\127.0.6533.120\Installer\setup.exe	setup.exe
File created	C:\Program Files (x86)\Google\GoogleUpdater\f8dd7443-fb31-45cc-8b12-a74758a52314.tmp	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad\metadata	updater.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\updater.log	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\ar.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\hi.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\lt.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\lv.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\ro.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\fr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\it.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\nl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\chrome_wer.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\prefs.json	updater.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\dxil.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\ml.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\sl.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\icudtl.dat	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\en-US.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\te.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\libEGL.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source6476_797045551\Chrome-bin\127.0.6533.120\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad\metadata	updater.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\127.0.6533.120_chrome_installer.exe	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\manifest.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\_metadata\verified_contents.json	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\manifest.fingerprint	updater.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe	127.0.6533.120_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\Google5104_1228257394\updater.7z	ChromeSetup.exe
File created	C:\Windows\SystemTemp\Google5104_1228257394\bin\uninstall.cmd	ChromeSetup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\CHROME.PACKED.7Z	127.0.6533.120_chrome_installer.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\SETUP.EX_	127.0.6533.120_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe	127.0.6533.120_chrome_installer.exe
File opened for modification	C:\Windows\SystemTemp	ChromeSetup.exe
File created	C:\Windows\SystemTemp\Google5104_1228257394\bin\updater.exe	ChromeSetup.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File created	C:\Windows\SystemTemp\Google5104_2010823177\UPDATER.PACKED.7Z	ChromeSetup.exe
File opened for modification	C:\Windows\SystemTemp	updater.exe
File created	C:\Windows\SystemTemp\chrome_url_fetcher_5780_1609917998\-8a69d345-d564-463c-aff1-a69d9e530f96-_127.0.6533.120_all_adbyvae3viehnqub2d5pdh4qqqeq.crx3	updater.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\86534f3d-bf4e-465d-a230-845f7cd460b9.tmp	updater.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

description	ioc	Process
File created	C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

System Language Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChromeSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	updater.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

Internet Connection Discovery

pid	Process
6404	127.0.6533.120_chrome_installer.exe
6476	setup.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Google	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683920358610838"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Google\Chrome	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ = "IProcessLauncherSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{0E1D851D-4EAD-526F-B7CE-FCA5EC14314E}\ServiceParameters = "--com-service"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\1.0\0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\ = "IProcessLauncherSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{8018F647-BF07-55BB-82BE-A2D7049F7CE4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0\ = "GoogleUpdater TypeLib for IProcessLauncher"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\1.0\0\win64	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27634814-8E41-4C35-8577-980134A96544}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\129.0.6651.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\ = "IGoogleUpdate3WebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0\0\win32	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{521FDB42-7130-4806-822A-FC5163FAD983}\Elevation	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib\ = "{C4622B28-A747-44C7-96AF-319BE5C3B261}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\ = "GoogleUpdater TypeLib for IUpdaterObserverSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ = "IAppCommandWeb"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ = "IProcessLauncher2"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0\0\win32\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\129.0.6651.0\\updater.exe\\6"	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F258BE54-7C5F-44A0-AAE0-730620A31D23}\1.0\ = "GoogleUpdater TypeLib for IAppVersionWebSystem"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}\ProxyStubClsid32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\ = "ICompleteStatusSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F793925-C903-4E92-9AE3-77CA5EAB1716}\TypeLib\Version = "1.0"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B685B009-DBC4-4F24-9542-A162C3793E77}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{85AE4AE3-8530-516B-8BE4-A456BF2637D3}\TypeLib	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\129.0.6651.0\\updater.exe\\6"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{1F1289FD-DD10-4579-81F6-1C59AAF2E1A9}\1.0\0\win32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C4622B28-A747-44C7-96AF-319BE5C3B261}\TypeLib	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{4DC034A8-4BFC-4D43-9250-914163356BB0}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\1.0	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\TypeLib\ = "{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{119413E1-D553-5881-9669-43EB131F5143}\1.0\0\win64\ = "C:\\Program Files (x86)\\Google\\GoogleUpdater\\129.0.6651.0\\updater.exe\\5"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\ProxyStubClsid32	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{D4757239-55B2-5C3D-8B06-DDE147267C2D}\1.0	updater.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\VersionIndependentProgID	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{521FDB42-7130-4806-822A-FC5163FAD983}\ServiceParameters = "--com-service"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\TypeLib\Version = "1.0"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{D4757239-55B2-5C3D-8B06-DDE147267C2D}	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\TypeLib\ = "{F63F6F8B-ACD5-413C-A44B-0409136D26CB}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{4DC034A8-4BFC-4D43-9250-914163356BB0}\1.0\0\win32	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\ = "IUpdaterSystem"	updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ = "Interface {463ABECF-410D-407F-8AF5-0DF35A005CC8}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{119413E1-D553-5881-9669-43EB131F5143}\TypeLib\ = "{119413E1-D553-5881-9669-43EB131F5143}"	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{513BC7DA-6B8D-45F7-90A0-2E9F66CEF962}\1.0	updater.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{6430040A-5EBD-4E63-A56F-C71D5990F827}\ProxyStubClsid32	updater.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\tikporn-251472-shower-sex.mp4:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
5924	updater.exe
4756	updater.exe
4756	updater.exe
4756	updater.exe
4756	updater.exe
4756	updater.exe
4756	updater.exe
5780	updater.exe
5780	updater.exe
5780	updater.exe
5780	updater.exe
5780	updater.exe
5780	updater.exe
5780	updater.exe
5780	updater.exe
4924	chrome.exe
4924	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe
2316	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: 33	5104	ChromeSetup.exe
Token: SeIncBasePriorityPrivilege	5104	ChromeSetup.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: 33	6404	127.0.6533.120_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	6404	127.0.6533.120_chrome_installer.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 4600 wrote to memory of 3020	4600	firefox.exe	81
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 5568	3020	firefox.exe	82
PID 3020 wrote to memory of 4352	3020	firefox.exe	84
PID 3020 wrote to memory of 4352	3020	firefox.exe	84
PID 3020 wrote to memory of 4352	3020	firefox.exe	84
PID 3020 wrote to memory of 4352	3020	firefox.exe	84
PID 3020 wrote to memory of 4352	3020	firefox.exe	84
PID 3020 wrote to memory of 4352	3020	firefox.exe	84
PID 3020 wrote to memory of 4352	3020	firefox.exe	84
PID 3020 wrote to memory of 4352	3020	firefox.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://tik.porn/hannahowo"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://tik.porn/hannahowo
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0898cfa5-3cb3-4950-8974-7966bb2256cf} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" gpu
    3⤵
    PID:5568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c237d0dc-1b57-4e21-94ae-b95698abe8f4} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" socket
    3⤵
    - Checks processor information in registry
    PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3140 -prefMapHandle 3136 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d57f9d09-f091-4556-b407-6996605867a4} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:2172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3712 -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3752 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc0c48de-dbe7-4783-a306-7ecf21d4e25e} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:2176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4732 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4556 -prefMapHandle 4688 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a453aadf-f3a4-4109-9877-e16c77b9bcce} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" utility
    3⤵
    - Checks processor information in registry
    PID:3960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5488 -parentBuildID 20240401114208 -prefsHandle 5432 -prefMapHandle 5516 -prefsLen 29195 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {544d7c29-2d71-49b9-a96e-15caf5afb8ec} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" rdd
    3⤵
    PID:5056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 3 -isForBrowser -prefsHandle 5684 -prefMapHandle 5656 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d4dce43-1d54-4c43-84b3-15df5ffba92e} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5844 -childID 4 -isForBrowser -prefsHandle 5852 -prefMapHandle 5856 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4bcd0c1a-3db0-4449-9276-904b94020b0a} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:4864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2764 -childID 5 -isForBrowser -prefsHandle 6060 -prefMapHandle 5672 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ba4b998-c60d-4c31-8b6c-960827f34c18} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6276 -childID 6 -isForBrowser -prefsHandle 6428 -prefMapHandle 6416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b3205c8-0a20-4d84-8f67-1052587f9bc2} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6644 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 5456 -prefMapHandle 5116 -prefsLen 29276 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2251577d-0c16-4c38-92a0-843515501714} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" utility
    3⤵
    - Checks processor information in registry
    PID:6124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7028 -childID 7 -isForBrowser -prefsHandle 7020 -prefMapHandle 7016 -prefsLen 30977 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b35c1fe-3771-4f70-8eeb-15a4a01ddd9c} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7132 -childID 8 -isForBrowser -prefsHandle 7060 -prefMapHandle 7056 -prefsLen 28473 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd92a16a-14f8-4ae2-9116-99329d8ef2ca} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:3676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7384 -childID 9 -isForBrowser -prefsHandle 7276 -prefMapHandle 7300 -prefsLen 28552 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be67da06-2736-48e5-b45a-9e47a83698e2} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:3268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6976 -childID 10 -isForBrowser -prefsHandle 6292 -prefMapHandle 6104 -prefsLen 28552 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d821eeb-dfbd-4c20-885f-85e7bcb7059a} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:1132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6452 -childID 11 -isForBrowser -prefsHandle 6500 -prefMapHandle 6476 -prefsLen 28552 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4880123d-ba4b-4cab-99dd-3fd2e5609478} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" tab
    3⤵
    PID:2740
- - C:\Users\Admin\Downloads\ChromeSetup.exe
    "C:\Users\Admin\Downloads\ChromeSetup.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
  - - C:\Windows\SystemTemp\Google5104_1228257394\bin\updater.exe
      "C:\Windows\SystemTemp\Google5104_1228257394\bin\updater.exe" --install=appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={990876CB-651F-EFC0-A92D-087A99825ED0}&lang=en-GB&browser=3&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-statsdef_1&installdataindex=empty --enable-logging --vmodule=*/components/winhttp/*=1,*/components/update_client/*=2,*/chrome/updater/*=2
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:5924
    - - C:\Windows\SystemTemp\Google5104_1228257394\bin\updater.exe
        
