Analysis
max time kernel: 2626s
max time network: 2644s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 18:05
Behavioral task: behavioral1
  Sample: b1nja_4.1.5571.rar
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: b1nja_4.1.5571.rar
  Resource: win10v2004-20240508-en
General
Target: b1nja_4.1.5571.rar
Size: 349.0MB
MD5: c07c5d896251aa7561760651ec61b597
SHA1: 37c2272149718130616787ea00e2a8af06690cec
SHA256: 8513ac042c987c6d67779b532018e46be4762b3a6082348c53ab49ba7ac91b5b
SHA512: a25bf9b5720881993c8ca7636390ec31d6f9948c07ebee910ad54e01aac754a4287ea515fb45cce165df794e8e338d61d32543c9ec9cadb4edf5212f71e61203
SSDEEP: 6291456:xKMOlsABtDpX/VKqtp0tcno1un6UKs/BN2MjiEReOXVAAoggJt8/C2fcikL1G2+T:6VXpX/h0tZonJn2Mznl6PXp+Pb
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\binaryninja.exe | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options | binaryninja_personal_dev_win64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\binaryninja.exe\FrontEndHeapDebugOptions = "0" | binaryninja_personal_dev_win64.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | vc_redist.x64.14.34.exe
Executes dropped EXE 4 IoCs
Processes:
pid | process
6128 | binaryninja_personal_dev_win64.exe
3028 | vc_redist.x64.14.34.exe
2160 | vc_redist.x64.14.34.exe
4740 | binaryninja.exe
Loads dropped DLL 64 IoCs
Processes:
pid | process
6128 | binaryninja_personal_dev_win64.exe (listed 3 times)
5248 | VC_redist.x64.exe (listed once)
4740 | binaryninja.exe (listed 60 times)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\Z:, \??\E:, \??\H:, \??\I:, \??\O:, \??\P:, \??\V:, \??\Y:, \??\B:, \??\J:, \??\N:, \??\X:, \??\A:, \??\G:, \??\K:, \??\M:, \??\R:, \??\S:, \??\W:, \??\L:, \??\Q:, \??\T:, \??\U: (one row per drive letter, 23 rows) | msiexec.exe
Drops file in System32 directory 50 IoCs
Processes:
description | ioc | process
File created, and separately File opened for modification (two rows per file, 50 rows) | C:\Windows\system32\ followed by each of: mfc140.dll, mfc140u.dll, mfc140chs.dll, mfc140cht.dll, mfc140deu.dll, mfc140enu.dll, mfc140esn.dll, mfc140fra.dll, mfc140ita.dll, mfc140jpn.dll, mfc140kor.dll, mfc140rus.dll, mfcm140.dll, mfcm140u.dll, msvcp140.dll, msvcp140_1.dll, msvcp140_2.dll, msvcp140_atomic_wait.dll, msvcp140_codecvt_ids.dll, concrt140.dll, vcamp140.dll, vccorlib140.dll, vcomp140.dll, vcruntime140.dll, vcruntime140_1.dll | msiexec.exe
Drops file in Windows directory 16 IoCs
Processes:
description | ioc | process
File created | C:\Windows\Installer\SourceHash{EAE242B1-0A26-485A-BFEB-0292EE9F03CB} | msiexec.exe
File created | C:\Windows\Installer\SourceHash{CF4C347D-954E-4543-88D2-EC17F07F466F} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6E13.tmp | msiexec.exe
File created | C:\Windows\Installer\e596b26.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6FE9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI72F7.tmp | msiexec.exe
File created | C:\Windows\Installer\e596b14.msi | msiexec.exe
File created | C:\Windows\Installer\e596b27.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e596b27.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6D37.tmp | msiexec.exe
File opened for modification | C:\Windows\ServiceState\WinHttpAutoProxySvc\Data\cachev3.dat | svchost.exe
File created | C:\Windows\Installer\e596b3c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e596b14.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
NSIS installer 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\Uninstall.exe | nsis_installer_1
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\Uninstall.exe | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b7d72a8ac39dc2e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b7d72a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b7d72a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db7d72a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b7d72a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Modifies data under HKEY_USERS 14 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-96-af-4b-20-96\WpadDecision = "0" | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-96-af-4b-20-96 | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-96-af-4b-20-96\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-96-af-4b-20-96\WpadDecisionTime = fc43171e1fcbda01 | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D | msiexec.exe
