383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe
Size

89KB
MD5

34834999c6393aa0398abfde8bf69db9
SHA1

46fdbdeb1c3bfc74aff2fbbfc8a045c87b80fe82
SHA256

383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910
SHA512

9fff1de58521d2d9516b855c77297d922855580c3c1938a6610bc49bcffbda5670d62195835eabe79e227e494572a15ac8b7b7b50ec07adcb93387c8c98b73a5
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfQxHhCJO+:Hq6+ouCpk2mpcWJ0r+QNTBfQlIP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684870769653895"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-355097885-2402257403-2971294179-1000\{C52CD5EF-B559-4C10-AE75-6C630E9B6CFF}	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
4552	msedge.exe
4552	msedge.exe
1716	chrome.exe
1716	chrome.exe
6280	chrome.exe
6280	chrome.exe
5204	msedge.exe
5204	msedge.exe
5204	msedge.exe
5204	msedge.exe
6280	chrome.exe
6280	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeDebugPrivilege	1912	firefox.exe
Token: SeDebugPrivilege	1912	firefox.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 628	3032	383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe	86
PID 3032 wrote to memory of 628	3032	383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe	86
PID 628 wrote to memory of 1716	628	cmd.exe	90
PID 628 wrote to memory of 1716	628	cmd.exe	90
PID 628 wrote to memory of 4552	628	cmd.exe	91
PID 628 wrote to memory of 4552	628	cmd.exe	91
PID 628 wrote to memory of 4224	628	cmd.exe	92
PID 628 wrote to memory of 4224	628	cmd.exe	92
PID 1716 wrote to memory of 760	1716	chrome.exe	93
PID 1716 wrote to memory of 760	1716	chrome.exe	93
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4224 wrote to memory of 1912	4224	firefox.exe	94
PID 4552 wrote to memory of 2156	4552	msedge.exe	95
PID 4552 wrote to memory of 2156	4552	msedge.exe	95
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96
PID 1912 wrote to memory of 1996	1912	firefox.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe
"C:\Users\Admin\AppData\Local\Temp\383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8462.tmp\8463.tmp\8464.bat C:\Users\Admin\AppData\Local\Temp\383fd45963bc97b729b1cbc4bb666410bf8310c52d35ea6e48951dd875d53910.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff80c17cc40,0x7ff80c17cc4c,0x7ff80c17cc58
      4⤵
      PID:760
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:3412
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      PID:4344
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1336,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2588 /prefetch:8
      4⤵
      PID:3016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
      4⤵
      PID:1472
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:2088
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1640 /prefetch:1
      4⤵
      PID:6112
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4668,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4296 /prefetch:8
      4⤵
      PID:5476
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4308,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
      4⤵
      Modifies registry class
      PID:5460
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5156 /prefetch:8
      4⤵
      PID:6228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5316,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5324 /prefetch:8
      4⤵
      PID:6244
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4380,i,11104177536791158530,16345202452566113756,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5284 /prefetch:8
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:6280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff80b9f46f8,0x7ff80b9f4708,0x7ff80b9f4718
      4⤵
      PID:2156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5971702642748824724,12304204308867917548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:3680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5971702642748824724,12304204308867917548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5971702642748824724,12304204308867917548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
      4⤵
      PID:4320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5971702642748824724,12304204308867917548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5971702642748824724,12304204308867917548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
      4⤵
      PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5971702642748824724,12304204308867917548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4680 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240401114208 -prefsHandle 1828 -prefMapHandle 1820 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed8e032e-db5a-40cc-951e-e6c2c525f9e8} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" gpu
        5⤵
        
        PID:1996
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d0042a0-dc45-438b-9739-d29119823eba} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" socket
        5⤵
        
        PID:1628
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3236 -childID 1 -isForBrowser -prefsHandle 3068 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2077ca1-a020-49c5-924f-a38908fe2992} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" tab
        5⤵
        
        PID:4436
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3800 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3052 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {640fcf67-cbbe-4469-a398-51ea4fa9928b} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" tab
        5⤵
        
        PID:856
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4196 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1692 -prefMapHandle 1688 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59a2bd15-6702-4d1a-aff5-795c2301b55d} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" utility
        5⤵
        Checks processor information in registry
        
