2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Resubmissions

14/12/2024, 03:38

241214-d7dwhstkgv 4

14/12/2024, 00:39

241214-azvmhstper 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14/12/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786212064164838"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2320	chrome.exe
2320	chrome.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
680	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	HorionInjector.exe
Token: SeDebugPrivilege	708	firefox.exe
Token: SeDebugPrivilege	708	firefox.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: SeShutdownPrivilege	2320	chrome.exe
Token: SeCreatePagefilePrivilege	2320	chrome.exe
Token: 33	5608	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
708	firefox.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe
2320	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
708	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 5364 wrote to memory of 708	5364	firefox.exe	96
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1244	708	firefox.exe	97
PID 708 wrote to memory of 1232	708	firefox.exe	98
PID 708 wrote to memory of 1232	708	firefox.exe	98
PID 708 wrote to memory of 1232	708	firefox.exe	98
PID 708 wrote to memory of 1232	708	firefox.exe	98
PID 708 wrote to memory of 1232	708	firefox.exe	98
PID 708 wrote to memory of 1232	708	firefox.exe	98
PID 708 wrote to memory of 1232	708	firefox.exe	98
PID 708 wrote to memory of 1232	708	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5364
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1896 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dacf8f6-30de-4d7e-a5e9-5fc9a24adae0} 708 "\\.\pipe\gecko-crash-server-pipe.708" gpu
    3⤵
    PID:1244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c175b7f5-e1f1-42f1-b31b-f9e0e9407d85} 708 "\\.\pipe\gecko-crash-server-pipe.708" socket
    3⤵
    - Checks processor information in registry
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3308 -childID 1 -isForBrowser -prefsHandle 2768 -prefMapHandle 3432 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00247902-e12d-4f69-be9f-48b157ab530f} 708 "\\.\pipe\gecko-crash-server-pipe.708" tab
    3⤵
    PID:6024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -childID 2 -isForBrowser -prefsHandle 4288 -prefMapHandle 4284 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f85baea-09ae-4494-aa7c-498ef4fbea37} 708 "\\.\pipe\gecko-crash-server-pipe.708" tab
    3⤵
    PID:4116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4976 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4952 -prefMapHandle 4948 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {698dbd2d-eb80-44a2-ad24-dfdd38c50fae} 708 "\\.\pipe\gecko-crash-server-pipe.708" utility
    3⤵
    - Checks processor information in registry
    PID:5004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5392 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42414162-0cc2-429d-aa39-c6ec0d574385} 708 "\\.\pipe\gecko-crash-server-pipe.708" tab
    3⤵
    PID:2372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5620 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a888ff4-3ddd-4c07-9c3e-18e0094bf9f4} 708 "\\.\pipe\gecko-crash-server-pipe.708" tab
    3⤵
    PID:2164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 5 -isForBrowser -prefsHandle 5764 -prefMapHandle 5772 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {981c8fd2-afa7-4e98-afad-858e7f101bf5} 708 "\\.\pipe\gecko-crash-server-pipe.708" tab
    3⤵
    PID:2332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 6 -isForBrowser -prefsHandle 6256 -prefMapHandle 6252 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {647fedfb-4d97-4fda-86ce-7cc166f020c0} 708 "\\.\pipe\gecko-crash-server-pipe.708" tab
    3⤵
    PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffa6832cc40,0x7ffa6832cc4c,0x7ffa6832cc58
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1952,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4512,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4580,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5212,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4464,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3424,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5492,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3328,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5772,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5180,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5784,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5940,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6104,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:5460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6208,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6676,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=7556,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=7600,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7584 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7732,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=4196,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7628 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6508,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7920 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=8084,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7940 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=8108,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=8088 /prefetch:1
  2⤵
  PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=8116,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=8080,i,17494876225195804292,570034407504719396,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:4640

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4172

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5848

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x414
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5608

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cfbdf23b7585a584ade7fd1f6794d6d4

SHA1
467b5bfc33f736565863f153a38fa7d81f32aa7a

SHA256
2902d43cc4139a149ea3d05c51c4a5b891706febb365f4af7fb43b8fe9e98339

SHA512
3033b50e3fcdc8888aafa77d67f12d0bc2cac0b86a2f827d945b670fb7e05e88a657b63184ef36094181f4b025a43ecb0b96b6eafcd46eef4396aa85f198e8c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002f

