a337310a37558e91518d2e4e6fc73486acec4f4ac178118fc8c5a44d97e4ef5e

Analysis

max time kernel
589s
max time network
586s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
12-07-2024 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

radare2-5.9.2-w64.zip
Size

11.2MB
MD5

19ea998f7792b3ba3afbc8636de5dba5
SHA1

5b14ed9e033a81aaa72fdac74e251ae6c17c4a1c
SHA256

a337310a37558e91518d2e4e6fc73486acec4f4ac178118fc8c5a44d97e4ef5e
SHA512

469076fc5cb9f894d5d4db6288edbc983b77ed07952b0a3b429f17f0a7d1fcbb974c38e79f63dea7fe1dfa943fd29cee2d4b2d2a20d0aaabbee9059e58dae92a
SSDEEP

196608:awh+tHH5Z10D3xZqa62N5nm5xvo/walKONd2k6JXxAi87zk644vAI8wBCCp041Kf:awhonP1sZqAlwxy3lKLxVTLIrr0jf

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133652891455777109"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2876	msedge.exe
2876	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
2752	msedge.exe
2752	msedge.exe
2784	chrome.exe
2784	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	radare2.exe
Token: SeDebugPrivilege	1916	radare2.exe
Token: SeDebugPrivilege	1008	radare2.exe
Token: SeDebugPrivilege	1008	radare2.exe
Token: SeDebugPrivilege	660	radare2.exe
Token: SeDebugPrivilege	660	radare2.exe
Token: SeDebugPrivilege	1720	radare2.exe
Token: SeDebugPrivilege	1720	radare2.exe
Token: SeDebugPrivilege	4760	radare2.exe
Token: SeDebugPrivilege	4760	radare2.exe
Token: SeDebugPrivilege	3264	radare2.exe
Token: SeDebugPrivilege	3264	radare2.exe
Token: SeDebugPrivilege	3336	rabin2.exe
Token: SeDebugPrivilege	3336	rabin2.exe
Token: SeDebugPrivilege	2272	rabin2.exe
Token: SeDebugPrivilege	2272	rabin2.exe
Token: SeDebugPrivilege	1336	rabin2.exe
Token: SeDebugPrivilege	1336	rabin2.exe
Token: SeDebugPrivilege	4884	radare2.exe
Token: SeDebugPrivilege	4884	radare2.exe
Token: SeDebugPrivilege	4780	radare2.exe
Token: SeDebugPrivilege	4780	radare2.exe
Token: SeDebugPrivilege	3776	radare2.exe
Token: SeDebugPrivilege	3776	radare2.exe
Token: SeDebugPrivilege	4416	radare2.exe
Token: SeDebugPrivilege	4416	radare2.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeShutdownPrivilege	2784	chrome.exe
Token: SeCreatePagefilePrivilege	2784	chrome.exe
Token: SeDebugPrivilege	3924	firefox.exe
Token: SeDebugPrivilege	3924	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe
2784	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe
3924	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1452	4784	cmd.exe	105
PID 4784 wrote to memory of 1452	4784	cmd.exe	105
PID 4784 wrote to memory of 1916	4784	cmd.exe	106
PID 4784 wrote to memory of 1916	4784	cmd.exe	106
