83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe
Size

89KB
MD5

022a82f54407e185853e6d8efa72f6c2
SHA1

3279c0a28eaa15fdd997e3818db043cce1861a1b
SHA256

83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965
SHA512

b190e6de166a468d32ca513dc4953410d0ab7e5e1bb0f184b5e6f603c0401de0f000080cbb8fa879407cfc92cd4892b58619714f681c08e5ed0d79f1f150f11e
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfIxyvO+:Hq6+ouCpk2mpcWJ0r+QNTBfIu

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683986601132746"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{F006EEB2-C328-4643-AC7A-8A2394497F33}	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
4952	msedge.exe
4952	msedge.exe
3680	chrome.exe
3680	chrome.exe
684	chrome.exe
684	chrome.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
2292	msedge.exe
684	chrome.exe
684	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeDebugPrivilege	4092	firefox.exe
Token: SeDebugPrivilege	4092	firefox.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe
Token: SeShutdownPrivilege	3680	chrome.exe
Token: SeCreatePagefilePrivilege	3680	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe
3680	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4092	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 1628	2768	83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe	84
PID 2768 wrote to memory of 1628	2768	83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe	84
PID 1628 wrote to memory of 3680	1628	cmd.exe	87
PID 1628 wrote to memory of 3680	1628	cmd.exe	87
PID 1628 wrote to memory of 4952	1628	cmd.exe	88
PID 1628 wrote to memory of 4952	1628	cmd.exe	88
PID 1628 wrote to memory of 4920	1628	cmd.exe	89
PID 1628 wrote to memory of 4920	1628	cmd.exe	89
PID 3680 wrote to memory of 860	3680	chrome.exe	90
PID 3680 wrote to memory of 860	3680	chrome.exe	90
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4920 wrote to memory of 4092	4920	firefox.exe	91
PID 4952 wrote to memory of 4040	4952	msedge.exe	92
PID 4952 wrote to memory of 4040	4952	msedge.exe	92
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93
PID 4092 wrote to memory of 1768	4092	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe
"C:\Users\Admin\AppData\Local\Temp\83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\69B6.tmp\69B7.tmp\69B8.bat C:\Users\Admin\AppData\Local\Temp\83aa0fba2c2ecba612b5bb7d91eee5c9a0c3e2f471f61b414d54d43ea6aed965.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7fff28dfcc40,0x7fff28dfcc4c,0x7fff28dfcc58
      4⤵
      PID:860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:1288
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      PID:1652
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2268 /prefetch:8
      4⤵
      PID:3652
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
      4⤵
      PID:5224
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      PID:5248
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4300,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4436 /prefetch:1
      4⤵
      PID:5628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4308,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4268 /prefetch:8
      4⤵
      PID:5384
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4828 /prefetch:8
      4⤵
      Modifies registry class
      PID:6096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5176 /prefetch:8
      4⤵
      PID:6524
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5280,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5288 /prefetch:8
      4⤵
      PID:6584
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3888,i,5547017210780682635,7743936152512536567,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4956 /prefetch:8
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fff28cb46f8,0x7fff28cb4708,0x7fff28cb4718
      4⤵
      PID:4040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,6699700415564375067,8422566004292752620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,6699700415564375067,8422566004292752620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,6699700415564375067,8422566004292752620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
      4⤵
      PID:4624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6699700415564375067,8422566004292752620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:4564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6699700415564375067,8422566004292752620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,6699700415564375067,8422566004292752620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47cbef32-810d-4bfb-b1f3-73febbf0cef5} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" gpu
        5⤵
        
        PID:1768
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2424 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61ad1fb2-53cb-4b6b-8d96-9856118f42e2} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" socket
        5⤵
        
        PID:3420
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3364 -childID 1 -isForBrowser -prefsHandle 3356 -prefMapHandle 3352 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d58080d-33f0-4675-8cc7-27fe12596ea0} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab
        5⤵
        
        PID:4036
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 2 -isForBrowser -prefsHandle 3076 -prefMapHandle 3196 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14761f27-3189-433a-ae91-08fb3b7d596a} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab
        5⤵
        
        PID:116
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4268 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4092 -prefMapHandle 4244 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {745579dc-74e2-43cc-8164-0bf625892972} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" utility
        5⤵
        Checks processor information in registry
        
