f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe
Size

89KB
MD5

ee44e48020a289c6ec1c2b59aa485bbe
SHA1

410ecf6fe1057e09a263307189e2bc9c06a0d8b3
SHA256

f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8
SHA512

44e4b6ac9a45c92220e4359591cd1b649d950adbe0f7331c8ca1049d3cbf29460522f656b4e49282f292c4b6856572985cd72aee6685c6c3d1e782b84f5e2a17
SSDEEP

1536:L7fPGykbOqjoHm4pICdfkLtAfupcWX50MxFY+yIOlnToIfcxsMO+:Hq6+ouCpk2mpcWJ0r+QNTBfcJ

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133694039467956731"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{BDA402C4-3387-45C4-9A7C-926247C99E21}	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe
1120	msedge.exe
1120	msedge.exe
4876	chrome.exe
4876	chrome.exe
4888	chrome.exe
4888	chrome.exe
6412	msedge.exe
6412	msedge.exe
6412	msedge.exe
6412	msedge.exe
4888	chrome.exe
4888	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeDebugPrivilege	1580	firefox.exe
Token: SeDebugPrivilege	1580	firefox.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe
Token: SeShutdownPrivilege	4876	chrome.exe
Token: SeCreatePagefilePrivilege	4876	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1120	msedge.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
1580	firefox.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe
4876	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1580	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2552	3444	f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe	86
PID 3444 wrote to memory of 2552	3444	f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe	86
PID 2552 wrote to memory of 4876	2552	cmd.exe	89
PID 2552 wrote to memory of 4876	2552	cmd.exe	89
PID 2552 wrote to memory of 1120	2552	cmd.exe	90
PID 2552 wrote to memory of 1120	2552	cmd.exe	90
PID 2552 wrote to memory of 1844	2552	cmd.exe	91
PID 2552 wrote to memory of 1844	2552	cmd.exe	91
PID 4876 wrote to memory of 4660	4876	chrome.exe	92
PID 4876 wrote to memory of 4660	4876	chrome.exe	92
PID 1120 wrote to memory of 2744	1120	msedge.exe	93
PID 1120 wrote to memory of 2744	1120	msedge.exe	93
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1844 wrote to memory of 1580	1844	firefox.exe	94
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95
PID 1580 wrote to memory of 1604	1580	firefox.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe
"C:\Users\Admin\AppData\Local\Temp\f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A5C5.tmp\A5C6.tmp\A5C7.bat C:\Users\Admin\AppData\Local\Temp\f959279f2f05e5c22c10b34635069b628bece346980991df87a15b14125798b8.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff81faccc40,0x7ff81faccc4c,0x7ff81faccc58
      4⤵
      PID:4660
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:3208
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:3
      4⤵
      PID:1636
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2240 /prefetch:8
      4⤵
      PID:452
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3160 /prefetch:1
      4⤵
      PID:1516
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
      4⤵
      PID:4848
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4416,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4504 /prefetch:1
      4⤵
      PID:5772
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3140,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4676 /prefetch:8
      4⤵
      PID:2300
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4644,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4812 /prefetch:8
      4⤵
      Modifies registry class
      PID:5648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5128,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5144 /prefetch:8
      4⤵
      PID:6532
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5176,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5192 /prefetch:8
      4⤵
      PID:6544
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5224,i,12214129740434904549,17362577340421207350,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5216 /prefetch:8
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff8116c46f8,0x7ff8116c4708,0x7ff8116c4718
      4⤵
      PID:2744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11695504639899457690,8475554048326913994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
      4⤵
      PID:540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11695504639899457690,8475554048326913994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11695504639899457690,8475554048326913994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
      4⤵
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11695504639899457690,8475554048326913994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
      4⤵
      PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11695504639899457690,8475554048326913994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:2000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11695504639899457690,8475554048326913994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4620 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" "https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://accounts.google.com/v3/signin/challenge/pwd
      4⤵
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1836 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5e11b79-8eb4-450b-ae14-c801a4eab3ed} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" gpu
        5⤵
        
        PID:1604
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00292c6a-a7e5-4ae3-b648-ef6f40a92ff2} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" socket
        5⤵
        
        PID:3032
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2948 -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3112 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eff3f5a-5ee9-4e69-9127-54964dda5da4} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
        5⤵
        
