Analysis Overview
SHA256
761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f
Threat Level: Known bad
The file RANSOMWARE-WANNACRY-2.0-master.zip was found to be: Known bad.
Malicious Activity Summary
Wannacry
Deletes shadow copies
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Modifies file permissions
Loads dropped DLL
Adds Run key to start application
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Interacts with shadow copies
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-06 21:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-06 21:06
Reported
2023-08-06 21:08
Platform
win7-20230712-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master.zip
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-06 21:06
Reported
2023-08-06 21:08
Platform
win7-20230712-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\LICENSE
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-06 21:06
Reported
2023-08-06 21:09
Platform
win7-20230712-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.md\ = "md_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\md_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\md_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\md_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\.md | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\md_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\md_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_CLASSES\md_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2508 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2508 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2508 wrote to memory of 1424 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 1424 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1424 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1424 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 1424 wrote to memory of 2308 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\README.md
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\README.md
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\README.md"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 2690853c98d274026b3ec2aa2024855a |
| SHA1 | b49d66ead53d4e4a95dabb446969053d9fbee242 |
| SHA256 | ae8d504ce210479809760b91ae46f92f7b1eed6951db01a11b1212add187841c |
| SHA512 | 101298cf5461f507f7903466fad9ebf0f664e9049f74184106d33b7eb5d16ded2de8049107882a23e9039dc5466c00a793a2849c47d97343e3fcba1e9dbb8600 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-08-06 21:06
Reported
2023-08-06 21:08
Platform
win7-20230712-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\RANSOMWARE-WANNACRY-2.0-master\Ransomware.WannaCry.zip
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-08-06 21:06
Reported
2023-08-06 21:09
Platform
win7-20230712-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Wannacry
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBAEE.tmp | C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lqxrdkefrjbvufm344 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | C:\Windows\SysWOW64\reg.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\taskse.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\@[email protected] | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@[email protected] | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c 258821691355992.bat
C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lqxrdkefrjbvufm344" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lqxrdkefrjbvufm344" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Users\Admin\AppData\Local\Temp\@[email protected]
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.486386258\302153018" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1188 -prefsLen 17985 -prefMapSize 230913 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbcb8524-60d7-416d-9986-666c684acda7} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1276 12004d58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.1.1136562480\1159832504" -parentBuildID 20221007134813 -prefsHandle 1620 -prefMapHandle 1604 -prefsLen 19080 -prefMapSize 230913 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7858b213-6346-4311-a2e9-bad4b524e980} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1640 14516258 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.2.1550282034\1989429400" -childID 1 -isForBrowser -prefsHandle 1056 -prefMapHandle 1076 -prefsLen 19815 -prefMapSize 230913 