        PID:5156
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 5084 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00f744e9-7a7d-4ce9-ac36-7d6e5068ac2d} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab
        5⤵
        
        PID:5308
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5128 -childID 4 -isForBrowser -prefsHandle 5064 -prefMapHandle 5116 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67fa953d-b350-4d64-890a-6224483e1e50} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab
        5⤵
        
        PID:5608
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 5 -isForBrowser -prefsHandle 5412 -prefMapHandle 5408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06e10111-6509-43ad-a254-94fcc9851388} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab
        5⤵
        
        PID:5620
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5916 -childID 6 -isForBrowser -prefsHandle 5968 -prefMapHandle 5964 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db8eea5a-6387-4685-a937-21c58dd7a4c7} 4092 "\\.\pipe\gecko-crash-server-pipe.4092" tab
        5⤵
        
        PID:6800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2992

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3ac0b6ef3108af8d41bb22a1a5e4c36a

SHA1
bac06b00ed9dcd36359efa9d1e5f90cdd4978ca0

SHA256
09966152f2f404e3d0680af71487b50e23f86f24a5ea07f54beba0055a27cac4

SHA512
88f8c825477941583ee3cc2b467442a922a7a1d5d6828b39adb2368db753070c2faf614f70f1058587a627c8665fd7c43f9691b51f313a8da4d6b2c534625992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
11dc6b895622eadcfd64b209e0047c98

SHA1
e5e158fbf76968042988275222a7ed9903bbced0

SHA256
aa5314cf3aa573dfd5a5f10057dfbbde9df3dddd9181cf0af6f41c5205594d66

SHA512
73a9e42b929fe31eb0be6e6e8fd941c0bc066673ca19f5f7b047025f09d54e246e0ec7c0c869f2e686a911ccd771393170c0002071a056e279348daeb14bb155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
563e68bae9f19425a42f8270ad202db1

SHA1
0183165c957d8e608d62199b7e22b22347916d26

SHA256
cacc8008b1edd5527b3db15a3009f9c4c2bdc5f4d248a2ec450c5262bbe29dfe

SHA512
ccdfce57075fd171fd6aea41d29b2e22a62220175e7e9a99659a048993c62aa7016db82be89c1620025051ae7a24358100a1c8e1d0c0f1a9106d71946e351444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9848dae19d36dab6b210ec274dc5faa5

SHA1
6d176d7551443a344144c8c3a8a5621c3ff54acf

SHA256
22f3a42a81317f18f4afb00f61902099fcb050a9caba34505b18f452dd07135a

SHA512
b6c180f6df844ccd0407f89392d17fb6ac16f1e37cab4da7035d6005b8d32029d8966489e9d3da1f65ba0fc4639ee7408b9c2f0ff297dfda7f56b5fe6b790d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
fb2723bedf06101d99bf99708c3f1f2d

SHA1
8fa123b8cd5c88bfbdf7a66785e075075377ad14

SHA256
0fd53b0ecb74d9e5cf3f2305abbf530a5329dda4ec4049d8b774ec0efa777989

SHA512
a48e3ea43bcbbfa9604371a5c4142b9f5dfdced77d57534a14c077093ce612c9a590f13c686b1b717f55b736973920fde8f912256ed25b83a3d45690841311db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
ce76895e1dbd1a29dbf4bb6b391eca97

SHA1
dbbee49b59774dfba28e8ded3deede357f41baba

SHA256
862286216940bded3b2717e81562be314eb5e35b06c845a11afcbea2a5852437

SHA512
7be2cec870edd4a26e1ccf0f301402eeddc35c6db1d1463d44e5a32aed7ae1636793f03bbe4c2024e80473595e26292236799ca9f926c21ab47fd963e9089093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9aacc0e5655bbceea870c41e519ca14

SHA1
c7d30c965307642eb5c3dfb25d5b6d8f192eabad

SHA256
f149a3cc813622b0765162ea98cc57130198b702990df9e69243906d294a56a6

SHA512
f2f2cdac33c7351e89ad9aa4bfebfb6c2db50d8ce6b6bd1a0a21a1aae7c6acf66e73d573a67dd3c19d956a1b139095d59fc6cbfc491f3fb79a89b67e2a9f629a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
595021706360354f8b6c8f3945981601