        PID:4436
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3704 -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3692 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f95ea44-f66c-4975-877d-166e6b9c925e} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
        5⤵
        
        PID:1200
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4240 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4264 -prefMapHandle 4196 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b75d8309-50a4-452e-a171-a978da5c2f46} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" utility
        5⤵
        Checks processor information in registry
        
        PID:5828
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4681818-55bd-4fe9-a40d-415f796b1337} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
        5⤵
        
        PID:6028
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5564 -prefMapHandle 5568 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {83d7727a-db8d-4018-a2e5-3b88223d7224} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
        5⤵
        
        PID:6020
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5848 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eb91b85-70b4-49dd-9988-e273c092b69c} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
        5⤵
        
        PID:5940
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4252 -childID 6 -isForBrowser -prefsHandle 5760 -prefMapHandle 6076 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 892 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a828c775-6cb6-4942-a064-e208c4589a57} 1580 "\\.\pipe\gecko-crash-server-pipe.1580" tab
        5⤵
        
        PID:6044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5856

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
463dd78554a50875880f0df0826c128d

SHA1
bd3110cbf72ac0860d48efc883db203f3bcb03b3

SHA256
8e19e9dd33be60908e9d7ed9d45c60df31c84d2ed109630eac70bd778815e9af

SHA512
4f14330d71ce5d02111f0c97f2a3361330309841c7965797d9dbe7f0a405928a489f7a52e7536192905f297726a307d2207cc28bb9c7d2ea8531ab26ff7dfc34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
edc227be0af3242c456a7fab373b458c

SHA1
e9089613cb71a0de1dbc4357705a8fe771770179

SHA256
00ab4066b6247c709ebf34e53b3d7577e2ed88cedb702067f6394394392db9e5

SHA512
43ce38ded62f4bcae9aa6b84a525676d49d2d5623ec726763d95694e71df931dff68eb524540c59d829241b84b23b0064ccbd02d00afb0717f7fd564c03c8a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0659af651d19e3b0d664d8fffaad16bf

SHA1
f21f0526d93f483d6dea9389bc4cb540a032b28f

SHA256
a2911999f9ec575e71a9ba13f21a87edd1b075b203eae075ae4a7428afb8915f

SHA512
fdd9ae9239caec6a1a4252faa6a2ceee7dba4547e79ebebcafd8232d6a69c3cb390f6c2cb3b8025c063dda0e393aad6ee3ab2f92449de322bdf80e1e22f0e4cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7f352ee82b4e43db458b215acba8e7c5

SHA1
9e8aa2497b038b564231a40da95df38f4b7bed55

SHA256
1b2ef6b3534df32ad2f4d95a31e800a134804be0a9bd0c822df2587ecf374228

SHA512
d5eceb805f2452ea33aa57b0f91fe0a9edd6ccb51b5470b875a8149a04f65b7acbefc51c9c42cb201aabef9c1618641640cd1a9fbadc21283067dc7a81e61641

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7406469dfd59f1950893e277d5f3bab3

SHA1
1051a95d3690852134a5bf81aba9bb84c2b0a1b2

SHA256
d431968aa17b533b495e173df3a74e0b1caf0e860b9145ab357b75490f44343e

SHA512
733c38f9c643faffb9be545a309db00a27bb82b41136de2607a001353bf4dfccafd5b58ad4be9b3c0e104dd1eaf5ef6a0e756caa6aead091380b47f6cb894a02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
346a54778508e89e173bd66ede6f12c2

SHA1
7e76874df9f4f30482fc63838bb8174dc2d3ba3b

SHA256
7db0826b9b0e0dca845b4bfd04d779277109c0b8b9edbe7980c628c911708009

SHA512
7e9e64b06ad90642a6a1a109b6368fbfbdcd91ff74bd5e8f183177b72f5d542b2022f55f9b093af02607831a60ebef2d5acf2f2665d5fff660a2cf8d29269750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
deb40ac41ee9f05a7481f9221f1b5aae