Modifies registry class 64 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\PackageCode = "1DBC1304665E4F940B80D553526312EA" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle | VC_redist.x64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\shell\open\command | binaryninja_personal_dev_win64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.34.31931" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BinaryNinja\shell\open | binaryninja_personal_dev_win64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\shell\open\ = "Edit .bnpm" | binaryninja_personal_dev_win64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnta\ = ".bnta" | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 | binaryninja.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | binaryninja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Version = "14.34.31931.0" | VC_redist.x64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | binaryninja.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bndb\DefaultIcon | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\DefaultIcon | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\shell\open | binaryninja_personal_dev_win64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\shell\edit\ = "Edit .bnpm" | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnta\DefaultIcon | binaryninja_personal_dev_win64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | binaryninja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\Provider | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D743C4FCE4593454882DCE710FF764F6\Servicing_Key | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bndb\shell\edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Vector35\\BinaryNinja\\binaryninja.exe\" \"%1\"" | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\shell | binaryninja_personal_dev_win64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Version = "237141179" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\PackageCode = "41D6234F5FF418F46B8784B191BEBB15" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | VC_redist.x64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} | VC_redist.x64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\shell\edit\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Vector35\\BinaryNinja\\binaryninja.exe\" \"%1\"" | binaryninja_personal_dev_win64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | binaryninja.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | binaryninja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.34.31931" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} | VC_redist.x64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BinaryNinja | binaryninja_personal_dev_win64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | binaryninja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC\VC_Runtime_Additional | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\D743C4FCE4593454882DCE710FF764F6 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnta\shell\open | binaryninja_personal_dev_win64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bndb\shell\open\command | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnta | binaryninja_personal_dev_win64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | binaryninja.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | binaryninja.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | binaryninja.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bndb\ = ".bndb" | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\BinaryNinja\shell\open\command | binaryninja_personal_dev_win64.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\.bnpm\shell\edit | binaryninja_personal_dev_win64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | binaryninja.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D | msiexec.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
4740 | binaryninja.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
pid | process
4456 | msiexec.exe (listed 8 times)
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
pid | process
2672 | OpenWith.exe
5336 | 7zFM.exe
4740 | binaryninja.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4680 | firefox.exe
Token: SeDebugPrivilege | 4680 | firefox.exe
Token: SeRestorePrivilege | 5336 | 7zFM.exe
Token: 35 | 5336 | 7zFM.exe
Token: SeSecurityPrivilege | 5336 | 7zFM.exe
Token: SeSecurityPrivilege | 5336 | 7zFM.exe
Token: SeBackupPrivilege | 3816 | vssvc.exe
Token: SeRestorePrivilege | 3816 | vssvc.exe
Token: SeAuditPrivilege | 3816 | vssvc.exe
Token: SeShutdownPrivilege | 2156 | VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege | 2156 | VC_redist.x64.exe
Token: SeSecurityPrivilege | 4456 | msiexec.exe
Token: SeCreateTokenPrivilege | 2156 | VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege | 2156 | VC_redist.x64.exe
Token: SeLockMemoryPrivilege | 2156 | VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege | 2156 | VC_redist.x64.exe
Token: SeMachineAccountPrivilege | 2156 | VC_redist.x64.exe
Token: SeTcbPrivilege | 2156 | VC_redist.x64.exe
