wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Resubmissions

03-04-2024 22:56

240403-2w382afg77 10

03-04-2024 22:32

240403-2fx23sfc57 10

Analysis

max time kernel
145s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
03-04-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8D95.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8D9C.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2928 !WannaDecryptor!.exe
4928 !WannaDecryptor!.exe
1192 !WannaDecryptor!.exe
3140 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4740 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

696 taskkill.exe
5028 taskkill.exe
3436 taskkill.exe
2580 taskkill.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings firefox.exe

pid	process
4740	vssadmin.exe

pid	process
696	taskkill.exe
5028	taskkill.exe
3436	taskkill.exe
2580	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeBackupPrivilege	1928	vssvc.exe
Token: SeRestorePrivilege	1928	vssvc.exe
Token: SeAuditPrivilege	1928	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3420	WMIC.exe
Token: SeSecurityPrivilege	3420	WMIC.exe
Token: SeTakeOwnershipPrivilege	3420	WMIC.exe
Token: SeLoadDriverPrivilege	3420	WMIC.exe
Token: SeSystemProfilePrivilege	3420	WMIC.exe
Token: SeSystemtimePrivilege	3420	WMIC.exe
Token: SeProfSingleProcessPrivilege	3420	WMIC.exe
Token: SeIncBasePriorityPrivilege	3420	WMIC.exe
Token: SeCreatePagefilePrivilege	3420	WMIC.exe
Token: SeBackupPrivilege	3420	WMIC.exe
Token: SeRestorePrivilege	3420	WMIC.exe
Token: SeShutdownPrivilege	3420	WMIC.exe
Token: SeDebugPrivilege	3420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3420	WMIC.exe
Token: SeRemoteShutdownPrivilege	3420	WMIC.exe
Token: SeUndockPrivilege	3420	WMIC.exe
Token: SeManageVolumePrivilege	3420	WMIC.exe
Token: 33	3420	WMIC.exe
Token: 34	3420	WMIC.exe
Token: 35	3420	WMIC.exe
Token: 36	3420	WMIC.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe
Token: SeDebugPrivilege	3208	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3208 firefox.exe
3208 firefox.exe
3208 firefox.exe
3208 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3208 firefox.exe
3208 firefox.exe
3208 firefox.exe

pid	process
3208	firefox.exe
3208	firefox.exe
3208	firefox.exe
3208	firefox.exe

pid	process
3208	firefox.exe
3208	firefox.exe
3208	firefox.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exefirefox.exe

pid	process
2928	!WannaDecryptor!.exe
2928	!WannaDecryptor!.exe
4928	!WannaDecryptor!.exe
4928	!WannaDecryptor!.exe
1192	!WannaDecryptor!.exe
1192	!WannaDecryptor!.exe
3140	!WannaDecryptor!.exe
3140	!WannaDecryptor!.exe
3208	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exefirefox.exefirefox.exe

description	pid	process	target process
PID 192 wrote to memory of 664	192	WannaCry.exe	cmd.exe
PID 192 wrote to memory of 664	192	WannaCry.exe	cmd.exe
PID 192 wrote to memory of 664	192	WannaCry.exe	cmd.exe
PID 664 wrote to memory of 656	664	cmd.exe	cscript.exe
PID 664 wrote to memory of 656	664	cmd.exe	cscript.exe
PID 664 wrote to memory of 656	664	cmd.exe	cscript.exe
PID 192 wrote to memory of 2928	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 2928	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 2928	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 696	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 696	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 696	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 2580	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 2580	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 2580	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 3436	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 3436	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 3436	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 5028	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 5028	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 5028	192	WannaCry.exe	taskkill.exe
PID 192 wrote to memory of 4928	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 4928	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 4928	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 1700	192	WannaCry.exe	cmd.exe
PID 192 wrote to memory of 1700	192	WannaCry.exe	cmd.exe
PID 192 wrote to memory of 1700	192	WannaCry.exe	cmd.exe
PID 1700 wrote to memory of 1192	1700	cmd.exe	!WannaDecryptor!.exe
PID 1700 wrote to memory of 1192	1700	cmd.exe	!WannaDecryptor!.exe
PID 1700 wrote to memory of 1192	1700	cmd.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 3140	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 3140	192	WannaCry.exe	!WannaDecryptor!.exe
PID 192 wrote to memory of 3140	192	WannaCry.exe	!WannaDecryptor!.exe
PID 1192 wrote to memory of 4868	1192	!WannaDecryptor!.exe	cmd.exe
PID 1192 wrote to memory of 4868	1192	!WannaDecryptor!.exe	cmd.exe
PID 1192 wrote to memory of 4868	1192	!WannaDecryptor!.exe	cmd.exe
PID 4868 wrote to memory of 4740	4868	cmd.exe	vssadmin.exe
PID 4868 wrote to memory of 4740	4868	cmd.exe	vssadmin.exe
PID 4868 wrote to memory of 4740	4868	cmd.exe	vssadmin.exe
PID 4868 wrote to memory of 3420	4868	cmd.exe	WMIC.exe
PID 4868 wrote to memory of 3420	4868	cmd.exe	WMIC.exe
PID 4868 wrote to memory of 3420	4868	cmd.exe	WMIC.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3188 wrote to memory of 3208	3188	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe
PID 3208 wrote to memory of 5048	3208	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 15711712183554.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2928

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:3140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.0.983170963\1166076843" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 18084 -prefMapSize 231738 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f1d0787-5509-439c-8e9e-b7ff520bc823} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 1776 1eea6e06e58 socket
3⤵
PID:5048