SHA1
71c3b00b1db4e851015429b9842a50ee02af086e

SHA256
9244fbdc75cf79d897c80778cc8341d82aa4e8ade4701ffca630b5f861fa01e2

SHA512
f42cd5683b2ddb2cdc7832cbe2915ed2ecdb44f96f4d39ee9dc798e9f4c092302cb61a0b38561f12ea01bf88e621a75a13e442f38f7fbf064fb660a55be6473f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
288b405a7c7eb53ed16bd72d6a9d3459

SHA1
63556ca512cef78bbf5d33e9a1e6234c80e0fd43

SHA256
af8fa9bac5b88098c778f1f0366c1340ea862d4cf9b4f024008e09b846ebfd73

SHA512
24429358bdc8257f9a45240ccc5ddc9d9742c2dad2baffbd37c4f762d4905f76663a8d725c5f8c1298287a66306452ddc7e2df4c1fb63a0721690819d2bd21b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3036edba5217f178ac435dc11df04b3b

SHA1
fa29d92555f42ca1274fc285faec7ca5aed88487

SHA256
ae9df921f771f50c6c32f731394ab4fd62b75256b074d60eba03ec222f240ed8

SHA512
3769784bb8cd92393e74623b20a0fb3bda4cbd122c845bce890abb3b37f8f57c3a6e54f403b4189cb3b9bd0c77341c21aed61d8fdeb1614d9b09c306866b6250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ffea7884bd488c49e89a263d8a7d39df

SHA1
dec5294a2ba429fcf939a786df586bbe83d5d744

SHA256
bae896d586fcc88ed39674f6070223f719b9656222fa9cefeba89deb1b64588a

SHA512
33e70418bf02cf54431a268d7e582de9be34872e6cc6c9ae66f37638742f00cb4e3cff8443173e9d0f678b0a83d02a4619de0e5606fd8ffb65c24070d2cca13f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29477ba8e2abfecebd1e006974650413

SHA1
6cf818ca157b9f3f0a6f49022bb8029cdb80e638

SHA256
8c0369c580e0266b449c10eb44e709103edcffc80435767cb331cee1c2c9a2dc

SHA512
bc5cfc3a48fa108cd4619e23c484cd436728ab628f32b0c2aa3bc95bc10b6f2794a999a4e7ae5367fe3f814937026d09634cdad13444b479436833b942a4f79c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9666e951a4f3d72cefc720956c3a3a48

SHA1
ed33fd20584bc5400e028b6f66d5b5c0fae8dd1a

SHA256
2cae594a04e2eb8562969cc711abda208d4640fbbc15f922877133979a1c3896

SHA512
f60ff3ecd3cdbfb5622fa4d621697b836ea7a6ea3cb82edb5250094c6d5ecd1c3061ad1f8a1bf1a08fe4687a29d3fe1f9a937bb7cdb3840f123becb0931554e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b363cadfca972c1b5d6e49807c629c04

SHA1
ccf69fcd74cefe34e0cc98a4c2a9570b4596ef15

SHA256
b28468edd3e898a541b875b611b9b48daf84eaee62db5fe81d85b4df873f3f0b

SHA512
54aadb0703bc9e54694b52d1fac0b1a467ae9c858c34ac4398e430721f0a5d3ba12b653af29518665f83b25854ca696e3fee443e845e6ca5650e9f531b52d1d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b079b711ad3b8284a2e4e1ea7c66abe

SHA1
292427bfae9f752286924424f47e5f3fb8535634

SHA256
ae881345510df1b270a1289f200c1c8abfe2af3d29ccc757c3f3bdb243fb77a2

SHA512
657d82cb0b607842b12fc68a7b9f024d0390cc31cb33763f30ccf8a3b3140dee03a9ff8eb491780b76a3f4b1aa0f24047f9d243b0b79c0def160ccaadfe6bf48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
749c7033fdbfb543d6d604b77ce05113

SHA1
d05702e540a3108692ffae0c29fb7a5a1e05fd43

SHA256
b1369a4da664419e99f6d43f30374e6a5110cbf739974e988c04fd89322d69ca

SHA512
99c021178065c15a24ef27829b3f76700175dc46109f1c4164d742559be5d13a1f21ea0147df7829cf07f3e068131ae64c4e3f8f96812a17c6cede98b7ca67de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9d42c178892ff2ac5fda9b4975894536

SHA1
51d2f864acc177b35cb0dcbfdbec872e4a346875

SHA256
d366dfaa07c5c1c7ce212db5f622199f1bf82963076585e807ced22b825e19c2

SHA512
60e6b966902db911caffb087cca7faf343418e6e382ddc41f6010c909e43ff3ef0cc7cc48fb0e824f3ddbbc504a605898b4d2db93072f5846cd3d3f804bc1adc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
49935713c7dc4618f5b71abeaa6b9da9

SHA1
9c12b2342ed5ab6633d22d2dde1ad83b6fa0700e

SHA256
58b86ea50c392f7583f9af1721246d0943bcc0ade18a9b29312a7b0c43b4fabc

SHA512
9ee1db9ef73065da30fc394d2a21c5ee5249dadf3a286e600d8d5275757e12d0cfde3d3683735e1a20d4f4ed1e82a5f176ea17028d418d9d61d28c27dc1f1a11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
d5eb25775380f4ad9104f905bc55369c

SHA1
820f3e5b6dcb1c3d3242b04c03194f9d0fcd1f1b

SHA256
1563ee6cd68c4765191649b95e09b9a71aeb5ce8646c71ac19f6a96577b90288

SHA512
248b90cb19c26c57bf481028c7af8b7bfc654b68b9a1e2f8005a74d0fcf63e080163e2312c986a9f242eefada3036e73a624de2b4192f083c8b766751919a378

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
b9a6328d14179d9fd1a2ca0e1b39be12

SHA1
7695e15d8e8dbffe7c41b3d3d72105bbc11d8544

SHA256
2eae37ecdddce6727d3d4970cb8c3cfcd8ab9f2375856578a114153cac535eb5

SHA512
137095bb737ffbe0447f2f9d56f4b30bd2e24a6b2f9cd8169e672addcef90aafdd08b06d3617df3734fe322adb1c2d768a76f3b6497504151ff799169e3e4497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2e122fd2b277d74b5597d3e466f1f4e7

SHA1
9b289da12f7213930a591278f0fc60d613f13974

SHA256
d61d1d10396da99294d7feab7998024a0d4da65198f9f7a2d695b2ccd07693cc

SHA512
4bfd1e941ca2c1158f9f574f804c7e7e70c756431676d9b6c6579575b8c478ec15f7e2a3ae4638de30728b2c36dca5160e2a3f1291d5f032d8a2d53fe4bcc3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9048734181b73d3f5fdd834b037748d3

SHA1
459eca08d71e5cc6c636f787ba535243c37f961a

SHA256
1084634393ce69b6b4150d0916b83e26123f3520c93c3040049e48aaae0851aa

SHA512
1f95267c3d09b5858af857be546d2a3bec76e0d5752f99ccda84dfb08a8d0fa6dc9eb337fdf83ab98582cd5c278291bdfdfbe69322470d6adddd040ecd9f7e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea82022136f0dbd90492522a5fc88605

SHA1
d7faa60aa677eeb1e2ee9284bc13764a85069ed0

SHA256
2d43edade1d1af97a64267368fc598a64dcb526107b52efba1e8a003115698e4

SHA512
f4fb2be1392bf36397fdd77609657925332b60ebbd5a625ba05e457667e20cc91ef16f6b7bab4941dd5ff4c5ccb569480254c45c72dd40bfae86597fa53f7e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02c5be808213cc67bbcff92c271a6672

SHA1
8c94ca37b3e369e55461a3f5bb6e1db6f9adc26b

SHA256
cf63814fc5f96263b402d858fde3b3f5d3ac003df6d2b10cfcce3c31e9807d5c

SHA512
6d1782e415b2d7d80a5278e4e0493a8d18ce804dfa4c891d8a3abe4036a03a0fd7b33bc4b7f15ae186f22e2d631f31228414a5710a86ab40c06953018a331617

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
955e8d2d8962d6b768aeaebd27312881

SHA1
80797d4482cd189ea78af74eb66a47bc97de6c09

SHA256
d87bb2b14670522aa8af6746343428744fa7e5dba34a25119a5f1a9472343898

SHA512
e8ffb34adf9be1e2310da035a501e35ae3ec991624f0edf6d8377ae77a493115f5282e57eeda3a37ed88494fa489b3c2ef765d67863a0300899e74bb1af15964

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\activity-stream.discovery_stream.json

Filesize
37KB

MD5
5350f0a7fa49ffa52101b4cd2ef770df

SHA1
fd2475a8e0ba9480165f9627622da3b164557d58

SHA256
4963e52075bf51e7f5e3f2aa28ba9f16a67feef77acb799b704490a4c98a7ed8

SHA512
f7e11cdd9135b2158982fd665780c839b52144d2aa2528cd1f2983d4e5f343d85d81501b5a97be26b6ed7221441e8dbc2a538f56d51c13d9e2849ee4ad9e6e25

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yaq795em.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
8de7e321fc01bab0b2af5ad608a35980

SHA1
e8e719f95a490b69c85792dd55ac2534b15aea78

SHA256
5cb9db8f7b22201c62cc7215a85eb8b68e9d59e5de15050757d23ced43f289cd

SHA512
2657339102a5074e0ce8de679ccd0c2fa7818d2e995cca56eb518792bbc1f8bca99da0852d6765d45831780fe7c61a95459b41ac18cbf5dd1e253580b5609843

Download Submit
C:\Users\Admin\AppData\Local\Temp\69B6.tmp\69B7.tmp\69B8.bat

Filesize
2KB

MD5
4ac6a9d9e192f54598f8b67cf299ea5e

SHA1
c3c63fc731603f581ab71bab7651a4d5112b04e6

SHA256
f1179bc15a8c644c353af64d6c6c3f13fd2d48eed2fb0b709a167185d2ed806e

SHA512
3ff1226c147403aa5afdc515f260849196dec92166273206256ce8437a98dc1dd3b2cf913861e7537ccf36d6bc53537bd49b600e9adb1671f4bdb3d6e3da23a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\AlternateServices.bin

Filesize
7KB

MD5
20a662d75dfd1a95c04f5e27e2a7a0ee

SHA1
71f3ca1d7f81650eb03e8f26afe9a2946ef60e6e

SHA256
5007532471efed658592ba866f84f5f2c7995b2d3e607a80c0e2c9df41586e9b

SHA512
13b60e6f632924ccc215d5763048353391c99761421e26b646e4fcce393edb4f7126f3f5263aea6bf73e21ab59edb7f5973d0f6962cbb5ccdf7cfb812a380d53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a664a22f4e3a6c058e5808df6a74c83a

SHA1
5f822b3a7ee17c1c6b7a2666988bc5c2b58d3587

SHA256
5025d69188ee32ddf071973eba4bd53ff7beda11ca942b3323b84d5c76ee72d5

SHA512
a1b23b3846b5f556d7cbab48115d9917174e3e722e739c7a63c5549481901df16696c34d700edd24c0db455b23f5e69c70aacb6c53c780306dae74c80487f3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
38c306a7b6aa250b075a26ee0f0d9c6b

SHA1
2ddf6be8206eeb6b3d4b2774c27027d17b4b9ded

SHA256
bef3b061d82b6cff8134f0a3961271008dc68c1e4c9d2e63256432a39be64a19

SHA512
7afbfb5b2addadaa0b2d7574864c4fc42cd113f69e457360bf7d2494f830c8e8673b2a90913bbcc347d5c4fa836f049c238ffe1448ded4fda9241acaf8a3e6b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
2774ef8e6f579cc5cbaabc953167c047

SHA1
1174f890573ab339ef4dc22d0a2211acd609bdb7

SHA256
7264493e6bf2903b27c67902c891865e36d00860e04d2a846709cbc642de6ec5

SHA512
ffac5f0c0c56be5aa94ac6b090cf9cc6f175b1d726494df74547bd3cbf667f15ed2b540816aa5be04cd091b485111b5cd4ecc7002e755855e8b0c0c15a644c96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4c9f6eb9d3c16ba4bac89132db2207cb

SHA1
06dee7f641479765f2c964b48ef0f774172dd658

SHA256
6892d5abbeb514f501600047f3fe69783a847a8e871a3f94c200f517cdb22605

SHA512
1c915191b04373ae1109a07f05ebc82e2b2b07544eacce2d68041de7c397b46511b41bf92be3873e485cf6e09fd588f313a23944713a7c64b47afa56093d3416

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\297e8095-71e6-4c08-9d88-9f61970ecd85