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4ec77ee-98ac-4d14-a349-c252dadcd335} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2468 d60a58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.3.2062173957\1263487456" -childID 2 -isForBrowser -prefsHandle 3132 -prefMapHandle 3128 -prefsLen 20002 -prefMapSize 230913 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7eb9089-2b2f-4412-a88b-e3c10c7507b0} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3144 1205cd58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.4.1700972203\731185075" -parentBuildID 20221007134813 -prefsHandle 2644 -prefMapHandle 2932 -prefsLen 21994 -prefMapSize 230913 -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e32835-3307-4fe2-9c21-b93718455f9c} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2908 1dce0858 rdd
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.5.383996666\336750044" -childID 3 -isForBrowser -prefsHandle 3280 -prefMapHandle 3284 -prefsLen 26927 -prefMapSize 230913 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c33edda6-f3df-4ad0-9080-b65651e4e9da} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3132 1e6de658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.6.515886319\252863999" -childID 4 -isForBrowser -prefsHandle 2428 -prefMapHandle 3784 -prefsLen 27712 -prefMapSize 230913 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2306314c-09ae-4904-96af-34f183ff47f2} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3832 1c85b058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.7.402546753\2063486497" -childID 5 -isForBrowser -prefsHandle 3732 -prefMapHandle 3744 -prefsLen 27712 -prefMapSize 230913 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6e4a909-8765-49e6-997e-ceaa03086036} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 3844 1fad0258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.8.45304966\1133481084" -childID 6 -isForBrowser -prefsHandle 4068 -prefMapHandle 4152 -prefsLen 27787 -prefMapSize 230913 -jsInitHandle 876 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9327850b-eadc-47d9-bed2-70b64eb3c229} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 4108 1fad1158 tab
Network
| Country | Destination | Domain | Proto |
| US | 69.162.139.9:9001 | tcp | |
| US | 154.35.175.225:443 | tcp | |
| CA | 198.96.155.3:5001 | tcp | |
| HU | 92.249.143.119:9001 | tcp | |
| DE | 144.76.162.202:8080 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:50023 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:50190 | tcp | |
| N/A | 127.0.0.1:50194 | tcp | |
| US | 8.8.8.8:53 | location.services.mozilla.com | udp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp |
| US | 35.163.74.237:443 | locprod2-elb-us-west-2.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 34.210.17.96:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry
| MD5 | 35c2f97eea8819b1caebd23fee732d8f |
| SHA1 | e354d1cc43d6a39d9732adea5d3b0f57284255d2 |
| SHA256 | 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e |
| SHA512 | 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf |
C:\Users\Admin\AppData\Local\Temp\c.wnry
| MD5 | 383a85eab6ecda319bfddd82416fc6c2 |
| SHA1 | 2a9324e1d02c3e41582bf5370043d8afeb02ba6f |
| SHA256 | 079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21 |
| SHA512 | c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252 |
C:\Users\Admin\AppData\Local\Temp\b.wnry
| MD5 | c17170262312f3be7027bc2ca825bf0c |
| SHA1 | f19eceda82973239a1fdc5826bce7691e5dcb4fb |
| SHA256 | d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa |
| SHA512 | c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c |
memory/2588-93-0x0000000010000000-0x0000000010010000-memory.dmp
\Users\Admin\AppData\Local\Temp\taskdl.exe
| MD5 | 4fef5e34143e646dbf9907c4374276f5 |
| SHA1 | 47a9ad4125b6bd7c55e4e7da251e23f089407b8f |
| SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
| SHA512 | 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5 |
\Users\Admin\AppData\Local\Temp\taskdl.exe
| MD5 | 4fef5e34143e646dbf9907c4374276f5 |
| SHA1 | 47a9ad4125b6bd7c55e4e7da251e23f089407b8f |
| SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
| SHA512 | 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5 |
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
| MD5 | 4fef5e34143e646dbf9907c4374276f5 |
| SHA1 | 47a9ad4125b6bd7c55e4e7da251e23f089407b8f |
| SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
| SHA512 | 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5 |
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
| MD5 | 4fef5e34143e646dbf9907c4374276f5 |