Token: SeSecurityPrivilege | 2156 | VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege | 2156 | VC_redist.x64.exe
Token: SeLoadDriverPrivilege | 2156 | VC_redist.x64.exe
Token: SeSystemProfilePrivilege | 2156 | VC_redist.x64.exe
Token: SeSystemtimePrivilege | 2156 | VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege | 2156 | VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege | 2156 | VC_redist.x64.exe
Token: SeCreatePagefilePrivilege | 2156 | VC_redist.x64.exe
Token: SeCreatePermanentPrivilege | 2156 | VC_redist.x64.exe
Token: SeBackupPrivilege | 2156 | VC_redist.x64.exe
Token: SeRestorePrivilege | 2156 | VC_redist.x64.exe
Token: SeShutdownPrivilege | 2156 | VC_redist.x64.exe
Token: SeDebugPrivilege | 2156 | VC_redist.x64.exe
Token: SeAuditPrivilege | 2156 | VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege | 2156 | VC_redist.x64.exe
Token: SeChangeNotifyPrivilege | 2156 | VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege | 2156 | VC_redist.x64.exe
Token: SeUndockPrivilege | 2156 | VC_redist.x64.exe
Token: SeSyncAgentPrivilege | 2156 | VC_redist.x64.exe
Token: SeEnableDelegationPrivilege | 2156 | VC_redist.x64.exe
Token: SeManageVolumePrivilege | 2156 | VC_redist.x64.exe
Token: SeImpersonatePrivilege | 2156 | VC_redist.x64.exe
Token: SeCreateGlobalPrivilege | 2156 | VC_redist.x64.exe
Token: SeRestorePrivilege | 4456 | msiexec.exe (12 rows, alternating with the SeTakeOwnershipPrivilege row below)
Token: SeTakeOwnershipPrivilege | 4456 | msiexec.exe (11 rows)
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process
4680 | firefox.exe (listed 4 times)
5336 | 7zFM.exe (listed 3 times)
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
4680 | firefox.exe (listed 3 times)
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
pid | process
2672 | OpenWith.exe (listed 64 times)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2672 wrote to memory of 3960 | 2672 | OpenWith.exe | firefox.exe (listed 2 times)
PID 3960 wrote to memory of 4680 | 3960 | firefox.exe | firefox.exe (repeated rows)
PID 4680 wrote to memory of 1244 | 4680 | firefox.exe | firefox.exe (repeated rows)
PID 4680 wrote to memory of 3416 | 4680 | firefox.exe | firefox.exe (repeated rows)
PID 4680 wrote
to memory of 3416 4680 firefox.exe firefox.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.exe
Command: cmd /c C:\Users\Admin\AppData\Local\Temp\b1nja_4.1.5571.rar
-
C:\Windows\system32\OpenWith.exe
Command: C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Program Files\Mozilla Firefox\firefox.exe
  Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\b1nja_4.1.5571.rar"
  - Suspicious use of WriteProcessMemory
-
    C:\Program Files\Mozilla Firefox\firefox.exe
    Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\b1nja_4.1.5571.rar
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.0.971588525\1810125943" -parentBuildID 20230214051806 -prefsHandle 1780 -prefMapHandle 1772 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {746f9ea6-f489-442f-bb17-a2adf673ab25} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 1872 24140bef458 gpu
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.1.40284289\415200316" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b01a3ae8-b219-4855-b6f0-c0db63c203fb} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 2472 24134e8b558 socket
      - Checks processor information in registry
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.2.662068674\1917176743" -childID 1 -isForBrowser -prefsHandle 1580 -prefMapHandle 3036 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 912 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c3b8692-80fa-44d7-a00c-27ac2b529065} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3020 24144a54258 tab
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.3.1045833762\30243164" -childID 2 -isForBrowser -prefsHandle 3600 -prefMapHandle 3588 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 912 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8317d90d-6b38-43c6-96b4-ab22e613e70b} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 3624 24134e7bb58 tab
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.4.143915904\257415161" -childID 3 -isForBrowser -prefsHandle 5232 -prefMapHandle 5228 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 912 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a3f1744-cadc-473b-a457-a1bbcd9ec8f8} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5220 24147b49b58 tab
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.5.440554481\520762962" -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5240 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 912 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29ae28c6-985d-4f76-ae29-6a1fd350a313} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5260 24147d37558 tab