        C:\Windows\SystemTemp\Google5104_1228257394\bin\updater.exe --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0xad06cc,0xad06d8,0xad06e4
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        
        PID:732

C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --system --windows-service --service=update-internal
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4756
- C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x250,0x2a4,0x11006cc,0x11006d8,0x11006e4
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3152

C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
"C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --system --windows-service --service=update
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5780
- C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe
  "C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=129.0.6651.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x11006cc,0x11006d8,0x11006e4
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\127.0.6533.120_chrome_installer.exe
  "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\127.0.6533.120_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\86534f3d-bf4e-465d-a230-845f7cd460b9.tmp"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6404
- - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe
    "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe" --install-archive="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --installerdata="C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\86534f3d-bf4e-465d-a230-845f7cd460b9.tmp"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Network Configuration Discovery: Internet Connection Discovery
    - Modifies registry class
    PID:6476
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe
      C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.120 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7c1fc41f8,0x7ff7c1fc4204,0x7ff7c1fc4210
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6504
  - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe
      "C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:6656
    - - C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe
        
        C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=127.0.6533.120 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff7c1fc41f8,0x7ff7c1fc4204,0x7ff7c1fc4210
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:6676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa4829cc40,0x7ffa4829cc4c,0x7ffa4829cc58
  2⤵
  PID:5444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1816 /prefetch:2
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4428,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4832,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5024,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:6880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4968,i,13619018242098407378,13211023789809604125,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=872 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Active Setup

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Boot or Logon Autostart Execution

Active Setup

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\GoogleUpdater\129.0.6651.0\Crashpad\settings.dat

Filesize
40B

MD5
bd5a8d2dbd7ba036ee39dfbda28a32db

SHA1
84582ca96f1cc6be37ba5778d7d65273b2afb6c8

SHA256
ece0611446ba4fba32b95f02cd5ae674cfbe5e7c7251c0c1c540b8e645ee23de

SHA512
f521e1bb1a6e1f17837ed21fcb5b46f4170294ad6403e19a62a218da678ff768d646abb7f58085eb6e81264e1f42cc6494186768793fe67d4139c78a481377a9

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
502B

MD5
bc6e7642673cde744e13d1fda6d04e18

SHA1
8a142dd3033d22c5f3c7828d79267d8cc6e9474f

SHA256
64438d9cab0df18bee837f7c3efe46baef1ab04056c93fc856c7572a64b27566

SHA512
69a0af68f568eb1988440b067c82005eda95d1c661547c9bb7d5f039be83059ad2b092f2e5422fe014c061ade9617728f40a163552f2fd0c5ffe9e09a0daa7cc

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
49B

MD5
aecbd8fe3f7b64ddf70a33b920fd4bb4

SHA1
e4225361cb957a152b9fa94b060bad56ca0fc4ed

SHA256
8bb68574186a8c571e687af459dc5917a5fe2fb8ead1048e6286e74a87ad06a3

SHA512
0ff0f418a15f6fa0230cd5277003620ec13b87bb3f00dda64453fbeacecc0c1d0d3c5d0697692b1fb6be0be8cff03c919bc10589bc7685983bfdfe859273a4bf

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
354B

MD5
04831982e260c4237ad64c96c00f179a

SHA1
dd5238f72ab6550a91dfc6f185ba7df3dab55912

SHA256
6ee1418c440156a58504bbc3419be33aa266b7917d1751478c29667f30cc9983

SHA512
5466b8dde7b38dbb9c4540fa63aa6a4976bbd71edcd7a14bbc23221c6c0ec9eb69672eb063a5267452e4a9d1c04c32c2f98c6a3142c3ec55e64167b9c8f4da98

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\prefs.json

Filesize
602B

MD5
0dbcca27b407e61aecf48eefb5981479

SHA1
401f3455e20cab3bbc1bb8e4bc0c20ef70de84cf

SHA256
a9f38425d887614a385b3616090606016e73406145ff68621f36e6c0fd62f81e

SHA512
c9069289d6d684e23a453d27ae1dd96828ef46c39df66dd354756116c18a4fb07e541048ef3489e9ac74ea64db3d29ad911154087f1270c31b5a65468cba2845

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
1KB

MD5
6cf305bd77cbc775afef043e3bc35c23

SHA1
834a22e7206951a57e0899fbc1ae0e52bb8c4b6b

SHA256
ac29171b302368351f09ca6e57ec9bbe496091dfcd840c146c362afe1e058817

SHA512
fe4034d52fc22980c4fd3c359883eb234486496dcb8ccf58de0764482543b5b300c731c974246c2cfa43fbe3f58ec9863d78fcead87d5170ff0cb4a8a70bfd00

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
2KB

MD5
d37ff402c64d147a93f554a7ac2c3a86

SHA1
615a0dad14eb4f763f0f7d1288e7402834f8c4d1

SHA256
94cd0e7fbad3b1a41beb8366a584e6abe5be35381d642809e7528eb862d5c7b5

SHA512
afda32f310ab6944efb220912df654efe834548f2dc03c98b1e8c6c60dc8f7056645a0fffcadfb2686f04f99ade889d3cc2743589b478e8e518abcda32825795