PID 1916 wrote to memory of 4924	1916	radare2.exe	107
PID 1916 wrote to memory of 4924	1916	radare2.exe	107
PID 4924 wrote to memory of 1028	4924	cmd.exe	108
PID 4924 wrote to memory of 1028	4924	cmd.exe	108
PID 4784 wrote to memory of 612	4784	cmd.exe	109
PID 4784 wrote to memory of 612	4784	cmd.exe	109
PID 4784 wrote to memory of 1008	4784	cmd.exe	110
PID 4784 wrote to memory of 1008	4784	cmd.exe	110
PID 1008 wrote to memory of 4888	1008	radare2.exe	111
PID 1008 wrote to memory of 4888	1008	radare2.exe	111
PID 4888 wrote to memory of 492	4888	cmd.exe	112
PID 4888 wrote to memory of 492	4888	cmd.exe	112
PID 1264 wrote to memory of 868	1264	cmd.exe	119
PID 1264 wrote to memory of 868	1264	cmd.exe	119
PID 2908 wrote to memory of 660	2908	r2pm.exe	124
PID 2908 wrote to memory of 660	2908	r2pm.exe	124
PID 660 wrote to memory of 872	660	radare2.exe	125
PID 660 wrote to memory of 872	660	radare2.exe	125
PID 872 wrote to memory of 2096	872	cmd.exe	126
PID 872 wrote to memory of 2096	872	cmd.exe	126
PID 2908 wrote to memory of 1720	2908	r2pm.exe	127
PID 2908 wrote to memory of 1720	2908	r2pm.exe	127
PID 1720 wrote to memory of 2544	1720	radare2.exe	128
PID 1720 wrote to memory of 2544	1720	radare2.exe	128
PID 2544 wrote to memory of 4032	2544	cmd.exe	129
PID 2544 wrote to memory of 4032	2544	cmd.exe	129
PID 2908 wrote to memory of 4760	2908	r2pm.exe	130
PID 2908 wrote to memory of 4760	2908	r2pm.exe	130
PID 4760 wrote to memory of 3628	4760	radare2.exe	131
PID 4760 wrote to memory of 3628	4760	radare2.exe	131
PID 3628 wrote to memory of 3160	3628	cmd.exe	132
PID 3628 wrote to memory of 3160	3628	cmd.exe	132
PID 2908 wrote to memory of 3264	2908	r2pm.exe	133
PID 2908 wrote to memory of 3264	2908	r2pm.exe	133
PID 3264 wrote to memory of 2596	3264	radare2.exe	134
PID 3264 wrote to memory of 2596	3264	radare2.exe	134
PID 2596 wrote to memory of 2512	2596	cmd.exe	135
PID 2596 wrote to memory of 2512	2596	cmd.exe	135
PID 3336 wrote to memory of 1800	3336	rabin2.exe	140
PID 3336 wrote to memory of 1800	3336	rabin2.exe	140
PID 1800 wrote to memory of 1548	1800	cmd.exe	141
PID 1800 wrote to memory of 1548	1800	cmd.exe	141
PID 2272 wrote to memory of 4320	2272	rabin2.exe	144
PID 2272 wrote to memory of 4320	2272	rabin2.exe	144
PID 4320 wrote to memory of 2372	4320	cmd.exe	145
PID 4320 wrote to memory of 2372	4320	cmd.exe	145
PID 4064 wrote to memory of 2764	4064	msedge.exe	173
PID 4064 wrote to memory of 2764	4064	msedge.exe	173
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174
PID 4064 wrote to memory of 4104	4064	msedge.exe	174

