1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe
Size

89KB
MD5

98d330f53a4bc56bb3e972b457e4e0b5
SHA1

873e35f3d39653d8239603332153a6b45b29e61f
SHA256

1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a
SHA512

1e6ae473a2200e325a60b1905b430742f2678c740d04b2830a55fb4c0f8027cf553921eb619e8bb2c2490da5af154c666eab29b42f8d961c6c92c97026fc0be1
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfQx/nO+:Hq6+ouCpk2mpcWJ0r+QNTBfQv

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133693592761961526"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{12068E9B-B7FF-432F-8317-EF486BE81AC6}	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1732	msedge.exe
1732	msedge.exe
3724	msedge.exe
3724	msedge.exe
3964	chrome.exe
3964	chrome.exe
4636	chrome.exe
4636	chrome.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
4636	chrome.exe
4636	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeDebugPrivilege	3492	firefox.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe
Token: SeShutdownPrivilege	3964	chrome.exe
Token: SeCreatePagefilePrivilege	3964	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3492	firefox.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe
3964	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3492	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 2476	4492	1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe	85
PID 4492 wrote to memory of 2476	4492	1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe	85
PID 2476 wrote to memory of 3964	2476	cmd.exe	88
PID 2476 wrote to memory of 3964	2476	cmd.exe	88
PID 2476 wrote to memory of 3724	2476	cmd.exe	89
PID 2476 wrote to memory of 3724	2476	cmd.exe	89
PID 2476 wrote to memory of 3360	2476	cmd.exe	90
PID 2476 wrote to memory of 3360	2476	cmd.exe	90
PID 3964 wrote to memory of 3484	3964	chrome.exe	91
PID 3964 wrote to memory of 3484	3964	chrome.exe	91
PID 3724 wrote to memory of 3476	3724	msedge.exe	93
PID 3724 wrote to memory of 3476	3724	msedge.exe	93
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3360 wrote to memory of 3492	3360	firefox.exe	92
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94
PID 3492 wrote to memory of 2700	3492	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe
"C:\Users\Admin\AppData\Local\Temp\1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F472.tmp\F473.tmp\F474.bat C:\Users\Admin\AppData\Local\Temp\1e6cf8fcfb714f8c0953d959a6c0209f35b137ad92c45852d64f16d56641317a.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc0b0acc40,0x7ffc0b0acc4c,0x7ffc0b0acc58
      4⤵
      PID:3484
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
      4⤵
      PID:3016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:3
      4⤵
      PID:1648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2120,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2580 /prefetch:8
      4⤵
      PID:3208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
      4⤵
      PID:5340
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:5408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3620,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4452 /prefetch:1
      4⤵
      PID:5184
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4676,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:8
      4⤵
      PID:5264
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4648,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4816 /prefetch:8
      4⤵
      Modifies registry class
      PID:5320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5144,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5160 /prefetch:8
      4⤵
      PID:1516
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5236 /prefetch:8
      4⤵
      PID:6156
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4976,i,9881505332441200109,10420832549263088288,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=848 /prefetch:8
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:4636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc0af646f8,0x7ffc0af64708,0x7ffc0af64718
      4⤵
      PID:3476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9059403255474235089,7466025760017980569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9059403255474235089,7466025760017980569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9059403255474235089,7466025760017980569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
      4⤵
      PID:1352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9059403255474235089,7466025760017980569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:3604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9059403255474235089,7466025760017980569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9059403255474235089,7466025760017980569,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4756 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3492
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e28fe25-17d9-45b1-980d-6cc30aee1330} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" gpu
        5⤵
        
        PID:2700
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d18e0be-05a4-4f95-86fb-75ca78ce924d} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" socket
        5⤵
        
        PID:1120
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3348 -childID 1 -isForBrowser -prefsHandle 3152 -prefMapHandle 2852 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93fbbe38-a217-4f42-818d-749b50570975} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
        5⤵
        
        PID:2036
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3724 -childID 2 -isForBrowser -prefsHandle 3720 -prefMapHandle 3716 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39d275fe-486d-4e9c-8324-0b2c677b6046} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
        5⤵
        
        PID:676
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4996 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4896 -prefMapHandle 5004 -prefsLen 29119 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8aebcfe2-3c66-40ce-ac9e-df424d08b3f7} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" utility
        5⤵
        Checks processor information in registry
        