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
4KB

MD5
f72880791489c0f5259cfee110b85dbb

SHA1
b89e4333b8b153e121f5704e8c6cee4079029552

SHA256
e9bcf7b2bd99ede0064045ab4425eb14cce1b046091ae5f0dc21a22f80cb8be2

SHA512
da58cb39d495a00284db946444bf8ff14b504d8ab2bfb7e7c565a46de0c13b14195add2d6f405684112f714be039cdc677ea2919138c9f6686b654281b9a4491

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
6KB

MD5
b1842c8e235343f8253b0729eb04ff22

SHA1
fbff3bbe4a475627a2ef68605827e940646df8ee

SHA256
ae84bef996971c11c39f840418cabc68afde38e3d61f58cf4b5ec7cda9592c80

SHA512
6fb114bdbc6e510f88002e905d01b606ce0c7676f6ac2aae0c6e4295a4e8247381c046a57b3b3a9aa9c56650a2df41ae1e162635df0b76b76c72ed0c641012ff

Download Submit
C:\Program Files (x86)\Google\GoogleUpdater\updater.log

Filesize
11KB

MD5
4dffd10674684da7a97972019d7be1ba

SHA1
cbf01f392154de6fdc56c7ca4860d0b869ce4523

SHA256
10d6b1c46f9c0b964fa8a3f959642a82fa0e233ed311ee3eb3fc7dd6593d6a4f

SHA512
09b2bbbf89fc3e059e260643b4ed26a1145307a92d407a945a3a8bbed19fc5b0d8b8967a70e1e44ee70a2810a6a823d5dda03c01b344b2dbac0aad77ec20755d

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8eadf92a71066955e268a1fc9446fbdd

SHA1
0d57e7ca7232a332db3cd717ec5b307015d58a01

SHA256
4267916cfd868ea13dfc07edd1b575c5441acd5c4bc2b1511787b32726291834

SHA512
b7625ecdde294cf504db013c5da92fd2956b988a06fdfe7fcfb3ebee03c396fdb63c8a70c601a1f4a7cb4d46251c0205f7ae0f9743ef29543e6c778d85ed701e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1a654303251ef98157662005308c3885

SHA1
61d9a5ba25fecf860e05e801ff434318e2d73066

SHA256
4f96ddb3ed2013125bedb86b1300533d8dd93b6d7ac8a96706fd664bac5b69b3

SHA512
95c0196ef39765aff8059e95cd8698a9e256ae1d34dac76757687c4d915aefca7af4dff05bdce71b4e48b723d44c410910fbed1dac799d57e5cd6e60cc9e9310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
19698e9fbad5924a8f2c1de3993f31ca

SHA1
39233eadc5a4f04d1fab7aea090674ad404a81cd

SHA256
24b342225adc323ce91067d73c7d5f4aee72ce28a94b6724a8f0855606581aa2

SHA512
77237087cd3af1f5af6e6a4e078ec5ecc7b9c55952e1ba05a343bf04a2ab679253adc4919d60b8bbbfc7299d7057db692ede4148ede9a5c29eec4e0b6f7e25e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
16167c0effe6b18f3985f15e8f4a1105

SHA1
0a1ed6f392bad8a253a1a25a3972dffe07adb7a1

SHA256
646cf15170ccc08b4fd5564dc03bbc1d2f2667ea5561d635b9305831dc86af96

SHA512
783ec28bc011a7f6860ab0f17e902131d4bd81cf3a03ad61082c6275e76a1d1c05e63e2d71697ebe576d8ddae7639ac4e4405070d5d922bb28f54a312d68890a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
777e7faac49c1d9f52fab57c0dc83128

SHA1
cedff5f74ecabbfe952ff2df7c860ed7ac3df89e

SHA256
224a46f334d14355245ac00741ed7d4bb7a6b0893cc7aea967c08727d019332f

SHA512
78b0eecb3cffb9f819775a5269385f146d221fe071e27094bd9b267f57f54b53c938d3d340a850cee341d240fae2181c6c36a5295bfdf76571e8cc91dcc7c3ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6160a273b840f978ceb2f28c350ec7ca

SHA1
8209e7dd6cc37f8f55a18c54c4f933fe31ee67cc

SHA256
c29bf80293afe082cbb1af97fdb2fe59fc0783fc4fb43d50061de06f8a9906a6

SHA512
c3c87a1b94440a5a773b911dc61d497124f32d9bb6d22fdbbc4968c82d5b4d28157f2afa36fb8a48ff556bbe9a0a43170079a548bd44c3d5fb8a2821c8eacb7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5dc7cb9c1f2107023dd8795a888ec85c

SHA1
bbd1d1ecbf6c73a74756c343a5750e41fb2c0d12

SHA256
d47b95de4990646ca5a2e980509719ce52181fd868754bab4615c84a2dc150b6

SHA512
ee8731e664e1c2604a73753ad2149abdae5355c6e4a6b05685dfd66f85f25d1f5e0e0bf802f3910a61d85953916c48a8f7c536187224e47abf877bfb4c5aabe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4de4319175ab1067cb83de5b748978d5

SHA1
0eb94ea53027d54882902d232fd7935f193d77aa

SHA256
9f3f6be2cf29ae5339c7ee1e4609718ce885595fd2dbed410cadd1f684560aae

SHA512
038f6425af950c88b646e2c118a2ea27e9e9a9261817f18a36dec08c9e08377bdba94d0bf548299ca897e8bb9e0af78544914f840baabaea53d5f93fe180c6a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c6985c19f3a3796d501c365de11b90e

SHA1
8635d4039e18c237756b393e1df8d4ee324f3302

SHA256
506943d04fcb87d0f07736dfee63172499d8891fa083a548adf77ac6a6345c6e

SHA512
fd4545239ae447cc806d47b977fc23f682b8076eacd2cf6a47e1e5fbc2a6d837914cfe668398c2bc69177392e106ddd130a98fb4a5588de6009ab39e83022273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc8f73f1d051c0256d7f3ce4e39118bb

SHA1
3666567a81f85b68025629ca7896cc3a2fea51d7

SHA256
c8baabe9bd630148648602a0810935c0dd7934784c9e6a2181f13bac49c634a5

SHA512
9dca78beb0cd92e0b7ffc39dcde51f743be403e67eb67557e2ada3d2da562fa18eab237392282154e652b612af016b6d78f58a572e757d8f6854c518e379d163

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
64cf3f2a51b654a6b0040e49060226a2

SHA1
0c02ab96ca8fbe727f28ae05d7cb0448e0393726

SHA256
a84a464ae7dfeff699467b846589e3987c55f5e2d5e624ee0c6c348d2c456f9a

SHA512
109ce267f15453d85a63dd0938b750a791c454c5535db981ca5641534fcfefe6073333e5fc2df262a7ef42f09e28fa363dee30ce21cf88716491b8446a28c4df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
88e251cad813506764a190e42de14d78

SHA1
ddbf3bbfed599b4c20f96ddddabb56cea2a18ebd

SHA256
f08f4f305a16eabe56e1d152a37680ec1dc6b041ba5a9181d3d1d5b6d387f60b

SHA512
b8bbdbe9d55f091a7aae4f44700d9072578808b7775e4e35fbf7a05b086ae328029960a5081fdda3e394e1f8794dc13a1bdb530a9b48069d90e1f16b1e615f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f0782d91ae341d920b1efde7b4bbb245