        PID:5760
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5132 -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 5032 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cde554f5-690c-406f-ab54-6760da184e59} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" tab
        5⤵
        
        PID:5828
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 4 -isForBrowser -prefsHandle 5272 -prefMapHandle 5276 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4740abfc-203f-42eb-aab0-8a32d195c5a5} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" tab
        5⤵
        
        PID:912
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5484 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bf6ddc7-c240-4c54-b1f9-f25199a3e04c} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" tab
        5⤵
        
        PID:5784
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5996 -childID 6 -isForBrowser -prefsHandle 5976 -prefMapHandle 5948 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 984 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89d13fad-a6aa-487f-b4f0-57a3211bca98} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" tab
        5⤵
        
        PID:6392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6108

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d19675e31937f1622253bdd9f5e2b092

SHA1
0484d59888b89b6dedd83d8539b279b0195c7d8d

SHA256
6fef0256ca70d09bfdaecbd5d44741fb2a2ab4f375c26dd6eff1db5a50d5f30e

SHA512
d23cdb6284c52b7bca072a90cd540b8189b2d85dd1215036a59e03dbd1d086a1e70f95a2bfe898b0181c007b4f8b46adbc819c1e95cbdbca14c8f8362e3f0b63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
ac9752a9ec84637b4e8e4e4a5df90057

SHA1
a81a01702ec7025390e0fbd07d8cb91107ba8883

SHA256
cb4e3f7c84f913075a7d9619446f9c9d338c6113fe9ff8637a05e830f9700b3d

SHA512
7e53ffa4927cd77bcad9196ff5759f3b5a1f0d5998b4f04214f8b9003e8c22463077cde7e07f56b2225d54137d9002ad3ed30632ea5d1997a9296ceb7d9e0990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5860bca3bcec158981eaa527c01caa45

SHA1
dec77929bf96ed4691f09e17ed47950c7d8426e9

SHA256
e32d07b94640b34386f4b8dafdddda775706ca4ef243acd681a78302b302065b

SHA512
021e4e5b47501deaf661124e77ec561a4ec9a3fea4730c1cf89fbb8f7a8375b0eae7a47ef7eac156c6c772b1338fed7de71a76f022f46c8e25d3d7def882a673

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
38a3b78587134a03990e20fd32957aa7

SHA1
0b22f86cb53841cc359c99a3d929e2842e647dda

SHA256
44786506be929c14b6f6153399f0e3bf757c282ec9d59490f186bfebbdbdc51a

SHA512
08e4dd16fbffae4d47f9d53ec67098bb5dd32d0941be722f2b93b1951c67f8a9c3ff5c5f6b6fea6e05629eee33f66499694781c7842f5e77bb7aaa6fe1f29b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
c6c7b09c3f36c06fd750e7d3cd416af8

SHA1
4c3e6d4926bb26a8c6b2980c7dff4cf8e0804991

SHA256
5093f940e6794d6ccfe069d98fc9098efb14b0feb22fa21e66951c58f1fc4c47

SHA512
2c15ecced27a7e19ba93b2b79f85def36df0c907b8990c299ec2c75cd86cf75ea5ee256926c01d3d9d14a5617b2bec028dee2ddec4090924aac2695c6afee849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2805d481e9b773474dd991bc7dfac019

SHA1
e226ec2c7db209eb5296df63a7235cf44c737520

SHA256
e8109af85d97a0f37fe74411ad834a550960fd80dce862bf5e7bf233eeaea73e

SHA512
4c3f6f4ef8a6509b72cf3ebbbf6de8cc8bf5954ed45397bdb2d4e81d1d71b62746e8e8eea9cedc1bd6c4a96f562fc0134accc941963d8ecc282f9810de74a79e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7445d447d6cbb00abeece19ea3f8d80e

SHA1
d60fa66df6bfa8e45b55ab7312e280c6a8603d3e

SHA256
9c6b8580f40e4ec222733ea1ec5ac0b6d8aedb64cab0b0968535c5c1b82dd56d

SHA512
c9c01959f066babce815fbdd945d7b7e722faac8a26f14aacaa8103e9c1400abae958c91e9a5fa3ebfa1c7615da93089df5c70558004128fedc8b2bd0473343b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8fb92b4e359707b9315f84a708bb8786