-
      C:\Program Files\Mozilla Firefox\firefox.exe
      Command: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4680.6.1184042159\1695104253" -childID 5 -isForBrowser -prefsHandle 5496 -prefMapHandle 5500 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 912 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8fe752ca-9b18-4710-8903-4f8cde13cf68} 4680 "\\.\pipe\gecko-crash-server-pipe.4680" 5380 241478c2258 tab
-
C:\Windows\System32\rundll32.exe
Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Program Files\7-Zip\7zFM.exe
Command: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\b1nja_4.1.5571.rar"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\binaryninja_personal_dev_win64.exe
Command: "C:\Users\Admin\Desktop\binaryninja_personal_dev_win64.exe"
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
  C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\vc_redist.x64.14.34.exe
  Command: C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\vc_redist.x64.14.34.exe /install /quiet /norestart
  - Executes dropped EXE
-
    C:\Windows\Temp\{1BF824DC-488B-4D97-9690-0E5CF0A5114E}\.cr\vc_redist.x64.14.34.exe
    Command: "C:\Windows\Temp\{1BF824DC-488B-4D97-9690-0E5CF0A5114E}\.cr\vc_redist.x64.14.34.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\vc_redist.x64.14.34.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 /install /quiet /norestart
    - Checks computer location settings
    - Executes dropped EXE
-
      C:\Windows\Temp\{61C6B65A-0849-4559-9280-FD0E4F2689D2}\.be\VC_redist.x64.exe
      Command: "C:\Windows\Temp\{61C6B65A-0849-4559-9280-FD0E4F2689D2}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{796C06BD-2199-404F-857A-6F855DD157BF} {29922589-0E6A-4A01-ABEB-941E891CE7E4} 2160
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
-
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        Command: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1104 -burn.embedded BurnPipe.{7AB05A26-9039-4022-8924-ED49101BFA64} {0262AD9C-0BEF-4EC2-88EC-8AF10DE92040} 2156
-
          C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
          Command: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1104 -burn.embedded BurnPipe.{7AB05A26-9039-4022-8924-ED49101BFA64} {0262AD9C-0BEF-4EC2-88EC-8AF10DE92040} 2156
          - Loads dropped DLL
-
            C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
            Command: "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{D43DFFEB-7290-48E1-97BF-1DA4E2B7AFCE} {F24CA603-5968-4306-B84F-382658DBA984} 5248
            - Modifies registry class
-
C:\Windows\system32\vssvc.exe
Command: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exe
Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
C:\Windows\system32\msiexec.exe
Command: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\binaryninja.exe
Command: "C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\binaryninja.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
  C:\Windows\system32\cmd.exe
  Command: C:\Windows\system32\cmd.exe /c "ver"
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3960,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
-
C:\Windows\system32\svchost.exe
Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (1): Image File Execution Options Injection (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Event Triggered Execution (1): Image File Execution Options Injection (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Config.Msi\e596b19.rbs
Filesize: 19KB
MD5: b93ab01989f912cf7f665ae7d35bfc65
SHA1: a7e3b92a3cf498954b814b0ca4cdf6204daf2343
SHA256: e692367daf639099f4308564ef053b3528be51f885c84697ec8cb117160089ec
SHA512: 4910e5202afc7e964635e228956dc2bacf1afcf77780d2078eed9e6c0ce83f46b12dd25d2f44a01caa564cecf26ed0ad7619bdfbf26670b85b05c7461c4ccfb3
-
C:\Config.Msi\e596b25.rbs
Filesize: 19KB
MD5: a300068d68feb2b05798fd3519012838
SHA1: ed7094c6f7afa42b094b4e78371c72ae0470780d
SHA256: 6e6c6f7b92c46f72686f8e429b6ef6a21c5021d9aa56ac8f4cfe42103943ed38
SHA512: 4964b319cf0a5db36f7c9a4906c5fbb542ae9dc3c662dc9c0dac74b68db7dd94840d2e3d5bd7c3021d3fdc230554772d573a00adaf242736c963acb4401d2589
-
C:\Config.Msi\e596b2c.rbs
Filesize: 21KB
MD5: b74360324d7fd220bf5c932f51889265
SHA1: dfb94f845089a2309f9c13c531991284074005a6
SHA256: a44506aa1f2751a5c3e99832c8edbba01059fbfe20991c31bb88f7a70c14c8e8
SHA512: 4a9535b2ab6dd1bfb7c884d7e86447d587b662919c3b6a0295098a73116e1c66f6c64eb796a2d628ef30a9c272cd67f19cde103d3dc2e914d6b4a5ac9f3c4f40
-
C:\Config.Msi\e596b3b.rbs
Filesize: 21KB
MD5: 1c849d2fef0a6de2046c6db485c5f54d