| SHA1 | 47a9ad4125b6bd7c55e4e7da251e23f089407b8f |
| SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
| SHA512 | 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5 |
C:\Users\Admin\AppData\Local\Temp\258821691355992.bat
| MD5 | 3867f2ec82a7d77c9ffefb1aac8b7903 |
| SHA1 | 06fccf19b9c498b5afa2b35da00e3ab28d56f785 |
| SHA256 | 4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f |
| SHA512 | b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa |
C:\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\AppData\Local\Temp\258821691355992.bat
| MD5 | 3867f2ec82a7d77c9ffefb1aac8b7903 |
| SHA1 | 06fccf19b9c498b5afa2b35da00e3ab28d56f785 |
| SHA256 | 4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f |
| SHA512 | b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa |
C:\Users\Admin\AppData\Local\Temp\m.vbs
| MD5 | 82a1fc4089755cb0b5a498ffdd52f20f |
| SHA1 | 0a8c0da8ef0354f37241e2901cf82ec9ce6474aa |
| SHA256 | 7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa |
| SHA512 | 1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78 |
C:\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\Documents\@[email protected]
| MD5 | f97d2e6f8d820dbd3b66f21137de4f09 |
| SHA1 | 596799b75b5d60aa9cd45646f68e9c0bd06df252 |
| SHA256 | 0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a |
| SHA512 | efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0 |
C:\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 82052703ad3aaeae2441012a5085380f |
| SHA1 | a644997f2711a35582332ad57a6ccd6779650ee3 |
| SHA256 | d27312f03bcf8e6fae2ab5c1f9fa09095303ad970682aa0f2201ab20d66807ed |
| SHA512 | eb0ae03ad6039ffc74a9312c05edbc0578a8ffdca048b1cb5468c9331aa58cd8e4df4728c809cec16f87c4506139c9fc958252d67d6d5a70eb526c869f233ea8 |
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry
| MD5 | 8419be28a0dcec3f55823620922b00fa |
| SHA1 | 2e4791f9cdfca8abf345d606f313d22b36c46b92 |
| SHA256 | 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8 |
| SHA512 | 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386 |
C:\Users\Admin\AppData\Local\Temp\r.wnry
| MD5 | 3e0020fc529b1c2a061016dd2469ba96 |
| SHA1 | c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade |
| SHA256 | 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c |
| SHA512 | 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf |
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry
| MD5 | 531ba6b1a5460fc9446946f91cc8c94b |
| SHA1 | cc56978681bd546fd82d87926b5d9905c92a5803 |
| SHA256 | 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415 |
| SHA512 | ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9 |
C:\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | f97d2e6f8d820dbd3b66f21137de4f09 |
| SHA1 | 596799b75b5d60aa9cd45646f68e9c0bd06df252 |
| SHA256 | 0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a |
| SHA512 | efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0 |
C:\Users\Admin\AppData\Local\Temp\f.wnry
| MD5 | c91588ea785b62c88d2c3cd5f86ddf34 |
| SHA1 | 9367b4894aa5095f0762516087f23785abc12358 |
| SHA256 | 6709a728e1e6fb0c31a600df215b9731572446c4816b97f53cb1b4b26c53e1e6 |
| SHA512 | 0747cd128c9fbd09f2d648b9d9a2ce365e57e882056be05a2dd37e0daaf6e0c3cdc1d53368711ce07fa6492d45c28352555f3c4f98be8f741bb40ee0c8ca6a89 |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 1540f6a4c1a4593065f3d1b915d2b457 |
| SHA1 | cde513b663fe49f2013bb3ac6dbe647516cf7257 |
| SHA256 | 0777bf9dd2ebed112e2c13ac3ebecbe6798809b39f6c074c2e3614fe76a52ced |
| SHA512 | a18daa4a55cae8e02102fe11113eee63c6d22e74599ebabd995ec3fb1a6563102a62bf0ef1cd607a6fe51e9c85ae7ac379a455a352df619587cf134c21758fe2 |
C:\Users\Admin\AppData\Local\Temp\00000000.pky
| MD5 | 4850e193fecea52d7e978e8b901972ba |
| SHA1 | a3140f948bca3c07a1fb660ce9d16fafc6111c16 |
| SHA256 | bc351a51beb3d21254acac1fbd9b88ad2353c6c922ed8b234197dee5a965b3cf |
| SHA512 | a2551b5017ec09ca2e6699c4b12503137af945173ac071f9bfdce3a6a00ab0dd52179eb4f57c7f440ffe341beeacfaeb4f52e004a7d8f6899f176d040e6f1a70 |
C:\Users\Admin\AppData\Local\Temp\00000000.eky
| MD5 | 22dfbbce446ce36082c9da425d59119d |
| SHA1 | 441a691988148c568f490f4e0a54416f0c14022e |
| SHA256 | ba78b1d601bad2dc5b7e3ec5d83f063888ad128aa77a6f8506016597b735b260 |
| SHA512 | 0a4882d432eb360dfda3121bba335e2cf525333441038cbf72a5f9613fc0ba8c9646d4b48d8142a0b66cf553668e42193a48377e293c624d033e5d26d432976f |
C:\Users\Admin\AppData\Local\Temp\u.wnry
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\AppData\Local\Temp\taskse.exe