SHA1
ea9be5953c48234ae1798aef18534764e470fe4d

SHA256
08a6daa235faf39661129e4e7e33d4b451d65ce19c84879d4e46cbe2504a495b

SHA512
c6c1f64768d22f32c7f08b7e97cff7c7426d25c7ecd712f640671765752dc1c8e1cc09c4a5eea9fb2b20a0ea4cdeedacc0d6d468883c48c8e7729d52c0869c52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b30cbaa4884f35b5789730c9353b009

SHA1
12cae67de3629f692eec4b5786bde99fe8d4439e

SHA256
65c7b19bd53d5c2e869842594bf785824168065669245dbda6aa610b35e4b4b1

SHA512
d86bc4d358562b8baa84265e97184b18fe2d140c8c2c6eb7e6beaaefde96179331447d5c28bbd29b6478a9bc9b5c2952ca27b0fdf30e535b169b3e4d7ffa27f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bbf53569b4373b6213e013c58f24af35

SHA1
e337d2d1ce7d1699fd6de28c2dcbc800a026c0d2

SHA256
a04d5e81dd6be2f382394743612a3346127b896b2b3989d4af7f14c814d72720

SHA512
61b94f9c3d043d14175b7ca087bfc33a69e83a7105d631b6e81565d486db12904e249a541efc54cf03f77ec84f31af9e5c90948f2b3311c02e3259f18a089a7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b99263c7ecd4998df3e2b4ad0c294cfb

SHA1
9dd63cdcbb242fd103d91f176eba8fa91adabe0c

SHA256
e82c08035be2ad9f7ee0235c689b24dfdc72e4494002df4d272d1275c8628fe5

SHA512
a1e1cc8dd2364dc4a1f5f340f4d9f1f101755524c3744438bba60f17988d4b2d34989206965b9f3fa2324c384271c77ecb839c737e203f347b02c7d8152d1e08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed0bdc7dd1313b585104e1a99f5d7ac1

SHA1
7441c365e776731e7155dc2d47323a3443cf957d

SHA256
f6cf3b060b75329d7bf1d70bbe747814f72f63c5c432c35795e135f8ec4a527a

SHA512
06aba671f7e60400af4b076e171446a0171f3e281c1be1dfb75def5e0336e1a2a8bf59a2589a20773962ad8bc1309514ea20e64d4344e04bdf546644bae26724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fcd77834cfc75f406e15ee54ae8907ee

SHA1
24d415636a897942f09c2c91c8463221ce0099bf

SHA256
80f8961bc6d5198786d2688908858449ac45495f6b2e169e944961706f473e96

SHA512
f6c1cb0c534669349da15e8f72e81667a2412a68cbd06437d0cfe5082fd2396ecd282610eefad3512251570f26f8f6c1d4299c3a88392a0a87abedbe7cf55060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
413c87791f253f78fc890ebdf26496e7

SHA1
64a38010b0860146180e5aaddfa3d5c4d2413e14

SHA256
513fa9f20107026f7abcd348996a213ddf3d1084dc5cdfbf83a6a613c8d49c12

SHA512
a422b130643032911606f8274a86a8b0d801a2a7f34540655a3343ce4220256c15810b910e172f8d80a769a6162058b35913e80d2d6b3de9d2b59947df560cdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1fa364f98b2f42cc43fcd65ef710ebc7

SHA1
8651fbab3bef650903f9e11a099a96bc10abf08e

SHA256
6785b1514855201d622f0a0f4929501c2dc1ac7eba2c6abd1794a74eaa98a917

SHA512
1433d1b763e34dda472c3abe3d7db26bd70212daad0f6373180844c89cf4284c548eb2770f319d904a01f930fc8fe1d65d42b5d0c053b2ea8edb6ee8b47d522e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
de43a1c7c69b0efb8e0845bea62f4666

SHA1
6917a1f742bbeaeff851fbc8be21408fe6f0d5cc

SHA256
823f3412646a41317694aab87506d399e7655affea9ba0d0b43d003d3c106e36

SHA512
5dedce0e245fcd6d077bdcf2d730fd7d09e26b9082660856ac25de9fd6d1840226f97b14bb61293f2ea59a8d4ca5c033e9e3f300ae7fb0246356068e13015c77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
b08a88b538a3e29568d92a4c0cea3ad6