SHA1: e3881ea1dd651cd85810cd9bdfef2ff0de67eb2e
SHA256: af5870f58812d1dbbe6870929056c1f6d0b0b62481bc035a64b64bae6974eaf2
SHA512: e63714c2e304e03e6896693502c002cccc0a20aa15ec6d1c4131610e70b9a9e3e8b25113518b8c1c1c872a8b16e276296dcdbdaa80ec3f3f9a0a2072d98b17ca
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp
Filesize: 27KB
MD5: 00106a8385620708f88f051333284114
SHA1: 1e7e3bb26cc5aaa8d7cd2d8b6e292b1d97f0d70b
SHA256: 22c82c96f9551b3565efa51102faca9fa39117f7827321a8da11ad72ac0a8903
SHA512: 5e5c56cad501578981f1517a06215d0531adb4e1b6cab8ace0a78929851a567e572569dd7fdf00dcbd17d4d1d041158388deade3b96b9af41411b6664b66a601
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240630181500_000_vcRuntimeMinimum_x64.log
Filesize: 2KB
MD5: 663a8af822acbf62a627f470fd766f93
SHA1: dadd4f722e33b7307f3810665d95955eff177c10
SHA256: e9491a5f111445a3d17ab20623fe98c8ce1b82e2c6de48debef4ff663d06c1f8
SHA512: aba26610d27c8efa9412b3357e297281ab1e03ae3e81b68af2ecd9a14ad21c95dfa097cd69dbe557feb33f76dc5634407a62da6d9084d79a2288c2e247500e39
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240630181500_001_vcRuntimeAdditional_x64.log
Filesize: 2KB
MD5: 5311af008c183a211834ebc0fa7a12a0
SHA1: aaa8ca4fd9914f60e31344da40c408de789e3656
SHA256: 6c785dceb53191fb8c662bf52848a8dd14cf62ba0d9191ba516b9887f4fab58c
SHA512: 946323cc2b1a22727a91ec2486ba69242ab97430ab3ae720e5e1d3d6d3e4f25cbc535b575ad932495a60fda47639942b72b1f3a7aa0b106dcac51f28be4df86c
-
C:\Users\Admin\AppData\Local\Temp\nsjE636.tmp\System.dll
Filesize: 11KB
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0
-
C:\Users\Admin\AppData\Local\Temp\nsjE636.tmp\UserInfo.dll
Filesize: 4KB
MD5: e167f9a565781a30c03ff10370033319
SHA1: 1858758b076946073de375c6eb1bec9867aa3689
SHA256: a912514823df595ba3a048099d3b89e925a4d41742afc67e772060952892f312
SHA512: 96d8f5ac8e2c0961ba71075de52d12515e7a058cddf3fa1ec14e77545b0b5f4e29324a13e2eb287a447f1d24dc9f09e0a70b0a25401b0ef8d90e6e4a96ce6c61
-
C:\Users\Admin\AppData\Local\Temp\nsjE636.tmp\nsDialogs.dll
Filesize: 9KB
MD5: 6e64e5d5f9498058a300b26b8741d9d5
SHA1: 837ce28e5e02788da63a7f1d8f20207d2b0bf523
SHA256: 8d4b1c275fd1cd0782a265080b56d1aec8d1c93edca5ef3b050d1d20d7b61f33
SHA512: f53514d36021d79f85df2494d403f03589b3ad848889b9224f962cc932ef740f127131a914c7171ad8136ca1ef631285ea1c80576db18ccf8ea56940eb00ea1e
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\Qt6Core.dll
Filesize: 5.9MB
MD5: a0e1974d44b567a5d996f02cab676876
SHA1: ed7e9b3f52fe5191e35b6906a359b67d3c5e670b
SHA256: 83bbf9f90caa9caafef9ddcbdf244c1839e0a2e1a9481940695ff4cc2238bd4f
SHA512: d3593b2e1815e0acd04fd1e928f8c7145122608fba942980bb8665180197d0774c51e3e4871315d75cf6842c38cf3c05ffd0d8309917f20a270e9a26e8acb7b8
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\Qt6Gui.dll
Filesize: 8.1MB
MD5: aeb9886b7aef5f8e933896eef9764b5f
SHA1: 8e214fdce4b25383f19d318096a5e9e1fb3197a4
SHA256: 192c5bfd621d58610faf6736f993be378fcbcfd809a39ef4d8c9f72bf4feed4e
SHA512: 7ab2bd20afbcb89feb9296369192bb46b353ec1f30b04957ba95e9ae760703361170b0728c33f05695968571bf076c84cc9e995699b7963dd6f473bf5aa729b9
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\Qt6Svg.dll
Filesize: 369KB
MD5: 19a2b8a9a41d022809b466b11fef2c1e
SHA1: ac90eeb70b2c8dd916fb735391fe944c69e94942
SHA256: 73db4f24d83f312a6de049fa199c4b2c30378a7e87fd6e8e095bfe004baa15ef
SHA512: 4231d34983ff1e59dea40e0f49e0b2c5d260e1a4fee9e926e765f08730d76c52d39c9a1145e5fbc3f87a41578b23a1ce5e27ff83412464b8ce224cb4983fe1b8
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\Qt6Widgets.dll
Filesize: 6.0MB
MD5: 7886edbba5544742678777b5e8110ea0
SHA1: 5e88f98867c7032b3448dc754a959b411ed485ea
SHA256: a5f96aa7416bc2a18bc75a14f55f5fbd35af36a944be263b42544eba7e9c17d6
SHA512: 44f8b43f66ba07b25560695421ab32759438bb2707b225e2bb6c78c04c004fadc11f3f017359d613fac1e47165e849c22b1c62a62a62a038670ba69e8231af08
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\Uninstall.exe
Filesize: 258KB
MD5: df829de1f997497c93567914f633d0ec
SHA1: 0036aa7a004dd44fb93d6ed84406b27dcab210a2
SHA256: b0d85b9100bec0fca8e66a219ee5f61d3c8d2f82380f2260444218e0c4099ecb
SHA512: fdaa8b81ec6f2ffc7151207d852293cdb7a9fe5cb53597a611c0ce5c6232a736784bce31e6b19d5f1b24e4bf32af8ba9b0875a74eae493285434519227fd5d24
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\banner.bmp
Filesize: 150KB
MD5: d86a52db82581ed078b2d9d00d51b4d5
SHA1: 4ddfe48aec0b82378c3e7c7e6feaf781e3c45cdd
SHA256: 1e92d6afb12182deebf30fbf9e63975dcc5dd062615e57e474efb3a336fee822
SHA512: aa9e24fa32e7bb75ddadd2bf833bc3cd4bbf7e47e5ee58711b17d52acfb2f99e3facad8c21d7db5fd1ebe572f8ad9f08fd3e2b6eec52edbf7b166297be56f161
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\binaryninja.exe
Filesize: 22.5MB
MD5: a64582a86f200c2dc55617de3ae2f9a6
SHA1: a791dae399f74d3bd51621f28ea148e8d1d3bbc5