Filesize
20KB

MD5
efb9f6a1680c9d3ce3abe4d5a75c7c6c

SHA1
a454374b7f43f129d4245e73c2048849a78768c9

SHA256
96919908509422207d3fe3dbdf26a7bf0da651dae2b8481c4dce4ef0812add18

SHA512
1d6fa00634b899162a4e97adf05cdb97ca1eeaec3f43bdef4412ccbe4ae560ee19073817aab38508b724f177e7942b07982acbf918750fad0385d3b5db3d124a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
67KB

MD5
bcfda9afc202574572f0247968812014

SHA1
80f8af2d5d2f978a3969a56256aace20e893fb3f

SHA256
7c970cd163690addf4a69faf5aea65e7f083ca549f75a66d04a73cb793a00f91

SHA512
508ca6011abb2ec4345c3b80bd89979151fee0a0de851f69b7aa06e69c89f6d8c3b6144f2f4715112c896c5b8a3e3e9cd49b05c9b507602d7f0d6b10061b17bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
72bd4de99d2b8f8a2781b94b02219333

SHA1
dd3261b59e30b1deb7b074a9e64802e156681079

SHA256
8143f509b70252a36faf7d263f42e3a4fbd0be27dc085860ad24854d3483bfb1

SHA512
5ebbbca7e1a5086676411f3f55a58b766567f4120788468cc7bd60a2ffe7eaa64c8351aed59011cd9c341f95dd57af0e5b855f353d4e1ccc0ea811c61cd9a37d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
0cfba777bc3c154083da622cc1f6e6f0

SHA1
98d5113a061436ea733550296dd97e6c56550073

SHA256
785e1f69364243ab8e8c4554ffc7dff3f916b6b8c6cbc33f5b7ab20ca4f3567e

SHA512
873de3ca133ee2289b948758d239029b518b3a858b2f55e55c7e3e7b3820cac6c8a415f8c427c909b3c3e9f402b2bc58fa69d6b7fa774ba45ef7ec193328ea47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\9724f0a6-3fef-4f58-9607-5dc6d481a92f.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
21KB

MD5
daad844215ff46fe72dbc83088371a29

SHA1
32f0151c19d8644a127b37b1b275a783de7024d2

SHA256
fac040f5c776d4e37aed83680b704124deacc5b0962c84722605e99172a162a1

SHA512
4939e69245ee3f189e3903f0de7f299435100f77ef6e37e8f23103d4fb1d59fc21fe88198f5126238cc6e7fdd4da9c766ae379283d373d219cc6d333a87ce01e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
39b6a2899c0d4aa7d1f4c7ca3fc10f2b

SHA1
a65b751fb4a9024a8a47ba77098bb0f095c146c7

SHA256
1620232f773bb2f87b701471c3d3da4a279093d2ba3fcd7106fc4bb99518df14

SHA512
714797acd527ae59b2264d00dba68c4db10a8c2fe36dd4f7272c24ddd111bc434182c21917924c9440575ec31fadf655f744e7c7ead96327d45fab9f695487c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
603db2954016b0249ea4ec5529e8a4a3

SHA1
e718345bd61cd6a78c3449eb7052771234d6228c

SHA256
e086cb7867c80c0da76574b942cd1c02996548f8933a994a592d418cd14d416f

SHA512
bb4032a903aaf09dd168c63a036a4d7490cd087da4c36aa0e969315f0149c69fee0779d1cbac6e6f6b90342095ef2613ef50bef46e9372bdfa927a9623982ebe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
5KB

MD5
ba368e66aa1bcb079c825f4ca5163b8e

SHA1
6497bb8ee72128c25d61b41290ef2610e61ea3c0

SHA256
65d8e45c55aedcfc0529943e9e6997e74004b16bf846770e80d9074ae79170fa

SHA512
1a1d07be2b499c9c59877866d7aae86cf25c189cf6d45279ed92486bed9c090b4fa34bf9b77b4e953c9e1ac36d828f9abb7fe9be182c3e23f1f3258a372e5c60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a5466bbb7772049b032b34db7c219598

SHA1
e0acd50da139a19665d20e9925fe8c7075cd4b16

SHA256
187e441f8c4dde96c8c204d4d7f85f91481c4e3a2c6e768e7b18560f42446950

SHA512
9af3082edea9d2680b9adce61623e7e7d6f5eb82472a6409f5728bb2f760ac4b9a47bdccd58618e81147bd4241a19a6fd2725fbd85b87aa93be2e48b58578af7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f51716cc0e2415caf97e56bf5f435cfd

