88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe
Size

89KB
MD5

5832f36b6c3cb6939d3971057e98e472
SHA1

0bbfa48b440b7e4de1e0ce09a1fee1c9ccae7df5
SHA256

88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd
SHA512

550b45b84e906272eef5fb6b0fad2eae90ca0a50ca94e76a0c504e964ad8653b7ff93656ab3507c642c8ee9811f858562caa61f5744a4e18b5c60e95d585693a
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfwxVinO+:Hq6+ouCpk2mpcWJ0r+QNTBfwaR

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{4D09A606-88BE-42B6-B372-D6280A352F39}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{A59F3DA7-16A3-4520-B981-30BD81570A71}	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
5900	chrome.exe
5900	chrome.exe
5900	chrome.exe
5900	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeDebugPrivilege	1528	firefox.exe
Token: SeDebugPrivilege	1528	firefox.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1528	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2908	3920	88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe	91
PID 3920 wrote to memory of 2908	3920	88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe	91
PID 2908 wrote to memory of 2860	2908	cmd.exe	94
PID 2908 wrote to memory of 2860	2908	cmd.exe	94
PID 2908 wrote to memory of 1996	2908	cmd.exe	95
PID 2908 wrote to memory of 1996	2908	cmd.exe	95
PID 2908 wrote to memory of 4032	2908	cmd.exe	96
PID 2908 wrote to memory of 4032	2908	cmd.exe	96
PID 2860 wrote to memory of 3120	2860	chrome.exe	97
PID 2860 wrote to memory of 3120	2860	chrome.exe	97
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 4032 wrote to memory of 1528	4032	firefox.exe	98
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104
PID 1528 wrote to memory of 4008	1528	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe
"C:\Users\Admin\AppData\Local\Temp\88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\606B.tmp\606C.tmp\606D.bat C:\Users\Admin\AppData\Local\Temp\88eea96b008746e421344f0ea027f3ef87cb438dfc2b97770f0ec55abb7cefdd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffbeea8cc40,0x7ffbeea8cc4c,0x7ffbeea8cc58
      4⤵
      PID:3120
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:4908
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      PID:1036
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2240 /prefetch:8
      4⤵
      PID:4852
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2984,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
      4⤵
      PID:5152
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2992,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
      4⤵
      PID:5160
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4428 /prefetch:1
      4⤵
      PID:6948
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4612,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4228 /prefetch:8
      4⤵
      PID:7148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4624,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4420 /prefetch:8
      4⤵
      Modifies registry class
      PID:7084
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=844,i,4390021914883705046,7565408820700641607,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4356 /prefetch:8
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:5900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    PID:1996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1968 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe16f10c-f332-4b65-9aab-22c38bc8a8c4} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" gpu
        5⤵
        
        PID:4008
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1e17ad3-c3ce-4513-a81e-dc4a73af7cb7} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" socket
        5⤵
        
        PID:2208
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3380 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3288 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1291899f-46d3-4411-8e63-5bcfeef300d1} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
        5⤵
        
        PID:5496
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3656 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bff13e0-34d2-41a0-aaa3-e9846c36afad} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
        5⤵
        
        PID:5820
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4264 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4256 -prefMapHandle 4252 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {421e144d-7b3f-417d-ba85-564d741c4f4b} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" utility
        5⤵
        Checks processor information in registry
        
        PID:5740
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5304 -prefMapHandle 5296 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dda8a70-337b-40b7-a096-9b08b0716fa7} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
        5⤵
        
        PID:7076
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5108 -prefMapHandle 5140 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6fe0a52a-bd98-4634-a31f-c44225f3d20b} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
        5⤵
        
        PID:7124
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5740 -childID 5 -isForBrowser -prefsHandle 5588 -prefMapHandle 5764 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ff207b7-90bd-4a54-88c4-f4c584235be3} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
        5⤵
        
        PID:6076
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6056 -childID 6 -isForBrowser -prefsHandle 6040 -prefMapHandle 6044 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b241b90-3c7f-42f2-ae76-e39251746818} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
        5⤵
        
        PID:6564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4044,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:1
1⤵
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4116,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:1
1⤵
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5372,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5408 /prefetch:1
1⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5448,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8
1⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5564,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:8
1⤵
PID:4948

