10c59dd6cef6195616ec76184885c1ed1134f9c2ca801652c81a018d040ebbe4

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LDPlayer9_ens_com.roblox.client_25567197_ld.exe
Size

2.5MB
MD5

6908b774daad336d0ab1c55f55c344c4
SHA1

04ea8a943ca41fe152a4c2ec99ede83967d546f3
SHA256

10c59dd6cef6195616ec76184885c1ed1134f9c2ca801652c81a018d040ebbe4
SHA512

aa283489d2474f7b8a5f2bb6f524aa5c3f99932b61e52737db36b8cc7b168e6040217ec69860592e473fab6df5597cc30ce79c23b17805f6cf3c854f41d41de8
SSDEEP

49152:GNfatughHaKLIKN1cueXlaYbsISTb/am5B8y6sEUhSSwoUK0:Gla4ghHaKMu2IYbsIW/amj8yF8SE

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

LDPlayer9_ens_com.roblox.client_25567197_ld.exe

description	ioc	Process
File opened (read-only)	\??\F:	LDPlayer9_ens_com.roblox.client_25567197_ld.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2900	2380	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

LDPlayer9_ens_com.roblox.client_25567197_ld.exeMSOXMLED.EXEiexplore.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDPlayer9_ens_com.roblox.client_25567197_ld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSOXMLED.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B1681411-9527-11EF-A276-7E6174361434} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000bcbe116808615dced9b4b281811cb8d0b96aeb84ab44f79fcf54b3bc8ac455ca000000000e80000000020000200000009a37533220cd3c53f48fbc33157c25ceb8ee9e511c3b027136faccc91ae02c192000000023f82ce42c2f4363ea9a36adeacafa7ef235419de0c5c45d41a3020b735c7c5c4000000048304b885a31d91d9369a510a4a5f5a0e875fc4fcf2e82855cad9133d56c9d54e261d16df63405b0cf48a3c01f0bcede16889466e05c7ed9d7cca032b8018803	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 805d5c863429db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000b6c4c163457f01cbad5301206c400c318a8d95a2452419749abf6706917dc34f000000000e80000000020000200000006324d19ce618397fecd14f467c18ea3a35294b3088fb9e6a96d041dd35b281ba900000007d40c6aeaf526e6ca9cfcc287df752dce82629f4e94f27ecb0738614623ed65878b003c6505eb9ee6f7ca71ada5e879049822103f73c24d8b02ba2a24a7d557798bc7c20698eba73e53a88fd661a41558ed7d585e63dae14924c2a83db534cb503c2c100479ca0e36d91b63302add1ff1b6d3532acd5545b52760797c4745f7555e4b917778ebbbbfdf3d1e431bc40a04000000028a1e175dd7c4942d86123c1332be04145c5df4729f48d20e968a5fd95ca9f9f42ad660f1ce29733a1eb9acd3d83321a41c92c28e5c6e7387b8002e4beac717b	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Modifies registry class 1 IoCs

Processes:

firefox.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

LDPlayer9_ens_com.roblox.client_25567197_ld.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	LDPlayer9_ens_com.roblox.client_25567197_ld.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	LDPlayer9_ens_com.roblox.client_25567197_ld.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

LDPlayer9_ens_com.roblox.client_25567197_ld.exechrome.exechrome.exe

pid	Process
2380	LDPlayer9_ens_com.roblox.client_25567197_ld.exe
2064	chrome.exe
2064	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

chrome.exechrome.exefirefox.exe

description	pid	Process
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2064	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeDebugPrivilege	2524	firefox.exe
Token: SeDebugPrivilege	2524	firefox.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