| MD5 | 8495400f199ac77853c53b5a3f278f3e |
| SHA1 | be5d6279874da315e3080b06083757aad9b32c23 |
| SHA256 | 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d |
| SHA512 | 0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4 |
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
| MD5 | 4fef5e34143e646dbf9907c4374276f5 |
| SHA1 | 47a9ad4125b6bd7c55e4e7da251e23f089407b8f |
| SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
| SHA512 | 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5 |
C:\Users\Admin\AppData\Local\Temp\t.wnry
| MD5 | 5dcaac857e695a65f5c3ef1441a73a8f |
| SHA1 | 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd |
| SHA256 | 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6 |
| SHA512 | 06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2 |
C:\Users\Admin\AppData\Local\Temp\s.wnry
| MD5 | ad4c9de7c8c40813f200ba1c2fa33083 |
| SHA1 | d1af27518d455d432b62d73c6a1497d032f6120e |
| SHA256 | e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b |
| SHA512 | 115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617 |
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry
| MD5 | c7a19984eb9f37198652eaf2fd1ee25c |
| SHA1 | 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae |
| SHA256 | 146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4 |
| SHA512 | 43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020 |
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry
| MD5 | 8d61648d34cba8ae9d1e2a219019add1 |
| SHA1 | 2091e42fc17a0cc2f235650f7aad87abf8ba22c2 |
| SHA256 | 72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1 |
| SHA512 | 68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079 |
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry
| MD5 | c911aba4ab1da6c28cf86338ab2ab6cc |
| SHA1 | fee0fd58b8efe76077620d8abc7500dbfef7c5b0 |
| SHA256 | e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729 |
| SHA512 | 3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a |
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry
| MD5 | 452615db2336d60af7e2057481e4cab5 |
| SHA1 | 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6 |
| SHA256 | 02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078 |
| SHA512 | 7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f |
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry
| MD5 | 313e0ececd24f4fa1504118a11bc7986 |
| SHA1 | e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d |
| SHA256 | 70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1 |
| SHA512 | c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730 |
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry
| MD5 | fa948f7d8dfb21ceddd6794f2d56b44f |
| SHA1 | ca915fbe020caa88dd776d89632d7866f660fc7a |
| SHA256 | bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66 |
| SHA512 | 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a |
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry
| MD5 | e79d7f2833a9c2e2553c7fe04a1b63f4 |
| SHA1 | 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff |
| SHA256 | 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e |
| SHA512 | e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de |
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry
| MD5 | ff70cc7c00951084175d12128ce02399 |
| SHA1 | 75ad3b1ad4fb14813882d88e952208c648f1fd18 |
| SHA256 | cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a |
| SHA512 | f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19 |
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry
| MD5 | c33afb4ecc04ee1bcc6975bea49abe40 |
| SHA1 | fbea4f170507cde02b839527ef50b7ec74b4821f |
| SHA256 | a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536 |
| SHA512 | 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44 |
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry
| MD5 | 6735cb43fe44832b061eeb3f5956b099 |
| SHA1 | d636daf64d524f81367ea92fdafa3726c909bee1 |
| SHA256 | 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0 |
| SHA512 | 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e |
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry
| MD5 | b77e1221f7ecd0b5d696cb66cda1609e |
| SHA1 | 51eb7a254a33d05edf188ded653005dc82de8a46 |
| SHA256 | 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e |
| SHA512 | f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc |
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry
| MD5 | 30a200f78498990095b36f574b6e8690 |
| SHA1 | c4b1b3c087bd12b063e98bca464cd05f3f7b7882 |
| SHA256 | 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07 |