SHA256: 7a4710a1e1d5c832f96078dee68774a124a7c24989f151ac268a5fdcee37beb8
SHA512: 81dd37bc848e5fe368091da3daf3d482cd185cb880f3a9a335b206d6f23e63e4087114dfc246f319564cfae022655aa1ea547b2ffd4b8ae8fae74b27b806eebe
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\binaryninjaui.dll
Filesize: 13.6MB
MD5: 794b52fa0909259bfe46fb7df38d0b23
SHA1: 4dd238e2987b22dff5d27328d0a0c1c067f283cf
SHA256: cea13b0b62b3722295022c93c1a37a1cb260557e7294df937a8566e8de5e7082
SHA512: b5b489332dff3f2411ed1b917b2c4c3fb2b2d82c30f5fa789d3812a6673cfa9c9cbc382284e1497217b20fadec4a39fbde169f39b7640ac296453298b4033e32
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\license.dat
Filesize: 1KB
MD5: e76f642922b35b464756eb881741b1cf
SHA1: 4fc3e5f2e3415e355137308868c10ff2d2132d71
SHA256: 9e7068e303e2caf7387f730003a3b8d9090557688b8a40e53e762996bc707abc
SHA512: 5bfecd0d86ab27a5dd0f2162db6ee73541bc03e524584207a73e2b8ec63daa518f9fae7f68c5a5431da17ee355063668dc91edfee8f888bfd45a2b475eb92251
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\arch_arm64.dll
Filesize: 4.7MB
MD5: 0c4526e6bb1ac0b4e67126db02923685
SHA1: 4188e47ee12c3436816a59991c2ff8d46c2bdb14
SHA256: 48fd9e5ad5dd5f7d772cb5b917a876be52daca2cf0b9364c11da558392356115
SHA512: 6edbdc42cd6b3fd2b8a8633b9f06136617bd0499dc0524f53516270f55ec3a2b373ec4001aa3d05749b28799825a54206807e67fd599c82394162dea3062bce1
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\arch_armv7.dll
Filesize: 3.9MB
MD5: 58e2f5a9ce74e91328c1d16ccc4b5455
SHA1: 275ddf346007287c299d650bab4fd481dd5f9255
SHA256: 23c4020447884262945abc6b87089f96b0b83f26cdaea23625c43a8084b378e0
SHA512: d0a3867d53e37779ca834ca93e9f3b4f3c153aeade4c9c1877d6e80de2ea19329ca50e0b4295754a004bc6b15c0fe9d68115a8fd266de3d149494cb42022822a
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\arch_mips.dll
Filesize: 2.9MB
MD5: 6cfe3e14081aad57d75df9e9710d252b
SHA1: a64cdd9f1e34d6575054da54f8b6d5c9de959b9a
SHA256: 028c69ce3249931e139341fa64655eb2387e06e8edc5dbdb7b74d05d58165f93
SHA512: 2622ad63d7be2ece6a71081cc1481c9104724558ff6313661431c5cb66f575dd853e858d9eb4c9f85b0e36826e1610520d3f2b88fdf9c06fab039c8e78bc8c3e
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\arch_ppc.dll
Filesize: 10.4MB
MD5: 0006307a63a911ac23d17fa683a876b7
SHA1: 7b83e4b837d0677f597bdc9bdef4716fc9407858
SHA256: 6590e59d8db80ad2c91279892311195ddf5cc2d4c6547772e2fb7f93b9c06811
SHA512: 0d15cd3bb8d3e502c4ffbd292817a35d3fb177dfe1d3cc73d8f312bbbea73ce78c4c96be102b88fcc41586bd3e615ff782341a58471cbcdd15bebdb190ba100e
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\arch_riscv.dll
Filesize: 278KB
MD5: 0119895428a89c13503caac50eab3561
SHA1: e65b59fa0f0cde2dea4b5934b37dfda4df158438
SHA256: 94e3c775a672bec767f3601911c7ca9d26ee73999ebabe2ef7d2b2ed9b1597f5
SHA512: 4e14b22a5b309c92270fc03ada71e7d80611c7ce3aad065e944a9b1fcaf9370c4863bd788b828fa46faec452eaa39a600618dd0d5518e550f37e2ed357c0275a
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\arch_x86.dll
Filesize: 9.0MB
MD5: d2017f91f1c253a1d981e578ae7e9985
SHA1: d5001828a497ce27cd5ae203eb025dd4e5db8053
SHA256: 5ca194d6c682a2fb985ca7db7043ab25ba4dded32176549d1765c416d8d4e2de
SHA512: 7c840c1397fd2b8fd6ebe7f1b53ad701d3df00a5233843b64e07124bc33511c4572359c8073040eede8cd2fed00529c713c754f3b35b850b3882d868b12851a0
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\debuggercore.dll
Filesize: 3.3MB
MD5: e75786a74deea85e5580d6da8abe11f0
SHA1: 81438b909a85d59fe789824a344567c04efe6bb0
SHA256: 98b78ca84baeb02ac217c52d39e91d8f18ef23876956108bb597517d2e2f2c42
SHA512: 130080037d9b07d4b1287a6c69cc765ce20e338a35d947b17eb2d75cad12e2f3df28310a9e9371bb88c632299be6feef2651df8fdfe8a622a5b1b0091f690b3e
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\platform_decree.dll
Filesize: 2.8MB
MD5: 0dbbaffb7efaf66483bd7c00c603acff
SHA1: 255093282f1043f42e78f772bc2dbdb6f028665a
SHA256: 14e234a8610daabc41f6936f9bd162a94ec5f01055241d720d8c3899d1c784a4
SHA512: 913ee5ee0fbe2efd61933e207dc7b1f48b6371b8f40933aef11ade47d766afb788ee1a984e0539c774309d78699908dca1473a20ab073506cf6650668446bad0
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\plugins\platform_freebsd.dll
Filesize: 2.8MB
MD5: 64bf7f0dd2680614a97f20ecdaf53e28
SHA1: e6a43ce8b2bbadd0f8c5de0a4b794614b3ba04ae
SHA256: 6ad11a0af9f3b7bfaf2fe0aa101be07a5de47f93f0f57c8f58199ed16bda5b56
SHA512: 0aa780fea1ccef6a7a2fe7ec3086da6fed86827233ab3b8a230c81c0a72ad82988bdd03c96626c57775a430021a9bbd0e41e9193bb96830f2e11ae83acf6c414
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\python3\PySide6\metatypes\qt6qmltyperegistrarprivate_release_metatypes.json
Filesize: 4B
MD5: f17c6890ce3e5d805aad7ee46da00fd7
SHA1: 855ca7e4e0c1c862e50b76ecfb4184cc39df46fe
SHA256: 3fbbd4c6d76130399b0c79cdf41758669224a91e05b7b216953f0c9728750865