SHA1
3e6a2a01bbf6ea7d180a4f41b4ca97e4babbb94e

SHA256
2a748300ac6609318c762f27c9380a85869bbad4aefc1572699712e76f9b8424

SHA512
9378cd5e7d2a15fa298169cd31c7174f36554842225ca453e615dda48123328feeed304a3cd2e67c7b5748756e315fdf394b0ff68b2ba1091c5244cd7fded2b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
538017464b1b5e354fb71dcdbc449be5

SHA1
c297d55ddfde88f4d8c4cee34288d36210d7fb0b

SHA256
25faf41341bb0201152daaead1367fb4436d8ead82b97bc61d3c1c4ea053f8bd

SHA512
9d548b7b2838f3f32b020cd5cb6a06ae8f9a0e8d4b85c54d9b490b87c5d7c39edb02ca856c1990def3d63f7d1b67b6a614c7f5ffffd898642d95b3d3b475f36d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31ec34eaa754424dee3e509357b848cd

SHA1
199f64081bae2dac7d68038b60754b4a95e79763

SHA256
006bf6e7c22a6969da458145483891000c56667c25a7f94cde9cf64548ab542a

SHA512
bc6b921db702172d04e4bbe4a859778808d02fc81f0d0c6555577bd1da65b011abc576d693280947a1c3f0bb1e8865f9d67bacff22d31e2f1bd538a16014cc9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2d7a370ff13fe606d87dd98813a8fc3

SHA1
963ba18defc4511c75948f270509d9e67bc2d3b9

SHA256
99de49c041545c0f8b4c40cb0b800c0f095e21069b36f6b4deb3a21473cc315f

SHA512
02e278b6a51b5b4c97b0a3985a88496ce796c976b1b25d15bc984ccdfb4c1548ebe44b75acbb04b60080d63b349371fb71a3b96759a83aebadf56daf9ae7ad00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
27747263a31083d2f8cb56491073eb55

SHA1
c213f66757648d396dc6489b385ea83dcb98d47e

SHA256
b6cc2202f462a06c9b6282d4489bc4ea3dac8ca12d0dde44002cb7186793bae6

SHA512
cb6c0c419e5484ffe124d35889743e8dc24416c31998301ff506a0a52a6d07bf412c1150beee47326559d3cb5d5f1e35a08327dc3ec09d4f341bfb2e33e335b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
32383360e67fae1cee9cc28ce0c16347

SHA1
69a31a22ebec6a089e806b6360878c909dbeb86a

SHA256
0a8360931a4d7fd7bdbd904a6025ade305532f6c8f8f0466d0b6632cb04762f3

SHA512
1cfeea722baaf50121190645a0d6c13516f997b3583d7ac94081efc53bdb0e36cab48dbe2211e25fdd7702608b5cf020c718229a99d55602c27a030f9415ed72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
fb916cecf3b2c231db04958c3b1a178f

SHA1
c6ef222c383163a9a0c9c3254d8fe4165c4faf9b

SHA256
14094fc1d4d6fe7ac16de37b43e177083a0cb40e27c03ee0cc33683ddfa77b5f

SHA512
371d34b1459ea9c8a3e2ce02f379bf9427c0947336ae3c8f42ddc81a4dd4034e8e9d81de10dadbaba57e083650e736ba8aea61ea3c60f73c8dd8bcf7183960a4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json

Filesize
31KB

MD5
f69e2171d8e4d2312c1a42ab60e71bba

SHA1
0b1acc892b274af1b3fb8625d88833a6ea879069

SHA256
dcb563e5c1f4ff5365f10e2f344b35980870331270a953549b4bf283c6c7eb97

SHA512
b696400eba67fa511d3a295298e7b9b7879b071c42e9eb9a371562fed13aad5d9f231273d675ed1c9788b39f728651205bd25cee6e9f3ce42048276da66bbdfe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\cache2\entries\3F2E3C5672599012E226C23C09A3310980753F11

Filesize
15KB

MD5
ba06443354fe6a822d41a33422fe2946

SHA1
ff44ad9f3f106719c7d4196cef97997aaeff38f1

SHA256
ba4464fb5334a4352a9896dd1b8a7e749a6f88f03f6ee3ebbe4e74c87586a3f0

SHA512
3f40638a1666781426e2fc5be9385f3367bfb0ce542bb522c7ecab6a1cde392a11ce93dac3cd9f7d20c1e43f3096a6fa70e96489993b3cc4ccf17e27a24e2cdf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\cache2\entries\9357B92D7A82DC731CBB46EBC4F197AB314C7C11

Filesize
218KB

MD5
4e40a6826f9eb01e2c81024baa942e38

SHA1
a61450b6e9ae938b58acc47f88cb89b705d03847

SHA256
59d8752f32c7bc5292a684e74adba88b11b609bfbbb0092dce99ddab8d4e18d7

SHA512
6b0ce92bff3b9b8c338e871bb3ddcd3dc9d8ce8f845023d03f7f6185a4eaf3be07877f606009c855f85c2df2362f6a6fa2a9fa2cd3d799ac65333b35bebd7add

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\cache2\entries\A6B684B60D0BE769615484B7505688EE4480AAD3

Filesize
19KB

MD5
e8dcefdd065d51b538a21ea8b60418a9

SHA1
8f58782ec838e5def2bbc634dcd8b318b3ad9903

SHA256
f38142886b3c570fa50c114bc1af4a46bd5b9efe96e1da399c71164ea56a8a11

SHA512
ae0c044fd7644e651ec1ea05d6bf968e414b9bd0a040e1479073dea53f0ed38608b89c5066c39b83b5cbb5a68dc375b720eb123cf77b9cb5892a4fb89ac00bd2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\cache2\entries\BE87F002AA1BDD4CB9B911DB8CFC1B7C0A3A869F

Filesize
60KB

MD5
cd98727eae7ac665de37f6fec60df326

SHA1
f6dbaeb3d6b00b772fcc8510754d1c5278e7708d

SHA256
41d617677fea2bc791acb36a91f9461d112be322ef89b214caf4a9c085a82b0b

SHA512
c17398abb465c0fd3cebe0d934f7c290dadd3ce2d5185c348aa10e0789a4e57aff2768ca3bdca6356b26add563c3822824c8f7e1df51d23f015b1bdaac8811c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
69b78bf0168fff30366b2aa611231337

SHA1
f7735e812e052f886bfc1b752ff3b6ecd95bac23

SHA256
d61df80f3bcdabbdd8e5ff5703d64f1155dff834509160b892fc02dd5a78126f

SHA512
96c43d3af2815a97ddf93e6a0f9e3862bd309e1c053ae58b7ff6b3cd9817aa34bc849f0bd38172116922d0b878e2fd28e5ad150b44b0d80ba3a6156fcd5aa9fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
14697a99d0d035e4f2600a20a3d0de8c

SHA1
8aa7b50dad9790ea36ea9235f935a62e77d886a0

SHA256
7b0dbb897cbf67d011789b2c81711c4d80add63b032ce08f3a20e6798130e73b

SHA512
70d3f318448056913312e99546da1208c3a4d66543698ea28de1b61795c3aadee6d04b2ce5200259e86934a622af16c5a20e7d67e2b844e547a8089e40552919