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6068,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:1
1⤵
PID:5568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6240,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6228 /prefetch:1
1⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6492,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6488 /prefetch:8
1⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=5012,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:8
1⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6224,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=6740 /prefetch:8
1⤵
- Modifies registry class
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6984,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:8
1⤵
PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
f3f3881ed088a3f588017db5752dc483

SHA1
99b85ad93ef6dd8fc878f62e8ded6ba7c9eba919

SHA256
6bfc51cac87b68bd75560e2abd8484a41740076225893a12e644d2794e4bb47f

SHA512
b29d685ee9ad1190c4a593d35140b4938a6e6aa49a0e8580edb671bbf1ab6ed6172c12b4711bc7c5ba94cda1f800845949fe7cdbb1246dbced4c0552a6098e2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f33965fcf6c1ffafe4dcfc1aa8866725

SHA1
534c5d51bdcf7c4ea12b72f3887eadd4bd73f04a

SHA256
a7f5d4ef9bba65c22b94210960ea28cd287632a4834dfaba3558ed7cdc161f5d

SHA512
7335b5d3533d0a0201ef31c0a472fc732a713196c784564daebdacde0e49f974cccc403b6d2802e3c24aec49379b2c2164d12a367d413de093cc2c32f474f66f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e7c1feb91c0649b31f67e1b3d8d91cb2

SHA1
741ebd90afcbf8557c2bbbcacee4dc158588d57d

SHA256
1bffb330b5b99f8802b1ac43cb531d9025f6a9911e4965357157c6dfc7b11e5a

SHA512
f43c20851253d081744b508f79cb6fc1e95bf3278336af7f1407d86683646b052fc1c20c4029b0ca7eab89b4e41fdedfc1c2695894c2112f734b5142973ef0f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
09243490761521973b7b846cf7c38a53

SHA1
8e734d064799342a66a0645d25af7583b4d5e634

SHA256
2b4183d4de0bf7fd669a5292d502ac3621086d885ee8ad809056441504000f04

SHA512
231a9d20cb2c89012aac13fe13994ce4097a095483d45e7a3660159b0b7c89a943d6b080749c6fc28fceff7eebfc10f568ca945c0a220e6810a708c11886e5f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec1ff1e89f7deebae09f2ac586012422

SHA1
f1edfa12e9148bde9ee5a63a59a786438e43ea1a

SHA256
5fe18d2516765b725a89567378df99536893dbd2400342e211bdb0c19d676bd9

SHA512
df4d353431ab593aad269e9973d986757166d171086dd679a4b7f0d52723e7c24df744e68ae03fa8e322e309256d6fa41c55b86f04c74cfee024ffa1a52f38f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5269d0419c0b532f20f35de169a3b0ab

SHA1
340508d302513900be7f919144b90e093a26931d

SHA256
dbf884c256e5d4b3076823678245527e142bd88b09fedc625aa43cecefb4b0d3

SHA512
25db209c1db0255089dfc113b916caac9cc8d4cf074c3b838567d754afa7105d6d6ea078a21f0d871d9051e97c357d67f6245a23d135b5a2b6d8195018bd7747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad138d7dd4d7666ec631984187254214

SHA1
cd75ba5fc8697992a2874d10ac0ee50652050c01

SHA256
132cf444027a0f5525f09cb6847e4e6bfd16dc47eef1e1f359606535b8b1e033

SHA512
ad1b0bd27a20c05ff58e6c4aea10e6997ebf08a45fab393e63769ef15f6733084c26c18d8add4b207901d38e611f83c1ab06d5074349360fd525aa0527b22b49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9d5c8dca88e2108baf4b08b10112904e

SHA1
c46897eb989f0f1dafe4bbc58df3fd2b2c3e8eea

SHA256
3cd46ff90d1b72223cf9900c0a7abe48cd1fe8613604fc0eed4e340bde76003c

SHA512
1afc87d0bbb8d14c2be215da81387dd43bd2b165d106d0540faa14333343029c81f5e95ed2b4262f64b359e5209aeea55e819edcafd35431f6613b169cb0c1e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f8b15b2ddeba257a6d71b1d4549c4a5