SHA1
c27dd5c0e2171126cb611fca9fbad3f5c1980be3

SHA256
9517417cbcd93e5f9ab9b1a085a0adb70c37fe15803eedd8a9c55577e23329a3

SHA512
0b696d0f07cac7cfe5abe81a3a99590f63d939045aa9c7396b9b0518e7a3d824d14c465c13e5ad2688c2cf366b894d6e383f8143eecd4ad3eb4e0b0b2f255576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbea4d513e32e0a8cd6639eb4b6990be

SHA1
376fee1cb504d8d278857f06c8a52b0740bafd22

SHA256
7b5ea263f77200f518df1cc91ef6f27553fa0b80adbefd9d7cd9a1b7bcba14bd

SHA512
ffec39ecc84e7c14fb18efd00516e163f35b8ca90ed25a54f2eeacf8de450f25a99084f895130458dfcae5f98d7680746a1a974cef57ffc7432813f985de4ba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b0ac054fb470c9b707cd6022b464c41b

SHA1
ca968cad0c8ae62b3e07ba06231a25b96889ad2c

SHA256
69ee110bddc8e5686f2016f154de61358fefe89a2eeb7883b5cd16625161a498

SHA512
278c180858b04b3f9f9910473e2fd8af997c694567f74e98cae7f0a3fcfa0d87328959c9b382f11ff6154df8f6f5549164e916f0921c17299de347dd92fbc071

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e7ed1e9cd1c0fef214bfaa7547a55be1

SHA1
44cafc8b61afb08e4f09af5587d88383088a8e2f

SHA256
597e1c5726ce52401cbfb636590775eae61c2e4445c1adb99c3549a204b0540c

SHA512
147de87ac26b69ce71ed1e9e3cbb838ebe0f7bc279c752b3632c10b8d9bb841473e153f2560ee78989d6761a686ab468daa040cb7d76e1cbb7f18226b98a63b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
059a3246464cedea3d367edb50c49c14

SHA1
bcfc4117d07dfd92fc3160a9f633e6a84b8e8093

SHA256
3a00e174b23470976b8286f9faa3770b10e41493dc8924940d88f4e25c616fce

SHA512
e1443b386a00384d8a35711718e72a4d6c112c0433308f3ded551427aeb6360af90e731895612f2c2524bdb7bd61c8da3126c7a7d9a288498583185b51e56dc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f885cd3f01e528aaad63b7133c383fb6

SHA1
591d80c45611179734e70094a909754ec85a2627

SHA256
6dc4d5bfc701ccb09c19a81751bc38631f3e6679f38e49752c91c5e3d55d192a

SHA512
5833d0816f801e8ebc940c56af219765e11f30311f02486b945aa2b8c27b11327c70543ac2532dd1708d00bcb02b4167292fc4557d58bb6a71338ac62b3b7738

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc306eceafb3244cbd613cf9bcd44f75

SHA1
2ee82f28d228a7c416a7da584b0de20efbbdf110

SHA256
730e77c89b8d8930d684dd05ff905cadb87aa8adb1302c0e9e9e3a9414f2d4e1

SHA512
21ea076f9c7bb47c8b8514b57a91bc4df0a3a1d81a5c9ec60bb36a6c74e93dd2220a62377071d9d945103ab2bc58ce33af3d77da32168f36f9291a96fa7924f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81adb57f36003a0462a7969daa36b1f0

SHA1
3a1af96d92123fcfab8549236de584a8bb03e287

SHA256
547404a7b3744d94dd229ae47787bf7772fd82b5fc4eba09d545b11d9aed74f7

SHA512
7497192db4ee3de7963879730cbfc06fcd7d291725c53764cfb2d7428059b7f5b2be86f69b8dcbf6d536add6c237861f61c6189d0678f1d5c9b28f97caa91073

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e62ed9fedba0eb495c897d6aa297d19b

SHA1
5f71cbc2e765f422b7a1636faf6e67a372909d16

SHA256
364d6ffa844f12321772cb3d635ced7e654c3a9972fb2728c5ad53995e9573f0

SHA512
f4d0b839a039073cce9f31e3a2c33aa5080995ee083898de2559e9057909dbb9a796ce1f7cd23eff29337097c852ed0caed4cd76d2e335a7527846cbd8b4813e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2fe8e27e6d963f7203db96a5f931e207