SHA1
35bf445d9f23888050c753fc5bb4b7a181148b4b

SHA256
574ceb40180a4a9fe1105edcf695b40a800d3cb26cad4dd79565e4d5d0f2163b

SHA512
dd2785a332777420d46b2bfc8b43848d75108074febac5d68240ea50d9d178fe4a9367b0d06031af49f8b99ab360836bc6387f908eb8b949182315bd5e6562ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa2276103cd3f6bd52d6ebb6bc1d8080

SHA1
24af939ae4d97d53fe5c5e0dec480d9a3d49028c

SHA256
84e50a9f2980ef9017111a8a383396cd8a77d85b9f7e957d28ed223dbc83b80d

SHA512
3d3e1261f4d9fc9cc40fd00612a3796c45c582589b2c57eafbc305c647380ba5f5bdb8924d8a9403f16f6a3e7e2232a198386488dc6d4ccb8fa43732014c1d34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
973ab207097dfc50c4da3c6b2daa46cf

SHA1
4b755ad9616308d32c3bfbdb575ef800b6f2984c

SHA256
ba966d20e3597e8a0435cf78ceb2e5ca95467d86e48a7a7c2df8dc4128826a78

SHA512
29b8c136ad92aeff37645f506e5ead249d4048b29659b9f68abb512c7806f718bec4e6668d5403eedb057276ac5081607d1747bf58889e5a387a3a68896e355a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
00484d71ee96f7683e0f7f78534c84b7

SHA1
50942a3a37b333724a38def3d16d96cd977ee9cf

SHA256
1c028d2cdf8be9875aab1afe8f4b7d2aec4eaf64ed62eec61f4ccafaf12a1d9c

SHA512
673d2d11519eb76b1a361522cbb4823a341c7fb62b2a9c1c6201ca7bf8b1f827c1361192fc51d928a471a5d5ee9dfb0964f530c4db417a870b166a247630a291

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
1ff5e3ac2868f66dd38ed3ca3e25b31d

SHA1
bdc46a543ed4bf20dce6c6ab62fabd9639b742e3

SHA256
20e72a41923ea99b2afac38545214f4f9e847a664de88bfdfceb49d3af421908

SHA512
0165bc3b0aa198951ae5bb0d82b570e9b0cdd3422132d6a4d16ce0709b31e8a8156ce5bd293c93de290c147bf73e4beda4d0c4428479b5a67e9e3ede4498f717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-12-14.341.2224.1.odl

Filesize
706B

MD5
66e302a8be4e6cfdb218fefe57b4471c

SHA1
fc3d71ca0228cb6f63ef97ed2e051044a074680e

SHA256
eb4429158d636675585e90c493759f6ba44bc9e5054e2e27140e605da2f1b293

SHA512
d9f02e3ac9934263d4f3255665d191d7f391045e96706c9996ad3445a9ac43c4ea5a9108a15913bfa3908fc3170b87a951313a0068bea132c81e69a9a94c97bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
9dfd6955076782f3919d3a6066f58924

SHA1
357889a2dbcd443100d3f8afc7efe186c0c2ca57

SHA256
c6655fa3bf4d337abbe7f9d4daea3a3e880696e0a0c040ce9fd5c548a8659d39

SHA512
ba9c0fd1d3f3e8080c6e16f702260b1658ab285c52d3f8c7e63168bf72ed719e04e6993fe4f4f129f5c00fc292a8b598a6cd4441ecae7f879433149a01a3dfbd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\cache2\entries\586D25A03895848B0609C1B0C9097200E0CF65C6

Filesize
61KB

MD5
3f0e7cb68d22a33778956a77cb725f95

SHA1
b261dc485b68b909a247a0b918a81932cde98d9a

SHA256
396fa9d5ceec02d7dd135d72823636e0d5135ae86233b456e4b386bb728ad221

SHA512
fea724b9b70dba546523ddd6fe0d072388e3a9c0d79dac46b52f790638bffcbf0e4b4be1386b979fba82c26442329b945300e559a7649109f8b3b3ee2367aaf1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\cache2\entries\DC904F6FE13AF2FDD1A89E5DC2045B0E5EE12A27