Filesize
982B

MD5
5e1dc3fd45fe9b5543c8f48acfbac59a

SHA1
c8d1f8d0b1d1bc8aadb5d83ad1d1c5639fb8ffd1

SHA256
d1319f3330ca2fce46cfe0866826888b9fe7d92aea927855159a682e3e21d90f

SHA512
b354c2d10ddbe2899b3ffe9068ff8e0f974034d67cff72725433554530866eab1ec08fb4f10b2c7d4eeb2a0d02f174ed0fbd5689ac087f4a403c4ef9fee1d646

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\50c84bff-5b0d-41ef-a298-3f479a85d73d

Filesize
27KB

MD5
d96e2d74f418c3dec06c2d392a6898af

SHA1
c8fbfdba4c89bd50f2eaa2c57e9cf331e146b4c3

SHA256
d4060e7a3c874dfcda904540de4f90ddb8d30de5d32ba10bad57c56cc8df4ce0

SHA512
29b9ffe64a2fbb0bc9ac8c163d1f7726c8f8cf913ddc7fda113f7f1e318ce1bd47cf08106ece8ff34ec75773f4bc0896d34dfcaa703076065f6fc5d40f01c300

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\datareporting\glean\pending_pings\b678c2a1-12c9-49b8-a589-90940cd3b4cc

Filesize
671B

MD5
dd1e095de42670d46966cb18b42b0f52

SHA1
58c23ca7502f35b17ca1e1a54ff7bc09ad7981e5

SHA256
d3c1a1be8c4ff8cb9491e2d41bf340e14ea6759187bc90031a64936a88eb96af

SHA512
2b4c31362ad759ec1fee9af594248d845f5893a880918b90655675f7a970bf3489754f14f73bfd2b2074ba61280dc1aa3cc43d73453804f98582e7449908f13c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
12KB

MD5
799cd55b4f6b483505c02ba6d26ed4b3

SHA1
568a3e3fc385fe44fbd6e66837be4e2cc43501f4

SHA256
da8ac50de5717c8ccda6b3d8898e31a1283b01bb8c937a8e41ec33248cc41440

SHA512
6f9dff38616b4d3097c2f1385b3d8a40f8b93c5f4c6a3c6f6ce08a79dcedd1fd5d11d7ae18228b8e45ad4a474c956e58e3c04a8dd7a0b48bc90c70ce0c269f69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
16KB

MD5
db5b630a2fc9b8bf8c079e598fc8ec4f

SHA1
158c59a4627af8707872e3abed33aac75b6a0d01

SHA256
7cdd92006eb318153a0a1cdde0b036c4836bc4f90c67e45cc12566d0a1d1e5d1

SHA512
fee412ece8b953647e91cab193ce0ad441c82686c24ecf8497b0e87a018d9cee4246a76fcd3f2eb2c7181392b4294ed4348d99b7e6061d5846a2deaf380fe9ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs-1.js

Filesize
11KB

MD5
885c368fd082441f52bb3cfd8ba49c6d

SHA1
60013e188d7a7cf000eac310e9cd6d4eed94819a

SHA256
ec5fe625610c87e2c6032b94fd6dd150dc7bb9c67d98cc0ba93c4ce3e5687f22

SHA512
5430bdf69ad956bd1688f2e9f8ef577413edef498350f7ee566f0846bc9eb64feaf06fdfb3925d70c23a26749c7cecf9d33b48fcb63a7c6c4f8fb32e133cc2c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\prefs.js

Filesize
11KB

MD5
b3b0063ffceea21c22f10b63f7b06522

SHA1
55bb00004e325140c1f3cc811555d193e3f6e238

SHA256
efc1ed638ccb1aa6fd34dbe197a9ed13cefb1342b4e455838efc814e26d43c65

SHA512
8529c26308e3156d21b40b65104dcae6059ae06eae5e76e8dee463239fbcf2098d9dfe4dbbd50784234953a20989b132b98cf83fc71705690ab43ce73a09aa10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yaq795em.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
a583e281fe5cd3ee3dcb1e9675b9e145

SHA1
f769f99fe382dd1067b1ce8185b0e21f6bfc6d61

SHA256
56bbdf599692451ece1ba9c9f3ea5be3c071eb730977dc19e30347d526a63c55

SHA512
092711f9aadee4817468938fc24a9b8a45cf1b404bd42db4d6d7965f2dfabcc08f417eec530b529a62fafd377846093d3f24b3e08dbc0e48a0160bdb207791f3

Download Submit