SHA1
8b913b4cf605d0e60afca7809eab1ef5e8c20a80

SHA256
5909a6c5d654f6f82d0e49f39bdbcc0f8e8500fc27da694093bf3e3f0c7cb65e

SHA512
9d7d87a2f0c531e3675423472b4928e4c8765446d15384a80242e0ec095a8af0f246117192dbcea33a7fd8c4727beb382ac5ab8ce9b530524f6c612f98e0b98a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cfd224cde0f57d6dc85c1259a310305c

SHA1
07df83444a0c13889a9538a5fa3e9db172e94359

SHA256
0ff935270097e30240d4bd8622beca6b81ad8e00ddf48e7e5386d94d01e92b5c

SHA512
26e087d14cfb0e5b98f3db926024758266fb67959e6212622e8faba3d9f43410eda1b07e37fcc95f0bbe6636d8fe2a78a850eb89bc312bc579517a2b87cdda79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8a849abe1159516b95d461b2aeb1c9fc

SHA1
fa97b7b675297eb15c6f463e581cdb3e92c5778d

SHA256
17c3c9722db7626d8c448f7f866c9755bdb2fe7d17a2efb89b1d81b64326c6a5

SHA512
c25f763008f460a5fe7013fb9b3775dabdf709117d0baa35da8b2e1cd6cb286197d018b6861d4b7872645cf3b1e05290adfa3181f6bcdf11f3c9ac68272fbae0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db9529c4d9796501cc24159e3a87b5f1

SHA1
c6c5950f64c449ff82170e1004930acfd7c5c019

SHA256
27be8a5899b4db12c03a394f0da5af22ffaf6aea419f0f4ffaeba2036481bbe7

SHA512
3306a7d1f990961b9d21fac94200bfe22ccd9e3758ee0292f4d794f9b434b9b757d16c5bab2a74d592dd6ad08e8cdba2cb5dbb8052b98c4296d649a827453457

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b2aa42e3732412a94c2c1e31a2fad537

SHA1
d93822dae7ca57692bd27768b12875506cc1120a

SHA256
43a2c7a98d7e5f2374b43026315e69097fd6544677095c7fe41af17d4e8273d3

SHA512
029eb3e855059f80304808aff836c02ed7cbf35e16561339f3e5d4b9d666beb6803f504bff13bd30d064ae0a60a18f2ad31c727e0569f92215080ebc452ab714

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7160063b94857e18232415bda33f43e1

SHA1
7942992fbe663bf633668b226ff06000d91af77d

SHA256
bc8249f192b895471cd67ec4e691447a8d31b9edd4b6cc0554972ac2881d228c

SHA512
776c3c675979fadcf964b4394d7657680b2fb16f66a13af9aaa77a12bad3e7deefc5f502dcb00d7a2350f0400498018cac1d9fac031ba34888e274ab9a23eb82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
0111fb2f525584dbe48bfa6ac7e6ca15

SHA1
0f05a90941259ac58ebf914b8db74e6cb3e1ba69

SHA256
4d590c3c992a3af37b6b0bb2e35134896c62b5745a3fce234ba59cfbef03e4e2

SHA512
11072e537855ad8ef5f621fba3b5aaae4eca7b10f9cfe5bbce2d6c0c7adbffcdf067d3a99ee54d11f3cd6fef1224383021fa5597de7f9654cd91d69d86630414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
76b3c7ae594772308918b79a128fd253

SHA1
32c142ad473cc54dd73579fa0bfcde485bbdcd56

SHA256
7e26832897960eba8beb6ef29a7fc0ca2e5b11de80ccea39ea49eda3519a29fd

SHA512
7557311f63c752f05761c0aca4457c1849442c6853550f8af1d3549cd7e680505556288e50aa24b90c4b6e7287081d080dc2615b211829e0baa788bbbb2d5cba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
5809c29b795ead2fb4c5e93e1dc0f4b9

SHA1
d7f8cbcd0e7e1acc4eeaf2f16572c88873bbdd0c

SHA256
9ec941781bcd0cc8b1a05b9285a9c103eb076603370c8c7b45b0d012748e1f2d

SHA512
c6a20f829e27427ee44b106f5b50aaa0d26a520bdcc6e842dcf647741b11832e2dc8e894906ba226ea3d10680e182cf1afc07208723d2e6ba98036f6af78d52c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xmd08l7e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\606B.tmp\606C.tmp\606D.bat