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\radare2-5.9.2-w64.zip
1⤵
PID:3040

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe"
1⤵
PID:1756

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe"
1⤵
PID:4544

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe"
1⤵
PID:1264

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe"
1⤵
PID:760

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe"
1⤵
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2.exe
  2⤵
  PID:1452
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2.exe -ACdfjLMnNqStuvwzX
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1028
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2.exe
  2⤵
  PID:612
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2.exe -c
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:492

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe"
1⤵
PID:2772

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe"
1⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  "C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\\radare2"
  2⤵
  PID:868

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2agent.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2agent.exe"
1⤵
PID:3936

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2pm.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2pm.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_USER_PLUGINS
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:2096
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_PREFIX
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:4032
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_USER_PLUGINS
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3160
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_PREFIX
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:2512

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe"
1⤵
PID:3064

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rabin2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rabin2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437 > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:1548

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rabin2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rabin2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437 > NUL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:2372

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe"
1⤵
PID:3564

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radiff2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radiff2.exe"
1⤵
PID:4592

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rafind2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rafind2.exe"
1⤵
PID:3688

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ragg2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ragg2.exe"
1⤵
PID:1980

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe"
1⤵
PID:720

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe"
1⤵
PID:3472

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rarun2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rarun2.exe"
1⤵
PID:2868

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasign2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasign2.exe"
1⤵
PID:4924

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasm2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasm2.exe"
1⤵
PID:3044

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasm2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasm2.exe"
1⤵
PID:2320

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ravc2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ravc2.exe"
1⤵
PID:1388

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rax2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rax2.exe"
1⤵
PID:1620

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2agent.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2agent.exe"
1⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffece5e3cb8,0x7ffece5e3cc8,0x7ffece5e3cd8
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1812,10387059264751117267,17955985696149955783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
  2⤵
  PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1600

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe"
1⤵
PID:4292

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rax2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rax2.exe"
1⤵
PID:3496

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ravc2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ravc2.exe"
1⤵
PID:3808

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasm2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasm2.exe"
1⤵
PID:4576

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasign2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rasign2.exe"
1⤵
PID:756

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rarun2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rarun2.exe"
1⤵
PID:1912

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rahash2.exe"
1⤵
PID:4076

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ragg2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\ragg2.exe"
1⤵
PID:796

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rafind2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rafind2.exe"
1⤵
PID:3472

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radiff2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radiff2.exe"
1⤵
PID:3904

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe"
1⤵
PID:2120

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rabin2.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\rabin2.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437 > NUL
  2⤵
  PID:4560
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:2884

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe"
1⤵
PID:1196

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2r.exe"
1⤵
PID:4756

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2pm.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2pm.exe"
1⤵
PID:3484
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_USER_PLUGINS
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    PID:4552
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1048
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_PREFIX
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    PID:1444
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1556
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_USER_PLUGINS
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    PID:2324
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3616
- C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\radare2.exe
  radare2 -NN -H R2_PREFIX
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437 > NUL
    3⤵
    PID:2544
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1124

C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2agent.exe
"C:\Users\Admin\Downloads\radare2-5.9.2-w64\radare2-5.9.2-w64\bin\r2agent.exe"
1⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffece49cc40,0x7ffece49cc4c,0x7ffece49cc58
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1816,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1968 /prefetch:3
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2180,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3560,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4456,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4784,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2480
- - C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff693804698,0x7ff6938046a4,0x7ff6938046b0
    3⤵
    - Drops file in Windows directory
    PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4280,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4532,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4564,i,4866686108944567570,7806594954823282978,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:5060

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1028

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2548
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1844 -prefMapHandle 1828 -prefsLen 25751 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {106a4031-4023-45c8-a3e8-4fddd7497ee5} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" gpu
    3⤵
    PID:408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2332 -parentBuildID 20240401114208 -prefsHandle 2308 -prefMapHandle 2296 -prefsLen 25787 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb9424f4-fe31-4e86-888a-5e4c3bcc46bb} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" socket
    3⤵
    - Checks processor information in registry
    PID:2264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 2812 -prefsLen 25928 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b8e152-8599-4c22-b185-d9f78ad3d560} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
    3⤵
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3636 -childID 2 -isForBrowser -prefsHandle 3096 -prefMapHandle 3300 -prefsLen 31161 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3fceec2-685a-4e63-bb8d-04ed3f783f87} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
    3⤵
    PID:484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4244 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4324 -prefMapHandle 4320 -prefsLen 31161 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9df57918-624e-48f0-8bf2-c408c674f489} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" utility
    3⤵
    - Checks processor information in registry
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5336 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65cc732e-0fc7-467a-a8fa-d74d46c2401f} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
    3⤵
    PID:5584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e99fa5c-2c6a-4813-a11f-8ff399f24e92} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
    3⤵
    PID:5596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5576 -childID 5 -isForBrowser -prefsHandle 5584 -prefMapHandle 5588 -prefsLen 26990 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0a82658-9fc3-4c6d-ba56-99bebf7ac922} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
    3⤵
    PID:5608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6048 -childID 6 -isForBrowser -prefsHandle 6044 -prefMapHandle 6040 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1336 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6d51f98-5344-409f-a72a-bf3957d9afb5} 3924 "\\.\pipe\gecko-crash-server-pipe.3924" tab
    3⤵
    PID:3208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
11d5d4e06af9f2cf818350cd33b52867