        PID:5168
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5272 -prefMapHandle 5376 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f367593-310c-47cc-81be-1b0b67445e8c} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
        5⤵
        
        PID:5124
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 4 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45a4e4c-7cb3-4d26-ae50-01c21df41525} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
        5⤵
        
        PID:5228
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5788 -prefMapHandle 5784 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb3f3d98-8715-44fd-b00f-6f5aad07b094} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
        5⤵
        
        PID:5628
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5552 -childID 6 -isForBrowser -prefsHandle 6124 -prefMapHandle 6120 -prefsLen 27182 -prefMapSize 244628 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95340737-5db8-40d1-a093-0d7b4f516489} 3492 "\\.\pipe\gecko-crash-server-pipe.3492" tab
        5⤵
        
        PID:6276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5952

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4c31685d43267cb9c5155e88782166f5

SHA1
9a5fa01d8de104f66a1cad7635b37cef7e5f57c2

SHA256
07571e18ceb3526e6d03bf3a518af5cdde5136e06640426a7e6ade5cd91da31e

SHA512
c0e3986f02300afa08395171e1435995f695738e55221337f7307d5f312d279f78964f053f9bd763f4c7581ebfea0bbf7a442457153fee34164865e182a58688

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
d3990e42b253057f2c09c37d20d722d3

SHA1
ef753f833b8f8edcb4a0aa3c5d6a9307aee865e3

SHA256
7e8048a622e0f3477b50fb5f4a07274fec67868141f1800afb57d37bdea3f80d

SHA512
1779648c5c1eeb00a465409f690d1de61aa069ff0e3426f14ee6ebb7cf1bd948aa971efb231b6d8bfd5b3db715e72c20b32fb11db339db8908e70ad6715f9e17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
675eb23b967d4e7773decbb86c1545ce

SHA1
afdcea2753e1296c96956396a549e39cff3b6ea0

SHA256
375f80940ddeb63ec3dd724007d026114f9e0926880db41d9ef56f3c53516285

SHA512
ff3344d9a2ffcb42dc6ebcf4e6bb6662291d0587c3cccd09d2ae6165e2fe20c3e5263d67bc310ece6a0f52e65fee53763f814f07377a73f1453172aa362bc32f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9a34887dc85e158dbeab0d1126b6fa92

SHA1
fc99bee5f10a7ecebf7172eb8ab9995b80a2f9e5

SHA256
3743ebb507707f27da993f33eeb002485c1378cdbb8bd7ebf4c8952d9ef0b0c3

SHA512
2187b83270e156c038b5bc5bff9103485acaf440ae4200376597eb20e913f9ebb329e34afb3d86eeeb5cd003118970be2c80ffee6fdd51b87fa625a8040de042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
d8648d6155bab8b03d8eaac1741ece66

SHA1
f1a1059d8a8f3b03b962aa1b20fd6e215b54bd7f

SHA256
6c2c4cf610424126d97bfc5569c7deaee5bdf5e116e898f5f268795b0c888afe

SHA512
e4e7dad845be111826d4ea11f04882ea2da56d62a6154f42c9e48d2236da464b2733cd5040f2b617f6ccddbb5b541eaefb34b156335d2cb97848d8d49af18fa0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9eaf9e8dfa7bf8b0a68433b331c27c9d

SHA1
ecae9cfe89a2d45a32468fb69bedd8d76fa81916

SHA256
18e2127de96d96b05b40a9059cb28639ae5932b2f0112ab646d55b8d59d76e25

SHA512
6496c30e202c2c392e2b8ff0dfa49d55dd5489ae99b1f5cae20c807a61e64d9a6c0232b356e0ea8b02d7dc9355c14a43b93cde77e6e4617286bddc65df3956fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
be5d58a4c22706b22e7d44aec5d3dcfc

SHA1
ecb1c7f7bf3f5718d932b9556fd494f89c4cd372

SHA256
edf68ab2bad883b3428d88de7832b2d7d3b2e51815a5c069f47abf27d1a7e382

SHA512
d6edd3684aba97572aa43855ea85240ce15fd154c61a8f7d9402535a4489925a9d47d02f0a3b1cf986645f8def0ac5e88c0f71a74204337ea82d59d186e683da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3afb3696f73cf2e8c9d00d80d0bf02d1