Filesize
2KB

MD5
31c09b550c61042384ef240a1cd226df

SHA1
731fbe63179f646915f8fa37ca9f8c85fdb9b48a

SHA256
752a176e12900c9f3cf947bc36d506e360f86da00a2dbc1e5fa821f2584c75db

SHA512
8fcd654736e4b71765b5379c6e1699771e83c5c1df1b5e3fa7f74e4d3b5629ffa1f54aaedfdf9979416d3704bcfb38d73dba7c36c7b6f1ac9804737e7af698a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
16KB

MD5
e2083d98e850eb1bdc85e8686aa82ab1

SHA1
4ff96e0b769c9436bf2e7b7f814f9d16e435230b

SHA256
cd330c7ff6afa0c8e42383c1a9ad903a891ce920185218b22a58a5fa6b4cbc2c

SHA512
86fdd6a6d37ee9af06278731f1feed96a61fa1b71c58e09377a56ead93e82f3497ce1c065f929663e9f439afe7ca25ba6251304782eda7aad90b3d367fe03e15

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\AlternateServices.bin

Filesize
8KB

MD5
7882ea195308aa3d8feec686d5d532df

SHA1
8a5a3f448d0d96b1e428463804d24cbaead09f1d

SHA256
b9e4aae70aa35b10c67413acc374f0010cdaf4cc5e1c30d9c575777372daea4f

SHA512
121a35ddbf8b5e633c0aca197f5b4dce1bc01e3be6374714f01201067ef6af0a95892cfd83b541a7151d963e69740e9d8c87452efb4b2544dce03c3e9894374d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ed29f856ccbb4c25a3136dbc5140c07f

SHA1
bb17da9da2a3e89d7fbc65040fdeff46c37b5936

SHA256
c8ef7ce40fe1b922c8ca964b389252b410353301ab337645b1ab74fd3a8729da

SHA512
d7fe5de0307084f337f1eb7730a9a61dd4be89ae241946e31874f5815401f9c6ff29325acb092e6bfebd2c9d496814b585a9bc9915f24e256784954e52d9c8b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
fd5fd0c1072e64b659d7371dae6e8137

SHA1
0eee8e0a8efcfac3c24781b12a6286aee74246aa

SHA256
443925bd6c42a973489f6118bedc15ae4eefb935c8c71fa51c6e51884d07960e

SHA512
1b0b6a1643c8898e30ea8cd400ec030d07dd1f2734cbabb0d8bb8da0583fbaef3be6d6322eb96e75a9b7b85ff55c0952c92a34d9c5aaa5a20026dafa790e44e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2e6c13632d47b38ff681dda696340094

SHA1
6e6ec091a19a5b523a34d49c672b3eb03d060f6a

SHA256
48506fe03c43399c46e99b9b401707d4ba24e537119fd83247a6a1f1f9871116

SHA512
bfb5b7eb12be01aa46d83ec040efe1e656e7ca3653a38880daa90d3eaed3d38ced13563daa084905e2057ed9ba7b34c06593a44057a1dbfd0778555b25fccaed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
3716b93324d6b91b86da503f3d6a5a89

SHA1
3ac70ed175a7a213e78fa2c9bc0eb41de8974115

SHA256
92a84b5add298905ab4efa4a124d265711826948d8e224753774eadbd0d8ac3a

SHA512
5b7de1cba9afb7d2d264217b4055eef48f2ed56fdb0bdbd85ae56a4ff79fd145735383ec68a805bf72650a323eda0b7c0409e72be7568f50f5d1416a7f61cafe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\71b12c0e-23c2-4b92-add4-aeaea220cf3a

Filesize
26KB

MD5
35add62e5c4c13781599960ddcf373bb

SHA1
c3eebddab7d6057e64866f8fe064b7def4c97c3a

SHA256
47eefeffcbd4df88f2a23a32bfd25089e36c68f91ee3993dc2c8efe84d140f54

SHA512
e8f7841b7fdd11089ff30d4d3eba72da14fbf3f4e920764fcc0e8f1734b9dea3f9fbb6899b1a1ad2b67aa61ce2a22bf0e04bf238f25acf247276e6c8d36f0701

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\73e3a643-5169-4a5b-bfc3-dd2ffbe3cf21