Filesize
224KB

MD5
a573dda31966758a1ee4c5bc956d7815

SHA1
c3e7fa9dae4349c26224db3e2526db640ba2a145

SHA256
e9563027aad7c1fe46d1062201bf5f4f5b00d76f1db19f779a96a36fe86a1f8f

SHA512
a259e447546e06516562d0ef810f23fe6d105da5a340ef4db577e440b89659150504d0787b664b4422054cf5d972d13f504bdaebc21af239d9919a4892d5e85d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afyb4qvh.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
8KB

MD5
ee972996989e3039390293b2e5237b14

SHA1
1bac1ca127f8a1c1cb8c260edf5721c2a9ec67ff

SHA256
480b91a510288d18f2e7c1a96dce66dfeae55cfa410c66db8d1593fcb47ed329

SHA512
6908c3718a1d6de19ba2320556051e2639552a4a7a154a66409cd0f2206f14104f4efccd3e113bd855a3a121ff5a3ebc487ef67b7cb0e7736b09a7c08e4dc24f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\AlternateServices.bin

Filesize
12KB

MD5
76abfddeee1c103c6fe2eead32cf68ed

SHA1
d1c08836c51e11a9716a1d03ec752c87c2c36e8c

SHA256
9a271022441eb675d5d1a9c249922cac5147d7f28524c3cd4c358d9398d1336d

SHA512
8efe13fbc6cdf806cf766352aa0f64257d6b664aadff7fabb111047095c9c994ad5a7ad9668870e20607d3bf417e5d6f25b4913f0d9a50921bb24c41e2f5b45f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
d7a75b6a4e2e3d88abc7abae329afa61

SHA1
bad7e4dc58a4a53be79d82e7e1c1157b2912302f

SHA256
34466728e62641026e6869f010bfacdbd91b53fe1de4cce2ce4f818a769782e8

SHA512
c09bd5885fc5f5ef6cc8eeeb5c672a0ec3c9cf0363de17a5e06d25892f151a4484ae06dabf42a5ce3ac4eeb34ae6efe0fb1531fdb267b3bd568f0c58363b49f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
ee6a3a75cbf44b0503c4988c9636b6c6

SHA1
cf774bbc0e81fbe0cee7f02c48f13a7b01ec4037

SHA256
9477e0b04fec8ec9cc303d7f39705dce8b439f08d673b44d2900f341827fdce0

SHA512
f183327fa617bd85a85d743d94258f00adfcb57f766c763e74bc23c521f1b78a9d160a23295c4fa096eb9f954c7baab4b11867d8084a3888a47148148d1e4f3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
ea0187f8c0844244ce87d3f28fb2a0cf

SHA1
b5c89cc23080d50321ecedb26f4a098e84ff2083

SHA256
c9641602737cf7ab10a5af3da7ca1ef5a9ef45f9958fbdc0a6cb51320a71e9b0

SHA512
71bcf2e6bcd753f0c22a428f44c3b4a6d809e4e9d637320bca547fec04401721802f4f4107aaf399fe11a56a80df859fa67ea5aaa3a17a1717b5299d8bd6efd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\3cdaf659-04d7-4871-aa39-aec1484a1eb0

Filesize
4KB

MD5
88ef379261f2c9f79beb34566a5a7119

SHA1
64d0cc92964d66e369eb64cc1379387e103ee222

SHA256
1f496a68852ebfa5d26b2d64028aed71c34b66b713312d843ba9671ab42d0544

SHA512
51ed196f0feb8a430ebf8e68fa0e7a8b1bf10f6a102b05849570c0150839d70cc337bf9c5a1a04d91abd894ea89628e058fc81a9db3295fe3018ccd57221c12d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\3fe4505f-4ccf-41f0-a443-59521352230e

Filesize
982B

MD5
c962523a2e6445ad6db113437c985c32

SHA1
58bbac95218b4798b303d03088a4a6fa4f3874e5

SHA256
51b1482b9408b6d3eebc6af755ba8a33cb1124a9df8f9b447a904db2d24c326b

SHA512
0698f644af6b10e0afb61de3418a581929dbd27ccd560b4b9123c88416ae04f80d9d2185fc0856a54ff5de212e1eaadace3b447496699bd829c9c666f3535447

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\datareporting\glean\pending_pings\bf718fab-9186-4d15-bc51-c80d7d978ba1