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

Filesize
8KB

MD5
d095ae5997d221955eae33eca05f7881

SHA1
2cbacd3d9dbfc19c1058fec41074edae0c765638

SHA256
68580964ac3ea2a411c848fb958356fa265014942ed1be4b10fe4f3d8f962cb4

SHA512
6fd637366604687d56e907ab2b4daf97c07bca4e06eee75a29ccf8ef942ebc416ef41df674bc60772ceeb26b0d30e671c2d42ce18a8ce2f4b9d5925f271fc75b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

Filesize
13KB

MD5
49aa706a14ca194d72d84433c655df1a

SHA1
d4e4765ea1c494351e8eb5c2c2a0e1a89c0c6c54

SHA256
4e607813e74a164226c6611a8e6efe32306fb7e40d13deccf93440c18e551beb

SHA512
4928d31e106282c523b8471859c7c7b7f7b87909ab4a9513db3697cf556080013889f75293915d6298545183681b72751c60cdf87478e58157a43cd12966a0cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f9c0446f6bc5f8ee8a2f16e18858015a

SHA1
1da0a15b70cc3392df02372cfd90160bd239c984

SHA256
2ae0d7295d4d365088b4be6e0ded63fb008dfeaa486c1f0ca8885adcbd1ff10c

SHA512
e33761211c635ec188ac7232b7f2dd813be066862614a48306ab901bc2b8f376c9fbcf51918584b48aebc2a81f87c55d1adfbf79e625b192aa14d5cc108510c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
ed04457657479da8ee49af6a85bf21e5

SHA1
de85cb2a2283f546a30052ec7de90cec7b63beae

SHA256
b79553248d8917d0e4ece2581fbe39a438b7454a0b4186096b53ac2a27863267

SHA512
2fba24b81365a4c258b9baf842996c5f874eff99f1a5dad7ff704455f712bf793afcad9db1660b9d368eaf34c7fa566243d8681787ae1c54df20a0d14d4a7887

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
19KB

MD5
4410b387126f25deaeca2e0f5e1dd828

SHA1
47a83488f136b90cf0e42701eb8c9d63781a0078

SHA256
05c93d3d478c00466aa8f2a902e6e615cab24366996aae727fb1dcd7e026f65f

SHA512
b60b00a0209883ee74d7ec379f545236abc10bc67c6d34c430bc2639c186d566a450d157fbded771337710bb484d1605400075985d95f70998f8001a9b9a1d2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f2c39b4304460b519d4d01095481f52b

SHA1
cee6b1b3b95fe480ddde6c7cba774a13949e5c7d

SHA256
e2ccc3408b3544e6f9699955ae8d853c3c5f123891fc4118f65b5211e27e52ed

SHA512
c61ebb521a83abc9a1f49ab6c4919c771596d7b2d57ca69ee537d434e1a4c11fda38568443a408636c3029825ad9999e6673f3a337c670629b9003468e1eab9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
19KB

MD5
e1bb16ddaa2bc4563c282551d057c5bf

SHA1
a1985971eba35de09e9f4de72c963ef87eddfb7b

SHA256
1cb0697c34e422652fd17b510a553642559debcdcf1718536d37ee516db2af34

SHA512
ccc42983e7e2d27bbb5209f6fe636a1b354c300e6d76d1a9345d11df5649f592e5f50fab213c4a3d77cbbe9c6e7a3560d209e3de0067676a9ba27b97eababe99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
bf24747c55655aaa0298c244c2ab21d9

SHA1
9d5d340292fa0b11363190f296c193990b1b2e65

SHA256
81e65e622f5362b3806ce66567aeca34bba5670f0cd5f52302871c49dc8e32d0

SHA512
e27c13a42770040b9689005f7be0873795cbb15241af50cf0111bbcdb2427b963c69c3af0487783c7126c1de5f6245e442a10e9ad2ebc28833333b8c9017b428

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\0cd12afa-c2b6-49ef-802e-65b9291efe6c

Filesize
671B

MD5
09205a02be8c0c27290cc1f5bbd3b219

SHA1
7d76d424526d1a1eb99e4b1b724c3965e0d5b6fb

SHA256
7498260cc3b8aa5f3774124e6cea1c2aca7549f59ebdf0509ce1b13a419ae6f0

SHA512
2c89bd250c18368a073b3f3b18bd1c30ed344ce9ed45526f7a08da327af2a30ef7aa9893568ec51f02a7a705a2c30df767ffb712a8fb56aa69d363b937eb5bf3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\9a72d39f-f586-42c3-b72d-bf97c025a7dd

Filesize
982B

MD5
974d868b09d39bb69286c0e6408c3627

SHA1
b7c8175737f885e2cc8c21bf51ee158b9fb0f4c7

SHA256
f3d10fa0155ac9463ea3253c8653f35858746631c902e54e7c26e5c49a676b8e

SHA512
5c979ce897102acb146f7a21fcbbb5df24973244e6aee5ae09018aca17253c71ec26540666e03e3386b2797987a4654fc627f7c34050591e8f75b5e135109068

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\d5a30760-af0a-4545-b257-247adba97798

Filesize
25KB

MD5
9390ac7b4e628b9fcbd48f23a8755691

SHA1
bcd9a48efdeaa30cd0fc2d8a246373f59d7233e5

SHA256
4fd50c7aeb74860ac0f03de25224d5dd5bf8e88deefa720987445a3e776d17d0

SHA512
8b9af80e89389ba43e3b1c8712b78d96a5ab7613ce9d7d3985e5dd5a89b45df30a31940bbcc2eb8dd060f9b9fe7ac2b669f3151db2f3561d9d6ded00f97d2f55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\e17427a3-3c9a-49c6-b575-35029abf8477

Filesize
798B

MD5
5798a92b8119ca0703779073d30282d0

SHA1
e2d0765a64ced5b38eb9bab7e2fbd2ed9c8f3ebb

SHA256
1e24ac496af12d9bd984dba223809058619c952f240f8df7686a022aa7c97305

SHA512
645d00f3cb1efd75cac45aea534d97ec61bc81893b35de7e23c3e6985623d2ce95c18d95e7478817e795ef77d8fd0a685f2596264556b820b7619b3bc2d599d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\faee467c-0c30-4159-bee8-c1d2335e3032

Filesize
865B

MD5
9e14a9a333539fc16442e671cf8dff3a

SHA1
ab88576ff70785300020937f624c7e60ea23b2af

SHA256
77584f26068365c4e1a694e149dcaed63fb16d416c18850cc2e60903bb04f664

SHA512
57792bd8f1875765e22642ee94abb84ce43e18183f2ccc10d47de13ff8a8a9a84e25f3593024fb5d186421605b438e776d289c81c2b62f6007f7ee30b08a8b9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\fcdae38b-e82f-4b38-88ba-623a32eaeba5

Filesize
2KB

MD5
1863803f08ba0ea01427885cb9f44b5c

SHA1
05c436233c50c47fd82771a52d50dc55e642b7a7

SHA256
0686e57595823c4a2ced7aad669e9047b32281f7267200c499f890956615c834

SHA512
183a7249e03b46e7146343057af23fb9dd6f06fd45affac4cb708fc0a79ac8fd9d33267505638e96e54c7cc2b5224f25396e8afccdd85488668e6988d1f844c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

Filesize
13KB

MD5
7114125918cd3b20fbb033a43a6f7ce1

SHA1
5468bc5ffe53897b741cd587602622bfc6a6490a

SHA256
622aa8cbd39a4fc082420d0c8bbfb9c5405e8e49ec45fbe8aaba9220627e86e5

SHA512
145c1bb73d28e54cd764930f1913b6b85b8a6fdc19edd74b28736394856542e2da79d187a5f0d05cf15b560d3d50acc8fb63ca27e1cd74ac68f6caf55cbecd8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