Filesize
671B

MD5
cc3e5a702ec6c11003c79cd269ff0e11

SHA1
4167428ab37f993ce6e60689db30568e07685482

SHA256
17abc5b638f03e6a788112c91c5ea05f92558c8b86fc4699ea24d7ba642d0e65

SHA512
d13f6bde60c41e7547756e0655625f3ccf2a0122cfcda5bf74fa170ad3b4a62c5303e3af629b98015601ed6a4940ed24f5aa7754afdf16f9592b83daf9a4e355

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\datareporting\glean\pending_pings\c3104ed5-cf94-495e-991f-4497a58d3b51

Filesize
982B

MD5
e83a537142677cccb525ac67626ce9fa

SHA1
fcc0313a6ba95ac8555c23e5404f1aa5e553d1cb

SHA256
8562dcd584ce9d8a2b814237ad31a80f058df0766f933fe44785bc4cb77157cb

SHA512
1073db489f853e9adff86287a1ac2afb9631acd3b6b83c2e01c5b21ef510d3d575e49bf229c6381deff39c0d4b4190a1d4707631f41edfdd6dd0e963621cef6e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs-1.js

Filesize
16KB

MD5
7e462546852a7c4ce8cb0199f5b709c0

SHA1
1b883dfc26204a9ae25a08a0ada652c530d7772b

SHA256
9ee6f2c0ff8caf426868d5edaef2bea4ddac106be222b6ffa3dae6b01c3ef0d5

SHA512
3db59c24c2737d85cb744dcb30719e315b4c60e79a8310aa01e4c83c5574dfc86426811c6bddabb7e0b5782c3fb035d77297931625302900ac8097c4d8f662d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
828273bee145f1f99376f05feaa8e859

SHA1
6b2f050e3153f6a13e43c0c82e80fb76c9254771

SHA256
aaa768f443b38567ee341f2b15a0b37705b07f99caab5b9210dde7a9675d2ba7

SHA512
4fba25b3fa7862bbf333dc3e9b14671664f840078483eb87ffcbad8e09e0e24e0d101724fa7d60f40b88c0de43383a1483a1923dbb6aa07355d820ba9decb30d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
12KB

MD5
178ad7d6fa6cedf1481ee19c53f51455

SHA1
312cc4c0d0017eb3aa7121d7bae4823bc06c5a43

SHA256
9bf102f98c1a3d8fbf027e2a9b04ee22682ec8536862158a238b0539da2d4045

SHA512
697b9f4003ba9fed5d624ae96bf758ec7c81883df814dbc948c5992aa4e3f0b6bebc419b69f4662825df5138c8abd3052db346638af33b42ef88b3cf9c9edd79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\prefs.js

Filesize
11KB

MD5
bf9679dcc263965502c8ebad3a9b9398

SHA1
cc262defa8cb08ec22c85e394ac9a1a32e525475

SHA256
569b1c8857cc50dfb61d188d265af8923694065435c0fd8ae4a4f3e049095d8d

SHA512
4e9822bec2a15754fd9fee15efb48da2a33f59360ef1b6fd01901c1eefa788c14ce2a351b493719d7dd47ea98fa3c4f20461fb62b0e9c4d29bc6e882de1399df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
20a3a80baac4bedac37dad1e11adc6f5

SHA1
b5de2db552faa608b0259068689914f752f20f25

SHA256
7271b84d3df9e7a18d66b26960feaf397da8c58bf2c8f6dedf603831a800f5d8

SHA512
9818f4c08f5087ce1d6e99e87cd28ce709c3e81f0938a138936ea161f3ea6892e661324d423c1ab44cc4339a00d9b306db6bf9ed7b77dac38a1ecf45dac04d9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xmd08l7e.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
976KB

MD5
e41d07afe1ab31a5d51b91147a8228ba

SHA1
25e2270c85a8ef309beea2c92fc127261b3f1f76

SHA256
9c78bf68f6f08bc84e899265c5526367580e60a3e96c02219ca5fefd44a58dd0

SHA512
56e0daeb4fde2f0e876eb08128c87af7c547adbc3297265669c13e3258c63c1cd19bb9d3708285d8491ad69bbf09bc8fa7b8d7d11cf485b38eea0e4c214e294d

Download Submit