SHA1
245fec9689135587adad09b864edb40b0a8e2d3b

SHA256
a3c5cbb630cca159e9fe1cf5dcc26fde28b0485e0597c329ca733b0ab14de9fe

SHA512
a6ddb9cfc844d3f419d71c08ae843d391f2636f2ba1bd7fe3869cfec177c67b308dae2ee31e2342c93efd7c01d365c95980ab11c47ba3d1b720e02f8f4613731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
6212aa4fa02f2beb75d99a7347e43434

SHA1
d75dd5a85db8927dbe175b8ba72eff1a7c6a3a64

SHA256
df6aabf1e969a4462823f7b72030b6d00ddf824290c100f3d77ea2b680d0f0d7

SHA512
79c2959dd250c410bf9afd47b9552eeb8b3d3f6f5dcbf6f6abaf1d7c643c52b1bcba2ffbdf71d7fa7327c71c8862a6e074ec220337e5a90a312f15622d0b48d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
c0a271561b944674675f569e5ed9ae40

SHA1
46ced5668038eb90e72e839a39ef5c4b18211865

SHA256
8f692fd5bdbefad6e1fdc63acb92547b8aaf9528d132ca488d2ab8846c1668ad

SHA512
6affb6d616c9726d057477c74fd4a5775723cef5c7ebf6e0f085dbdbd1f17865ace9a979b3146ac62723cf8f1fe6da0535e3acce66ec1cf6edbb00127d319296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4d3bd167-499b-4941-8482-aca813cad3f7.tmp

Filesize
1KB

MD5
91a12aacaf856025eab7574407a86869

SHA1
7f43a625536ad72291631e105dc311e95862d481

SHA256
8ca1f0b2b7110f2f25fdcf5d37475549a32e27b324c93d6ed9b325c006fbbc33

SHA512
df73805e592760d13760c78b5baec88df236cfc9c5ee0d2ce1121daf7225b83fc0b1fa9b4c1bded30ce4ac6fd897ba895f6fd52b9622d9ef096e0c6cecc35e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
601fbff9734ec6c0561665faeb7d75c3

SHA1
683338f169533dfe6bab2354fcb09bc5cbb18a64

SHA256
48c9869724e050d28bd4c59ddaf7e030e25283bbb830b1a16b5004a0dfa15e5a

SHA512
918bd96f4f457dc2c467262b800c807add94f539422f894f03aece267e8afbac85b4259c9860286605e5a4be36dfe9b2d9eaf41b7f74b1c10c01d47af86dc0db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
cec3768e6bd037b04461d69b95828bd5

SHA1
0c71332a613a8846e3a38a14170adcc26c921774

SHA256
c12da2123757e1e475d830f8da3ef0889c9b96219c87ca2f2b5ce0eb55d13310

SHA512
85d61abb44189ce0fca3d13d5e235a291ed649627f0bcae717b095fb6e8dcc0f282408463a1cbd799f2cf7b1fdbffce54277dc0445d40ea20119687a7802000f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c38520ca1fb295ee5007bbd7b42a8e82

SHA1
9541669ac3c192c6c9460ca697f7fe5c09a20bb3

SHA256
590f2fd9041215ec7843b8611071312bb5fe97c2e786f042956b77285a613de5

SHA512
ccfdf0acbd73abeada357913c5c2d436137efed8b3599815558b5048431237e09edc47a97f45d760dac6713b7c983625c9778d8a474d19d24b4f050eb6dc8913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a0f6e071ae0a4a28400d998183572e8

SHA1
3cb7bbbb057695600074840d55597b4eeb8b8130

SHA256
d774e7f96d63303dfe0e23d6dfbbd89a3992fb40fed5a5268616f98f322d452b

SHA512
308cdadf3744eddb8578646f449cc6c97e04ef00c2efae6fe92854ef82073e5443aa4c5f39e0050d687a3b8da08d87878f39b799f0ede3f3bc944c0b243987f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
222694246d2a0a5476639893eb1a6ecd

SHA1
df123cbda5edd821fe805ca754fe0f2b20d81423

SHA256
e8ab3d54305b405caaad16f051e2c2fa24c59f50999d70986e855e460114426d

SHA512
1098435f91f581baddb1385d14c0f13ce4ffc5623a144ac14b7336a16d81ce23c4c67b02a30c325cd57cf82bb5dc9eb0419d55e8a7173c446865280743932bc2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json