Filesize
13KB

MD5
b419953cdc0b36cc4cce319c4acd3a8f

SHA1
13e868b60328ec722669912d91988ed26df9bb02

SHA256
f515f7a1740e34d3214f27a754298f78867833cfbcab0471c3e84c28365558fb

SHA512
940beb9c3e3f6ff34bae559bc078cd3e2b457be131aedcafcea7c860838eb94c659a8009fbe950548f5dc30f0bc7bb7e8f06625fe4a87ae7e5a5cc8223d61363

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

Filesize
12KB

MD5
9301c318f95fb92bea5e5c8617d5aa3d

SHA1
73c43bdfd870ff21164051806702c1d0413dafe8

SHA256
3b63eacad1b0d1fec1ea895c9e8f6b5d677e9ca136f377da765a46dbc98b1ee9

SHA512
a5765ff31917480624cbe45a74cf887fef97afc9891f5e822714b19a8b788da1640de65274825d1433c874acf7f90980d76a38367cbc8503c08da89059390a67

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
11KB

MD5
42fbebb798670e9c23b1ea94de70e288

SHA1
f95949698eddcd00eda223da9cc11165a30363b2

SHA256
0db9e79eaba58d5a1518a89c2800a7fbda17279916e9ef0b75fd4cb4d73c64cd

SHA512
441b377f8f0596136435ac29f57b0e61a48a07a309349280537afac60c6ddac0cb18301b253cf2c5ccedc06418fef1578e5718b3d1d2ace33fc3ca605a1f7368

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
10KB

MD5
a1037b976c4e2b5eb55da060b5a96840

SHA1
172223142565dc5e24ce565acb188fe3c4ba1a28

SHA256
137e564b32681a3f9b5e580415111988fe1d2c947f44347370fe0e923a114931

SHA512
737ec0e0a7877f802f0a7f508d4d97355f255e92bfddbd35956ed7b890d99b0bec1f677dff321c64a1ed5639ec9ac352a3aa30fd645d511e95a6bd09c7dfea6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
fee64e0f0b3d86a4fa404589e42143ae

SHA1
39c7b4f727c5c720d43be66f39b3af9eac86be51

SHA256
b3b4d281d753f477f59e714ae0d2896cd5d2a26a58010f91a384821ef3dfbe1f

SHA512
dd318c3bbe8401f099ab6443c43a727eafb63d17481973fe04f47120fba48643d3400c95a6549de3ccc05234d39d8da5b2041ff6d9cfa4bdeda8b8f4882a1397

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
744c1bc8c65c3282c5ad1e3678c534c8

SHA1
ad8e6a778362ac3a3f94ae4e5ebeeb2a7ae8260a

SHA256
c497697fd86298cdcff65b06416c9da8330b623ec976bcd6b33e920a0cf5ccc4

SHA512
9a8cd9f142fab0c1aa280884be473064976d0096f4ffbece96b533f2614ea994af6e8136d493bc7dc116862994eb8858b6938a6baabfc98a5e0e7de26204cf69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
5c30ec9d1645a9f9a88497024c098eb0

SHA1
10bbeba50d09861253d52cbe486f8b165da8e80a

SHA256
21f92fd4158b3291f759d89cadf3fae16f4780eeb60a3bd3008bb5ae9b0067b0

SHA512
9529065f1071dd5bf2109be2cbeab98b8f18a951b020d30d76fd5687851ad72154c48e4b206273652cba846038169c644df5ff8d3af775be2cb16d90fb2867a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
58d1db531706fc18e20ba0cc6912be98

SHA1
40cd0c4b7be433405bbf170f2e8095129b59c6ee

SHA256
3ab8a7bc713b8d9c4bb4fc11438bde1dc8a4299b8c0cbe531f03190e805d8666

SHA512
39d902bc6fbafeab112f803238c9a9701a585b051cd8a0f6bec84149803e3ffdd305221731d785074ff03f38447c9397db3d3f4bf74197116e203a1a700d4b66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
55193a15cf0f6e80fd068ef7b70f6e8e

SHA1
1de86f24c3cb0e094553908181d79c48843321a3

SHA256
2ee427bcfd69d1bb74ca25f2764f878f0e9a8414dbb15199cb92d9d76634ebd2

SHA512
22218f3357c9f52deeef548ea8cead876ca14fb9661e275c2eba48b4e207ac500f4b5eed2a8108e056114710c192bb670bdede35536f49030a43771e58328743

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
fed04c3e5df596da11f72d9be06b56b3

SHA1
cdfc73878db7567b779352717528add5ff03983a

SHA256
36c031f724e069c370371edc1d8cf215feb802ff13a107d0b2d4055127700777

SHA512
fb3f9ad48cf601cf87749cee85d29cc56d250590d130643b2b1e48b86865aea706ed7e4df896a967514d5378a1e0fa79cca67eb381e5a30f872fedac3e5d60d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
ac2467cf3d1c4080f2e847741875dc49

SHA1
c95f0a5016ce1249df8b7bc4e8985aa717334c10

SHA256
906e6a4ad45967135e84d343e24b29891ef0a212484baf4dca105bdad5c71435

SHA512
a27bd9cf3be207262af097ac13788d5afe06e1011b28c76f4a61ee157dd5499201601630ad435f6f429543c4114d40af519ff40f08a68c109e77b7cd0cf95d6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
b9b11d9f6bfdc81d32ebabb77d0d488d

SHA1
6c95b533674d162a0d0c34723402fa7dba287068

SHA256
2ae6c6546f244b00d88634364bf797d8b61e1e69a05d35dc9145b594fa4de4ff

SHA512
c6bd04da92f7b49e5e28ed04334982e1d586fc4db51478eb08af5f0865c00f3db09c4d4e2c08d95fdc00374250ef403198d7c77047a0154f18aea1ea141ebf1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
a22fda9a2a075fd2a598e8f9e6404b78

SHA1
81175ec85c12151455e6c9f29670b7b56b8b5bff

SHA256
c67ea07cd51f75e04b11bd1da9a62917f2fcbd3d3d4eeadee81e8fea159ae7b6

SHA512
8634aa7210d101c9f28eccad415e5ac786556f4105de57fe9b4322312c990ceb18d5886b33f14a68b0e58546a980ae2658fb87b878c7fd69bf90607a7e97280a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
bb1a5697361bd77b859ad172db716af8

SHA1
d443458ba8b7558c48a61e4c4a04ea60f2201ff9

SHA256
0bb67fe082273cdd949f7a827e8ef87d30379697c58291a3229f00bcd0dc171a

SHA512
8165481d4698a68abb3bd1a7a0c485073eaedd28e438dbd0c7268d8ee2c4c7b244664f9aa84fcf76df4aaee8d58a6d50ff3013aa974b99c788e54dc0d78ffbd9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
66e84a81a4b3902b2b5e39df64fd7041

SHA1
189bc2402d0387aa5d31e0cfb1443e91c177d05c

SHA256
a467f678c0402226377d81a9f0f02dff9fdccb8c376c6aee22ca2473f84a350e

SHA512
d8b8be4a949e4448b607ceafdd5f4d1c7106ff7e8a644cbca81c0b480a5d6a231488fee7398976d6ebc450e6f2c04a55f90624dc493d352f5af42d296afbc009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
dfcc6222cd33fa0dedb231c7fc8c0f27