SHA1
ba00a73be2e16fcc44b4c8edc761df80e2c87bbc

SHA256
d26d38b0873463075572c8e5c37500853f48a4c120d100562acb5caae4e35c0b

SHA512
6536967b9cce1eced22b583b5024ba6dd0d8de46042aedf0acc18b155250c50cac9face07345a6ad08ffb55691eb1ae860ad6bde42c1d3a9766b4bd78ff913b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
33ca1ece5093954c26a36e80d3daa0ed

SHA1
9f9b27ef3d13cc0d997c9ffbf8417da71dacd7c2

SHA256
cfe872d8e26263361645308d535fdb59f5a3713f9b62bf4eb7db00722b9fbc7d

SHA512
04cadd2d5b69c9f3d2f9d788a595c35bbb9f578412913a6556cc0ce5426c0a54dd3787a8aba9fecbaaf2c8bf2f1a5ad1ef2c971b7928f9e11511364e4c43142e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a7123a0c9a7b07793aed0fb82d36fee9

SHA1
cba61b5002f8cb9d1e8fee557c7dc71dd7f8820d

SHA256
3843f6377772de01258e7cd4149eeb3fdc8110fb14c989b0e426eb18d43f1c8a

SHA512
bcfb53b6bdd181a7bb38d55595985bf6d74f5482d0b81cfb0993188f647b384a5c5d38173767036969d6b1d5edf16db1258b8ea4cacc82a7f28fa31bb636ec94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f00adadb651aa33d3355be7fcb31f2f6

SHA1
8cfda861cf7e85e84379de7cd0b014615b9a7be0

SHA256
7d48e8a75292faa9fd0a08e6cd263d9c666d147b233977608abb92ea0c8922cc

SHA512
c81180a26bf99736aed00314a2ef5e780a4820e6635125b342dd5f327f7515d392b5c4329f64df65a3f11248271b8ed86a35e6fa4936a917785578d3002d17af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
3311a4a4111febb00f4fda8547123d44

SHA1
f65e1ae966b841dd501448ef5dcac2d9b2852d3a

SHA256
1cb2f6d7eb45266f519a44107e81450c8b94ad2d30b79cb74626d9e8101d38b4

SHA512
513ff835a8af383cd60889a01afc770a8b6b83cd015afa20b54915fabac34138727be4316f6abbf905f4dc33cafca2137f66370ec425b4ca16de98f5b76783fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
182KB

MD5
2fb127e63e941fb2b7fd8a3d6cf7a3da

SHA1
7f0ce94dff97d19d1a56216a057c31e1d973cc5b

SHA256
abf45d9150d72c88dd19b4dd4a0f0b7352abd99ae23404569788cf28f14e4e6d

SHA512
50f5bb85297f26ca5b1a1fcf0e6f9540c69894e6b8e943fa9381fff9cab2183e45860b8c201979d5a1d604afe1fd2077e334abbd571e24ef367f0df66a03103b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaeb604a99d78c4a41140a3082ca660

SHA1
6d9cd8a52c0f2cd9b48b00f612ec33cd7ca0aa97

SHA256
75e15f595387aec18f164aa0d6573c1564aaa49074547a2d48a9908d22a3b5d6

SHA512
1091aa1e8bf74ed74ad8eb8fa25c4e24b6cfd0496482e526ef915c5a7d431f05360b87d07c11b93eb9296fe386d71e99d214afce163c2d01505349c52f2d5d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fe10b6cb6b345a095320391bda78b22