Filesize
43KB

MD5
2b16f9922bb3ad7c4b2f067c7554ea8b

SHA1
20f7ea41f4b252ab3a43ff1a9745cfa0a2954a75

SHA256
26ef92501a6a3460eec66f75c447698e2aa08f0079e8c6c6c28efbe97367cd5c

SHA512
0a21e01012087d9142f719e4c5f845067ac6c935a44ee9b2ecf18d885e19b918d6eb30fcaa20ebed0d42ed32c3ee1dfe507c304e279bc694fa3cb3aaba881aad

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
4da5a2db7d0d2760e8a962fcbb924a17

SHA1
3009b20b042df5e3bdd1f6eef67d1d3724911ed9

SHA256
aa16ac2402298c1adcd17016909852b8da433aa941165d760dbc0039ddbf2f36

SHA512
43e614902833b302b3db1a5b0cb3dd1e6a4b884ec64ec4fc966a6cc924342370f92c8e8706cb793b2cd1c1b8d69c30cbcce2671afa109af08b84ac873f59c00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A5C5.tmp\A5C6.tmp\A5C7.bat

Filesize
2KB

MD5
31c09b550c61042384ef240a1cd226df

SHA1
731fbe63179f646915f8fa37ca9f8c85fdb9b48a

SHA256
752a176e12900c9f3cf947bc36d506e360f86da00a2dbc1e5fa821f2584c75db

SHA512
8fcd654736e4b71765b5379c6e1699771e83c5c1df1b5e3fa7f74e4d3b5629ffa1f54aaedfdf9979416d3704bcfb38d73dba7c36c7b6f1ac9804737e7af698a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
7KB

MD5
ce1df993461a4fdb0b73957bc4e1414a

SHA1
0c4894debcc8877fbdb92c3f0380808853a005a0

SHA256
6760139b100ef32fef4b5f47092e8f4f0f3629d54375b97fdf3e018c50963397

SHA512
afacdb8a173849339c466a7013a36a123c09e4d947412f703b8e6e67dcaa654468432c7bfbe4a4ba58124454ab0b200d67fa8d8b36ec36a7a52e4e03b904ab84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
10KB

MD5
1a685a3104366c014a5cf561b15a17ea

SHA1
3252ad41a5ed1a6a95c4fb9119cf6986090cab03

SHA256
7ee0054ae14bcb1afcefe7b20b3aca77926a76e6d47a07166d31d31afab8088f

SHA512
9797618b0ffa35765fc12f54d0f65eb8f4329c0adf5da97e40d4bc42cc9e643309ebef1de1785c1eb1e6fa273312fd2e8eb8cf0689e1d737cca82be4978a0834

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
4f567233d74a68f89682daba89673fc0

SHA1
4cf73bbfc2e44ba23d83047c30aaf385420ed095

SHA256
1c307d763dffd34c84bb9fa7270d9261ad61560f55bcbfe1dfa6c2d371c2f525

SHA512
389f1a3d3d2b106e3461f967ea65bcaddc27735ebdbe37ef48cca1480e70c40c1e9f1bde1347604c269dbcce0f726a0d2405acea556c9d44e08ee037c0a98a76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e8ff46cb4cfbe49cc9d19664e6d4158e

SHA1
252aa229b22850fe7c1957a6d091a3ad6e1ff321

SHA256
22ca9d0ee987b8dbd624f69fbb264390fea3f443fba46e7b038dbefe89a599a8

SHA512
75f37c9fe464e3a7e0f78723c110396bb73fd414f00b4cdd7fae6e76bbf495034dd5ca56a38505c11e9ceeef37a69ebc24694e4892cfedfa9db09eaf79d39219

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
768a6870aa066b66c9ca5c9836d63c5f

SHA1
e657a584b922123e782e3aecd3f796196c723357

SHA256
880ada3f2df21a74c60967d13ed968a7676e9c56a35eaf5f178753c9bff5a618

SHA512
171125e961e3b7db4dfcc28f844c4cf92808516e0cad66ff4a0cde9a2ac6d31761f12a07e44294dd7cb63708709f22d0bad92a56a33ff6301ebe0e01fa707972