| SHA512 | c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511 |
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry
| MD5 | 3788f91c694dfc48e12417ce93356b0f |
| SHA1 | eb3b87f7f654b604daf3484da9e02ca6c4ea98b7 |
| SHA256 | 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4 |
| SHA512 | b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd |
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry
| MD5 | fb4e8718fea95bb7479727fde80cb424 |
| SHA1 | 1088c7653cba385fe994e9ae34a6595898f20aeb |
| SHA256 | e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9 |
| SHA512 | 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb |
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry
| MD5 | 3d59bbb5553fe03a89f817819540f469 |
| SHA1 | 26781d4b06ff704800b463d0f1fca3afd923a9fe |
| SHA256 | 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61 |
| SHA512 | 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac |
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry
| MD5 | 4e57113a6bf6b88fdd32782a4a381274 |
| SHA1 | 0fccbc91f0f94453d91670c6794f71348711061d |
| SHA256 | 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc |
| SHA512 | 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9 |
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry
| MD5 | 35c2f97eea8819b1caebd23fee732d8f |
| SHA1 | e354d1cc43d6a39d9732adea5d3b0f57284255d2 |
| SHA256 | 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e |
| SHA512 | 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf |
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry
| MD5 | 08b9e69b57e4c9b966664f8e1c27ab09 |
| SHA1 | 2da1025bbbfb3cd308070765fc0893a48e5a85fa |
| SHA256 | d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324 |
| SHA512 | 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4 |
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry
| MD5 | fe68c2dc0d2419b38f44d83f2fcf232e |
| SHA1 | 6c6e49949957215aa2f3dfb72207d249adf36283 |
| SHA256 | 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5 |
| SHA512 | 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810 |
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry
| MD5 | 7a8d499407c6a647c03c4471a67eaad7 |
| SHA1 | d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b |
| SHA256 | 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c |
| SHA512 | 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12 |
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry
| MD5 | 2c5a3b81d5c4715b7bea01033367fcb5 |
| SHA1 | b548b45da8463e17199daafd34c23591f94e82cd |
| SHA256 | a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6 |
| SHA512 | 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3 |
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry
| MD5 | 537efeecdfa94cc421e58fd82a58ba9e |
| SHA1 | 3609456e16bc16ba447979f3aa69221290ec17d0 |
| SHA256 | 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150 |
| SHA512 | e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b |
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry
| MD5 | 17194003fa70ce477326ce2f6deeb270 |
| SHA1 | e325988f68d327743926ea317abb9882f347fa73 |
| SHA256 | 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171 |
| SHA512 | dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c |
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry
| MD5 | 2efc3690d67cd073a9406a25005f7cea |
| SHA1 | 52c07f98870eabace6ec370b7eb562751e8067e9 |
| SHA256 | 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a |
| SHA512 | 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c |
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry
| MD5 | 0252d45ca21c8e43c9742285c48e91ad |
| SHA1 | 5c14551d2736eef3a1c1970cc492206e531703c1 |
| SHA256 | 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a |
| SHA512 | 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755 |
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry
| MD5 | 95673b0f968c0f55b32204361940d184 |
| SHA1 | 81e427d15a1a826b93e91c3d2fa65221c8ca9cff |
| SHA256 | 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd |
| SHA512 | 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92 |
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]
| MD5 | 82052703ad3aaeae2441012a5085380f |
| SHA1 | a644997f2711a35582332ad57a6ccd6779650ee3 |
| SHA256 | d27312f03bcf8e6fae2ab5c1f9fa09095303ad970682aa0f2201ab20d66807ed |
| SHA512 | eb0ae03ad6039ffc74a9312c05edbc0578a8ffdca048b1cb5468c9331aa58cd8e4df4728c809cec16f87c4506139c9fc958252d67d6d5a70eb526c869f233ea8 |
