Resubmissions
31/03/2024, 09:16  240331-k8y2eahd2s  10
31/03/2024, 09:07  240331-k3d42shh42  10
20/03/2024, 19:30  240320-x7y18shg5v  10
Analysis
max time kernel: 533s
max time network: 413s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 31/03/2024, 09:07
Behavioral task behavioral1
Sample: 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe
Resource: win7-20240215-en
Behavioral task behavioral2
Sample: 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe
Size: 372KB
MD5: 1b2fdf47aaaccaf622e33cb4dd63e8e2
SHA1: 1130c9d40bc5ab004918a509811f914605594961
SHA256: 24266d8af5e54a179ca62fe8ba586a9bced5e39565ad05f33583a3fc8f509613
SHA512: f494e23997ba85df3fcdaaaeb1d6c056de6f7b6a22ecf8df4797b302016deafea0d2030058680baa521cae93cf5921b3bd58d1750274819f866a868beff2739c
SSDEEP: 3072:doeNsCr9h4ca2aHBSCAb2+IPdG1UlcaVSptR4jiYFD:nNr9h4ca7SCdI12cTtRcf
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 5 IoCs
resource | yara_rule
behavioral1/memory/1772-0-0x00000000008D0000-0x0000000000932000-memory.dmp | family_chaos
behavioral1/files/0x000a000000012252-5.dat | family_chaos
behavioral1/memory/2652-8-0x0000000000FA0000-0x0000000001002000-memory.dmp | family_chaos
behavioral1/memory/2652-11-0x000000001AE30000-0x000000001AEB0000-memory.dmp | family_chaos
behavioral1/memory/1532-1149-0x0000000140000000-0x00000001405E8000-memory.dmp | family_chaos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
1528 | bcdedit.exe
1408 | bcdedit.exe
Renames multiple (193) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Deletes backup catalog
pid | Process
1764 | wbadmin.exe
Drops startup file 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\meleaicara.txt | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
Executes dropped EXE 1 IoCs
pid | Process
2652 | svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 34 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Searches\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | svchost.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | svchost.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | svchost.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | svchost.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | perfmon.exe
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlsx3binf.jpg" | svchost.exe
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\pss\desktop.ini.cursoDFIR.Startup | msconfig.exe
File created | C:\Windows\pss\boot.backup | msconfig.exe
File opened for modification | C:\Windows\pss\svchost.url.Startup | msconfig.exe
File created | C:\Windows\pss\svchost.url.Startup | msconfig.exe
File opened for modification | C:\Windows\pss\meleaicara.txt.Startup | msconfig.exe
File created | C:\Windows\pss\meleaicara.txt.Startup | msconfig.exe
File opened for modification | C:\Windows\pss\desktop.ini.cursoDFIR.Startup | msconfig.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 11 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | perfmon.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | perfmon.exe
Enumerates system info in registry 2 TTPs 32 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | csrss.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2404 | vssadmin.exe
Modifies data under HKEY_USERS 46 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\AudioOutput\\TokenEnums\\MMAudioOut\\" | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes\Vendor = "Microsoft" | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes\Technology = "MMSys" | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\System | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655} | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\DeviceId = "{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}" | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\ = "Current User Lexicon" | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A}\Files\Datafile = "%1a%\\Microsoft\\Speech\\Files\\UserLexicons\\SP_0C7BF35DD75A4C0B9B7C29DCE1506329.dat" | utilman.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\Generation = "0" | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AppLexicons | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\Voices\\Tokens\\MS-Anna-1033-20-DSK" | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\AppLexicons | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\PhoneConverters\DefaultTokenId = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech\\PhoneConverters\\Tokens\\English" | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\ = "Speakers (High Definition Audio Device)" | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\CLSID = "{A8C680EB-3D32-11D2-9EE7-00C04F797396}" | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\DeviceName = "Speakers (High Definition Audio Device)" | utilman.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\{C9E37C15-DF92-4727-85D6-72E5EEB6995A} | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{8064d2fe-e02b-49ca-b0d4-b85553918655}\Attributes | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\Voices | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon | utilman.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\CurrentUserLexicon\CLSID = "{C9E37C15-DF92-4727-85D6-72E5EEB6995A}" | utilman.exe
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties | utilman.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel = "1" | utilman.exe
Modifies registry class 10 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cursoDFIR_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cursoDFIR_auto_file\shell\open\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cursoDFIR_auto_file\ | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.cursoDFIR\ = "cursoDFIR_auto_file" | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cursoDFIR_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\"" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cursoDFIR_auto_file | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.cursoDFIR | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\cursoDFIR_auto_file\shell\open | rundll32.exe
Opens file in notepad (likely ransom note) 3 IoCs
pid | Process
208 | Notepad.exe
1360 | NOTEPAD.EXE
852 | NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2652 | svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1772 | 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe (listed 2 times)
2652 | svchost.exe (listed 6 times)
1532 | taskmgr.exe (listed 56 times)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1532 | taskmgr.exe
1684 | msconfig.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1772 | 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe
Token: SeDebugPrivilege | 2652 | svchost.exe
Token: SeBackupPrivilege | 1456 | vssvc.exe
Token: SeRestorePrivilege | 1456 | vssvc.exe
Token: SeAuditPrivilege | 1456 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 352 | WMIC.exe
Token: SeSecurityPrivilege | 352 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 352 | WMIC.exe
Token: SeLoadDriverPrivilege | 352 | WMIC.exe
Token: SeSystemProfilePrivilege | 352 | WMIC.exe
Token: SeSystemtimePrivilege | 352 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 352 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 352 | WMIC.exe
Token: SeCreatePagefilePrivilege | 352 | WMIC.exe
Token: SeBackupPrivilege | 352 | WMIC.exe
Token: SeRestorePrivilege | 352 | WMIC.exe
Token: SeShutdownPrivilege | 352 | WMIC.exe
Token: SeDebugPrivilege | 352 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 352 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 352 | WMIC.exe
Token: SeUndockPrivilege | 352 | WMIC.exe
Token: SeManageVolumePrivilege | 352 | WMIC.exe
Token: 33 | 352 | WMIC.exe
Token: 34 | 352 | WMIC.exe
Token: 35 | 352 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 352 | WMIC.exe
Token: SeSecurityPrivilege | 352 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 352 | WMIC.exe
Token: SeLoadDriverPrivilege | 352 | WMIC.exe
Token: SeSystemProfilePrivilege | 352 | WMIC.exe
Token: SeSystemtimePrivilege | 352 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 352 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 352 | WMIC.exe
Token: SeCreatePagefilePrivilege | 352 | WMIC.exe
Token: SeBackupPrivilege | 352 | WMIC.exe
Token: SeRestorePrivilege | 352 | WMIC.exe
Token: SeShutdownPrivilege | 352 | WMIC.exe
Token: SeDebugPrivilege | 352 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 352 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 352 | WMIC.exe
Token: SeUndockPrivilege | 352 | WMIC.exe
Token: SeManageVolumePrivilege | 352 | WMIC.exe
Token: 33 | 352 | WMIC.exe
Token: 34 | 352 | WMIC.exe
Token: 35 | 352 | WMIC.exe
Token: SeBackupPrivilege | 2792 | wbengine.exe
Token: SeRestorePrivilege | 2792 | wbengine.exe
Token: SeSecurityPrivilege | 2792 | wbengine.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 780 | firefox.exe
Token: SeDebugPrivilege | 1532 | taskmgr.exe
Token: 33 | 2748 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2748 | AUDIODG.EXE
Token: 33 | 2748 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2748 | AUDIODG.EXE
Token: SeDebugPrivilege | 308 | perfmon.exe
Token: SeSystemProfilePrivilege | 308 | perfmon.exe
Token: SeCreateGlobalPrivilege | 308 | perfmon.exe
Token: 33 | 308 | perfmon.exe
Token: SeIncBasePriorityPrivilege | 308 | perfmon.exe
Token: SeBackupPrivilege | 1684 | msconfig.exe
Token: SeRestorePrivilege | 1684 | msconfig.exe
Token: SeRestorePrivilege | 1684 | msconfig.exe
Token: SeRestorePrivilege | 1684 | msconfig.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
780 | firefox.exe (listed 4 times)
1532 | taskmgr.exe (listed 60 times)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
780 | firefox.exe (listed 3 times)
1532 | taskmgr.exe (listed 61 times)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1684 | msconfig.exe
1684 | msconfig.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1772 wrote to memory of 2652 | 1772 | 2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe | 28 (listed 3 times)
PID 2652 wrote to memory of 2336 | 2652 | svchost.exe | 30 (listed 3 times)
PID 2336 wrote to memory of 2404 | 2336 | cmd.exe | 32 (listed 3 times)
PID 2336 wrote to memory of 352 | 2336 | cmd.exe | 35 (listed 3 times)
PID 2652 wrote to memory of 2372 | 2652 | svchost.exe | 37 (listed 3 times)
PID 2372 wrote to memory of 1528 | 2372 | cmd.exe | 39 (listed 3 times)
PID 2372 wrote to memory of 1408 | 2372 | cmd.exe | 40 (listed 3 times)
PID 2652 wrote to memory of 1596 | 2652 | svchost.exe | 41 (listed 3 times)
PID 1596 wrote to memory of 1764 | 1596 | cmd.exe | 43 (listed 3 times)
PID 2652 wrote to memory of 852 | 2652 | svchost.exe | 47 (listed 3 times)
PID 1680 wrote to memory of 1380 | 1680 | rundll32.exe | 50 (listed 3 times)
PID 1380 wrote to memory of 780 | 1380 | firefox.exe | 51 (listed 13 times)
PID 780 wrote to memory of 2656 | 780 | firefox.exe | 53 (listed 18 times)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by depth; each child process is listed beneath its parent, behaviour flags as "-" lines)

C:\Users\Admin\AppData\Local\Temp\2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe  (PID:1772)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\svchost.exe  (PID:2652)
    cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe"
    - Drops startup file
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (PID:2336)
      cmdline: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\vssadmin.exe  (PID:2404)
        cmdline: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies

      C:\Windows\System32\Wbem\WMIC.exe  (PID:352)
        cmdline: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe  (PID:2372)
      cmdline: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\bcdedit.exe  (PID:1528)
        cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit

      C:\Windows\system32\bcdedit.exe  (PID:1408)
        cmdline: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit

    C:\Windows\System32\cmd.exe  (PID:1596)
      cmdline: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\wbadmin.exe  (PID:1764)
        cmdline: wbadmin delete catalog -quiet
        - Deletes backup catalog

    C:\Windows\system32\NOTEPAD.EXE  (PID:852)
      cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\meleaicara.txt
      - Opens file in notepad (likely ransom note)

C:\Windows\system32\vssvc.exe  (PID:1456)
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe  (PID:2792)
  cmdline: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe  (PID:2988)
  cmdline: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe  (PID:676)
  cmdline: C:\Windows\System32\vds.exe
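The three cmd.exe children of the dropped svchost.exe (PIDs 2336, 2372 and 1596) are the complete inhibit-recovery sequence (ATT&CK T1490): shadow copies deleted twice over (vssadmin, then wmic), boot recovery disabled through bcdedit, and the Windows Backup catalog removed through wbadmin; vssvc.exe, wbengine.exe, vdsldr.exe and vds.exe above are the services those commands woke up. Because each `/C a & b` command line already carries two techniques before its children spawn, a detection that scores one process at a time sees only fragments. The added example below, written for this page and not code from the Triage report or from Chaos, groups process-creation events by their root ancestor and alerts when several distinct recovery-inhibition techniques, or an svchost.exe outside System32/SysWOW64, appear under one tree. The event records are constructed from the command lines in the tree; the field names (pid, ppid, image, command_line) assume a Sysmon event 1 / Security 4688-style log, which the report does not specify.

```python
"""Score the inhibit-recovery chain (ATT&CK T1490) by process ancestry.

Added example written for this page; not code from the Triage report or from the
Chaos sample. Event records are constructed from the command lines in the process
tree; the field names assume a Sysmon EID 1 / Security 4688-style schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str


# One pattern per recovery-inhibition technique seen in the tree. A single
# `cmd /C a & b` line can match several at once, so matching is per command line.
RECOVERY_INHIBIT = {
    "vssadmin_delete_shadows":    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadowcopy_delete":     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_ignoreallfailures":  re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "bcdedit_recoveryenabled_no": re.compile(r"bcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no", re.I),
    "wbadmin_delete_catalog":     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}


def classify(ev: ProcEvent) -> list[str]:
    """Names of every technique whose pattern appears in this command line."""
    return sorted(name for name, rx in RECOVERY_INHIBIT.items() if rx.search(ev.command_line))


def masquerading_svchost(ev: ProcEvent) -> bool:
    """svchost.exe anywhere but <windir>\\System32 or <windir>\\SysWOW64 (the sample drops it in %APPDATA%)."""
    parts = ev.image.lower().split("\\")
    return parts[-1] == "svchost.exe" and parts[-3:-1] not in (["windows", "system32"], ["windows", "syswow64"])


def root_pid(pid: int, by_pid: dict[int, ProcEvent]) -> int:
    """Walk ppid links upward until the parent is outside the event set (or a cycle is hit)."""
    seen = set()
    while pid not in seen and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def analyze(events: list[ProcEvent], min_techniques: int = 2) -> list[dict]:
    """Group hits by root ancestor; alert when one tree shows several techniques or a rogue svchost."""
    by_pid = {ev.pid: ev for ev in events}
    per_root: dict[int, dict] = {}
    for ev in events:
        hits, masq = classify(ev), masquerading_svchost(ev)
        if not hits and not masq:
            continue
        entry = per_root.setdefault(root_pid(ev.pid, by_pid),
                                    {"techniques": set(), "masquerading": [], "pids": set()})
        entry["techniques"].update(hits)
        entry["pids"].add(ev.pid)
        if masq:
            entry["masquerading"].append(ev.image)
    return [
        {"root_pid": root, "root_image": by_pid[root].image, "techniques": sorted(e["techniques"]),
         "masquerading": e["masquerading"], "pids": sorted(e["pids"])}
        for root, e in per_root.items()
        if len(e["techniques"]) >= min_techniques or e["masquerading"]
    ]


# Constructed events mirroring the report's tree (PIDs from the report; ppid 1200/600/700 are made up).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-03-20_1b2fdf47aaaccaf622e33cb4dd63e8e2_wannacry.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(1772, 1200, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2652, 1772, DROPPED, f'"{DROPPED}"'),
    ProcEvent(2336, 2652, CMD, f'"{CMD}" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    ProcEvent(2404, 2336, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(352, 2336, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(2372, 2652, CMD, f'"{CMD}" /C bcdedit /set {{default}} bootstatuspolicy ignoreallfailures '
                               f'& bcdedit /set {{default}} recoveryenabled no'),
    ProcEvent(1528, 2372, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(1408, 2372, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1596, 2652, CMD, f'"{CMD}" /C wbadmin delete catalog -quiet'),
    ProcEvent(1764, 1596, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    # Benign noise that must not alert: the real svchost.exe and an admin merely listing shadows.
    ProcEvent(900, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcEvent(901, 700, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events this yields one alert rooted at PID 1772 carrying all five techniques, the Roaming svchost.exe path, and the nine PIDs involved; the two benign events produce nothing. Even the single chained cmd.exe line (PID 2336) reaches the two-technique threshold on its own, which is the point of matching per command line rather than per child process. In production, resolve ancestry with process GUIDs rather than raw PIDs, since PIDs are reused across a long session like this 533-second run.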
C:\Windows\system32\rundll32.exe  (PID:1680)
  cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.cursoDFIR
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe  (PID:1380)
    cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.cursoDFIR"
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe  (PID:780)
      cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.cursoDFIR"
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:2656)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.0.1046664796\1583614084" -parentBuildID 20221007134813 -prefsHandle 1384 -prefMapHandle 1516 -prefsLen 18084 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74225a2d-8a3a-44c5-a4a2-50d9aeb94d4c} 780 "\\.\pipe\gecko-crash-server-pipe.780" 1412 f5eec58 socket
        - Checks processor information in registry

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:3032)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.1.1601989058\1115634708" -parentBuildID 20221007134813 -prefsHandle 1576 -prefMapHandle 1560 -prefsLen 18674 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eff806d6-c496-4341-a6ff-d3ac7f901ede} 780 "\\.\pipe\gecko-crash-server-pipe.780" 1608 13a6cd58 gpu

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:1672)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.2.502564822\711807374" -childID 1 -isForBrowser -prefsHandle 2332 -prefMapHandle 1948 -prefsLen 20508 -prefMapSize 231738 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbcfb029-f1f9-4ac3-83cf-a6eaed604797} 780 "\\.\pipe\gecko-crash-server-pipe.780" 2352 1808d258 tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:2020)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.3.2091218554\1641418166" -childID 2 -isForBrowser -prefsHandle 2792 -prefMapHandle 2520 -prefsLen 20615 -prefMapSize 231738 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f24645b2-7f96-4067-a4b2-2edf79c82ecc} 780 "\\.\pipe\gecko-crash-server-pipe.780" 2640 1b703558 tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:2132)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.4.1948653173\1257622670" -childID 3 -isForBrowser -prefsHandle 2844 -prefMapHandle 2840 -prefsLen 20692 -prefMapSize 231738 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7e542ca-3b0c-4b05-b4f8-187bdfa2c8eb} 780 "\\.\pipe\gecko-crash-server-pipe.780" 3080 1bb81558 tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:2004)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.5.245674310\2139562577" -parentBuildID 20221007134813 -prefsHandle 3052 -prefMapHandle 2744 -prefsLen 21627 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db8ddccf-673f-40c7-bbd6-6d827970b1e4} 780 "\\.\pipe\gecko-crash-server-pipe.780" 3108 1d0d7658 rdd

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:2680)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.6.748069679\1092184462" -childID 4 -isForBrowser -prefsHandle 1076 -prefMapHandle 3512 -prefsLen 27895 -prefMapSize 231738 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {be265d91-c9f1-49ae-b7fa-28f43af77d4b} 780 "\\.\pipe\gecko-crash-server-pipe.780" 952 1c3ac258 tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:1240)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.7.1749288035\1773537972" -childID 5 -isForBrowser -prefsHandle 3796 -prefMapHandle 3792 -prefsLen 27895 -prefMapSize 231738 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85907a5f-c39e-46fe-8233-baad05e29613} 780 "\\.\pipe\gecko-crash-server-pipe.780" 3808 1fd1ca58 tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:3044)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.8.989285524\1917635000" -childID 6 -isForBrowser -prefsHandle 3740 -prefMapHandle 3736 -prefsLen 27895 -prefMapSize 231738 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a3ae372-cde4-4546-a057-ac0ed71b4c17} 780 "\\.\pipe\gecko-crash-server-pipe.780" 3764 217fb558 tab

      C:\Program Files\Mozilla Firefox\firefox.exe  (PID:2364)
        cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="780.9.404268204\433675358" -childID 7 -isForBrowser -prefsHandle 3148 -prefMapHandle 1504 -prefsLen 28089 -prefMapSize 231738 -jsInitHandle 848 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {907f8611-051f-4ad4-bd4a-6d4b0fe10806} 780 "\\.\pipe\gecko-crash-server-pipe.780" 3480 22ea4258 tab
C:\Windows\System32\WScript.exe  (PID:1576)
  cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\UseWatch.vbe"

C:\Windows\System32\Notepad.exe  (PID:208)
  cmdline: "C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\UseWatch.vbe
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\cmd.exe  (PID:2036)
  cmdline: cmd /c ""C:\Users\Admin\Desktop\PushRegister.bat" "

C:\Windows\system32\cmd.exe  (PID:1664)
  cmdline: cmd /c ""C:\Users\Admin\Desktop\PushRegister.bat" "

C:\Windows\System32\NOTEPAD.EXE  (PID:1360)
  cmdline: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PushRegister.bat
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\taskmgr.exe  (PID:1532)
  cmdline: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Windows\System32\perfmon.exe  (PID:308)
    cmdline: "C:\Windows\System32\perfmon.exe" /res
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\AUDIODG.EXE  (PID:2748)
  cmdline: C:\Windows\system32\AUDIODG.EXE 0x51c
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msconfig.exe  (PID:1684)
  cmdline: "C:\Windows\system32\msconfig.exe"
  - Drops file in Windows directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\LogonUI.exe  (PID:992)
  cmdline: "LogonUI.exe" /flags:0x0

C:\Windows\system32\csrss.exe  (PID:668)
  cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Enumerates system info in registry

C:\Windows\system32\winlogon.exe  (PID:2520)
  cmdline: winlogon.exe
  - Modifies data under HKEY_USERS

  C:\Windows\system32\LogonUI.exe  (PID:1272)
    cmdline: "LogonUI.exe" /flags:0x0

  C:\Windows\system32\utilman.exe  (PID:2108)
    cmdline: utilman.exe /debug
    - Modifies data under HKEY_USERS

  C:\Windows\system32\utilman.exe  (PID:2444)
    cmdline: utilman.exe /debug

C:\Windows\SysWOW64\DllHost.exe  (PID:1828)
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
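Three host artifacts in the tree above are worth carrying into triage of a suspected victim. The rundll32 shell32.dll,OpenAs_RunDLL line is the "Open with" dialog being driven on `Windows Explorer.lnk.cursoDFIR`, a pinned shortcut renamed with the extension the sample appends, which Windows had no handler for. The only notepad.exe the sample itself launched is the one under PID 2652 opening C:\Users\Admin\AppData\Roaming\meleaicara.txt; the notepad instances for UseWatch.vbe and PushRegister.bat are top-level processes with no parent in the sample's tree, so the "(likely ransom note)" tag on those is the sandbox's heuristic label rather than evidence. And the dropped copy runs as %APPDATA%\svchost.exe, a name that belongs in System32, while the Downloads list further down records a 372KB file whose digests equal the submitted sample's. The added example below, written for this page and not code from the Triage report or from the malware, sweeps a directory tree for all three: files carrying the added extension (with a byte-entropy check to separate real ciphertext from a bare rename), copies of the note, and any svchost.exe outside System32/SysWOW64, hashed against the sample's SHA256. The directory it builds is a constructed stand-in for the infected profile; the 7.5 bits/byte threshold and the 1 KB minimum before judging entropy are assumptions.

```python
"""Host-side sweep for the artifacts this Chaos run leaves behind.

Added example written for this page; not code from the Triage report or from Chaos.
The directory it builds is a constructed stand-in for the infected profile. The entropy
threshold, the 1 KB minimum, and treating Windows/System32 and SysWOW64 as the only
legitimate homes for svchost.exe are assumptions.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ADDED_EXT = ".cursoDFIR"      # extension appended to victim files (seen on the OpenAs_RunDLL line)
NOTE_NAME = "meleaicara.txt"  # ransom note the dropped svchost.exe opened in notepad
# SHA256 of the submitted sample; the 372KB entry in the Downloads list carries the same digest.
SAMPLE_SHA256 = "24266d8af5e54a179ca62fe8ba586a9bced5e39565ad05f33583a3fc8f509613"
ENTROPY_THRESHOLD = 7.5       # bits per byte; ciphertext sits close to 8.0 (assumed cut-off)
MIN_ENTROPY_BYTES = 1024      # below this, 8-bit entropy cannot meaningfully reach the threshold


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root: Path) -> dict:
    """Walk `root` and bucket files into the artifact classes described in the report."""
    out = {"renamed": [], "encrypted": [], "low_entropy": [], "too_small": [], "notes": [], "rogue_svchost": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        name = p.name.lower()
        if name.endswith(ADDED_EXT.lower()):
            out["renamed"].append(rel)
            data = p.read_bytes()
            if len(data) < MIN_ENTROPY_BYTES:
                out["too_small"].append(rel)        # cannot tell a rename from encryption
            elif shannon_entropy(data) >= ENTROPY_THRESHOLD:
                out["encrypted"].append(rel)
            else:
                out["low_entropy"].append(rel)      # renamed, but the content is not ciphertext
        elif name == NOTE_NAME.lower():
            out["notes"].append(rel)
        elif name == "svchost.exe" and p.parent.name.lower() not in ("system32", "syswow64"):
            digest = sha256_file(p)
            out["rogue_svchost"].append({"path": rel, "sha256": digest, "matches_sample": digest == SAMPLE_SHA256})
    for key in ("renamed", "encrypted", "low_entropy", "too_small", "notes"):
        out[key].sort()
    return out


def build_demo_tree(base: Path) -> None:
    """Constructed stand-in for the victim profile; no real victim data or malware bytes."""
    files = {
        "Desktop/report.docx.cursoDFIR": bytes(range(256)) * 16,  # uniform bytes stand in for ciphertext
        "Desktop/notes.txt.cursoDFIR": b"A" * 4096,               # renamed, but plainly not encrypted
        "Desktop/tiny.cursoDFIR": b"x" * 100,                     # too small for an entropy verdict
        "Desktop/untouched.txt": b"nothing to see here\n",
        "Desktop/meleaicara.txt": b"<ransom note text>\n",
        "AppData/Roaming/meleaicara.txt": b"<ransom note text>\n",
        "AppData/Roaming/svchost.exe": b"MZ" + b"\x00" * 64,      # dropped-copy location; not the sample's bytes
        "Windows/System32/svchost.exe": b"MZ" + b"\x90" * 64,     # legitimate location, must not be flagged
    }
    for rel, data in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return sweep(base)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

On the constructed tree the sweep reports three renamed files, of which one is judged encrypted, one is a bare rename (recoverable by stripping the extension) and one is too small to judge, two copies of the note, and one svchost.exe outside System32 that does not match the sample's hash. The entropy check is a heuristic: already-compressed formats (zip, docx, jpeg) sit near 8 bits/byte before any encryption, so for those it cannot prove encryption, only rule out a rename-only case when the value is low.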
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json
Filesize102B
MD57d1d7e1db5d8d862de24415d9ec9aca4
SHA1f4cdc5511c299005e775dc602e611b9c67a97c78
SHA256ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda
SHA5121688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477
-
Filesize
10KB
MD5dd2ea4e9dc818609977179e64dd0cc86
SHA160916a8a58fe75839b1dfe693aa2b2dd33f1af45
SHA25627494967d3bff9f2fd27a8d76230d962b43c574b914efa91ac503871fec983fc
SHA512615fca356fd4b7f0049821a2a42542ee8b1f5b53dbfa987a5f1f85d1b4a0c4040659caa1b06237dc28f06b32805e9346ba40080174d8874a5d7efc127009c7b5
-
Filesize
242KB
MD5541f52e24fe1ef9f8e12377a6ccae0c0
SHA1189898bb2dcae7d5a6057bc2d98b8b450afaebb6
SHA25681e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82
SHA512d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88
-
Filesize
88KB
MD52cc86b681f2cd1d9f095584fd3153a61
SHA12a0ac7262fb88908a453bc125c5c3fc72b8d490e
SHA256d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c
SHA51214ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986
-
Filesize
4KB
MD58984b5957870d496040fdbb43fa6bd0b
SHA1a6ab0c6f092d06e5d6eec6e22d0c684c380bf03c
SHA256e0a0cb3dfde00c28430cdd289af8d85f88e8f4e0424155503df2206f7e6bdcb9
SHA512baec49d8ed69b7a5cc102e3d6944946ec4a7c680ae0d3248f53a71b1c9f1095f8e55804a39276115abd7f7c4e22af7c60018b61b4051fff2a6eae5352b190222
-
Filesize
2KB
MD567eb52cffe974798d863b5ad571f1805
SHA13186827d85a4a938c4bbc12f612ca7c6e8257348
SHA25647558d92aa23de8010893de3a894dd973ddc47a1d61606eaea846734038d2b22
SHA5124ce84a8820f955de48281d50ae4799cf7190a691956ab112627937699ee1619bea0254e75ac06f8a038352edc676a370dec52199f7b6eecffbe9afab8e58891f
-
Filesize
48KB
MD5343fa15c150a516b20cc9f787cfd530e
SHA1369e8ac39d762e531d961c58b8c5dc84d19ba989
SHA256d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524
SHA5127726bd196cfee176f3d2002e30d353f991ffeafda90bac23d0b44c84c104aa263b0c78f390dd85833635667a3ca3863d2e8cd806dad5751f7984b2d34cafdc57
-
Filesize
4KB
MD5612a650d1c773ee52d62546e66ff5918
SHA1a7479722bea44f8719b651ba69aa337d60da4290
SHA2569e0774deea09130ce23833cc3f0118e8dd06750e3570a230b199c87cdf354c00
SHA5125882a9d5340d0197c660d0774f22a82f03a0fc73d14476c47d3ab86dfea8f80850bfb8af7a9433b120f4728da4889083086666145b3e2390966e6816ad981483
-
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240215_065836078-MSI_netfx_Full_x64.msi.txt
Filesize12.7MB
MD58083ae1f12665b3b120b1eb1d0b89d80
SHA14ce6e57d87d1e6fe1a243a53b0ff7348f3885348
SHA25655238c9203616a99b2ef4895e599038637e6cebf25e3b87de00cf8eb23d12119
SHA512243969677cfff633f13825a95603f4f57485f9cc3e2759e1120f31e381a225d956a3a5689d4402333681a36bac0021f15040231806193798dbae77053ecb17f0
-
Filesize
1.1MB
MD53c9886a9768b2833c0f73bbbacb3dc0b
SHA15817bc7cad7261be81e04c2804d0e2da9b3c3e3e
SHA256985288e4ca1ec3a1c6880ac1f63d8741dd1448774759dfd2940e4e426595675c
SHA5128cd5bed699ff43587dc277e192025f5fffb6d4a7ba41dd728f4b9062d6013810b3ddd6f51faf4941de81e17b7e2d963e96280cf058f636d35b5b80916d59b2cd
-
Filesize
10KB
MD5dbef78447120e830587017c581f994f1
SHA1ea5214b9503e9a3b5335053b9f2e85c1bd26f3ce
SHA256a380116d80066949811b29c5b53c20488c1ca6b05a955c1698aff58fc18ebf94
SHA512eda079a1c4e25d18099accf11860b7c78c9c303c855d87ddfd1750a41e47571db6acf929921a20be693a18d948799279c3f7be47574a2004810021271d735b3b
-
Filesize
8KB
MD54aae089d3731c3f9dca27587e61cc4a2
SHA197b570c80cce9d68fbdd728f8524d92bce4a5c35
SHA256ed8f2f1786d5c57aee9c8228286f41b1665f46b88b882557675350d5108b438c
SHA5126ec755dc7f6531bf0ecec25f8fbf5f712ccf46f93b954f8acf522b33b4bd13f3781e73f1122a81bd5165c507b0a58222a3cafe6fbd25f5d606b4414a9a4009fc
-
Filesize
203KB
MD514f24f96c09e8c66b808a10a8c8ffd36
SHA1901e49d308fda41d4edb87f5641464f2f9300d50
SHA256b31dc564dc036a8fdc5b97437a5884eccf27c86dd5f36c071c2eea768a9c850c
SHA51246897d3e0d045234a7bc2a71afcced681f8122dfee6ece0dab8dfdd5044cc12acda7a46aefbc1d876c64d9a1a461588c3238207b931e51e0e6fd6564501d8496
-
Filesize
4KB
MD5b0e6190d9f9626343fe2ecfec07009c4
SHA1fc81ba4096d168613f756dc28e097c13b1214157
SHA25674aa2c86c3f4e6ae86c0241b892427f577983aabb7907f444b168d4b2fc12b25
SHA5125591d54d756ab3185b54ff2f4364d357a0e19ee5b7e6b5af8692f2812090edb78b64e544e0e5772ddbe50e8eca9db05869967f4e6c76099e9cde13f3ed3c8c36
-
Filesize
1KB
MD53e751dd1c7171ac1b1a95928a030b4d6
SHA1053a393325871a817a54e8dfb35fbee92b43d03d
SHA25603d74f432b3aa4c0af2534ee24a5414cb5d3a0ca18aabb3283922d42ae3d25b8
SHA512a11c7b4a0079afde9eb2bb249ae841e148a6fa1e5a1cf0193cded58d92c650abbd2529602955653c40ac7c9da7cd0a612849149c3ada24e209ff30d9515c6601
-
Filesize
2KB
MD5cd364656d676dcb2ae2c3b824faaf6af
SHA1b18aa000cede85239b73930431d40a6c3b3d61db
SHA256846a303c83227cb8751267f3210cb2ddb7105691187ce4b5e8e43f75c2f41bb8
SHA512e2ad5f7a1fc77ac432df0c31e0e091f3c570bb0823eb00c5256b57fea0b2f0ea9504edb4258bf2c8d48d67d7222696eeff2042cf0ad962761384f08fcaf07be2
-
Filesize
424KB
MD59ca6e692e739c82dd5ad02614af5cec7
SHA189b021b55c479fbc73e9c5fd7650c6b905d80e30
SHA25688f70b721cc70516a6c9579cbc22d03019a534a4943806d4accb33cc8b8712f6
SHA51239c2c74ad3c8c46faa7a60a216aac78394b5c35b147fba555e63e010a323975e245d59e70d183ad1073cd57ed23c0935183e0025f553f53743e077ac2238919f
-
Filesize
411KB
MD5f09a57e7508292f0ad75954d0a836f0b
SHA1d4af8a37a45b9ca20c2ad249dc144641b605af16
SHA2560a47266da8d7a6256f5694c3949c58386ebfc2059dfd8ccaf75b6d2e6ccb93e5
SHA512ee31fd43514a861fbf46662bcbbec3acfc30d52447dc0e77cdee14e597718dbd1303699a349ff025993c5623e8980248f207ff8f098bc6e273dcd38e5ca2792a
-
Filesize
11KB
MD5a86bef926c64218a92b1e367280f13ea
SHA1127977242e93cae1c0984955921a2c272ec951c3
SHA256b9ff3d028811ee534adc79f0d1fa46b3e1007851d13157c688b554dc92dc8106
SHA512a66ed04e67372e4dc6fc1bdd1eb65b101c928e8f76aff9bf3d9b355c19b11aaee5850182c6ab4499491f2725003fe6a8d907a3b1d2ae8988244a3ad04e60bc9f
-
Filesize
11KB
MD5eefc10b40e969688394467bdf5b99719
SHA199f7f734147a20e826cf7747a9c7a19d55674703
SHA256468f9abdb23cd7b712ab707b484dc81cddd798f22431950ec48f51f0578894ed
SHA512ff1c5843bf1f5f1ab17008bf4dcc22df8d6f2c998dfedff9f00a326321e48d2e9453d78284a7a514fc4499994f6bfdba5568a514c218c0108edd7875665179da
-
Filesize
7KB
MD5017cd05ce0595f704130481ace8330ae
SHA177f6f0bfb856fe00a5b2ab5f7feb7a510d75c19b
SHA256374792939cbb7e4e681876cce3bbbf5510f7ed6ebbc6dcd6a0f23685e2ba3d16
SHA5128773f53ecca1afa2aa7ec11ea70730faa4e749390003afc71b23bc438c6c42c8cef25f702a3f531c2652d2a6a63252ab5cc6d49e8c9d6dc439265d4b7347b743
-
Filesize
2KB
MD51262b937c7d2dc02bf4e4f2ecea92707
SHA1b7aef9e98246c4779f7b2b4915a26cc1d9a15e1c
SHA256a1bf324f83cc37d991cef460c11093ed8e2b2b3234a78cf56c53626f2ad6f89d
SHA5122d53a138e3e562636dfa914d63af7939fe004bf68487c7c4770a06a314c18e6851af88744a6a7e737d45907d117f9664e18b79b0a52a7ae47c542bf882d7f923
-
Filesize
170KB
MD561698f2ba07bda2ba323140f20b28e28
SHA1d3e46602b6e042abdfb6a8630ccaff23801cd104
SHA25651c06f89c259219fd364b1a36991964e772e968873496a4d61532d488b2cb8c0
SHA512eb7f3dc17e49d2c2191fd6eb235e22ef3aa63157f90da42af3e6653e174e129e663b9c1eac8798d770a99ecdad4230754f07c84a96a73d85e6c8ef14aeb1cfeb
-
Filesize
4KB
MD536cf8d512a14fd2c5263e06775f2da47
SHA13e8ae2e7855ac773837272177b985f1705f65667
SHA256c3d0d9bf10e08fc22138cb4fd1d0fdf59f37cd2e12e3ff779ece43259f861cc9
SHA512e61afb7cf48065a5ad087dcd9ae7ae2c46552cb68c1bd1bd8f9df51b8f0eb040e6e69423d45b09166d16959e7bd1e247d7dd02552da8ec40d9bc805883e58725
-
Filesize
13B
MD5b2a4bc176e9f29b0c439ef9a53a62a1a
SHA11ae520cbbf7e14af867232784194366b3d1c3f34
SHA2567b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73
SHA512e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f
-
Filesize
347B
MD543fd8c74a05e69fcc98c3be846cefc6d
SHA1c68596e4ff22303554fd794acd6af6459662af74
SHA256652b487a621a37881267e48d53e093b46e9569b4f07ef19dafdc30584d0b1a0b
SHA5124f0ecc2a84de318991c4811ab2d4913d9f37e62f11010c90f4d683d633c6a3994c72699f688b6fefd61ad5ced5e105929220d2b77b26a2b60b15d858df484cae
-
Filesize
33KB
MD5911e0621aed2a8edf8257715ee5720e9
SHA17f2acf54a1d930124c370ed8121f9d9ddc84fbda
SHA256e815c601b1f22ac40367c9cdfdbe406d2beb044bc56a4afb02820e7dfd94bb9b
SHA512506e7c2cef915cd25efef34d14307975f781e75dca4bfe42293c4eee77f41f301709f37982553765fc9537e8b05125ebcef768deaf63d4068e3c7dc736876be5
-
Filesize
33KB
MD58c85ed8e9f2126e4ff15a56799fc4601
SHA18bb728a94e3317aa83d0960c9594fb87fdbc03c4
SHA2563c1a6598ce9a1abb0e3c3a7b7567a2838cbc1da97ff2bab42eccdbac81a2d743
SHA512f607e47ecda755629fa6c342555c03fd6c38fcd72ddbb3206db496684dafbbf56f3284c091cc42cfc9918263e80fd12529c8b0ad20e61fc3aaa0872b41c3f7fd
-
Filesize
44KB
MD57efb3afa9b0020dae9617286965ea9a0
SHA19498767d9c9e93081214f5c5d5601cd05b684d48
SHA256571349bdfc080fd8016a5b95701237430005de8e56d5d83b24b97b8f2de9b5ad
SHA5128c9fce2198413e80c0ced7efb2d8a47df2d53f6204b77461f23be3f99dd2ef757fabafe0bc45c352240f735b1ca86cf3cf3b8c6dc3ebf6aff195a5958847f434
-
Filesize
35KB
MD57b5937f5aaa26ab8422abce59ef8b09a
SHA11617cef3fff1393c1ae504e54ee02fa3e94360a2
SHA256d6de194f8aab14f1baebb5ad7a0572549a512e451aa05491e5920934c7139b24
SHA512bc4d3584c9766fc0d06886c272c9154daa160b498fee9658b46eddeb7045662e6393c9b0b202b32cc400305e0e2aeef6fce0c2c8eea96d020ee7992dfd9a11d9
-
Filesize
36KB
MD589ffe085212c1cdff095edcb120d4d07
SHA1ec9cde39af80adee8ff715ed35403b2630d47007
SHA2563a5963e359893feccadd54ad3be2b9819091d68291e29bfd5eec83ce88f15d52
SHA51241ff13092c5dce904c0f3428ba05b0f6026516c0ba8c3c5f899f5425f321b5c26f41d1ded7cd915119f8eb1355238a2bf2e68a22b62524482143767020301639
-
Filesize
145KB
MD59d10f99a6712e28f8acd5641e3a7ea6b
SHA1835e982347db919a681ba12f3891f62152e50f0d
SHA25670964a0ed9011ea94044e15fa77edd9cf535cc79ed8e03a3721ff007e69595cc
SHA5122141ee5c07aa3e038360013e3f40969e248bed05022d161b992df61f21934c5574ed9d3094ffd5245f5afd84815b24f80bda30055cf4d374f9c6254e842f6bd5
-
Filesize
50KB
MD5eb64652f342b854da1db665837635599
SHA190ff51ef1df4397cee8a3b921fab1d8424f5eabc
SHA25684c6f9155126be9be7083af76281737765829f9c93ab23a969158890823a9620
SHA512436ec6f46d718698a1a3471df4b9f659f1eefcd106bb2df0b01d7f53fbb5fcca3018245ba7fc4d155d3129d892995b45dac4ac58d853f485f4111571b7b98eab
-
Filesize
843B
MD57605a867c98dae3e416af54ecf727337
SHA17bca73655955707ffec29d836489d66aa21e287e
SHA256fefa73a1587f292faff831805d5bc16799c532b3d60a3710a0e74e6a8ddecdd9
SHA51213e06075cd9ac1c54cecb94c0fb04f37780c565b0675a1a3c977265e9c414e42eb188640390453daddf889e1f74d5a2b67f488d605d00fdb676daf5ec251cf1f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk.cursoDFIR
Filesize1KB
MD5215f8748405ede5a7f29f526a370ca71
SHA198d2a3d02e5307f746af1e98f8546e2ffdd6511f
SHA256ba75528215bc328bb7eaab2d6db0f7a90b9f76907a0dab928d7ddff26e3d5eeb
SHA512357640cbd2caef4d69c33a21d924c5e5d98035453ce5104b22b54f9aa59a50d52b1b8723ae3b54849067b40bf4959b13438bcc0a079fe5e8ee73b2032a662d9b
-
Filesize
436B
MD5781370d500adc3b2ce577c4cf4c32ec6
SHA1dd5c623e805aa4c6e949be10819a2b8a004a40a3
SHA25637903a1d3128ebf2a2d5c24decfe2f5a42539ca1483e76916aa8b7a613507ee8
SHA5129e7d98c7fb741a66916665a25798dbcae8c33217ae2817a20f7ec9b7a5daf2866081c6b4ad0c773c85077040de838aaa4dd81beaf6ed7e30a9e0fbb11abce8e4
-
Filesize
142B
MD51a09a38485cbf1d59c29d8e3213e1ab9
SHA19cbe6ebd07b13a0d4b2565dc15a273629aa97251
SHA2560a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8
SHA512a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD539f7701d56dbfe0372567891858bb6b9
SHA10c9fb5d0d13a57394767203e0c88388d8e4070d9
SHA256ce41133d0701904677b68019119283e024f0019f33f56b65d2c2816e41521588
SHA51272c7a0ef5d1fc7542246b245fc17201d94866622e0f42db45a770e11cd5f1e0e3b4c772f97f7f97a38c596d526288d977f115f07a0e30d2ed84526295938835b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\datareporting\glean\db\data.safe.bin
Filesize2KB
MD539b966016dffbb82838f7c560f9bb018
SHA18c3a8c1d7e3c0b1f2c95cd414f00e6ae5c28d041
SHA256d32d94b970e180f23cee76973c9bc17d6e40b22a139c0b81c42929aa41ca26e4
SHA512816914a0f2cbcb8e0e21b51f016c1298f49bc1cf9ca7cb39d1350f92fb64637417b224e2b0270e0c07fef70d337946a6fc590454e357df58e082e4476159756e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\datareporting\glean\pending_pings\9969a273-732e-484e-9cdc-906aca90ae1d
Filesize586B
MD53e73ba5be8554eb834057854c2680a6d
SHA193f7c29628440440a682e1a80505c38a6916e3b7
SHA25667eaf33e23d3f9589cfe48d362b358e4866de3129a570f312efccdd8555c90dd
SHA5121b279a66413fac9a707b3b7465e0636f8389ddc884629143cc9ae1a838a90da976713502180e8eb86b0c02d56d6a7e124d78e679fd92b1d0626f47216657a363
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\datareporting\glean\pending_pings\d9d99bb9-7baa-4ce4-95df-bcddbab28e7e
Filesize655B
MD54e3d9c16745b7afdfc064ee896283447
SHA10e3e7c3b0a13ffc3902bb5e92a8ce85003d92649
SHA2566a4bd5d5b5f556ad122dd0507005f31f1016dcdf6c0fa403f01f1f525b815c03
SHA5127362fd7069b691778cbcab4a38790bd722cbd015e1d1cc39b4a21fb2486a94eafc47c227fa328cf867d9e676b662fd8c6123ec03997c6db29bd5e9c73275e86c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\extensions.json.tmp
Filesize36KB
MD59a35fd934109d038d30c655743b6c735
SHA1d85514ca730bbaa4d4eeddc9a55e72968db6cdd5
SHA256341bdf64eb5b7fea09ba0d5f00889e3efda2b111287163068bce0773e70c0f23
SHA512bb1dae25277f2e139ec25e691fafb86e016a183fd9c9d48c80653a74113c67d603d33dfb2afd6ab0710756094f932c08d593d8196c2fb8f77c3f5658cbd7f22e
-
Filesize
4KB
MD5bcd60ce7132784332fb1edeba922bcdf
SHA14773de279405c65bb7725f71da8fcb791c307b02
SHA2561af23776455734e0c3f7cef8fc07047aa719a9d4fd9f6f1fc6420a165685ab15
SHA5126a0381a5d562062449fd3d8ed7c9c3a048223ae9493ccbedc36ebc69b0b89a319ea224a9ea7406e716718f664f18fec0d9fac0a9547bc7b6c8b7cde348138be7
-
Filesize
6KB
MD5778ad96bf6ea42a14287a3f11d20bd49
SHA12b47c28c7679ccafeecf0a7a8424343f87f39895
SHA256643f341843590149568127693950dcabaf071c4d751d0ff3b444b85c50c9b8d8
SHA51251e7e98e966f04da71f459fbfd8c4296f1e3f4db6631e20b312a81cd624ce027a169d2cf3ffef2966d5c16affdbe5d92addf263442b205795423a729d5d50570
-
Filesize
6KB
MD5d5b413b46fb6f5f8e61d380cb74715e5
SHA1d8bd45ece32d5411df3e5d45d7a3d7940244c8a3
SHA25609084b81d50a0b72c817bfb2b1459876417a6f0da53bd39b1d0addf4d15ddfed
SHA512bd8df23e6450863fd1a9a028f581e1063b1248148f15f304728eb5a3e232f84cbf57144988f1f6554d9f0e681552ef4e0ed0624aa06cee28f1ccae000ff816ec
-
Filesize
3KB
MD5e679d9a7abe762b337ffd412644dd9fe
SHA19b1b6633aa54154c1ddd80b5edda0630d40ebc39
SHA256a03b148b4b778ada36e3c589ca04193004006645b7d3c6ddcdc90bd7668e1a4c
SHA5122a5aab7e359862dc5169cc230842588df886530f47c88d6916783fd8170dd5823ae9bac7bc271b26c441a6789d5dc5cfd34a63daafec57a37ac1380a0fd062ce
-
Filesize
280B
MD541d220d4783f67d2b57beec20c135229
SHA16e97765e77920b6010fac2cb4abf1e3cea106541
SHA2565d1881e74d76b95bad59439bb5c7676258a4ae6b6d853074e93b5247cf1715dc
SHA512dc30ddc4c8cfe598de5e24bc88cebbe4256fbb21a0b1db6c2ec15311053e7d8be6a93a0bcfcfd8a02543f8b9cf9b15a5840154b272a2df71d59d7dfd80984ac0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\sessionstore-backups\recovery.jsonlz4
Filesize944B
MD5f33d7e5a8706da41125641d3d68579b0
SHA13d2a0f49d10f7552aa539a4fd7ecd0f93a445ebe
SHA256f98879dff699cdfd92419ff2eb66eb3baaa969dbe59108e263b5ee0108fd19b1
SHA5127139031f23caa6f5eb1ca73241b5ee878b609a482fdebbbd41081d9f6801c90a7afdbac98a6faba4fdd3ca3fa9dab5fd14b219e6f1b1334ee9378c7195c82a2e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD536b4ac97a8ae873305909b5ce40a20d2
SHA1b9bc537734e303420d6a8cb846b290633f069904
SHA2568cf302f7a405708645e6861067884fe60d18ef1cade279e340bc27b457ce498d
SHA512b3ae1853056a54a708370da03c3574e459f2a12c596ed84fa3a8e6b9e4e40a6e8b1fe005821161d47e12d5219c489b1e3fb352a1c8bde3d41ea759c1df8ed385
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD5d3bc5fce2b93d5c607dcd35af57eacdf
SHA15d1f764f04da24921d9bc3d7a230cc9b8f3a2eb6
SHA256a3d664a16bcf274ee37b018b518c6927fd78c42f8220f9f8285fd5ce0977130a
SHA5120495467196692c114823244f90e21533ab1fdf1a3cc2f7413257dbd646ba6c9b63034e9291fdaa217c6a9af1e99503a7b6a7270f03da68b8b509bdb954086216
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\sessionstore-backups\recovery.jsonlz4
Filesize3KB
MD58465935030cebe5f75eb4fdf576e6cdd
SHA1e413013ddb1979a295901157ae5a2c7d44469580
SHA256872728936aee863cab9095eef0f7e865a563b4e8dcdf2815074a8d77cd928613
SHA5126521e175b9a95e1f7479b88e55432e6b8f9a6867b7a2f09257cc86faa5124dae5e070fe4457c8757c1260d3066728a7c2a4ce9be48efa7ac8667d9f16b25732d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\sessionstore-backups\recovery.jsonlz4
Filesize4KB
MD50ccf2f912e673458243faaadf7250e95
SHA19e1ea18d0a9d6fc5911f487ca974a97158a9965e
SHA2565dbdc602078c32c0a9cbdfa2faba3566efc9802ac4e766ad5f5dfbff25447317
SHA5123e6b7c197d4a6bda48bd26127a851301ca2c14f31de84810960219ecbe81d3b1fbc2372942c55adbf68cbc8a1f4cb3c96c527d1f176abdc49b66584b4459c29a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\sessionstore-backups\recovery.jsonlz4
Filesize6KB
MD5415f9ccba06e656fd7b90278422a98ce
SHA1b97acc042b72ce6de77a3b682826f03f5993bb5e
SHA256401808ec062aeb3c024764f62d2adcdf14f449c867c69467b1de51f74c759468
SHA512b19519371e0f014fc005e7ad7d2cc800b3ab58fd24a38f83e4378d8794d668dbdcdc0ac86b27ef5cbba6b094ecf18a55b690f9f037fb239c675fab2c33467d1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\sessionstore.jsonlz4
Filesize6KB
MD55d216b135f4bce306569568277b3ee9e
SHA18156338581fe6accea500cd6c5da0e34e73dd3c2
SHA2568ce24d1159704824be25412fd1ab479134911e4ceed0d602746f544058fb8d4e
SHA5129b1dfcb1a7b620352f0b9b8a09fc5bf666fa7b2b75c4c8c0162a29177ca970f2e0e08205453487ac67c7b1df7285c79586f15f49db7c38b7ab8800fbfb8e6a8d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize48KB
MD50cdc538a70bd121b50db0d27d311a3e6
SHA1abc5da0caec8761610fb68e2c24214906aa4e1cc
SHA2569f8e61251dc5f845e2a044bd15ac66af82666dbacf13e409e07c573282dfdfad
SHA512166fc2c7249675eb4965fd425a6dd0a99e3ed5c826cb6ccaeef7fc17fb4563c7623fc6c9b9464de1e853311544068bd3cfa59abbefffc75fee1fa9abe50e0c73
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize144KB
MD57dca3c4db46daa9beb9ee9fbd8bc8753
SHA1210abe6ddef5bfe16e2f60687b53610bd89044a1
SHA256c169940f2774bc7f89ecc1beb23662318fadbd8fe916983c61f657315a66e80f
SHA512e968a3d418e4c4b899507f3ca96dfcb16c57debf07feb92c523dc5abb869e70ab356c254afa08d45b0496f111c81def84a99576e826be2049bf05fe85a902b8c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\fr88izmi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize176KB
MD549bf0d65c16231ce109cae782408ed2d
SHA18ab4862da37839831f76577458354d4000439c65
SHA25653aa8e2f301df45be1e7e1412655e8c085fb080b53d03d47d6b35ed610848d0b
SHA512ce04e503fa1e51c7025e3da7a253237110db4928dfb4bb6ed1bd8d7b9854f6466a05ef2652164fad0ebf7d5619cdbecbdfc07f26edbcce4c02d4fcd840280896
-
Filesize
372KB
MD51b2fdf47aaaccaf622e33cb4dd63e8e2
SHA11130c9d40bc5ab004918a509811f914605594961
SHA25624266d8af5e54a179ca62fe8ba586a9bced5e39565ad05f33583a3fc8f509613
SHA512f494e23997ba85df3fcdaaaeb1d6c056de6f7b6a22ecf8df4797b302016deafea0d2030058680baa521cae93cf5921b3bd58d1750274819f866a868beff2739c
-
Filesize
337B
MD52453eac3dfe17fe5b3e88b03f449d805
SHA124c16cbbf4f2b8ea43d1cbea09a51eaa2c0d6b13
SHA2562464de8fc12e32477f09621b90d707ab9fcca3b9d8b1b1caf367f5496021091f
SHA512d5750b142533e1fab2deaae7563edb7da723ef69cc93f91c1e91659da92167d9f9d0b34a7ed828761563068a510857f62d893c0028cc826f3252fc993c420a0a