SHA1
46c36ab1994b86094f34a0fbae3a3921d6690862

SHA256
85a627e9b109e179c49cf52420ad533db38e75bc131714a25c1ae92dd1d05239

SHA512
9f9d689662da014dfae3565806903de291c93b74d11b47a94e7e3846537e029e1b61ad2fad538b10344641003da4d7409c3dd834fed3a014c56328ae76983a2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a38a8fec2f7c7e4fa0531823ed649c81

SHA1
46482ad909daf2d761de3b52c2e674f7d5783e57

SHA256
63a52bd34c4b2460334c0ced9cb488c867710617146d38a722225e82cb0a6f63

SHA512
424f618df82cdfbfbb19a2e9370f55a60414c79ebeb5f0aa368fd59b0a108291bb49b4cf437e86020214f39af5d88a91358671eef422d6cf5ccd71d3a6b75543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
33d38777f384bf1ae22386ad9c563171

SHA1
ddc45f3af0577e0f0482d105d72cf53baf7ac250

SHA256
228c7cebf321fedc0f279c74cb59339c7a0852963053048f12d7452d25331a08

SHA512
6aa87a9b2b414c7e61b7ea9cce89c24fbf8bfd4ca9566245cb56a67ff416b852d953911cca6fb0ca4404b34ce2b1dacd4362f99a56a05a0967327c40ad386dbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a02df4efee16c3c67517d897d9b996c8

SHA1
e011b1508f2db4aab99dfe7b7df66b1fd054ac27

SHA256
b6cf4eab39e1b3d99d628a5b60c631939ddffb9bfb9e0f58cae903b757799e67

SHA512
937a5d9e713eeda840f848d834d8927e28dd9afbc3fc01412707cec31162accb7ba2a222a318d37503a8585c7bcc4adf686413442a79a77d8bb3533bdbbe087b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c742b8934b16a3a7e292ff4ba1e10c54

SHA1
b964b179793aaa4c6091a69ea7e05287d0470bfc

SHA256
82a77d2db49682bb5f0863c29990f05a9eaf8e272507c5ecee87da0ab2f0eab9

SHA512
60482d0bd00425232ae2131df262d97a2b29cf10bf7b4e1e3a55f0bbe7ed6eae76fd5e8187ebe14c9990ccaf046c16c2b2d3507f6db72c165a479f01eb4bbdb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c77edbae41f854242dc7bf7da79882f9

SHA1
6949676e1bf5bd4d0da9744ed2c7c7b642dba014

SHA256
938a087860cab51e561a7d18a5d705f227a5cb238e7c5463794a44a6ce04c26d

SHA512
9e3c9f228e34f93159f85ab0819228b804d67e5937ef6e3105b3f1e1ae7d2099d279c4ef8fe824aa01ded87b5d682618ea7eab6701cf361f879a20546b784708

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
e2f10c15c8c932c06f2d8d4bdd995135

SHA1
e1bf0f607ede730ee9421ad7b87c12352e1d0cd1

SHA256
2fe0b7a85c08200abc3d7b0ee8b502d5c46868ddf517a5d0aee09554dc22850d

SHA512
894e420c6ba12cf105ed93fa99402952ca567f98d9519049c0bc7faf483dde04ff5d2022a080ff9513b2e200a10474b086dbc5567cb54b2d17b5c057fa6b9fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\AlternateServices.bin

Filesize
8KB

MD5
91ee16a8a4dc8abb94d624fd6a02b0cf

SHA1
b22d2841ef192e993893109740dd2b2f5f3da258

SHA256
0737752899eed638728f0e630a006b471591903c7e2f2ae0b5ee60863ad7c5ba

SHA512
a3cb37e276136d50537d8fccecaff914837c6c9b81a0e11102d61af49bb05239790b5a8437363573fd64cbed2563215deaf1618fa3d017346be856bbe5cd6f14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.bin