SHA1
470e8b92098e24449a66baca12040c4c54d625a5

SHA256
6efe77b5e525b9ba203aaddff491395e94db421a83dd85ddd79b8e6efc99ceea

SHA512
1c4a60fcf4541f1cd83f5da2a8d8d5731707c2f420f94e8d1abcd6da56b7621ceec51db8fa3ac405bed02b94e2d4217dc666495514ec28424229dbcf980e8a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f40981ae21eb6cac786932b15bdbdb29

SHA1
b54a624463626e2b1847da4618aa71936d8184e0

SHA256
960116eca6a42ca8a8f162c9aa14070152e09b4270c3cd68896e7d791bfad9ae

SHA512
5e9ab01de4e03f17214d5e7a5e2e61cb354f7aa84ca04abe84f8c62fdfb719a5bb5834d7f50642cb547e39456eb3040fdb6adbabcec586be74311d349b732a28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f840a067e9386a1a77933ea185273d06

SHA1
2c099d07f5f2cc35f4f9d4d1824909d8aba2bd6e

SHA256
84456d3443222c6379e8d917dfe0e37ce8d10c055e33b6faef6897438dfb739e

SHA512
ec39249654168fe92f9ee2d39b79fb55d11c020af941fd9da8d9b5dbfcd023e5d76ce2ae3c4f14c136847d1091f73c4d640e4ee688dd4f1edf6646216d01b559

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2fb3cd758f53c67a78728b530d8644fe

SHA1
b5ac48f75532b82b9bd1e26a5bdcef691daf7784

SHA256
590e1ca81bc239a8c5364908bf8ca0d2c4387f43ac3752d467f4ec50489ff7d6

SHA512
e7055d182d0190afcd5cda35afa5b4e1296d5a0f1d15c55cf365a594c750317db169c76c2fb9af60313e9ef749739ca02088995b5dca043162274b5a50a024a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1bf1aa408bc834cc17541ac02d332fd5

SHA1
4e44cb942cdd8f1bac0334e68a374bef62b5e1cb

SHA256
05cc3b210bcbcb985d5f9a82e65839bcaec95ac0d70bc4b1bff70b879aa073a0

SHA512
ae1a59838971ab7c57d7ee8bb1b1f145018b0e34b717a67bfe7cfe0ca493ded432c48593d34fe3e06bf6ef29f57ba7b5fb28258c48d3dd7fa9efd228cabed917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d31a3ab4bf0b4cffca7ae20cb607f71a

SHA1
e2aca65bf901568f2115bbf14ed4b3d1aade06a3

SHA256
caf2a1f2abb9a5335173b611c0b6ab8ebb5fadaf572524398583d45ba12e9544

SHA512
58624dc93f69fb92cb94f676f67cbf9e7767cc8f1c3b9163afdf3ab603170d1c6df12ab1763b063664a0d0fd7701145dac09533dda15faff27e66d0db6281526

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ae9bb773d97df50f98576100e3a7e7e

SHA1
c1169997e5796070281e8331e382d8532623a102

SHA256
5c532e07d90508f7f1e954182456581e1657792530e8fe03080c08167c304efb

SHA512
358868cb58c86643dc7f8f4672b7bc7a551472fbe173dfd1aea6dd7dcf4577aa21b4619d5383b782fa71298e008cd07d08567dff75b4c278477e370cbc7a7fe8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f70731b79d6d6dc55265efdd804ad6e4

SHA1
2ce0b58b4b5483742caeec34ed11537488736243

SHA256
8f183d562fb2d1c179ae78b52fe1f3f063651d3c358a7a90e4a878eb6c65a9eb

SHA512
de9bdef14b4cd8009097b9c2561ad36b87b2a7661c0aa6eccae3b689b9f716a16d9c857d9b0fa1cbd4e7c5bc97f1adba0c967d45ba1080070cb9edb2f708e530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54e8db3de2bbade2d84ead000e54218d

SHA1
231c800e3332f1bef05a2542ecc727204a0ebee9

SHA256
77894260d64cf88c79853fccb34ce3d30e779a06013dd46bba47b465023645ae

SHA512
53849a6234b3689c9399ea6c910e00e7a5ef252db28ce879b7c1c3633f84564c13362dc9040e5598d7332924fffd80996ebac2bc85bf85fb76990b48ace7da3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4a2e37e9d723dcd66ffe8ff2fec3ddd2