SHA512: eeb77c599dbe5da30338cf5a7b9dc16f5f4493aa68ce5e9953553434541551b5ea8bb9f5289fd0ee15e1ac4513c7d2888797b3d72438defb196270483608fb45
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\qt.conf
Filesize: 140B
MD5: 5b2b53ca62eec3846a3647277fd5df85
SHA1: fc160b8d94e025b60934c4ff2fecd7cb4ff9e491
SHA256: 941b4a02b8794e0787817a0fb015ee9ea2b9da4de1061fbb784d9ce1ff077a79
SHA512: e828068e1032c6d0f90ef393f5b631abd14bcb8027ae7e8b93f1da484258e8f5b82e720963bb1588a6f2a3ba692056e078e065e0b2bda3dfb15504690a9828db
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\qt\imageformats\qgif.dll
Filesize: 46KB
MD5: 8cffcf9b2898c01230b51accbc83244e
SHA1: fb886795f77d439e924e836cfb9bf56f523d230e
SHA256: e0102a4fb68d6516d98c721077f72c90a80672efefb8aeaf2434554be86466c6
SHA512: a21e6d524f47e5a73dfa95a3142bdb60e0ce6f3a6debcfc74564b8cf8c372a39b555e88675640c9711030a1b1ab4a01ae4b0e6fe7bd55ed230c64b76c8e1cd3a
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\qt\imageformats\qjpeg.dll
Filesize: 615KB
MD5: ea0c5d5eb0aa2a2d60666d200464c005
SHA1: 843246ed8887e319ad497d24d116ccc7b130c999
SHA256: aeb8391c50cd4499b24f3212afe58655475e4f0327c301a0f07d8ba9b8d98831
SHA512: a539ac588a6c79ab1f728dfa322bf92a47268577a32ac7cca57dcef4fc80b6400d9cd1a8ffb55f7626e802d695be1d4085cabc39b026b6c74f5ba18170b87b3f
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\qt\imageformats\qsvg.dll
Filesize: 37KB
MD5: f3194c219c6e4eee90fe08a98b0b7caa
SHA1: 7417b5ec8018d90cc1822938cdb90906d8abc7fe
SHA256: bbb1dac7b189f577ea73be8e1e83cd9a65cf44dbb5926ee924431c21d532a369
SHA512: dd9c59a749e6c4dbda18cff1009ca146c480b4ea3e64976f5fbac690413d63735f2f9eb18c87f849eb165bcd706b396f1f13d950e8d73daf9a277f0468547869
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\qt\platforms\qwindows.dll
Filesize: 852KB
MD5: 220c2f94cbb884f61f4f65642b1b0ea1
SHA1: 6eb700ce8f73fb378c6db3fe1cb4891228523f9a
SHA256: c1d48b54cde919cfb600a3b73e5ff2fd3ad131fb463d9c8ce28d5f6efb618fe3
SHA512: 62637fcb7b43edba524aaa12953441bba497264742ea2bdd671c6a43e60fea60d1c56406454098c092c10f5e6c0d1ad68430802dc0d3f8d34cf507a65c83b1dd
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\rust-docs\trait.impl\binaryninja\architecture\trait.FlagGroup.js
Filesize: 187B
MD5: d758ec0f72929c2123b5408a155ce078
SHA1: e5ff82a7cf89535bdde1355fa00a96e31caadc52
SHA256: 5b1f6255dfc366257dea1be3a1aa6f7cdc27fbcbc5164e92ef45439223cce80c
SHA512: bbf58295a92342a7d4f223d5a9b79708be46c7f69e7c221bbdecdf7e0b23e56f4fad1b8d88501a38cb6df28162c7fb7cef46c67f76e2cf3ce4d4f14280097682
-
C:\Users\Admin\AppData\Local\Vector35\BinaryNinja\vc_redist.x64.14.34.exe
Filesize: 24.3MB
MD5: 703bd677778f2a1ba1eb4338bac3b868
SHA1: a176f140e942920b777f80de89e16ea57ee32be8
SHA256: 2257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512: a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js
Filesize: 6KB
MD5: e49b215b3248ea851a7abb7896be5100
SHA1: 9a6183ac28c2c4c5c9e64fcb7c4b75aaeb1457f8
SHA256: 492f48397d0e258d527effd860469776e6860f5446e0472e8b25e261418bda5e
SHA512: cdb41504e92c9f306399780d3dcb2c27a7dde4604c56b1e0c21dbb16f7e595d8ec6098e0bd50f7ce12898879a4844ea0566be377f8a7e475dc1d6101c2032f1d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs.js
Filesize: 6KB
MD5: 1993a95e5df85d51df347a61598cc22d
SHA1: c4e3bd9704c5c4247d6fd64a8bb3eb8c7b54e7e8
SHA256: fb13debcfb30f6a90b4b6622845f03323ba56aa20ab662ce1853d07980c3d0bd
SHA512: 86922417faa2a3282423f09457a389f5900426eada5dda3a6b29dcc73d337cd3228dcaa8928a7fde867efb83310b24428e105f4b4bf64184cc19f88ad5d45046
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 658abcf72e106cbff0045e9743af7037
SHA1: 4e3d01a045990a9ec6ed40d9a8132cf9fd9c0918
SHA256: 965e3c3461e30dbd61dabe446e186cd6233b80ec934478c1561ebe330188d7fd
SHA512: 8cc16ffca0271b286483a12edc773f8e026a38660528c1f9776f5bac1231c934569a7a7a00dca402035fe1dd1ff8dcd6b493567a2402f44996151e0d33a653d8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore.jsonlz4
Filesize: 641B
MD5: cdf552c948aafaded992f408e7dea345
SHA1: 0e487511cef5984e5e5c1d4a98ba8f44fd740326
SHA256: da82bc2a4e0b3ee09c81a36eb430916d39c98f75f8d6be4a1bf43fecc58b0e1e
SHA512: b980e4f723bb0cae3c0db5abf0f5b323706ab5bc303ed417e662f4fcfd7f3825c79dde60c94852a3a3c16463c8d7c4a4ed65c2825a6d7113b5adb10da6cd20b6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize: 192KB
MD5: 058df786c387debe4bca196f2d406e0f
SHA1: 11fa2d330feab1989e1bfd44e810c405449e9642
SHA256: 97e26ef8ca3a71131771605e3174d09d8847f6ea950fcde1a91c463cd1c40f5d
SHA512: a459f6f713eb224fda72b7e647b2b74e7238591ca2c4413e6809c8e14261377f1bb83cb55d12f2d26ef3d0c7fd7d3391c73947d31e7828d69e5357e37b9d33dc
-
C:\Windows\Installer\e596b27.msi
Filesize: 180KB
MD5: c214a9e931bbdd960bb48ac1a2b91945
SHA1: a640c55dd522e01d0be4307a5eee9a40f779a6cc
SHA256: 1dbd3e4e71c6678e640c289c1c64bbb12c70f65f52b27191680a9e4141d64b11