\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Default\Desktop\@[email protected]
| MD5 | c17170262312f3be7027bc2ca825bf0c |
| SHA1 | f19eceda82973239a1fdc5826bce7691e5dcb4fb |
| SHA256 | d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa |
| SHA512 | c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c |
\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
\Users\Admin\AppData\Local\Temp\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | fa2e9e1f3bbcddff8046c120afdf5ca2 |
| SHA1 | 3b23043773354e03c673c41876a5bbb8a4659326 |
| SHA256 | 45da907b0121161e81e94640c0dda1e6e717b78a310e9e94e73eebb7caa33b2d |
| SHA512 | 0bde18b7f2e84e610ca8a67c6e26d35e5ff0a3b315caa29fbbe0a1cfec196a1b9cc344e122ccd0863a0881edcd3a8c075b5900bbf658e105808b8a39232cd05d |
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
| MD5 | fe7eb54691ad6e6af77f8a9a0b6de26d |
| SHA1 | 53912d33bec3375153b7e4e68b78d66dab62671a |
| SHA256 | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
| SHA512 | 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f |
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
| MD5 | fe7eb54691ad6e6af77f8a9a0b6de26d |
| SHA1 | 53912d33bec3375153b7e4e68b78d66dab62671a |
| SHA256 | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
| SHA512 | 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f |
\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
| MD5 | fe7eb54691ad6e6af77f8a9a0b6de26d |
| SHA1 | 53912d33bec3375153b7e4e68b78d66dab62671a |
| SHA256 | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
| SHA512 | 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f |
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
| MD5 | fe7eb54691ad6e6af77f8a9a0b6de26d |
| SHA1 | 53912d33bec3375153b7e4e68b78d66dab62671a |
| SHA256 | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
| SHA512 | 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f |
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
| MD5 | 90f50a285efa5dd9c7fddce786bdef25 |
| SHA1 | 54213da21542e11d656bb65db724105afe8be688 |
| SHA256 | 77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f |
| SHA512 | 746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae |
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
| MD5 | 90f50a285efa5dd9c7fddce786bdef25 |
| SHA1 | 54213da21542e11d656bb65db724105afe8be688 |
| SHA256 | 77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f |
| SHA512 | 746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae |
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
| MD5 | 78581e243e2b41b17452da8d0b5b2a48 |
| SHA1 | eaefb59c31cf07e60a98af48c5348759586a61bb |
| SHA256 | f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f |
| SHA512 | 332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a |
\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
| MD5 | 78581e243e2b41b17452da8d0b5b2a48 |
| SHA1 | eaefb59c31cf07e60a98af48c5348759586a61bb |
| SHA256 | f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f |
| SHA512 | 332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a |
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libgcc_s_sjlj-1.dll
| MD5 | 73d4823075762ee2837950726baa2af9 |
| SHA1 | ebce3532ed94ad1df43696632ab8cf8da8b9e221 |
| SHA256 | 9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b |
| SHA512 | 8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5 |
memory/1844-875-0x0000000073FF0000-0x0000000074072000-memory.dmp
memory/1844-876-0x0000000073FF0000-0x0000000074072000-memory.dmp
memory/1844-877-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-879-0x0000000073C70000-0x0000000073C92000-memory.dmp
memory/1844-881-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-882-0x0000000073C70000-0x0000000073C92000-memory.dmp
memory/1844-880-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-878-0x0000000073CA0000-0x0000000073D22000-memory.dmp
memory/1844-884-0x0000000073CA0000-0x0000000073D22000-memory.dmp
memory/1844-883-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-894-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-895-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-896-0x0000000073FF0000-0x0000000074072000-memory.dmp
memory/1844-897-0x0000000073FD0000-0x0000000073FEC000-memory.dmp
memory/1844-898-0x0000000073F50000-0x0000000073FC7000-memory.dmp
memory/1844-900-0x0000000073CA0000-0x0000000073D22000-memory.dmp
memory/1844-899-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-902-0x00000000000F0000-0x00000000003EE000-memory.dmp