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\1d273b73-e1a9-4eeb-8229-37f5a4db8354

Filesize
27KB

MD5
8fe5adb6fd67afe5fd1a357401006c1f

SHA1
d9e60328616df535eaa682d48dfbce1815197b2a

SHA256
80914f5fe127fae01801598b8a74457bf038ae40a34686e0ce362f3dc815989c

SHA512
0f80e5f03b57e458d89e463d13dd946d7e0430432555bcd5c174378f79e9f9f86d46444fd521338126b289f87c6377abf8a2b1b750021a61a83d4f08b59fa453

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\79912954-9200-4af0-b139-a162fb2c732a

Filesize
982B

MD5
8071d967536498a7032ac4e0b1771d15

SHA1
de94af42d1f81cbf91bc47a0a90c9f810f1abafe

SHA256
8d168ecfe4b32392ded82c5c232c3b2b900d8dedd248ef848490b9a982529269

SHA512
bb78975bc225ad27d55f2ef2c36ffefa80a329e95011cf0e57cb73e29b8380f2a30a9da7b2aaba9be47b3818ea5bf63c6bec5a82ee61ffac18fd33ded28321af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\7d36871d-fb58-4332-b36c-313675dfbcda

Filesize
671B

MD5
0c1b0d7b94531e41e9f111c5343a4d75

SHA1
a05bd7a0d7d656aa058915580bbcd2985a8629e7

SHA256
5fdb028da49a3ad3a03a93e191e26a95440b9d6b4c03e50712bff3067c779a35

SHA512
d29add257b69ea45ff1eea81835039efea074c1b0bacae1b4eae0de71aa055d97e7b1cc845e3921f7a6f5f84f68cdcbc40e0e51800ec4e30a1a32faf23d04480

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
11KB

MD5
9fa2b3585d74e4aa7c8840b2872289d0

SHA1
3fbd02dac64c28b268b5ae2a5e65e725b421beb9

SHA256
86983181dfa87231071cef6cb25a7d51ddbb5f17a50ca30ea02c3438518ad72f

SHA512
aa330d3bd92385cd2b6ece8984393c774203d9b46287ab7b930e0ddf8c2656b85157cf85f5c1c3b26279d2791ef9a9df84c1c72240e84dd6eef727424b4bcbd3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
13KB

MD5
b9da75ebea849a155e649b927372fbb2

SHA1
8192599a5920cb7e41156aef076b937838875088

SHA256
335a7403b15930a190b6a4255ec23638a36bc778f24894f23c15b025793eb586

SHA512
8bee5daea65292a739912d41fccda440d5ab323dd071c49738a5ad7a97f9fcebb9dff5fd1cf5eab7ff4191efc9a7a17e083dc2eea1503913817ef18ac52d9110

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
16KB

MD5
e8aafeb897297e2d6a2ce1cb9b460f87

SHA1
5bd5396a7a8e8a7b9dfffa413b9c8bbdaf647632

SHA256
72165052af554c515e3ab001e4b0fdaf6639999186cbee2d27119e1fc0595e87

SHA512
cdc16f140c897a44a4e1ce94ff6a796574fb7106ceb08c281025c4231823af0502e33dc15bd5168626435386bfe14757ca73cf996dd1fbb4a5de8e0cd9c6be27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
da3eff58a63ec1257de901e6b2164cbe

SHA1
dd4651054b3a31803c84967a6961ea3b10d39ed9

SHA256
99cc84687f4c241a826b1cead80bf5c608b5b4f5b51146eb06fafbe95a497ed6

SHA512
0f63c7d175c672e200eb6df8be3c360cd8c0b1c294da6ad59e5d0150fae131e23f0d6323696d76f724b37e63d12f4d437b804916fc970a9481731ea8b025a7a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
d554252ff9360d90ec3044058fccddb0

SHA1
5f205041e1e4b42e85506756fceec9b099601f21

SHA256
85f00a92f52fc2659c88f8e70496094e7dee22060783b9bfc0aa2d2528933e7c

SHA512
10183a7b3208bd76d9c37762a3b88bf8f2c163f222d6cda25bd938f6f17431c8eeb3e1f8a1cc9f6fa9b0d0fd009ebcb569558084bfc70740fa5c98d83820543b

Download Submit