Malware Analysis Report

2024-10-23 15:15

Sample ID 230806-vt4y8abc42
Target RANSOMWARE-WANNACRY-2.0-master.zip
SHA256 761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f
Tags
wannacry discovery persistence ransomware spyware stealer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

Threat Level: Known bad

The file RANSOMWARE-WANNACRY-2.0-master.zip was found to be: Known bad.

Malicious Activity Summary

wannacry discovery persistence ransomware spyware stealer worm

Wannacry

Deletes shadow copies

Drops startup file

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Interacts with shadow copies

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-06 17:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-06 17:17

Reported

2023-08-06 17:48

Platform

win10-20230703-en

Max time kernel

1531s

Max time network

1577s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\README.md

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (row repeated 6 times)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A (row repeated 3 times)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4312 wrote to memory of 3224 | N/A | C:\Windows\system32\OpenWith.exe | C:\Program Files\Mozilla Firefox\firefox.exe (row repeated 2 times)
PID 3224 wrote to memory of 5056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe (row repeated 11 times)
PID 5056 wrote to memory of 4428 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe (row repeated 2 times)
PID 5056 wrote to memory of 4000 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe (row repeated 48 times)
PID 5056 wrote to memory of 3172 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\README.md

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\README.md"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\README.md

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.0.605634954\1462604351" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a55a40ef-6a5b-4591-aebe-6871e479f2f7} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 1792 22e14f0a158 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.1.1662554420\1793188353" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21797 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f841e983-df93-4e94-811d-0615e26c79b3} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 2168 22e13ce5258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.2.1892690624\1831903606" -childID 1 -isForBrowser -prefsHandle 2772 -prefMapHandle 2956 -prefsLen 21900 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4cd6efb-09e1-4968-b18c-d2441765ba90} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 3112 22e18235458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.3.706940286\1344496278" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8bf5ea3-4dbe-48e5-a585-6071811fede1} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 3536 22e08e69a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.4.870891017\162093778" -childID 3 -isForBrowser -prefsHandle 4664 -prefMapHandle 4660 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {48e18690-004c-4105-9453-e15f759916fb} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 4680 22e188b6558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.5.1967093551\477069365" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 4820 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dc46cd5-6499-4b25-8d95-cff1017fe842} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 4808 22e1a66e358 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5056.6.1048801303\20479901" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1248 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {090c73c3-92fa-46e8-b784-8ddb46cdee71} 5056 "\\.\pipe\gecko-crash-server-pipe.5056" 5004 22e1bb58958 tab

Network

Country Destination Domain Proto
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.211.118.46:443 shavar.services.mozilla.com tcp
N/A 127.0.0.1:49753 tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.117.65.55:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 0.0.a.0.0.0.8.2.0.0.9.0.0.0.9.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa udp
US 8.8.8.8:53 46.118.211.34.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:49760 tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 216.58.208.110:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 216.58.208.110:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-5hneknee.gvt1.com udp
NL 74.125.8.73:443 r4---sn-5hneknee.gvt1.com tcp
US 8.8.8.8:53 r4.sn-5hneknee.gvt1.com udp
US 8.8.8.8:53 r4.sn-5hneknee.gvt1.com udp
NL 74.125.8.73:443 r4.sn-5hneknee.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 73.8.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 35.244.181.201:443 prod.balrog.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp

Files

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\activity-stream.discovery_stream.json.tmp

MD5 7e30272f189e72f99b384c0cbdec0735
SHA1 d296dc646c3b3e7c84d9d9b911fd97eeedea54f6
SHA256 38a7e36b6fb1397750de1248718f1992e7cf55fd9b0308746e098b58e6c2ab57
SHA512 65b5827c89b74a9a1767270a836fa731baca6c4e4f0ca9548b64f04c14a6abfd69197f2c89301de497abfdebabbca54f7640a4d6d0f81aa0a01569a6b596eeab

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionstore-backups\recovery.jsonlz4

MD5 780b273ad64469d387484b136d6f3653
SHA1 fceb5f2f69418e10ed3682f2be82bdff3a3efa02
SHA256 2b49dfd1f16e887747bfa1f2dbf1fb7e40c947f09e81493ee31a9ccf8b5391f5
SHA512 ff08c66b9e6d4a2953215bc714f3d32e3decadc211179192acded41dc9f6414fcd44efde52d5216a86b5bb05493578bf570b375fdc8a4905cd2f733d5ee5cd7f

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 5491026cb1c1a005fb77549bacdbb2ec
SHA1 d540c9ca2ca5bc0e43803d8939a4fc2dfd2fcfa3
SHA256 e028c24ebecbd923558178f6bbbfd5795cc573aff12844e2e8a5c50d8e488e10
SHA512 8cf3a2f87a2076ed5693b8272360047097a0f93c9e5c9bafa23a21b237bc7a985e931070ad21c0c56ccd773649df4ad5d2f758a20ebbec5aece9d9d91aedf8cd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\prefs-1.js

MD5 d2e61b5d35e06f31c7daac50c336b30e
SHA1 700f636abf09d39255582d63f6c5d463f931d0f7
SHA256 7fab04483c7f4176c38d66a9aaf878742d67d96279bc44096a41086df70c2366
SHA512 ea10806de6ddf0bd0178eb2733de6216e68bd179c20d164050e27fd79025ec8577f6fc0eb55aeb4f6cdaa1581b5c91d331f1ed924833ba614eb81f3f41fff087

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\cache2\entries\70DBE5F90BD35EEC6D4A07D16DB46EC38E379124

MD5 e857014868865289a2b9cbcc79f96a28
SHA1 0637060f76b997912fb5153314064deb6a6dc9ea
SHA256 85dff5d69032c81ec755566462afe7e55572e637aaafcbc71cd07b5fe9cc4c85
SHA512 0d4ba9d9bf62314d6c20e9f0fa618247ef599ba537bbfc318da076159263e68c241e254243a300051301acc61e3697dab8a597d680d60ce57828ffc2dbbd2bb0

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\prefs-1.js

MD5 f1f731231ab576c07febd4cf7ce05790
SHA1 83e6975ab26ac52c3fbda9f4ae6a2f94d3b24cee
SHA256 5f8672e451e61122115a15086a7978961c1179ddb27f0a9eca22fd8a181dc240
SHA512 0e1d83ecc4475180824d2eb589409d6502161701544efd4d01e3ac993e8bd1f5b103d60a10fa4223fd7ebbf8419ab41114e7d646844618e9e718f1829399e98e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\prefs-1.js

MD5 a58f5b952969c8291e69020a833f86ac
SHA1 3d32c0bdd010cb73a22bfbdff9e6f51d6016e063
SHA256 a59a6147e2660c71d3a217a759c2f4ba41c11f50eeed5550ec9ec6a97c82af0d
SHA512 aeee000c27b4069e2d2072abb25e1d8fa9a75c03b8d82313f6109a552094fd086d7f38ea3417fa60f5e6d275ebc4ca5e1d50a0fffe4e2be0b87e7f8cbabc0368

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\addonStartup.json.lz4

MD5 f24254bcaea50213bb4429af5c22d89e
SHA1 0d7c7b17a8473e51778939a21c43b306534ff2b4
SHA256 2b2dd7ae9214891359c6d2f9ba6f70ace68f13b3f6860893f9931f1fc485c096
SHA512 f737def202feb62f6785e47f58a1ddcc29766ddada1104c7d307f14a6c79c94f109c3735ace1ba2d89155c3e576cc1ec7915206e8f6a5e7a5a031618f8cd2f40

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\broadcast-listeners.json

MD5 b379e461bc20a7d1dccbd1efec9ac64e
SHA1 5833ba90b8cc20172a9d73568db45fa69cdab1e8
SHA256 483516af706b2191be418756f6c646290cf16412882b3fe74b5cd7ea652067f9
SHA512 7d617de753a4480e823e31952bdb55a990332238fe9ae95b809006d5e4762c1a2adc169cac48492fc9174b837d2f43f0ff73668df37d0625841b46f0f636f146

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\sessionCheckpoints.json

MD5 c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA1 5942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA256 00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA512 71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\targeting.snapshot.json

MD5 ba1ebdfafe182f33586b4a88044c6883
SHA1 688bad1fd4c864cea39af17ea45078a4e75df4a1
SHA256 fddb70101a16932fe11de192ef6e22759bab4303b6e523568e79124c97ea8a53
SHA512 9149a36f34b194a6899bec70042623d275716ec16a21ed1cd5362ded133215222d92cdd58bdb3b4bcb358f4af1d527f0ef42721324554357f897079226aef07c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

MD5 c0690e18be9c4c09f934aba46fc0ee9c
SHA1 c7292579ba92aaf65c8fdff8906f6b9ba3349f2f
SHA256 95ade814821340378ac6a83ad03d55985de5e2633aee9d126bde1486687c4ca3
SHA512 34b55d5e3220a46174cdfcc4e9d33d81db7b12cc4a7c42cd5f7d46d12cb235717e8e4f28c276c0a6f914a428c17e1952bf57c282f9d73e3733579924ea26abda

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\bookmarkbackups\bookmarks-2023-07-03_11_qCPSTgKF7O9FuS2EwkSipw==.jsonlz4

MD5 64eb3f395d756ce1bdcab2e5e23c4a8c
SHA1 f69588d375177b3d3d3dcfda9dca5203ae77e155
SHA256 4f24bddf949982aa8b2b31680ded6b148fb2011137d2ecbaac74bd3cff989d2f
SHA512 9d285ec1f45847fec1e6b39fee2849ac5ba86d10bcb6ecad158f7176f2cfafadc534065aac5ec05ef4dc86572dfc97beed68ca067897eb53d6c3a96fb1444199

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1qi9pr8t.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 208c40d8254ab271a6650645e2573c67
SHA1 82522a9b953fedad7741dfb082e6726e813c5981
SHA256 5e9ce8714283e8258e74b08857cd6d0d0a25e4ca52add33e613aa547ebc66214
SHA512 129040598f545324e2818b14fe6345fe965329938700ffa2cc5ce74f1f192c48749c6b69c6fa05e795c1b92fc3d158fc7c8927b6ae72a09253b1dc4fa1ec6709

Analysis: behavioral4

Detonation Overview

Submitted

2023-08-06 17:17

Reported

2023-08-06 17:48

Platform

win10-20230703-en

Max time kernel

314s

Max time network

1581s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\Ransomware.WannaCry.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\Ransomware.WannaCry.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-08-06 17:17

Reported

2023-08-06 17:21

Platform

win10-20230703-en

Max time kernel

161s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE198.tmp | C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE191.tmp | C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A

Modifies file permissions

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xnnilgeungm117 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | C:\Windows\SysWOW64\reg.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskse.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\taskse.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\@[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\attrib.exe
PID 792 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\attrib.exe
PID 792 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\attrib.exe
PID 792 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\icacls.exe
PID 792 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\icacls.exe
PID 792 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\icacls.exe
PID 792 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskdl.exe
PID 792 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskdl.exe
PID 792 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskdl.exe
PID 792 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 4844 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4844 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 4844 wrote to memory of 5004 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 792 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\attrib.exe
PID 792 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\attrib.exe
PID 792 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\attrib.exe
PID 792 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 792 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 792 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 792 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 1632 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 1632 wrote to memory of 4960 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 3044 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\@[email protected] C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
PID 3044 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\@[email protected] C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
PID 3044 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\@[email protected] C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
PID 792 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskse.exe
PID 792 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskse.exe
PID 792 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskse.exe
PID 792 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 792 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 792 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
PID 792 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskdl.exe
PID 792 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskdl.exe
PID 792 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe C:\Users\Admin\AppData\Local\Temp\taskdl.exe
PID 4960 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\@[email protected] C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\@[email protected] C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\@[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3448 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3448 wrote to memory of 2724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3004 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3004 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 3004 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3004 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3004 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 4256 wrote to memory of 4488 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 319731691342301.bat

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected] co

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected] vs

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

TaskData\Tor\taskhsvc.exe

C:\Users\Admin\AppData\Local\Temp\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xnnilgeungm117" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xnnilgeungm117" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.0.1931431060\1934899692" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1676 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aba85d2a-0407-48d5-8b34-023e4de2a43e} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 1780 2c65e5cba58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.1.1340618184\531706264" -parentBuildID 20221007134813 -prefsHandle 2120 -prefMapHandle 2116 -prefsLen 21017 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a2e5213-ad21-4dc9-80d5-6c79556a9f9c} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 2132 2c65e13c258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.2.1502221219\1580335161" -childID 1 -isForBrowser -prefsHandle 2896 -prefMapHandle 2788 -prefsLen 21055 -prefMapSize 232675 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {15b3801e-f087-4424-9b74-7aa52152dfac} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 2688 2c65e55de58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.3.519217409\1274628932" -childID 2 -isForBrowser -prefsHandle 1056 -prefMapHandle 1080 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2d874d9-45bd-4414-bd9f-0f79c48093ca} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 1012 2c653562858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.4.691525086\1340651205" -childID 3 -isForBrowser -prefsHandle 4544 -prefMapHandle 4540 -prefsLen 26539 -prefMapSize 232675 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74ec03f7-ca19-4dc4-b8a2-aca660fd678b} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 4556 2c662706a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.5.1757547373\501175582" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa62308e-6121-4a48-b497-c9625ed324f5} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 4968 2c65352ea58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.6.1646203353\1723652169" -childID 5 -isForBrowser -prefsHandle 5088 -prefMapHandle 5092 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b17a117c-d9ba-4b77-a5ca-61495a46737e} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 4896 2c65356a258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.7.572769780\471811698" -childID 6 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 26620 -prefMapSize 232675 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65068b25-de58-4c70-a504-8668ee3ddab6} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 5280 2c664f4de58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4488.8.1559010536\52961814" -childID 7 -isForBrowser -prefsHandle 5692 -prefMapHandle 5724 -prefsLen 26874 -prefMapSize 232675 -jsInitHandle 1072 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {94de32db-bb9e-495e-81c4-ed53c30968dc} 4488 "\\.\pipe\gecko-crash-server-pipe.4488" 5648 2c665c17858 tab

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]

C:\Users\Admin\AppData\Local\Temp\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

taskdl.exe
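The command lines above are the whole recovery-inhibition and persistence chain in one place: `attrib +h .` and `icacls . /grant Everyone:F /T /C /Q` on the working directory, the Run key pointing at `tasksche.exe` under Temp, and the `vssadmin & wmic & bcdedit & wbadmin` chain that the "Deletes shadow copies" and "Interacts with shadow copies" signatures summarise. One detail worth reading correctly: the Run-key signature shows the value under `WOW6432Node` although the command names `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`, because the 32-bit `reg.exe` from SysWOW64 is subject to registry redirection; a hunt for the resulting value on 64-bit hosts has to check both views. The following is an added triage script, not part of the sandbox report or of the sample, that splits compound `cmd.exe /c a & b` lines into individual commands and matches each against a small rule table; the rule names, the ATT&CK mapping and the sample list (copied from the Processes section above) are this example's own choices.

```python
"""Triage sandbox process command lines for the command chain WannaCry uses to
inhibit recovery, persist and loosen ACLs.

Added example, not part of the sandbox report or of the sample. The rule names,
the ATT&CK mapping and SAMPLE_COMMAND_LINES (copied from the report's Processes
section) are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # ATT&CK technique ID; mapping chosen by this example
    pattern: re.Pattern


RULES = [
    # T1490 Inhibit System Recovery: each link of the vssadmin & wmic & bcdedit & wbadmin chain
    Rule("vss_delete", "T1490",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("wmic_shadowcopy_delete", "T1490",
         re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("bcdedit_recovery_off", "T1490",
         re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("wbadmin_catalog_delete", "T1490",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    # T1547.001 Run key whose target lives under the user's Temp directory
    Rule("run_key_from_temp", "T1547.001",
         re.compile(r"\breg(\.exe)?\s+add\s+HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b"
                    r".*\\AppData\\Local\\Temp\\", re.I)),
    # T1222.001 ACL loosened to Everyone:Full so any account can open the dropped files
    Rule("icacls_everyone_full", "T1222.001",
         re.compile(r"\bicacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b", re.I)),
    # T1564.001 hidden attribute set on the working directory or on $RECYCLE
    Rule("attrib_hide", "T1564.001",
         re.compile(r"\battrib(\.exe)?\s+\+h\b", re.I)),
]

# Constructed from the Processes section of the report (one entry per distinct command line).
SAMPLE_COMMAND_LINES = [
    r'attrib +h .',
    r'icacls . /grant Everyone:F /T /C /Q',
    r'taskdl.exe',
    r'C:\Windows\system32\cmd.exe /c 319731691342301.bat',
    r'cscript.exe //nologo m.vbs',
    r'cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xnnilgeungm117" '
    r'/t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f',
    r'cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & '
    r'bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
    r'bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet',
    r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
]

CMD_WRAPPER = re.compile(r'^(?:"[^"]*cmd\.exe"|\S*cmd\.exe)\s+/[ck]\s+(.*)$', re.I | re.S)
CMD_SEPARATOR = re.compile(r"\s*&&?\s*")


def split_compound(cmdline: str) -> list[str]:
    """Expand `cmd.exe /c a & b && c` into ['a', 'b', 'c'].

    A line that is not a cmd.exe /c or /k wrapper comes back as a one-element list.
    A quoted '&' is not handled; none of the report's lines contain one.
    """
    m = CMD_WRAPPER.match(cmdline)
    body = m.group(1) if m else cmdline
    return [part.strip() for part in CMD_SEPARATOR.split(body) if part.strip()]


def triage(cmdlines) -> list[tuple[str, str, str]]:
    """Return (rule name, technique, command) for every individual command that matches a rule."""
    findings = []
    for raw in cmdlines:
        for cmd in split_compound(raw):
            for rule in RULES:
                if rule.pattern.search(cmd):
                    findings.append((rule.name, rule.technique, cmd))
    return findings


def techniques(findings) -> list[str]:
    """Sorted, de-duplicated technique IDs across the findings."""
    return sorted({technique for _, technique, _ in findings})


def inhibits_recovery(findings) -> bool:
    """True only when shadow copies are destroyed *and* boot recovery is switched off,
    the combination that leaves a victim with neither VSS nor WinRE to fall back on."""
    names = {name for name, _, _ in findings}
    return bool(names & {"vss_delete", "wmic_shadowcopy_delete"}) and "bcdedit_recovery_off" in names


if __name__ == "__main__":
    found = triage(SAMPLE_COMMAND_LINES)
    for name, tech, cmd in found:
        print(f"{tech:<10} {name:<24} {cmd}")
    print("inhibits recovery:", inhibits_recovery(found))
```

Splitting the compound line matters: matching the raw `cmd.exe /c ...` string once would yield a single hit, whereas the split shows both `bcdedit` variants and the `wbadmin` catalog deletion as separate events, which is how they also appear in the WriteProcessMemory rows above (cmd.exe 3004 spawning vssadmin and WMIC in turn).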

Network

Country Destination Domain Proto
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:51205 tcp
FR 92.222.4.102:9001 tcp
NL 194.109.206.212:443 tcp
SE 109.105.109.162:60784 tcp
US 8.8.8.8:53 162.109.105.109.in-addr.arpa udp
US 51.81.56.74:443 tcp
US 8.8.8.8:53 74.56.81.51.in-addr.arpa udp
N/A 127.0.0.1:51262 tcp
N/A 127.0.0.1:51268 tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 34.117.237.239:443 contile.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 34.160.144.191:443 content-signature-2.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.211.118.46:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.65.55:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 46.118.211.34.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9050 tcp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp

Files

C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

memory/792-159-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c.wnry

MD5 8124a611153cd3aceb85a7ac58eaa25d
SHA1 c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA256 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512 b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

C:\Users\Admin\AppData\Local\Temp\b.wnry

MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

C:\Users\Admin\AppData\Local\Temp\s.wnry

MD5 ad4c9de7c8c40813f200ba1c2fa33083
SHA1 d1af27518d455d432b62d73c6a1497d032f6120e
SHA256 e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b
SHA512 115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

C:\Users\Admin\AppData\Local\Temp\r.wnry

MD5 3e0020fc529b1c2a061016dd2469ba96
SHA1 c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA512 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

MD5 8419be28a0dcec3f55823620922b00fa
SHA1 2e4791f9cdfca8abf345d606f313d22b36c46b92
SHA256 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA512 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

MD5 531ba6b1a5460fc9446946f91cc8c94b
SHA1 cc56978681bd546fd82d87926b5d9905c92a5803
SHA256 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512 ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

MD5 c7a19984eb9f37198652eaf2fd1ee25c
SHA1 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
SHA256 146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4
SHA512 43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

MD5 8d61648d34cba8ae9d1e2a219019add1
SHA1 2091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA256 72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA512 68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

MD5 c911aba4ab1da6c28cf86338ab2ab6cc
SHA1 fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256 e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA512 3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

MD5 452615db2336d60af7e2057481e4cab5
SHA1 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA256 02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA512 7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

MD5 313e0ececd24f4fa1504118a11bc7986
SHA1 e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA256 70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512 c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

MD5 fa948f7d8dfb21ceddd6794f2d56b44f
SHA1 ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256 bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA512 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

MD5 e79d7f2833a9c2e2553c7fe04a1b63f4
SHA1 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512 e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

MD5 ff70cc7c00951084175d12128ce02399
SHA1 75ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256 cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512 f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

MD5 c33afb4ecc04ee1bcc6975bea49abe40
SHA1 fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256 a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA512 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

MD5 6735cb43fe44832b061eeb3f5956b099
SHA1 d636daf64d524f81367ea92fdafa3726c909bee1
SHA256 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA512 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

MD5 b77e1221f7ecd0b5d696cb66cda1609e
SHA1 51eb7a254a33d05edf188ded653005dc82de8a46
SHA256 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512 f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

MD5 30a200f78498990095b36f574b6e8690
SHA1 c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA256 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512 c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

MD5 3788f91c694dfc48e12417ce93356b0f
SHA1 eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA256 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512 b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

MD5 fb4e8718fea95bb7479727fde80cb424
SHA1 1088c7653cba385fe994e9ae34a6595898f20aeb
SHA256 e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA512 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

MD5 3d59bbb5553fe03a89f817819540f469
SHA1 26781d4b06ff704800b463d0f1fca3afd923a9fe
SHA256 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA512 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

C:\Users\Admin\AppData\Local\Temp\taskse.exe

C:\Users\Admin\AppData\Local\Temp\u.wnry

C:\Users\Admin\AppData\Local\Temp\t.wnry

C:\Users\Admin\AppData\Local\Temp\taskdl.exe

C:\Users\Admin\AppData\Local\Temp\319731691342301.bat

C:\Users\Admin\AppData\Local\Temp\@[email protected]

C:\Users\Admin\AppData\Local\Temp\m.vbs

C:\Users\Admin\AppData\Local\Temp\@[email protected]

C:\Users\Admin\AppData\Local\Temp\@[email protected]

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

C:\Users\Default\Desktop\@[email protected]

C:\Users\Admin\AppData\Local\Temp\00000000.res

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe

\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll

\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

\Users\Admin\AppData\Local\Temp\TaskData\Tor\libeay32.dll

\Users\Admin\AppData\Local\Temp\TaskData\Tor\ssleay32.dll

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll

\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll

C:\Users\Admin\AppData\Local\Temp\c.wnry

C:\Users\Admin\Desktop\@[email protected]

C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\activity-stream.discovery_stream.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\q2ft4sxy.default-release\sessionstore-backups\recovery.jsonlz4

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-06 17:17

Reported

2023-08-06 17:48

Platform

win10-20230703-en

Max time kernel

314s

Max time network

1598s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-06 17:17

Reported

2023-08-06 17:48

Platform

win10-20230703-en

Max time kernel

126s

Max time network

1611s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\LICENSE

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\LICENSE

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A