LDPlayer9_ens_com.roblox.client_25567197_ld.exechrome.exeIEXPLORE.EXEfirefox.exe

pid	Process
2380	LDPlayer9_ens_com.roblox.client_25567197_ld.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
956	IEXPLORE.EXE
2524	firefox.exe
2524	firefox.exe
2524	firefox.exe
2524	firefox.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

chrome.exefirefox.exe

pid	Process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2524	firefox.exe
2524	firefox.exe
2524	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
956	IEXPLORE.EXE
956	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LDPlayer9_ens_com.roblox.client_25567197_ld.exechrome.exe

description	pid	Process	procid_target
PID 2380 wrote to memory of 2900	2380	LDPlayer9_ens_com.roblox.client_25567197_ld.exe	31
PID 2380 wrote to memory of 2900	2380	LDPlayer9_ens_com.roblox.client_25567197_ld.exe	31
PID 2380 wrote to memory of 2900	2380	LDPlayer9_ens_com.roblox.client_25567197_ld.exe	31
PID 2380 wrote to memory of 2900	2380	LDPlayer9_ens_com.roblox.client_25567197_ld.exe	31
PID 2064 wrote to memory of 2120	2064	chrome.exe	33
PID 2064 wrote to memory of 2120	2064	chrome.exe	33
PID 2064 wrote to memory of 2120	2064	chrome.exe	33
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 892	2064	chrome.exe	35
PID 2064 wrote to memory of 2524	2064	chrome.exe	36
PID 2064 wrote to memory of 2524	2064	chrome.exe	36
PID 2064 wrote to memory of 2524	2064	chrome.exe	36
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37
PID 2064 wrote to memory of 2948	2064	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.roblox.client_25567197_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_ens_com.roblox.client_25567197_ld.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1688
  2⤵
  - Program crash
  PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb989758,0x7fefb989768,0x7fefb989778
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:2
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2392 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:1
  2⤵
  PID:652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1016 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3232 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3460 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2764 --field-trial-handle=1208,i,8243618541956504254,3977635999826056082,131072 /prefetch:1
  2⤵
  PID:3036

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:764

C:\Program Files\Windows Defender\MSASCui.exe
"C:\Program Files\Windows Defender\MSASCui.exe"
1⤵
PID:2188

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\ResetMove.xml"
1⤵
- System Location Discovery: System Language Discovery
PID:1940
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1604
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:956
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:956 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2720

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.0.2081785698\802630713" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1188 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c36f6ac-6d44-40d4-993e-3cbcca620eda} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 1284 10cd5e58 gpu
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.1.830771625\590471558" -parentBuildID 20221007134813 -prefsHandle 1496 -prefMapHandle 1492 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e1b05de-eede-4c13-9e4b-e57615b02c1f} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 1508 f23a358 socket
    3⤵
    - Checks processor information in registry
    PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.2.690739948\1923700052" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 2052 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 672 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c22f6489-4a68-4c7c-b962-480f35b0cd4e} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 2080 19d7a558 tab
    3⤵
    PID:1720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.3.1858038042\322488054" -childID 2 -isForBrowser -prefsHandle 2472 -prefMapHandle 2468 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 672 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8abdd25e-ce95-4c76-be8e-2ed92a796172} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 2488 d62858 tab
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.4.604319911\2042145029" -childID 3 -isForBrowser -prefsHandle 3336 -prefMapHandle 3332 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 672 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98c17dbc-c01a-4079-a684-b20163aa94cc} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 3352 1c12a858 tab
    3⤵
    PID:2196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.5.2122604954\251553592" -childID 4 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 672 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a302560-a032-4c67-ae7b-a325cf4549ff} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 3904 1f799b58 tab
    3⤵
    PID:568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.6.570074638\1363447604" -childID 5 -isForBrowser -prefsHandle 4016 -prefMapHandle 4020 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 672 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6786111-4522-41f3-86f1-2d078f183ac0} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 4004 1f7c0858 tab
    3⤵
    PID:2760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.7.327926375\1004181943" -childID 6 -isForBrowser -prefsHandle 4136 -prefMapHandle 4140 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 672 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8e4fba3-e83a-4064-9679-66e8bf4a639f} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 4124 1f7c0e58 tab
    3⤵
    PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c4c2300bb26fcbda9a33c69fb1a7cff

SHA1
14a6b3605164139527cff5b3aed8bca851cd7b11

SHA256
744a6976fb8fe186a1e11feeda3baf51ea09f1aca83b6c0f38b56e9fa1a12046

SHA512
205328806fe29cc4ce4ef779487d455f24f53713d89c5e6c61dadca1a6e835b8a41c35c5c5f7c78309e7711ef3a5dd3d65a93f887d5f365590c9135c19974ebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d1d6079e291c06186510344b29b73b5