Filesize
659B

MD5
50ca6278e43df60aa9927c20a2c4b141

SHA1
02822b13de6847cd6d0c991b201471a55deced0e

SHA256
8e373ef3e94748e6241d6244f5a2282949c747953d84faa3cef9336abd3a1eb8

SHA512
c7a5d14975898c6acb8c8765d9e14740eecfe718d240529760455c64955bdb12b3fdace4208a3cd6610cae1e999d85b0eab8766be445beba644f91fd9b4a0a52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs-1.js

Filesize
11KB

MD5
6afeec6ae2337f0f9bba180d64ed415c

SHA1
18a2e76056f2f582ecdb0b707c45e876e1b9c01d

SHA256
fcfbd5fd1fe74a1ddc13ac3e50929d34c14646613afaa2d738df48d1146bac1c

SHA512
5220e7f098594b88f3c7a2983e4dd0d81a5a4afd91f464d36ef771b0040d584c1fac2f1750c2d56008d23ec82978c842fdf0ae498d3272aa7e9a32a33ff4a014

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js

Filesize
10KB

MD5
398c98d987ca59147d9ad6441c843089

SHA1
6c52bbe256f863a0521f90298451cd9bca6748bc

SHA256
290b54b03a168dbef16a8c2d2ae2e5a017213fe18bb2f1a671c95fb713725e5b

SHA512
7931bb6d6132d26ad8075ee2f6879f02f8fa31050fe069fddaa6e8d034f4b0877017a7600494d5636c9b05a2de2917ef280e2236bbe8f7023758a513cff0b885

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\prefs.js

Filesize
10KB

MD5
ee9006e67cf8d08494fef5708f5fea10

SHA1
cb217199bbcfbfa58a3b89a17894ad86950f2ff2

SHA256
b3a2759403a74153d2dcef47f0a653e9852bf9ba964fc741f603f6096a30ff26

SHA512
59ce4cc6f677e18a3ee41cc15066b70e0d193e42b5cb4fca3c76c5fb6cc0214c32d2e3369497c849f4232da0d00be26cdd6abd0b68b1994eb739ed34415f21bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
dbb0697cc15c6ab9f4d418f7db370fee

SHA1
15527ea7534210f06eaa2e232a51225f9c1da90d

SHA256
0191c404c6664b8e99b1447aca42e317c6cb1d4b3aa6db315167b99efc6eba38

SHA512
d52c3ad9d1f065b6dfd0401e44c4ef66169bb6c1206da29da6fa03bf57e091b349ebae51068e56a84e2ebcff2f16f184460b594cebfde483e1c10197d5968c73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afyb4qvh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
6feabc4689a5552f7b52a19ffab0eef9

SHA1
48234cadd8b6d454ec230fd332402fc55549d42b

SHA256
569b4ae7814718600a351b053f1992f6ff8fbed2e12c3e00276703e27e57deb1

SHA512
276eb8715572cded564a614522886cfe588f1ed43a0112dbfafdbda0a039be3c2e765dbdf5cefb78827a3c308df81cf74e0d98249b44b2349d87640b80b24f3e

Download Submit
memory/3884-6-0x0000022F3D8F0000-0x0000022F3D8F8000-memory.dmp

Filesize
32KB

Download
memory/3884-17-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

Filesize
10.8MB

Download
memory/3884-10-0x00007FFA71903000-0x00007FFA71905000-memory.dmp

Filesize
8KB

Download
memory/3884-7-0x0000022F3DE20000-0x0000022F3DE58000-memory.dmp

Filesize
224KB

Download
memory/3884-8-0x0000022F3DDE0000-0x0000022F3DDEE000-memory.dmp

Filesize
56KB

Download
memory/3884-9-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

Filesize
10.8MB

Download
memory/3884-0-0x00007FFA71903000-0x00007FFA71905000-memory.dmp

Filesize
8KB

Download
memory/3884-5-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

Filesize
10.8MB

Download
memory/3884-4-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

Filesize
10.8MB

Download
memory/3884-3-0x0000022F39C80000-0x0000022F39D3A000-memory.dmp

Filesize
744KB

Download
memory/3884-2-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

Filesize
10.8MB

Download
memory/3884-1085-0x00007FFA71900000-0x00007FFA723C2000-memory.dmp

Filesize
10.8MB

Download
memory/3884-1-0x0000022F1D500000-0x0000022F1D528000-memory.dmp

Filesize
160KB

Download