SHA1
598618377dea2eaf3d597abe11387de098290d1f

SHA256
514fc9066993ea9d670a84ebec1ec900b3b78af399041fc674383907a85d53fc

SHA512
18cf25d3c32b69b9f1298c23e2c06eca272b50d20176c1ff8c4c83966d163e52deec1e7198210567ec695fb691ea8de6fc17a7b4e318a25d7f38455c8309d04b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
8d4bf3192d2342b4c568f4d7e0c94755

SHA1
2690c42c16d5969f6106ff1d0c9b59b1ee326e6b

SHA256
0934f2572205772619c14fcdefc0f7cec0da7de474345be7f36dc0634ae24af9

SHA512
306997de4b0f4534fad7c8ddac898e9e35577cb0e8c4bd5e1fc9db7b910e9a1bf61d20cd0159a94292c6182abc9d4565706553104337198c93d620dea816cc17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
c7cf7573732ccf7930cbd1a7851d5c25

SHA1
a76c0dc143e3cf2acd3ac379037cd7ce0d0bf639

SHA256
c11687320462faab2cb23701f78954146d430790d5981ad7147667c11058c1a8

SHA512
5f759dd14bfbdab80943ddfddc107b084b6817003c6f27bfc9efa191c7fe3aedae842b3ae7d1c6cf31c83d64e71728b6feb9ed38dff5012fbee205e138c20cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
bc450b526dcf43def45027054a7aa0f7

SHA1
0d3b19c293554071500b2ec6179bf34023f7aaa6

SHA256
97aff1b9e04140046b7a10b84690b08786bf4c3838893b4b8f023440e8c70f77

SHA512
f46732fda1f646d967ecb8bdf7e93ba6b3b83f56ace147cc313ec00aa60a3b47f81e1ab0507dc55a3f3f8c69d36052b4628949dfb3d72fc40e06217d1950bfa0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
d0092803c15ad6c05156fbbb24fefc06

SHA1
bf8c1f2a11cfdafa62226a6dff04759999271975

SHA256
0aa3df31bd1dabe7c53c572c8c11c3d52e0addb8c0c5002c75220e9520c3bcbf

SHA512
d4fb3a47d0d9472085577a3b8ef3267e741caf14bb2713aa6bb670106b4e84a889d7a41912d564122463f5a878e6fbb4a207c19767bfb5155878271c9f0f819b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
86ded9b62880a80071761c0761fb215b

SHA1
b47584e854f0587d863a9823fbdb48dbfddedda4

SHA256
812dcb3fcb9e3ff7a7cc6b085f8d4b4a49c253a4d36c19e370b9ac730897e14f

SHA512
157d46e9aadb189f1e10dd0fa36788fa48766fe8f2204ed151dd77a595cc2a51cc2230c0037b8e4e1caa4b196b8b05ccd494de927d190b5cff6c471d8f438500

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
a3e4d2a4bee2cdee2a08b71c59753a42

SHA1
a131e9d856f67a5c341e7b36146e89af902242c5

SHA256
41cd095a8624d86c914aecac10569b1d7a238583af62669b16da4a83ed148065

SHA512
bda2f8b280a8d172678384b29dc232a9b99e3d5e89c0da0d45d6ea20c1fe8a3b5e1085b32ebfd4f36fddf33ab838cfa678a8be5087f687c4e0e4c4b5114dc104

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\.padding

Filesize
8B

MD5
7f4d33ca379da01c2fcc2260c159ec92

SHA1
ff77a0142f04b3bfbd91f376014439552cad15be

SHA256
0a8f529abf2d06c4dad76bde173a0602a383798e85ec69aed38077bcfda625b0

SHA512
e36529093321bb257522460332a0fa23d97ae726df85fd9cd7091ac1ef6381d9aa2720bd3594eeb1e86cb7f4c20db7c46c10189067051c5af29a442bf7edde70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\101\{0c9ae33c-04f8-4508-9844-d7c26be55a65}.tmp

Filesize
62B

MD5
06ce6707cb7d23be38c1bca906cae574

SHA1
44a49a38aa723e87ee86ed58059ad6bf3a6a0c30

SHA256
e95bd1c15e8450d5c405d39248232cd3508b23a14bb58369d8b4d59be7d2a6ce

SHA512
f8ba970df073f67510b21035ea44007021abf2081a1a52edc3556aeb4dffb1434277a0ac09ac6db9bec5b999693114f2a0907601e2f286f41858d496d0b14cba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\142\{66ff908b-230e-4f5f-9d71-56608138b38e}.tmp

Filesize
23KB

MD5
6ed1334fd06f07c8ae3a7c45105c22d4

SHA1
b59451883ab2c731045793773300dc853935ba79

SHA256
f0bb57c624017238c3d68116ef28b21e671fcd3db43790bc9fb4221ae885378d

SHA512
d717c4e81170e406796c04a1ea3ff957b4483f0997ac94a3a0d8d2cf56d8b5239169183c491058a098e290132db9e064b1b24b35d9d91295030aefa422c604eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\151\{5873fcab-5375-44aa-8f02-14b131428697}.final

Filesize
4KB

MD5
57dac30f4aea90e51136516e97053590

SHA1
b4ef6e4d7753a73ca259108a4ddda9aa68793afe

SHA256
66d4c7281d3e900ff2e1d2d0296d296df94b3afc28cdae4064f82c7aff017430

SHA512
7bbb6afe1acae4ef7fdcfa06e81774f00f893678f6c2cbed46fdde42fb3de9fd817c6c80343a8221574e6a2b7327d4132f526803fed7c11163378d939ea0e049

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\177\{60df07b1-8650-449a-a5b6-ba6b92e6b4b1}.tmp

Filesize
21KB

MD5
2e44fec2afc9471e1158e9a34ac84e59

SHA1
89cc11354cbbd690a8ed9ae0e9e4b02878929659

SHA256
d42df05cb7c18cbeef953a3d25ed649606c3c11e000b673e73156695c4af61c3

SHA512
8a70d8f3e5e36703e3d8ab0125d9012bcebf7b02130d522f222f8aaa0057001a4e8dcc1f4cf19d7eac24c05f8ae2ca2d44eaedf84d00c3115a39b494c42f4148

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\183\{5aacb35b-c442-4a7e-a750-dc5f8c3adbb7}.tmp

Filesize
3KB

MD5
c387454386fe485bd7eba75ec491dc10

SHA1
bc969366d6a5602afdd4111bda4dc4527e777bda

SHA256
65358372af63d32960b965a6d5ffe17d386093bcd1d49d359c30c1323ed5b120

SHA512
383c84cb9d6489a777f3d6ae8975ef4eeae45cb1423dff5d98bca30f01c3047ec9d0b094f23ac2fe1d3471515a3cf383fffb4b7fbf759b0a2cca5ad6697af906

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\189\{e23de05d-9657-4d7e-af72-9ee256c834bd}.final

Filesize
11KB

MD5
caf44db8e69607d67385260bfe6a0816

SHA1
a3b77b194e9f95576767ef3ea238d049978e4dad

SHA256
be7d0e734ac31d7f2f6da22dd745d5f8b0f1a9d2a58b283903586f6f9f455533

SHA512
03047f4dfdb0de324236e9b06014efebb5c1dbddd937dd20a5778596743f9639f586733a52641e56228cf8d20cf1c5b155fb13708fc419fba36b5ff750d0600a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\195\{3ab98361-0172-4a37-b7a6-ed7a6019f1c3}.tmp