SHA1
85918d1427dbe85a2ee3990960fa2c40fbd9a45b

SHA256
db73b63812bf34edd9c591b8302d4d78be2650821e4902866c5c0f561839868b

SHA512
9d00e86377118fe6f7836da0f62393c7106d18c48f314e2c131f3ceb9e396d29aad6bce24919b9d826649425ff87140e41e70cc5c52e31c4a18c7a7fbe811d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
359361ec44711753b4244cd1a2ee3bfd

SHA1
0fc9e78edd9da1ee0fb8098736fc73cb4fb4986b

SHA256
e14b4d8699e5e8dc0012ca2016765957e34bd46a8000e3af5a9332b889f13373

SHA512
4ec17d2046e3f7eb4a898ebe7e1f62bce68390918a8cef7f689ee433152533a1ad4cd203c2483a14af4617b6e71c0bcfb72066ba8f7ecf5d10e16453484dea9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
148437cc2c3eae1a48d0ec7fb80bbbe7

SHA1
04e1d4bcf879aababc37ff75b4f6bec87b283559

SHA256
3a8f977309c585c6de0093e06e09d8af476f7bf8f34f5181c91eb9c66fa854de

SHA512
81be4951d3b40ef860b2f98a946e5029f1967c9f1cc4c220b591b97b3fbc97f6c454cbbcb3841332de14da4cf620a0558e6d8d8b060964b86b84483be9eb4fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ed52975ba0dae2a95bb4ee2d0c073ce8

SHA1
9d1b55630b22b3d91950ac59a26fcfb9162f27de

SHA256
03bd410911ab349f15e66370148406d4d998e7b89aea7d71b66c6671ef50776c

SHA512
f20769859c8d38175c55e365496ccf269ecb5a3735d703b2905282db76a7730b45e06d4045fc0a43435455ff042d2380888f2a029936cd256ec5343c1deffc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8da9a40dafdb5470f35a715536fe5a8a

SHA1
b704b0327edb742fac7ec8bd144870880fc4f68c

SHA256
aaf31601379970b4965aa8b5a4defcfb2a19d7d9affdf5e1b2463522cb20d9cf

SHA512
541e42dd2f0c7ac9329ae8a0ae91acb92c0aaaf41f5f8ada0102f788508183cb0ee34c6d2736cc660876a8769b82aed8ed9d6b4f23e0341057b4210229fd142b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd7144e420427ce6092c0412974ae54f

SHA1
0db624fd770e980bac38f4cdf0dc1ae6443f01d0

SHA256
b915c37bb44f7aa4a34d4b81dbdf091051adc11e2d3eab44012b41de164a6cd9

SHA512
30083c2bd0ed0d6d2130f897184705eb11a95bc09b164c5ff95a612e394ce3059b431ff48b3d7d2a1e99abd75fec372fd6b35457a6abc69bfc8f11a3527fa8be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ec7411260146a572be2a09d03f10df6a

SHA1
93f2528795bafbf2d9abcd8afd5f7563daeeb595

SHA256
1c5de8ade3a7f2ab85f73b7b2b7ab954334dd42026b5d0ea549b616d6308ee07

SHA512
903365e29b479c9c6d7f1ff6affcf2975ea255fb47ed160948933375086293e68118cc0e17b11b1df8ef0f584b531397cdd6ebd22e5bf729e35e116544eda563

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\activity-stream.discovery_stream.json

Filesize
36KB

MD5
6ff368b7c4881b0c74b3a4171197042e

SHA1
cb86c5cb87acd2744013c6d31632a2aede85c7c2

SHA256
2e3c329a33bd8c53c7fa84e12a0d6873541499b7e8235bcb4f089debfb67632f

SHA512
f6287eb3f6f58ab92d97d0c9912089178bce9fd425e71d658e821d4abdf778bd76b1cf78a784f1f4c19ea8ad4f98f2de9b842cc3aaba80033cf7fe21dc284173

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
0ce462c22c6e2caecf8bedacd637d7f9