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 12a67e2a25c4fca1f9f14da543684232 |
| SHA1 | 4884379ec0028d3774882cce594c2d185c46cd1f |
| SHA256 | a8b67b0af538dbb831b39e3b11b60c9544094cdba114403ad49b7700175ee6e5 |
| SHA512 | a7be54db1a91a4625cda2a60a8336afff020dfb2545903390a796e748bae58c96d0d47318b11dd14efc545805da363dc5bf4e636f6b411ba022c7a71f483abaa |
memory/1844-922-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-926-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-929-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-933-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-943-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-947-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-977-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-981-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-984-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-988-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-995-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-1002-0x0000000073D30000-0x0000000073F4C000-memory.dmp
memory/1844-1005-0x00000000000F0000-0x00000000003EE000-memory.dmp
memory/1844-1009-0x0000000073D30000-0x0000000073F4C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\prefs.js
| MD5 | c1209a01abd6854357439d94e19b5ead |
| SHA1 | 1ae066163d05c3a5d87c06ae49d2fef20fe183af |
| SHA256 | 2650b19cc288ea14fe40d3d4d90e6647e95632a12d0270b341bf6a5dc3aeb3aa |
| SHA512 | c787632bb07876f3047501600ea7fae45c5b4967f88bf0830eb4091bb2cdb3b7396ba57af3a8610744efd8c8f95cf114c154f065abe03b00cc1976cf2b5f065b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\prefs.js
| MD5 | a6fbc9005fb37820b8029aa08a9df8bf |
| SHA1 | c9da6f1be1de502fef0bd8f537e913b7051d0c73 |
| SHA256 | ff52bb996088f830000813005a2da8c03d3af787abd1c751ed23a5a317508fdf |
| SHA512 | bfd9fd0585c86dfc5cc61205ced349f53587007d7aee2187e60ddf6adb9863cff038995b6d6899b8b0d8a878cf6668d249b49ef40f3e1800bc6415f39558ba86 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g1epp91b.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | 99e592fc814db5a39ac9d46999d65e52 |
| SHA1 | 31442ffad0121296bf6234b2eba0457b88023f6e |
| SHA256 | bd863f9f1d3babb521fc5b6cb7347486ed261ba6b9789cbc32fc8838f60117dc |
| SHA512 | 73a789b7a1ad4698673d21adc1b306c0707100ea1072be4d484f614749d190af027d86267aca21996fe9d8b43a72b52069bf43769fef79a3226ddab59768136a |
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
| MD5 | 7d1d7e1db5d8d862de24415d9ec9aca4 |
| SHA1 | f4cdc5511c299005e775dc602e611b9c67a97c78 |
| SHA256 | ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda |
| SHA512 | 1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\search.json.mozlz4
| MD5 | bb6e65729186d099afaf2a9690c40d04 |
| SHA1 | 9ff87bc9662659572dfd4ef66bb6736aaa5879e6 |
| SHA256 | f90aea459136b3e4779d58298eddc233c06c6560ab6d58502da4aaeb77064f10 |
| SHA512 | ab92af6e067a6f9b03ac9c6c513c5214846b525d0a4f71a9ae6fc970dc8cec9590f294eae69771f9a3feea8ae01ad5d620aec83d1c89a79644982842f965e392 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\extensions.json.tmp
| MD5 | 6edf8144c9d92b4e9463df0f89b8e341 |
| SHA1 | ec3903227789f2dbe4a1d833ec89406e9986c13e |
| SHA256 | 1fdd1dc8d9a0ce57e0ffff0a72684c94ad475570e8d534226bba71e1a74b9aa7 |
| SHA512 | 69367fe82c0cf997b2315def0911e3fa955bc15c28418cb428427a5fd3ef6e373949a6523b70cfab6cf47a55ef4b00789b3e441dcfa185d7b5f9bedbe286d8a2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\prefs-1.js
| MD5 | 3eded70f89ec65bdf760f2e61ed67ede |
| SHA1 | 99d613ede4edcab50572e8c3be8ac8461a863c4d |
| SHA256 | e5bfc9e41ada09eef2ade0de82a4816f2e5565906c3c82289c10eff4927241ec |
| SHA512 | 4daaf9d490a3f9a26df4ef4db3688aa27daa30d1db9103f5eaa7b5a8e37206000fe171f1c757738419e26f4f2d672a25f205519f8decb2b81fe4a30eea483e09 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\sessionstore.jsonlz4
| MD5 | 34e7cf60465d39caed3b600b96b89739 |
| SHA1 | b24b537ae8d2bdcd3b60a4fc61b93d1a7f09371b |
| SHA256 | 3c9c5dd7cb97fc1772d1e45e9edf025846112308908bb44dccc54670ab36a979 |
| SHA512 | 3ee580f5c8dceb2b1a37970a8a295311ce2c2d7bfc35520d873153b916d6553734499e005fe4c2057c4a56535566710f7ccdda65629d3f933d0057eb384a4e03 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g1epp91b.default-release\prefs-1.js
| MD5 | fea67899db165b29fbafaaa645cc3cd8 |
| SHA1 | a3367884e72e25f801d663a6e128f202c295fc71 |
| SHA256 | 21a7d67f8c4b28a0a16d852ad3826724a937a4d07ea204a576c51fa32e42e788 |
| SHA512 | 6f9784b457b3ef04c546264efa45b9f64eb93f8364ce98228b045631d3c3c955f72a5ef76e754afd92bf1d09a76e1f3f4cddd16fb7c4d0294e25a52150a81ec2 |