SHA1
47add6647228dc5ef8b26ed643564a3fd04b214c

SHA256
bc5095803d7135bb00ba3a4b0c5d40c75e22396adf8cbf7cbdf9103683144c01

SHA512
68663acd39c275f22369d88665af2e11a29e883e43bbf87f5d8489ffe04c990c273186b6f07195b2e01f0d80d4ba71829baddb2435315694989ecd7c4186d3d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40e0805cf9a6749795607abf7a40761d

SHA1
4c54a78f28af6cd699cc9078d1b16683388f522b

SHA256
ab627bbec508fb0eac49122f8880727496a9b1ce83e578281d786609f7849375

SHA512
3a11a571782daeec144f4d98d20bf7f3b9f94c4910a25b1706159e49925b7e6a96c603bbd14c035776aaba2998d8b7b2f1990d5b8077dc8ce359cc6830ae7a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8547369a943aae73e6509d92fc96f823

SHA1
64eb411c60c8b7a54a9d59ff7f87f0b0ffba6f90

SHA256
3bed047bf64ac81550e6f21e4455672b933a24b0a7c4c8b4685a2a4c09042c82

SHA512
b4f089b08bf2f02eda983c36b2115df11fb17ff489c53a77d1a743e283e9c6d4713be3547982846827d06792de7599872912480748e23a112b2d338ab49e1da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f467d0f5d7bdc0b6565e59a72639b974

SHA1
b93ae153b95f04fc41841bcc6037cffeb3f44932

SHA256
0e39a38a100241eb316d68b59727f87de42fdfef5e31e6160949fc5a4ed611a1

SHA512
b1222557c9ee7d3e08804df3f2b5b755fac19fe793005bca3d649477701a00d3ba3c727a4e7f6748e3f7762ae3ec0e7ef8865318eb06f81ad36b661562005161

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84b2aeab229e3c1f87206464774c54dc

SHA1
23d11e81184580a361e135aa74f9b7c103652995

SHA256
910983fbf552e6b13b6f3928b53bd29426a180105caec396dff8c82aa81316b5

SHA512
735d74410e243752f792ccf12307b279e4a4c49e21d5ed060944cecc51962ad9fa6f63949d43e115089b5e15d85a5013a5865accd287ccd4c76ad0ed32e388a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e118243c442423e4be32c6b51bdfd3ec

SHA1
42105fffcf1a2f6074e9703c2ea26db9798a127c

SHA256
6aeb8c77e2fada564c5f3d210a4f7a5835d07319c0854d507a11add946b458ea

SHA512
5569ae52ab2357ec5dd98b1bfe9358faefff262b3f4c29983eeb69cfc33f33d71657b71707e7abaad69371367eb91ea1420955c90fc9ff4ed164e973b5d8d425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24ac87b10d320a21768273e522a9a0e6

SHA1
743fdb08ad9b07c52c2ee3844e5862568f4bbf87

SHA256
0f92499b7ef1c91ee8850d8824ff198acb2164c92305975ad1b2a5849fb35496

SHA512
a9f32d3166935a2288bbb5680037359e11655c32c2725276c5a5f0838ba049b326d497f276ed3f1cc1e625151d0cd3a1bfec9415142eaaad7ca9a9eaec71fc0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f004a897e5c744b1063166207b80aa6

SHA1
67432243d778bfd9c4e541cd5e23f4cb4d93be5d

SHA256
cb79e453bcbcce52cf25b172fa6a48a14fdd420ddf93bfa46c4ec5bbcfe486fd

SHA512
f53f4ee8c49779b8e88e37e23046f44ef44dfb85486ae1d10ea23e4eb083e6ada3300c5d6af49f37d3cccca050bff1bb16d6987693914a64bae1b4287f686e26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
5076d6fcb13880db69ac570f3415df18

SHA1
103932aaa5fd43e487722a626e41bd51f5e1716f

SHA256
5f2b10517b76b2917cd1eb119b402a375e080124387ce7ba49e4dd1fb3af5fd0

SHA512
9e87d36491ea08aaba230069349930d26bce710c60088e69d6342178f82932ee4207275fba3ab0be46d10b48b35936ff250e7f2dd688745b96d5209cf5de53e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9b1c99d5245940563e9e81e95c4832ec