Filesize
6KB

MD5
afc5c6016bece00cc3094d6b2004400e

SHA1
0044bad72eadcd58e30917d44457a53fb8cdfae5

SHA256
8205360738ac465f180d48cb709a64a15406bbeab3d12f5791dfa7bfb1524af0

SHA512
1d7ebf468d4f5fd17b160005d27b4126de5573fa25359c0c904efbf8d1d8bf85123d7e0fe0e4eda07d5b2549d1bb7b1f1f5f5aff9b3e5012156e78258c4886c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
f526a0fb31c35bcc9707e8925c62c84f

SHA1
fdfc16bae55134a73f05bbfe9877dcb9e7fb5145

SHA256
bd562ddcbd853a591f870109fff6f8a6a66a4d3801389379f3e817261aea6315

SHA512
0f9557712946b668056a29756b9153ecf99f2fc4b312fdf8d516b6116f0814e33fd7ed9fb8890ca0cb4780022420f0811434ed4cbfa4d3290eae4c3b920769ac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7fcfd9dade1211f12f288ed43c764a58

SHA1
d424a16eebde1bd65c935cb87099e7d0a606d323

SHA256
f19f40e0a77a2863f4f764ce973456fd54b592ac7b05f7962690c35a01fe1428

SHA512
bfa62e8bf50629201611a119c49da6fd496f5a1a79bfacee24b85d6ba09c8f9c3052642fb9bfa2cb75370e5675c5e79581c59c171d212d51e7dbe6bb677296a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\30fb8db3-ca89-4543-9dce-1c09fcccdfb0

Filesize
671B

MD5
a9e92c8767909636793669ce4f92428d

SHA1
be0fa7c942a664826323652ae2cd2c03f3cfef13

SHA256
35be3d6e021dc3a201d8d6b806fb9c529b9fa72986d6257b4b7338de20d41051

SHA512
135db17b0ea5991607af8297fca1f43ef20d5520974bf20891b9dcd8666d3cad81cc24476bc2b9757de7a5857e907f397cc48723d934ad0fae87c728c11d824c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\752f42ab-6e78-4d65-9ca4-10a2151f0b05

Filesize
982B

MD5
0ddcd0bbbc0d2f9749a723457b095c1f

SHA1
473e5d9e2066cf3d08bdbd75c695348109f53207

SHA256
a69a20a5222cd5e4b613aefcf466fbf357012addf56256a83c818a86e050fabe

SHA512
00a23d3387b8872d7c874d47505812919f887bf476ebdbd4c2f5110718f146534b20ff8944a0a03fdc08d795e5816f7de435da009057470491036352683cbd10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\datareporting\glean\pending_pings\deccc5a5-a6dd-4142-ad15-9c733829c10d

Filesize
25KB

MD5
5d1af58d841d158c8c52643277b7d64b

SHA1
eba4c33f5bbb10bf21274debce2819727af7aeef

SHA256
d5c396fe54bff3b66961a5774c4e702b99434d9d00e373355212f2c25effb0d2

SHA512
3cce3ca7d943b09832b9210edde1d74edd9079d34db51cf53269fdb30a17c209a8b684b71f6dba3e3fe8f9011f7e597d737b0a0f419907cd0e7e1abde4d6adfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs-1.js

Filesize
11KB

MD5
a4bfe80f4caba525f4369440dff71363

SHA1
dfc26e9ff460f55ab105de7e35d73e29d24de5fd

SHA256
bb45a39ee1d10a1f86e8df930db3d0abe8fe2b3e03d07ece7356044618640856

SHA512
55c6c2acbfd66ccb0fc19ea090ee5c4e94a77a05dd6805c55a011c049a5a03d733b288ff1e4ccbfd2f5058ae461b3b5b3a880a8500851471236f94326ddcfca8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

Filesize
11KB

MD5
d9fe743f30bc155061f0616a9ef048fb

SHA1
9909f40fa12c492fcf290a69412766ac46cdf833

SHA256
f7cc9627bf2199d69084b3a3b978db89e6767c058cb5c54125dc2455cb26f9ed

SHA512
c925f3fb8e7257b8ba5d965b5095ee8a0680307b5bdf4cbcf00275c2b82869256fa5e51ce70290cd1cfc28f82ac223c735f0a682132852a5cfc5cb8e59c2adc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

Filesize
8KB

MD5
1c136ffcbcab20635eafab570ff0b0d5

SHA1
deea3a2f9a11d9121a6abb15e65e122b24979505

SHA256
8dca6ae3badea5623598352206caf9ba50a643b0bdcbf55a43077806f8a069e1

SHA512
7976af89d96d15cfc828f7438182ec9de910248f599b706ce261376faa4f1f034a70308fe84b7754a514cd9874339638d6a199fef89ea971649b997175b76cb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\prefs.js

Filesize
12KB

MD5
e80992bf525ef2c6490bbf42857b23ef

SHA1
af194813ce0a2f8e4db0e537117012d6209cb3ea

SHA256
7b4cf7478e7563ceb14f5b5f323ff65f5dfdcdc387277959d162a7343ca6c6e8

SHA512
227d4af60866685be4043faf7378b8bb8389b622891f3b0d00725f28e390531f5523b4d4a5ba55a2469f1171d1132fc5fbafe9cf73e6b83e45a9eba472e82e08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
fa27b0da62aed95ce23d5cd9d6bf7f8e

SHA1
f07cd87f0fde5c51d4804130b06419e2ee0c387d

SHA256
d0e7c8f0b776f2a9447f27a5327324262d09eaec997bbbd5f0610ebcfbec05e9

SHA512
445baa8e357a667fb9dd19809f5453bb70e14e0df7fff2a1ead2696d71d865101d986aa9874643ad2356bc1705b02405dc77a717acf46b318c5cc9e2caf23183

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
3f00790dbb2056bfec5cc999c22a39d1

SHA1
eabe348c4cbb115838ae960a261c95565c42c3df

SHA256
e199e21dd39be4a485a50ed5e57199185870aaaedf78d7bf6c32344dfc51e7fd

SHA512
2fab45c1711573fa5cfb4b2f38aa3f6969a30988959e743064758de3a421e62fbc750b1325580b0b2e08d12fa7c69048535f2a50401d122c5a977ff5cef1e578

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d7ed108f70ee5eb080bd84a15a0afe67

SHA1
cab1ab03bf12dbdf4642fcd2b146b971caad2c7f

SHA256
5b36f35e79db1b124b93f73bbda0f034ce47e37e649d54ad58f5ccd92d8fd1e8

SHA512
3bf687b8eb8a14c7cf9fea245f366261c0b15a60fbbb5b83d90175ac3104902c50e84c2fa9d5570a2cce2991d886fc1d1fbdc0505fabe71ebc9f600400b25bf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
36fb92c3a784d42fccbac1c717eeeb8c

SHA1
9ba0d3f0f15b3d01929cb4187fed2fce98d2bc6d

SHA256
fcdd210833ec3763d6a37809270e18a8d339585d2f0f02abe8543d6bcac4f3cb

SHA512
3356be817c6beda1a14957de3f72200cfa911af298f07ce5b04113fabd1cf30472104450d41f651ae1da80d0a3e91c6f9206967014b7a8c22fb947189c3b135b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tu0k8f5w.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
705080a92a3cf46342851b6a6ea26bde

SHA1
017d306b8a4020ee3b0f6c8f65f793e61cd3a38e

SHA256
d232565b1524a4459e1f41b153db3f0bfda40774c38db33e4cee898543d96935

SHA512
8007cf8cbee418d6f0434e24f3b20a181e629f29e3d452a662adc1c4867ce490431df9fd3d2b50a055e4f604813efa668da77b29c04683d82c3a82452c128751

Download Submit