SHA512: d25fef3bdd3cd18035892618602e27621e9fb3a913e7972ec7bb624d593ae4b766e718fd2e2c7342c589e9a97beb03d2fedef22e824c6b539b83f199cb967933
-
C:\Windows\System32\msvcp140.dll
Filesize: 566KB
MD5: 0929e46b1020b372956f204f85e48ed6
SHA1: 9dc01cf3892406727c8dc7d12ad8855871c9ef09
SHA256: cb3c74d6fcc091f4eb7c67ee5eb5f76c1c973dea8b1c6b851fcca62c2a9d8aa8
SHA512: dd28fca139d316e2cc4d13a6adffb7af6f1a9dc1fc7297976a4d5103fae44de555a951b99f7601590b331f6dbb9bfc592d31980135e3858e265064117012c8d5
-
C:\Windows\System32\msvcp140_1.dll
Filesize: 34KB
MD5: c385ebc3a83d842489021e48e23bc925
SHA1: 0a992abb2e424da981196edb280e7821f2033d9f
SHA256: 8e49a6d937ee6ac20d949629b54e28caf01aef312bc7184063280346b35899e3
SHA512: 85cc4c9fbeacddc934d46d907354c1fe93dc62b1bad7a6ccdb7c9101e820d01717e863fab39dd6bc062f38a100f03d49ebe2b3905146bcedfc6c014703d8c3b3
-
C:\Windows\System32\msvcp140_2.dll
Filesize: 192KB
MD5: 4b27f209925c247252babeff90d6cd2a
SHA1: 709dc2e8a03a9f261c64adf3f1c0839de62ddf52
SHA256: 25305353c51ac72f4646bd549493becdbd6c997605f70c937e72cad3f962182d
SHA512: 30e8ef20ec13abe50a13319159eb2ba1ebb117e1e4c438e24de48331acab34d8af3531e051cd93597eb5bede0af81ae223a06daa072ff226d79240ffff68b7a6
-
C:\Windows\System32\vcruntime140.dll
Filesize: 106KB
MD5: 870fea4e961e2fbd00110d3783e529be
SHA1: a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256: 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512: 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
C:\Windows\System32\vcruntime140_1.dll
Filesize: 48KB
MD5: bba9680bc310d8d25e97b12463196c92
SHA1: 9a480c0cf9d377a4caedd4ea60e90fa79001f03a
SHA256: e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab
SHA512: 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739
-
C:\Windows\Temp\{1BF824DC-488B-4D97-9690-0E5CF0A5114E}\.cr\vc_redist.x64.14.34.exe
Filesize: 635KB
MD5: 848da6b57cb8acc151a8d64d15ba383d
SHA1: 8f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA256: 5a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512: ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{B0B70801-E3C0-4AEF-AD85-011DA59E2721}\.ba\logo.png
Filesize: 1KB
MD5: d6bd210f227442b3362493d046cea233
SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
C:\Windows\Temp\{B0B70801-E3C0-4AEF-AD85-011DA59E2721}\.ba\wixstdba.dll
Filesize: 191KB
MD5: eab9caf4277829abdf6223ec1efa0edd
SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
memory/4740-4354-0x00007FFCBD6C0000-0x00007FFCBE12D000-memory.dmp
Filesize: 10.4MB
-
memory/4740-4371-0x00007FFCB6FD0000-0x00007FFCB72CF000-memory.dmp
Filesize: 3.0MB
-
memory/4740-4373-0x00007FFCB6910000-0x00007FFCB6C82000-memory.dmp
Filesize: 3.4MB
-
memory/4740-4374-0x00007FFCB6630000-0x00007FFCB6904000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4370-0x00007FFCB7C40000-0x00007FFCB7F0C000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4366-0x00007FFCBA9E0000-0x00007FFCBACAE000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4362-0x00007FFCBD3F0000-0x00007FFCBD6B9000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4323-0x00007FFCC1C80000-0x00007FFCC2279000-memory.dmp
Filesize: 6.0MB
-
memory/4740-4357-0x00007FFCB9C50000-0x00007FFCBA54F000-memory.dmp
Filesize: 9.0MB
-
memory/4740-4375-0x00007FFCABB70000-0x00007FFCABE50000-memory.dmp
Filesize: 2.9MB
-
memory/4740-4380-0x00007FFC98F60000-0x00007FFC9931B000-memory.dmp
Filesize: 3.7MB
-
memory/4740-4324-0x00007FFCBF1F0000-0x00007FFCBFF89000-memory.dmp
Filesize: 13.6MB
-
memory/4740-4372-0x00007FFCB6C90000-0x00007FFCB6FCF000-memory.dmp
Filesize: 3.2MB
-
memory/4740-4368-0x00007FFCB96B0000-0x00007FFCB9980000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4379-0x00007FFC99320000-0x00007FFC9965B000-memory.dmp
Filesize: 3.2MB
-
memory/4740-4369-0x00007FFCB7F10000-0x00007FFCB81DE000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4367-0x00007FFCB9980000-0x00007FFCB9C4B000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4365-0x00007FFCBB020000-0x00007FFCBB2EB000-memory.dmp
Filesize: 2.8MB
-
memory/4740-4348-0x00007FFCBE130000-0x00007FFCBE518000-memory.dmp
Filesize: 3.9MB
-
memory/4740-4322-0x00007FF788AC0000-0x00007FF78A13D000-memory.dmp
Filesize: 22.5MB
-
memory/4740-4321-0x00007FFCBF1F0000-0x00007FFCBFF89000-memory.dmp
Filesize: 13.6MB
-
memory/4740-4351-0x00007FFCC0070000-0x00007FFCC035B000-memory.dmp
Filesize: 2.9MB
-
memory/4740-4345-0x00007FFCBE520000-0x00007FFCBE9CD000-memory.dmp
Filesize: 4.7MB
-
memory/4740-4342-0x00007FFCC13B0000-0x00007FFCC16FB000-memory.dmp
Filesize: 3.3MB
-
memory/5228-4266-0x0000000000A60000-0x0000000000AD7000-memory.dmp
Filesize: 476KB
-
memory/5248-4265-0x0000000000A60000-0x0000000000AD7000-memory.dmp
Filesize: 476KB
-
memory/5684-4228-0x0000000000A60000-0x0000000000AD7000-memory.dmp
Filesize: 476KB