SHA1
4a54525947f25f3d68b9cb5fdb8480ffabd8c088

SHA256
00e9be839632de2200f319dfdad79e993eff8717036cb3b91086742ff6c87440

SHA512
88a7d50cfc86ed03fd0152fb28a922c1aa687469b19a49a24f40ed81399ddfc8a888d8e2fad49217489720424c94c640e9766b6353b7db4aedad8c423527dd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\8462.tmp\8463.tmp\8464.bat

Filesize
2KB

MD5
4ac6a9d9e192f54598f8b67cf299ea5e

SHA1
c3c63fc731603f581ab71bab7651a4d5112b04e6

SHA256
f1179bc15a8c644c353af64d6c6c3f13fd2d48eed2fb0b709a167185d2ed806e

SHA512
3ff1226c147403aa5afdc515f260849196dec92166273206256ce8437a98dc1dd3b2cf913861e7537ccf36d6bc53537bd49b600e9adb1671f4bdb3d6e3da23a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
7KB

MD5
84a4b8a0c8ef1f1640bd82e1aa6f10e4

SHA1
e676afc022cbd6a66d0294204d2e8e843872211e

SHA256
254389b2fdb342ae980d4da94f692bf2586e426c3283ee3dae45c8fe976c3e07

SHA512
045d6ec6939aed6550177ff9d860b78ef8f794aa694b137fd0162ffa430a6298267879658a2ddf7ed2080093e31d174603facc272b4c8296b9294b24f0a882b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\AlternateServices.bin

Filesize
8KB

MD5
5574e1e22e58f0b311712a9540e6dc3b

SHA1
5d798c185bbb41fc7c66fb931f3084fa3c8ce081

SHA256
d797124f9f9bdd1a866a01aaf5cef1eed87ccb7e735360002a4a22660e68bbf2

SHA512
3ff14c529218bbc653176b6a4e14519bfa415a2d8bf8242d058fd6063009dd85e63268009808b8ea26638bd9695723bce85ba3815a3e270f49e3f84f2263fef8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
14KB

MD5
39b7043bac3db7d899e6545c83bb0919

SHA1
b2d43e3836168fe52cc36d635cdde375431ec9c3

SHA256
fee83db01e554f3ef3e471115caa9b88c095a4796835d6f0f85898298091ac61

SHA512
730d2316928fb9d3e7eb8c17dfe20c16f77b87d2c4fdd900fc022c05eff7c5ad57bea63e4dafb4523a50a27a1aa46b16446a78a51ba97b26b5f5137eea728d33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f4df623cc4691461e54a23155cd634fe

SHA1
0ef5f36a2098a0358cfc595f59dbd0befe49bff4

SHA256
0725c3cf492b7046c57ab531c50d888268c0b24e47de2893800935a737993579

SHA512
6161bff0fd717602839f07f653723246ef7a4f098f82d13080dc08e52b14d0636c3f1ae74d2f842d8aa2af5a83791c54c1679fe7b0dfdad5cb208ffce1e427fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
58ebb704b925c3e131e4fcce7a689847

SHA1
e8d2c55faf30d2b8156efe426b3398f5d8b9f6a4

SHA256
f9d0fadc1e8a602a10b13e48e39d3039e7038038a719db09bb54cfbdf3bb4a7d

SHA512
ec20514977701ba658e18b5edabaf5e6b054803c40f9343c95569d1360f5d909817d9c1710520cbf9b31caa76f910e0767eb552b1fba9b2f6e8e73ae713c5959

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\33ecff87-de11-4a28-81b3-9505a885a0d8

Filesize
982B

MD5
c61827c8525868ae0866b6ba404169c8

SHA1
9a718470b685305381246219712753d1187d241a

SHA256
b8a11d9a7d8f0c90a3f17931750d4c187bbf5b3bbdcf3ed3b172c4807b103141

SHA512
5fdfa94985e9ba431cef73bfefadeca98895acc25380dc638c4c24452c2f63c349eb2ea6671d7d8474a1aba272be7345cb23bcba25dc7686569142df1bfd10dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\3471248d-21b8-4502-b373-604877b58b21