Filesize
58B

MD5
ee5542da4493bdf00c6ee47cabfc4e48

SHA1
8f4801a8fe960fcb952295d7a63a96fe5850899e

SHA256
98d169987418ca0cac89653a2a954581a7f75838da2d35c0245c27d022dbfee7

SHA512
cd91e5fc6287e8fb5848399dafaeb214e9caa4812d46bcc50ddc06febd4ec6261083f91677bbd30cbed1e29656f715065b88d88e1ce1c7c41e42b4dc7276c888

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\cache\morgue\210\{06abccb6-eb08-4f44-bb66-9cf645fa0ed2}.tmp

Filesize
21KB

MD5
212d4838a1bfc4082e73ed7e776e0854

SHA1
897a3a358a65dbd7d98115707f725fc83da444bb

SHA256
2272babbd4cef8187c14aa1210f78d29f9a3444c2f80be7cfdb03466d0764c63

SHA512
41eee3ee11f92811062f2f496915a7622d17522dc2e714d2fa01102316154adbb8faf9a5dfb7c48fae28fab7b303f2ac86ca74dc231d45b1ab4d5eac8199c3c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\idb\4197078560wnooriktbaorxi-pex.sqlite

Filesize
48KB

MD5
880726cd5ef9b1d7c6b931263d8e5e12

SHA1
2737220c6b90c54cf041eba64447855601640715

SHA256
6cc6abd80c9e36c73f3cf7b58f423c6ad266253888642cfd778dd100ee03ad93

SHA512
1cd6bedbf326afff1968cb5b75fe7b56758430729f8d07450e3537ae617fa02269948cdcb64f6bc43bbc5053718bb842aca645b86f3737b6de22a3e4b4bf3aca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\idb\4197078560wnooriktbaorxi-pex.sqlite-wal

Filesize
100KB

MD5
9932ac9e19db7cafe0768b60d764ff55

SHA1
9c89ef191dd9c70a0e6370aa7ec9a266931a3825

SHA256
e90e287c126bf424e433ddebe04aec941deaa9104869628faca60caec4cf604d

SHA512
dbbc2513579df91aa802540359ab47c3f07d32a5306b50b5babb469b0a362c10b05be00f27a45a55936686e819ac71c7ad3071f892b46bb728b310608f348fb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\default\https+++tik.porn\ls\usage

Filesize
12B

MD5
e75de3fad25428a04f8766f062ec993e

SHA1
e74584959d1ace9e608307c7a35dc04d12906f06

SHA256
ecd2ede6690d0e8e25fa088eec3159d8936c5644b2d74996277d807530dd493e

SHA512
a3f038019f89898925030896004c12d7784125c015e645dbbfad24da20702e6154935d2b805bb68986625fe92eb9d74a65a2ec8a9cec2061cd23e2ec351275a9

Download Submit
C:\Users\Admin\Downloads\ChromeSetup.exe

Filesize
8.5MB

MD5
26832493618886fa401134d2ad85e9d8

SHA1
84fab0a827e0ac472c18d30259918654bddc6dbb

SHA256
e0ba9d03231b377ef8565ca722c78c65da1bbaf754840a4e3112cfcfcf9cb5de

SHA512
79d415cdf64193af8c8be9b129a60324a333acbdd2d45542951606db9fcf499d8f2f723a5fa006f10c1209c8458f11fb1b7de28a61a3e5c2c2e049e301d1c9ff

Download Submit
C:\Users\Admin\Downloads\ChromeSetup.exe:Zone.Identifier

Filesize
387B

MD5
9745b1000285f813cd199702bda88e71

SHA1
83f586521391f801d5cabef0fe2fb5f3e0214e75

SHA256
30f46e9408fe1789b8fc1a37bff2e0555d6e5f4cb4fc5e0597227fe826973b18

SHA512
3a34a99fa73e88feace03290b28580f3d6d8c30301ce3f82be2042ea44963e514e033186aa8580ffc60d37caa498d9385a330a051a8d2426d109d1fa9909832d

Download Submit
C:\Users\Admin\Downloads\tikporn-251472-shower-sex.le4k8rMz.mp4.part

Filesize
5.8MB

MD5
68c31564882968eb957bd66098b94b4b

SHA1
9d21bb66588379e619a84d4ba397775d3a7f4bf5

SHA256
647d7d0cd49ea603c88df406bcfb252569b0de490138d0969efdfe9061510a8d

SHA512
5e67ec5b9ed9696a7641990eb32a75625b7db897fed999a54ed90cf1dfe1c12502308670cee032b4b049b9d73ca8914a8fc002e96705a54b5031f0c7d667c13c

Download Submit
C:\Windows\SystemTemp\Crashpad\settings.dat

Filesize
40B

MD5
6e983d38a9f518f5b720836e0feeb41d

SHA1
4d812211d60fd3eb162fecd98d21ea723dfd660d

SHA256
169940799f1aae8c2ab466779296286c787c03f13a283af4e8a3f963bbeae6e8

SHA512
c4d1405e0251fbca1ff016adf9b6ff2e81872c07f5688a17c19edc623454311c33c757e452949025fef9d84d5ea8d65a260130514e41cf7390ec1a25df28917d

Download Submit
C:\Windows\SystemTemp\Google5104_1228257394\bin\updater.exe

Filesize
4.7MB

MD5
a1361c84ae51ae71617978842d129712

SHA1
b4aa7a27da802454cc1a06d49020ef5f85096dad

SHA256
c06bf6776aa78e9aa48f7b1f19ae9b77b7e3277066003c653ab501304d8c2f10

SHA512
eb4bd87f78a16ea215c067781d664837bb8e1dd50c59a66dd4f7ed1fda13cd16741c3f351b319ecb9d63c2b9d99695fc0e0f15a3f22ece8bb02bfef5c8a2f99d

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\86534f3d-bf4e-465d-a230-845f7cd460b9.tmp

Filesize
660KB

MD5
3afeffc7e863072897b10cfede05f658

SHA1
d35be4742a2336e259b96095507ca1b7d088e0ce

SHA256
5d82ed2f1374b450f59d937a572840fa85581fd1e34f536937d8b1d041d65f9b

SHA512
1eba4772cc3b8c16f3d21ccdef2461a03f59742cd8eaffbfc636e5f3ba6a3208b3f72f0d9f0cbedeb80b9f07678b77a2fa8bbeb400ba30436db316dd620a782b

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5780_2031853636\CR_D00C2.tmp\setup.exe

Filesize
3.9MB

MD5
5aa8ebc484fabcfaba8d10170d0b4b59

SHA1
522c14c36b2a515426b0a97c97d9a11b20605fcb

SHA256
fcdf6ee87d81342d7949eb27d5716de504b0b0c7feb9ade2e24a4f83f2fc4165

SHA512
fd6f029b11908bf19532b4991cdd02a398d1be1bdbcc4b59adba2ae72a3cf3430b52a94be0b6487844b8b74b094aa91d1f514116ea14ae585ca65382f95c702d

Download Submit
C:\Windows\TEMP\chrome_installer.log

Filesize
22KB

MD5
3019a4f2b409b9639ff2e0905a344f64

SHA1
919f317d997a08ce280cc47a84aa3972911d338b

SHA256
df00a2b6f76d168f28950daffd5cd348389e21f2d8f0c4c029d18fc94b9d9db2

SHA512
654602dfb1ffd06342dc5f507de3a2d1e9462ed056ff7783ac73a2191f96bb3f5cb190a101a779f348e61f01f0465d27a53b2122b32163ca76e2197ce75b139c

Download Submit