SHA1
d7f5157fccad6ae6377d21de9e5764282a44b2fb

SHA256
8ba670091a35de77a43309afdb79af2edd71e85b667939a53c51cef72edc8092

SHA512
8a7a16497c843658f5073c3e0cdd2a37e980823a2a918d4947a101d575e657bdd5121e134fe8b716ec922189d3ac9c8dd121cf22f0bdf9d6dec406fbe8ad877d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
d2c494aa73d083cf41a01ba0593bb2a0

SHA1
dbb4a1cb85c972403b2840a4338ba29efb5f5faa

SHA256
6b9948edccb5747d73f034ac746e7573fd27e82d486be80e7a26ed4292e75e91

SHA512
e70f2927657f69a313a99a0ea7cea84bb9c32fcd20b7e4952236eda64a47033da5b1e62dd45b79b00af8068aab6325b78f34069d65b3244bb184887b5b46df9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
199KB

MD5
6366a73a4ea8e187190cf22db2a4f1b9

SHA1
c2ffe1becd0bc149f184b45f511033af62eebc18

SHA256
c86e7f68040b53f7a4cff23f3ce7875634d718a60cc9ce230bc5f73d01379d8e

SHA512
ab7abe8114ffb34d907874340013bf356b4bba872607f1569e3a69b69c47a7d1cb9394692531ec32cc5ed1d9b04936d84f20889e7c87a8af036e3c61c7e1fcfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
04ffeacb8190fdf1d9368d8ebb05bfb2

SHA1
6eec80e3ca3cc78d1d0f7a36305d8a68925e8db7

SHA256
fa861e86a53842a72c60c80c0131a5a1cba6d08e4cb4719f56987cf4e2f1ee5c

SHA512
b2f6a9ba7b9fd380511d4e78295d2ff762dfcfa5993218005788b1652d4ff6fec89ddecfa99a4cb0ee1bd39b6a9434d19559b2d187ef22f41866b78a20fdef19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d43b9a82776c7137136792b8714d9adf

SHA1
6dccde28ec7d01f2f48c6b80fd2b3cefbbf5e458

SHA256
c24852f51c7ab7f557dcca596618534023f317fc90453be42d2b44e0346c2063

SHA512
15909bb356746882541735f077e6f0d7643ff6b7b8d7f7c99b785dc50e28351d537d2c778311c1f3fa3177f4edb5c0bed4429c01977476e9a5f79785d262995d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
841a6cf0dccf2ec7811d8c9f2e1fb554

SHA1
3a87666ec9d9d0ac48049704dc805bbe2e1c7232

SHA256
320d1db0428745424a7550ec42bc490f767352366a6967093783b077719a565b

SHA512
4f6d1713c0886ed634a4d84df18feb44964ba10b44a8c970c5e56ac08c3c8d45bdf92a0686783427876302aa555e21fc67dbb01ed409ee09ea9e80cc582bbe54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
811f7132a4ed4cbddeea0f07f9f2505b

SHA1
1cafc8d8f31028ae50ad62fdd1decc21b18e3bd0

SHA256
b8f52aebe5c906108e268acfb3342ecd1b9a87139dcdf703fcb969209b3f4f71

SHA512
34326061f28d3df7c552658fed783fea052e9230785409b2bdb23e28481cc88ebd32ed9137e1214f4613aea70be879fceaea9154c8c970e34b77295bac9972ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e710f448a4e33fc56651e01b78a84667

SHA1
6ee1bd8cf53bbabe7c47c1419c6436ff9e288c20

SHA256
cf015d06949d4618f8ce4d457c1fa562db92082cff8afa7137f0f99eb8fa2c14

SHA512
62d72f7a5121d278eeadb0b299df2c21af868fbecb915d1a4c735c6bcebfb72bd8535e0673e8f04f81591b76ecf0e8d29482df5ec1d0cacd77d725e49931e3c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b5838363584cc86f659e00d6a68410d4