SHA1
1bc5970a797d7160879f1ab93559a23b736a2ce7

SHA256
5e5e2d6ab15529a13c5f6fddf4908f82199df64cd0fff65ec624e324f6f20a45

SHA512
6d270d67927d391ddb39f5f2c3bbcbe36add45dc5cbf35099b0876b1b1c91f7ff23389e564bdf583fb4245984cd0a8af8f75ef87695296a8dc1d91269763b957

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
59b64b05c9551b29d08343a9016d8132

SHA1
49c010ec1360cd8a25d03cf9e9d605c5b9c71869

SHA256
13f4ed5a5d675f2a4c6f2c18eaccbaa51b76ae817973d6aab62d479d812d94d8

SHA512
9839ea0939cd616caafe8f24443caeb579475872d415d60c5077443554beef33a2205bb4b28ffc43a814a681a61a3d288be005508acc853222cc4dd3904839b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab958D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar95CF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
646ba15894a9838d263cd5461f46c096

SHA1
2051ead7528e457449e85654c8a8c7e920c2383a

SHA256
ab772878e9236bcf5692370da50914cc2cc1d56c8d2ed216f1bb734455c39719

SHA512
75c2e5e95e30c32166270dde7a0346a0611328932216185ec6d9e91895b2981b4d1be6b229f915506ea669893100d15449e1b9906523f23a8899fa87815422b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\92f08f6a-9cb1-4f21-8209-7ddd21bcb4e7

Filesize
11KB

MD5
7032b2071b9be512169058795d86ca8f

SHA1
c627f0467b407d962fa563b5629365dbf28979c2

SHA256
aa34a90b4e69315db8e2471fb1759c34dda069e29e4a14610a22c40633ce8c5b

SHA512
01210730f6d34b41193549a67d2af7e8a84c4dc90f46551fa680641e201786f8ef1aa3e3a06acf33e93be3266e9a9a087dcc972725ef1ffb3e5ddcf09e56eba3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\tmp\619ce23f-d777-4118-a662-b55de277b2f7

Filesize
745B

MD5
ee8d76690fa279afd708948199a977aa

SHA1
8a6e5bb7025fb4104d9fe94afe57fb931e30b01a

SHA256
2128007d6a89112475410c00c4fa2667804f4901e3adecd67f91a93297d9bc30

SHA512
3ba2885af3d5ae761f83dcd2aaa34190640be948d51d68a75916b9fdea0ae9f3e1d0aacbdbb7e9f6c485d4c76b976a63a5547caf39f53c7b62584178cf4c6a5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
7f74671ed157764b2d583d8cc3802117

SHA1
34b0d3ec2b9a2fb89f035cf466e2d4d3423bd9f5

SHA256
65ba75c4308097c502d8ae051bf800f56af8d822c20209e33365ecd286c151b1

SHA512
4ca7d52a22e03554479acba3faad970b6482e485406ff166e14585bc5828a8fb94c12e8649d6dc96779cb6d4231e64d994cce808ed905bdf2702a382602cdd1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs.js

Filesize
6KB

MD5
307a506ecc9f747aa5fedadcb41fb602

SHA1
d83b0ec6d99f1ba787ee29079c1c0ea3741da08b

SHA256
7355851f3e895e23ffa51ed282746b8ff7a1dcc748a2d0a0d8d4188f61c8555f

SHA512
4f610e4afb8729960871f91b092397adb6b0d27fdc3e9411a953004cd09f18aa9993cc444eedc3b219f31794cce07df224990080609c2f5b6297d515b7f3f1e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore.jsonlz4

Filesize
832B

MD5
a2f0a663da5bf750375235a5e188ae67

SHA1
8a6b93105a31a8d4d202d46f37fed84fe96b7c2e

SHA256
fd91cae10eda885f01f0293e70f8e131ac13e27dd178c1a7cd504ee8b5c4a529

SHA512
828e71611af2be3c104b36a974035330b60c81f61b6470b3cbc1d3cee22e1a990d0a53a10fdc74ae1e8dbed417f2aed35481e12576b4e101eaa1c911c008455f

Download Submit
\??\pipe\crashpad_2064_XBQIVAZSZJRWIMQW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit