c746ebecaf2ecd213856b81121ddb0e92aebc7b6a44bb6480f217fa94a48d6a9

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MantiWPF.rar
Size

126.1MB
MD5

bd9792758b76ba95e96a99b92abf89ce
SHA1

912eeab7a4f9f85f8c3a8f526d096d5c9f1e8a85
SHA256

c746ebecaf2ecd213856b81121ddb0e92aebc7b6a44bb6480f217fa94a48d6a9
SHA512

9fd7bffd69982b777965ee3665b7a7192e7cbef57a7ba51c42a6580334d3af5f306f9c075f85fc8fc679c76635bf9b5ff04e1ecaf9879d35516c1060bddcd499
SSDEEP

3145728:hTPKxoK8eb4MKus3JFBvqVe8T5JqNjHT2Xnjpk137RgxuO2:hTPKxJF8du8J3vmxdINjHT+VYrRC2

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3888	winrar-x64-701.exe
5664	winrar-x64-701.exe
4472	winrar-x64-701.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689957286394690"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3236	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeCreatePagefilePrivilege	1276	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe
5756	taskmgr.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
3236	OpenWith.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
2632	firefox.exe
3888	winrar-x64-701.exe
3888	winrar-x64-701.exe
3888	winrar-x64-701.exe
5664	winrar-x64-701.exe
5664	winrar-x64-701.exe
5664	winrar-x64-701.exe
4472	winrar-x64-701.exe
4472	winrar-x64-701.exe
4472	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3160	1276	chrome.exe	96
PID 1276 wrote to memory of 3160	1276	chrome.exe	96
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 1548	1276	chrome.exe	97
PID 1276 wrote to memory of 2796	1276	chrome.exe	98
PID 1276 wrote to memory of 2796	1276	chrome.exe	98
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99
PID 1276 wrote to memory of 624	1276	chrome.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MantiWPF.rar
1⤵
- Modifies registry class
PID:1444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa85c6cc40,0x7ffa85c6cc4c,0x7ffa85c6cc58
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2308,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3288,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4664,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:4292
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7049c4698,0x7ff7049c46a4,0x7ff7049c46b0
    3⤵
    - Drops file in Program Files directory
    PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4940,i,7843548605924654341,12342466432776811169,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2688

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3840
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a672f5e-6b7a-4834-8d85-6369f09d2d08} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" gpu
    3⤵
    PID:3380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2424 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {389b6aca-7c75-4daf-a623-f47ca8be7777} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" socket
    3⤵
    - Checks processor information in registry
    PID:2660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2996 -childID 1 -isForBrowser -prefsHandle 3144 -prefMapHandle 2992 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffe9cdb-1f02-4104-9756-d20fa16516bb} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" tab
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4220 -childID 2 -isForBrowser -prefsHandle 4212 -prefMapHandle 1232 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ccef128-0d16-4840-a197-136fe94af1e3} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" tab
    3⤵
    PID:3864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4700 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4636 -prefMapHandle 4632 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11a4c3d5-61e6-4f8f-84fb-29c539882df1} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" utility
    3⤵
    - Checks processor information in registry
    PID:2280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4860 -childID 3 -isForBrowser -prefsHandle 5208 -prefMapHandle 5176 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c12d6f13-1352-47bd-a336-46d8bde0f89d} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" tab
    3⤵
    PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5116 -childID 4 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b391c96c-914e-44f2-8148-da89bc0ec06f} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" tab
    3⤵
    PID:5884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9a7428-1210-4810-8f49-054218be3653} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" tab
    3⤵
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6184 -childID 6 -isForBrowser -prefsHandle 6176 -prefMapHandle 6168 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d4ba8a5-38a9-4314-b03d-717058551961} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" tab
    3⤵
    PID:2668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -childID 7 -isForBrowser -prefsHandle 5200 -prefMapHandle 4192 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0de5048-4d3e-45c9-807d-d2a9c93083cc} 2632 "\\.\pipe\gecko-crash-server-pipe.2632" tab
    3⤵
    PID:5748
- - C:\Users\Admin\Downloads\winrar-x64-701.exe
    "C:\Users\Admin\Downloads\winrar-x64-701.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3888

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b9a04cca44cf4c78aed2328364aa2e9e /t 1384 /p 3888
1⤵
PID:2520

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5756

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5664

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9eb2e788c16a3bda8faeabe7667a3021

SHA1
cde07d9eca24917046eabad8b6dad6755189b08a

SHA256
e2544a4b4d2902a7c11d0d3451bfa9f53088dd55970df0a051f612ce41049e5f

SHA512
ee8f6ed72688d66f4386709d6a40f980d6181503a239fa16a5e7be308ab8e64a618aaccb34ee6f5c5fd2d674cef4c8020a52c3c2317a16753f9969d5a2354890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1be383bbd4bdcef247efb3ce37625971

SHA1
8a930048afdc225bb3a41e2a14e2038cb50b6297

SHA256
608e9a1e8e72e22f437f305c6bbab5a32575e1f0af1607e470d1f77707b469af

SHA512
31e0d28d861fc9c88e5eb7be9dd304062c09c5d3709e26cb14e26b932deb36ae4003c7208e1213fdbe6e22ff9046f7e892132410b359d4ab14c43df46497e709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
8edac998b80ce848d73f1941c7385412

SHA1
99481ad05c9fb9100eaec00073169da4fc90148a

SHA256
0375aa2f60e68463dc159d422c2093010c7cfe446682f1b2bbcba9689c758969

SHA512
f2600b325042a355c3f68632759f175cabf6264d1fa14e56853775f4c1f8caefb84a4fe95694c169e4abaedc0db9e28b7d58d699ac4e32f690e7ee3de027baea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
708261c78eaf5f84356ad50de29a8fa3

SHA1
a68ad1bac02f3734171286dbf3248ac97771acbc

SHA256
9fd93c3ad2ca92d6cd4a1b24121f30ca1fa481b5e444ad01aae4e2b43d55a810

SHA512
142927020cbd0e81ac41010401105916121cb11aff9771200d9bb6c67a494b1d162fc0fc142a9ba6c7a104ff84f020c6d93fa25dad4714a19430304e5aeb8a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
77e8ff806ae67ba221e960353a6032f3

SHA1
31cd2f977b7d8bf2e754fe820796f2493e96bfbc

SHA256
dd43b5aadd438281edd3ce9cf74fe297dc744331e4aa2b4816ed0bc175ac221f

SHA512
0f228cd8328bcd92986a7cae7f9301d44023a98628e6d4944789a4c475b3de18c374b1666f7249f8f53ebcf21a40eefe4f8e08aca6befc5b7223195eea3da135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7508dfc533ba69a9f389e6e14c5a2695

SHA1
d848db7f93db0f4b8d0eb3dd255f29770178f4f2

SHA256
afb8410558f4320b1dfd993fc32d4bf77c33494f7ea424e989a93aaa814e9558

SHA512
87cb85d2ca50bde5c6f25c5d13e431617ba9530d34c59ca4540f82b0ce77a74663bac5846739f3c792bfd33fa5ba4ab637be48574a7b08674da5bbfc9182e008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce497766ffd8fbfbb602d257c0122df1

SHA1
1f4fc1208809967b12c1d422267d4a9fb7b3a4a5

SHA256
e434568f9d40f796c2d7fae2a62cee60d9d539491c549a2216ab310300153e98

SHA512
015e90aa2430d578c8f66ab370bf72b08e938e7c0932eb36486f51549bb92edaf0e6e39c30a9acba47ea2e79c56cba7f7bc70295a9fe239d95e9664ca91d4edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2e912de8012516e74c78316cdf311712

SHA1
695a494aa9808415073e7e8ec3300bbb0f1ec6b0

SHA256
2a4653c203c93a5282d9b5bbeb7a0e8981636538e467a413f5635737e721b22a

SHA512
11628f0b0e5a3d156fcf8ddbdb23cde95ac94a80201532084aea6707ed1d8cc1f9b73e21376a338f3f3cf2e77e42e679abf104a6523efe8d98c1fd4dc1392481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
aa444b33df4085a6a501fa9b069190c2

SHA1
f31e93a9e92e864fd4a0ada71f2acf9f1310f2fd

SHA256
5d2a0f5e748b85f7f1451ac0e86e57e6a86b66c460d2aa09e7300bd4057aeba4

SHA512
2c7d923afed23ebea3584e844a3c42af171a07e698afc63ddb4e716ebc969ca4773827c1c261c68d3d05bf71648bfad59c28b5f1f622227f06e83572aca54247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
4a134aa179c4abe8d3781973827606f3

SHA1
2e1d8d4ac4939c6d257022715964037f1bd4e664

SHA256
86441fd632355e082942174e8e6c25c9c85b1932c961715503f23a309a3b7867

SHA512
f52f647698fdaa9ae97cff4301af3e36dd1112e255dc621b102e8e1da38d21e2393e3a75165207a61814e6d2cc9443823883e9428ae9043dddeb6b4f4147ba51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
0974b8c21cdc61041af2a44f6075430a

SHA1
1d27e36a9b923a31bf2dfe72534e8df71eeb98af

SHA256
b653ab1f8bdf64d211d9e1e24e1daa823a9311b660939456c526b9d5b7ab8110

SHA512
69a09bd18fe86920ffdea10bb7cbefe5af3c3b75f0d9d47e2aac588f75571ba82d86d97d8e11f831f2f45afd4f13d83402371964d8b40784ecdda506dd898ade

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
78249c7d88922cfd0b0ed08874fc92d5

SHA1
628893aaa20a269e1acdd62bc2f6f18a67ec2302

SHA256
5ea43e5c87097bdfb95a9631b453a941e3066af2665274ea3b7bae189bbc3aa8

SHA512
6ebde48ad63d4f16c987b1dfbdf0cc8c58fd7865767695ed4c3144607065f31c0eca7ef5189a00b63dd5e1028a0c743a37ba93a011c3cd25e4bcde6340e3dac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
e225b3ee537d8266dac251f3025ad94a

SHA1
1849acd9478abe981ae55ad14686792575ab73e5

SHA256
7927ff45853c1119df15b7241ffe952dcdc9df7f9db002db88b56fc833ea064c

SHA512
a9f4abf00b87acb17cb76165cb678412809b5b68b91c1ccfb844eb827d226ec5a01c20dc0746c834c8ac4fdb046cdcee494a81019869748202815fb569d72522

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\83E3BDEEE2656890431C3484D2DFAC5D44936E89

Filesize
32KB

MD5
61793bdbb181b84067f213386c4149c4

SHA1
dc5929bb948ad8f60552308bf874a0b31e8c1d95

SHA256
12731f4eae8080fd5605af77b48fa361edc1b87035d9c891b2f1d09958b257a9

SHA512
b4617a6ee25d5540cc2201b1b7fb9b81feaa7e01ec6aec804a911fcce5a4d41c98b94b0164b57b3b6541af2bc8a3149c7d2117d3c03312adb05f19170af28d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
7KB

MD5
23061cc644fe295f50a96df9f1360ccb

SHA1
410172beab8e1a4d9573705ab2f408b7db98ea2c

SHA256
ef2efad48a4e81d1b98b7a7526d031c351e91f3d7509e47a86560f24440b68fa

SHA512
5118ea6b19fde2cb2411b408cb28b8b604e008b53cffc5b56c8fb7a03316ab4b15e9139bd1512489f85c88f9e27fd55af80b5dd5952c84ac29d373b76b6e0b88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
12KB

MD5
119b2b4034759922ff9dbb712ef5b8f8

SHA1
2c25534636bb97b2d229083cbd1748bf83ee0bcf

SHA256
314490ad0de66a8f7b878960d7683779cad539a1a6663f154ff5fe7cc283b993

SHA512
42e1e5bf45332ffb982cd7071bece3a30ed30604e599120927391a3880e7a07feaa3cef1e5bcf1c4dfe867b68e5f3bd9b0a23828a336527ff8b165d66e670f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6fe88057b4299f09863d7232d0624333

SHA1
b1de147e70679ec3154da2fd8d1e59feda74e458

SHA256
85a549a5b5cdd1f4b4678d20b1fdbf8e84284a7566f161654251782442de9b19

SHA512
e356c6a240b8509353966d0de34ef15a534f90a6c97df5e9195f924a01ac01ab39b0eadc9cb6a83c494bbb4a5fb6daf2b764e9642dfe5360cd498fae2d304b95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c8353052c23c3b4e76429dc2b2864e13

SHA1
35d51e5046c7ae108986137a3a033818aef7870a

SHA256
5d608638c6b2526e8b280997c4584328f493d56563da33bd134b25e92b3f77d9

SHA512
f801f03f5805ad30d05f8c9460d44b8e0afce37fe8cf94fb829c947018edcfdbcd6803b84e1030f924e409f41653bf018806360e96b412803bdb492b03dc2eb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
eba44563203e5d7db341c66c21efa4cc

SHA1
37d28b56f9ae2bbb2d12f3f45c4bafcaf73e5914

SHA256
37d7d93ea27b76866b677e1c0bcb7e3db179a2fdffde2cd0f27c0a5ed7f84b16

SHA512
fea74ef7a64a322fb037fad14d5d55b5b114d159a36d02f11a6815b1d381e32c30236889321ca8b6cd16995290c0714e2c2dd74e379f88cc8cc7d5bd02371565

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\1d67eb6a-1936-4d69-81f4-1abc7983e5ec

Filesize
27KB

MD5
108cd31b86d853ccee21b549807f03cc

SHA1
1957a45b4b0ba09e3034d7cc75af27d62abe4c7b

SHA256
5c06aaea5c06281d1b34f630aafa6b3ffd26acccf5a1ddb3fce00fbd65e80231

SHA512
0ac104ab8b53020d730a877e6590d7e8727896985af002d5fa6af59d26db834988bdf43ac3bb96b45663b18f52f00fa379bd2f35fe6c40920af81d83632a2c79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\a6c1efc0-af1e-4d92-a726-15930cc4a447

Filesize
9KB

MD5
47e04b6234fa25901f9a4616efd19776

SHA1
3e3d7126411ecf180566348adcc2ba68eb35fae0

SHA256
bb70db3ec41cec71b0deaffe9edbd0b79b44e3a5975f38de4b306b0f523ba72b

SHA512
691113b39932eea1c6a7297484ed7b3fa92091918b8d9df2afcbf0a1da47005aa52c9512f45936e774592147b964737b10a7393b2f2696b060cdd9ac9dc8b277

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\d4b9e63d-10e1-4d3c-96eb-6ce9ba82ed73

Filesize
671B

MD5
c0ba51f409b9e450130595d1616b4607

SHA1
089b3461a9e5f978dd5cb3103b8cbca6ceaeaf53

SHA256
506f54f7310572f23f28a7ba540a5422ef7e74861e0396e3470199ad7a915750

SHA512
7f948cbbd29094fafaee598dfc27ee127c0663ca69c3eb957d52cbb1077242d9e435ed702473a0d2936190e678bfbc7dca3e4df7e212b974116441986d9996e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\f5e756a4-56db-4054-8e10-69ce5b71ffc0

Filesize
982B

MD5
1a549a99fa1abd48ce6243d69f744303

SHA1
74b11c1409c6ef586fb0f40c0827f7bc942fd8ff

SHA256
927741df98c0996d0693acb558cfd9b98f0e6d2960da01afb1de17e6205e8894

SHA512
df0f5ea26857108e1db3bb16d3e84c899b1aa6c7065a40ae6cbfa7322fc402ba61500c3c1713352683c8937f90b82e6088d129773b0551d22dfe16e840314310

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
11KB

MD5
23bb5a9fea303b1dcd2fcafd0364229b

SHA1
0771acd355fc9d881f140a8bdae1d12c743b7223

SHA256
0bbcb0b9c925c486771f422d7af0611383115868e99c3c72b4085b44e5529cce

SHA512
d074a4b02a6c4c7b97d19535ff50dbb2ec02af3ff82c9450a7a75413249f9809f67d341de4887c005d4a908ab3b6f28364a70aafbda635c1082eb7f4ddbd7840

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
391798792e9afebe7f115e3cf957ed50

SHA1
119b35c79010422ba6ffa097429ad3767cc545ce

SHA256
c791a15084d8d39729e19c9efd5fb696859b6b3a6669fa6780341c7336d90480

SHA512
ee9c8ab64a0f719b22dbc4e641c836cdc2dfb9d80120e18386a445cd689e70fff21b63565de38004eb202055486d3ba04304b3cd37edce0b7d5bd85284a89ed0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
7be1e3eead4c29f366f3ec78870283de

SHA1
845f2b74521fe4a29bad52a1aa557ae03ef4b5db

SHA256
afd36e6a61f0d43a5968d713fd943aee7c1d0083a9747ef985ad33c1dd3454f8

SHA512
a0412585822d3996b88d7a908f59e8f773006934f2bd8536656d684674c98f27cda2899293f1a5ede05c9e9ed63da033c9094c9bd8a44af0ac805a8e101036f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
088ba9958cf5a2311ae14fd67373f4e7

SHA1
83dd49c13e9b2c6dfeeee943df612f9781aab19a

SHA256
111d2f9d32a301eda3aadd63f9aaac1222ad21e66cc64d0796a9ecc45e55ae18

SHA512
3f71d60abba8649de906e7a53121574993c4e035c915794edd999cc05fd78c1ff2615c5875bdb906c806a564a9813b42ed1272be92a0a0925dcf0abfaf0cf188

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
baee20c970578e53b3ffedc569e2681c

SHA1
d8f1d73fb64033e3f8e42abc4cc24f5db8c43fd4

SHA256
609de63ba48eddb805f75c875cfd04a2e865d7d9b96a313a305f1a26c5f0b898

SHA512
7ef634c526fe953e7f09e79c9cea114d0c88fd485116b01c53b5c5e6ad57679288abf3d3a3818e81f1328d96965225fcfd3062bdec3c5b1f892a4f034d4c47f3

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.StoNVQUW.exe.part

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
memory/5756-811-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-813-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-812-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-802-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-810-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-809-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-808-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-814-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-803-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download
memory/5756-804-0x0000024496850000-0x0000024496851000-memory.dmp

Filesize
4KB

Download