Filesize
671B

MD5
013b8d26c1240628d28a5a56e44d880f

SHA1
5d1c60cc3e4aaff1a7a7f2f759f500fdbc0d0817

SHA256
633823c6d54282dd701f3e693c4dd889ee4c1ed6b64d47ec3fbd6da894555f33

SHA512
549557f06a84c1d37d2a08be758016dff23b9fe2d5dd87521c3dbc3036b71084a7d5386e68a5956b4751f0c81efdbe8bf425325109b314f9e5cc661a12eadedf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\datareporting\glean\pending_pings\f6b99d03-758c-4e25-9205-9885905e928c

Filesize
25KB

MD5
b24063700d3e55a640fd6b7a97498150

SHA1
b60ffd4bfadb0975d87aeda75ee856f96e982bd7

SHA256
3c9f827b354c1d0feb3890e68c649e41bf908c3563b3cb83766c39105f21b3f9

SHA512
d212f6a248a038b4aef9118783c97ce51d7b2e79bf3727a01fe76a6f583c1d464c7e1292b7ee475290f7c60448834d2fe0f4a15a540591338b2a3cde5aebf6cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

Filesize
12KB

MD5
ca00cc3a0d95d693e30367d3aae9cb0c

SHA1
71cadb40e7a0767c51485968c41a0c6defd204f7

SHA256
b0ba9e618742d6a5ad5f3542e074b91109a86b97446a6af2ab930eaa7099daa4

SHA512
c42cbd4533d6f42d1a4d611420f4f36e1388f0c1d9e36167071b574860af5a4138c8bf373c6fb711496589857719f96f0dc906c611ba8bed2e21c46c55c54150

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs-1.js

Filesize
16KB

MD5
f172dfb74c1d47f29d08e17235a2ff6a

SHA1
5112ab8721d202dc5b5a84cb3b28b063ea0299cd

SHA256
4af40ddf745367dfd15098ae6a47c1e893722d1f6e8a22fefcc29b4f4882a8f0

SHA512
fb26055319259c35783deac6cce953bb20979d0399f5101aa0da073fb68cc486a0d4daf939f7081c24751cc7fd500ca5a8b01c1328e93b3012708be9393e893b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

Filesize
11KB

MD5
01df11bee37c272d5548c30f244c7f3c

SHA1
9da25ecec82f058c3bcffd279a4b177391bf6015

SHA256
48c4b4c05fd316df1018e892faa6923b723e139a79678f57a4a21247d3198d78

SHA512
64cee15b9eaf55637b9763bfd494e915b9b0bb8776c5d6d30162b484b5db64d9f900bfa78fde0faa5e39c2654a303adf1536a3a66cecf36e9f6416b23887cc94

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\prefs.js

Filesize
11KB

MD5
922bf7380f3dbc0db14fff2d25d8dcf2

SHA1
c5539b0898c0935674bc1e69f621bfdbd9828eec

SHA256
c197599ec3b70592a4c192118af1107013dffa460552a8e99b155c537d7a304e

SHA512
ce710a8823aa3b8b286bd1da1e4381c9c19d3fc499e65192e6903bc987654d5ed9e116a601702097d7f59b82f83e2c161c8c2c843bbbb9527c3502e91ada1af2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
8380089ed1121fac944e7bcd581d4260

SHA1
e3df1b49ee83f6f2fa590d20a04b204da91328b8

SHA256
2c54bf323a70b3662bb17d7ac73b12d1926d623893baf40b14c010f8b61569ca

SHA512
b8b2e0b9bd1b5a1108f7611d2a1948f36e2351e48771ecc3f40c0a45fbd34136a02658def4860195e5d486a0230c459eeb7142c46343e6275e034e78dc2ad2ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vpqsq2xy.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.2MB

MD5
eb48329f7c2d85a3a31fb49fdb3f8d63

SHA1
c25729e641bc7afe7370d6eeb651b3f6f1ae743b

SHA256
73decb67176cc9e03eaa8330d40148eef4a27c6934b9e5e3b2b436893dd9724c

SHA512
33b4595749ffd569280f0073cc02990622a016c19bf7809361ca5816409c14d2d333e41fe6c409af6d5d3af43c695fca15b489ed0642a82e7b8daf98be7f8b8f

Download Submit