SHA1
f4229cfc053627c5d52bb2fb350e4bf4949993bf

SHA256
fbc198afa874fca2dc1d125e5455fb7b4a70085ce43ddfe2f4792d796d7abb1b

SHA512
d8090d8a3202a9657d17c8187f6f3dc18e69057b04de84fdb2279e515804abd05d242feedfbb87d4fa60e7c83ab7ea0e549feb6ab6c3610b415468d063b00c87

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
f21cc5f30e5813581c145729bbeade06

SHA1
4258d590d67ee73ffbe9a8ec6ae8566f794cd52d

SHA256
40d10993f36527dfdd9e80a3e54feb7e6fce6a827393597ba59f54fa35883a5f

SHA512
a9ebcb74909d1fb621d117a142f7daa0e0e6e5ca446e775a2efb797871808483c8730b1f69195450d6e509ca471bf1817e2a5aeac9bedcd97ce24e376d88c269

Download Submit
C:\Users\Admin\AppData\Local\Temp\F472.tmp\F473.tmp\F474.bat

Filesize
2KB

MD5
31c09b550c61042384ef240a1cd226df

SHA1
731fbe63179f646915f8fa37ca9f8c85fdb9b48a

SHA256
752a176e12900c9f3cf947bc36d506e360f86da00a2dbc1e5fa821f2584c75db

SHA512
8fcd654736e4b71765b5379c6e1699771e83c5c1df1b5e3fa7f74e4d3b5629ffa1f54aaedfdf9979416d3704bcfb38d73dba7c36c7b6f1ac9804737e7af698a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
7KB

MD5
90e34f259cb2062d6f18b7a78e090135

SHA1
6bb6f7e02cf2a101262a894d1ac76aa7d815650e

SHA256
5fe37bf52ee89a82a4086a51ce247996f819b0ea9b6db10f96173718bf7bbaac

SHA512
94432d05c6a761bcff125f4315299da552dbb4b9a18634be2c1751713d4ae48e546ad5c40360f312781bf916b1cb43afbc8e7c9ad8d7198ca95e236282dadf11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
10KB

MD5
5dd3b4130828c21462c53f3a6880a0d7

SHA1
8f3423ceda71b07321c44e8de3a6d6828a09a32f

SHA256
94955acc1af8c8d1b4dfeceadf8e3a9276f1fadd3a740333c8b676f960c520be

SHA512
83726ffdea3908dfbe7803d53c7f422448f4548ecb59861984b7aafc04939dc4c0a5bc7470a2bae14ce70706810eee1fdbba70d9f1adfda2850f6f1fc973074c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
dea2b1ad9d86901ee35db985b71e8310

SHA1
c86c8467492d366f1c1773e2b9dbd7ac91e84d59

SHA256
ebbcc9e9e52d19c30130fac3e516e1e6d27b60e559ac5b59485181d59948096e

SHA512
bbde66c73640c36565a876ed5d8ab5f71f38941b8c38c70fe2c68e157e470e52d62f8e5ea2a6394da86d032b81056b51016605befcef4dad66cbe68ab0999317

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3b4f43d836f187b1b4b783238277de7a

SHA1
820c691b55e20f59c6485f990d34078e0ea272b2

SHA256
19ae45c00f6ffa2c0cdb05c0fc7fe8e529d9d70c1bfa7d928ef2e5e67fb65dc3

SHA512
70da9a50f8e0b3bb1c34e1af0cce95ea733e2cb6bee8973cd8b0cdaf71508f6f06ad86f699e31d374b7a060d88856f735ab8c217e331bde63020733fce0ecd69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
13c4ea04ced9745585c7fbc9d3cdc519

SHA1
98a667ba927a8272752eb7a40b318659bc3cbc51

SHA256
8292c27349d16d3a2537ca33519d68b40720fc4a271ac122f15d3970cfff1ef5

SHA512
20d35a619d42fe9ecf1ff3a54b39001bf7a870fa3c7aad889513b6a811d9de73a432aac0f224f9c07c89b3919ba055719e9cd338e24cbb354bd54fa7eba6def6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\130cda1e-0307-41a6-8289-b886fe85e71a

Filesize
28KB

MD5
61fd9a1e91ad88f2e8a3988a7e3167c9

SHA1
4fe3d10758df823588855b9ba6ed826168bff5d2

SHA256
57463633960dd8aee3ce259b9c77a0af6f5528f6e225d11431e01e0a91596411

SHA512
922963471199eb7743d64e1335aa3a557a960165384f5c63f9d4821e9eaf902571be9dc714fbb19197706755dfec957af19077dbb6dce0fe1f89236b7205da16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\9bcfffa3-4598-4bff-b9a2-0cfb5e19f25b

Filesize
982B

MD5
0572324d002fcf8a81164b4f6df34f21

SHA1
ae0938703eaddc3f6ed7f9493cb08a89bf41ecb9

SHA256
cdef36203b768f90ebd982d5a791de45f12b99580b3baa798178a34962f21e36

SHA512
8c0bfc3a2171d56fd964813551948d76cc183f1d8ecd7479fbc1f26aee91df5a1675fbd5b62a75b38c6ffec698f192ce1ce57001d38e123268285577f5dac10f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\e8ce5324-01f7-4694-b041-3bba42a41a52

Filesize
671B

MD5
0b7454b3161900fbebbee6a934d5705b

SHA1
a683767de3acdc5fd6f934b11fd417c65b476bdf

SHA256
dfaf664c022acc153f98fc4840e65d94718b47be8cca8e52f5a035a6f391ba5b

SHA512
fa889a025c7c1bfe1fc0ee81a82bfce7450b094e9c070476dee61d7ca2ac8a800f0ad77fb0da4e4b4124b7c3b26ec2f03a5ca333be6741a1cabe88d03aa52519

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
10KB

MD5
acbb1c7b75892689e69ed804623d5831

SHA1
5ceb5e4702b341cbfdc05230e77cf01f6d047de3

SHA256
ce05d638af8c552b3242b9f8530ab02ffc1262354811b6ca5f0c9b42e0e3d761

SHA512
66d2224992407139dd1b98c1189cfabb11580d8685d5165be0539db9ddbafa00bc6920425a18e67593c61ab986dba2a8de210e6f2692400e6f48443d338785dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
12KB

MD5
1887ad99390e3ed734af863f99abb297

SHA1
f8603cca86cc318ce8fc7b8ae97ee5846aa08031

SHA256
73c7d5aeb99a767cabf0f115af391273a410e82b55c802b4169c7f6ed25713e9

SHA512
f16fa4501939c7780b167b40184dcd5d0516417b7a055258b304e656e177254d535a563553c0c683d3992008d2ca09c281402d59a975c77f726b07e558d3b47c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
16KB

MD5
131b074a9337f17e1e8a90d85d8b2579

SHA1
6a284c74fba29108ddb8c40bc1c2a4ae1948f615

SHA256
a243441568bbdc12beca18d12389ca0932472bf2c7c9877e5c1f8475d4198305

SHA512
654ca79f22df526a7f92cb3da54bac8a58e3b5775179989a148838250b4773e05b13f70d7ad1f46370b76e086c11c6fdbfe100233f52c702f41d005f885a4a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
275ac1d72a1ead3379e0fb8d54368c1d

SHA1
e412de654e07bfa3d0825c8fe441f3db050dd62a

SHA256
2842574cf27787e8cb339bf08c6b0a6ea0a82e8b77bc421611d3093ea4d5e3a1

SHA512
59a3af4c13a3e36c0797641e971ecdbeaaa155a029b847c6ef29a4463596003cd516302ec57851e35e01420d90e55c63b513e4c3034562b7a489d443a9013d18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
0a25ef5646c198c06a834d161154e3ce

SHA1
155b94926d1efac2241285e59240aee5b7e37af3

SHA256
c84155d39950a8362e281d698c05fb617768d180a5c14b552c9fc5332d9d5c8b

SHA512
8ae4447f102e195df3601406f44cd05c719a163f87a47da07cf571c069a770bdc904fc83a79caf8b000dc2a6c1402731b2714aa26d4ffde10ad3d446bfd05bf0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.4MB

MD5
dbf903b624bf1fc156df48b47c1717ea

SHA1
4e308376d7614abfc54a5bbcb01a77ecca48aa34

SHA256
958268e2de51a80dde89fc04d2c42ee7135e3a88e465113ab2bf804b6e7d8515

SHA512
9e6155456ba3299c01801204912275a7f5c073850544c411c8386e1ee71d70c9aef191f3113368ebcb64f768750728fc4df78b0257b384573fe4d6e55aa4f703

Download Submit