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.1.1052522916\905828863" -parentBuildID 20221007134813 -prefsHandle 2276 -prefMapHandle 1792 -prefsLen 19118 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3271181-b055-447c-a1a3-85df185f3270} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 2296 1eea7df6658 gpu
3⤵
PID:4612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.2.713177578\1291723385" -childID 1 -isForBrowser -prefsHandle 3328 -prefMapHandle 3324 -prefsLen 19793 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cc4587b-967a-40a0-b765-dc8b52f9fee3} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 3344 1eea86a4558 tab
3⤵
PID:664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.3.619358175\1805154110" -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 19980 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce6240d2-cdc7-4ed7-8f20-bc39e49353bc} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 3580 1eeabb6de58 tab
3⤵
PID:4440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.4.2107503196\435486930" -childID 3 -isForBrowser -prefsHandle 4020 -prefMapHandle 4016 -prefsLen 26438 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {881a447a-ca8b-4d6f-98b6-b5adeafb5a96} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 3972 1ee9ba68458 tab
3⤵
PID:4456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.5.1028536509\2059833534" -parentBuildID 20221007134813 -prefsHandle 4516 -prefMapHandle 4512 -prefsLen 26849 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0df86bab-2686-4e66-a974-7c5e6ccafbac} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 4528 1eead1d9e58 rdd
3⤵
PID:424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.6.1410711943\327447649" -childID 4 -isForBrowser -prefsHandle 4992 -prefMapHandle 4976 -prefsLen 27294 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d47ef6ca-687b-49a6-9aae-e257015b519d} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 5000 1eea88c6258 tab
3⤵
PID:4696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.7.510648373\1096063208" -childID 5 -isForBrowser -prefsHandle 3076 -prefMapHandle 3080 -prefsLen 27294 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {829fe8fb-4a17-4022-aa45-1f8b6b322767} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 5020 1eea88c6858 tab
3⤵
PID:4080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.8.1013493196\142598844" -childID 6 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 27294 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10a0a382-b05c-41b1-ba17-4b900049fd2f} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 5304 1eea88c7158 tab
3⤵
PID:3736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.9.1880640220\2103088816" -childID 7 -isForBrowser -prefsHandle 5312 -prefMapHandle 5700 -prefsLen 30787 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c97bbe68-9549-436c-822a-350397cac032} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 1504 1eeb02e4e58 tab
3⤵
PID:5376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.10.659345666\1714401692" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5956 -prefMapHandle 5952 -prefsLen 30787 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {95b12c77-cb2b-49cd-8f61-7f0b99bc699f} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 5964 1eeb02e3358 utility
3⤵
PID:5408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3208.11.533792429\1029419017" -childID 8 -isForBrowser -prefsHandle 6124 -prefMapHandle 3472 -prefsLen 30962 -prefMapSize 231738 -jsInitHandle 1288 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18156c0d-563f-4a1c-9555-9aae019cd4c1} 3208 "\\.\pipe\gecko-crash-server-pipe.3208" 3396 1eeaf388358 tab
3⤵
PID:5732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yq8h7er1.default-release\cache2\entries\A72798DEF4F924983D5A0DB82D383C613B515FF2

Filesize
13KB

MD5
90e9016e7365ee80fa3a62d2d9642a02

SHA1
05385986f1ae360a6b7402f6abc8e34496e054e0

SHA256
132ff48a7cf22d3644324ae1284f008467d238a99c049067198213fb0f27f05b

SHA512
d9b31ab4f30ec52a8e2b7335e2afe1bd68475db35227620785541de02cb94db1ebfaab7d1ebc2b778ce357e0b12d1f09552275eba80f1e44204693960bd80dbd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yq8h7er1.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C

Filesize
13KB

MD5
af06c0d0ce3d8384e682d676f3a8e480

SHA1
49f44434b6101189d530188f085b938985539b61

SHA256
db0225f4c14932a722b892b8684dbdbc4e5f16fca23b1abf4be9b24da468fbe8

SHA512
b25e799c7dc2e6616df6397fb8cb62de790cec7824a0d7ff571d08e301c7c2458ec04d6628011c9455d9c4b12c2b920d9dceefab3346a1ed54a7dab59d9cf5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
ac977466d8faef311551eb0690f7f4f3

SHA1
140e5d9f1d799b46b64ca52d70732f46543fe6e0

SHA256
9e1386f62bbd3b324a6c218a921dd993532bab0903306dfbcc7495544801d776

SHA512
446f1686e41155701617c1a229127447492dc764588c0474c4621a81b6f191958830d3404cef13c07b6c4348d74a5d15597af2c9cda584845f05dac9d446105c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
19c2cfbd196b8d0b9c15cae269bf93ef

SHA1
64352e460bd326a047ea6077e0aab8cafc4e3627

SHA256
fc4930cd9e4205b59a49be04088912a25bb50256ea0a8efa395825f1ab1cb0a7

SHA512
ff2705f924222fab70769123ccc3d79a90baf152ba064e325d1961ce2be058a96b8e50caad98c8fb6b2a227e739acd00a6b1d380c587a492a2ba7e7e9ae623cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
2ed7a03abaaf861f43750cd874ae9a7f

SHA1
c9cbde1155fe60e487cb23657cbd6903e1fca6c7

SHA256
adea9b53d5bb516dbcc9ae17f9ffcbc9110eba8679009c3162bf9b154f839b93

SHA512
7385a48d5f998e0d031888a969fdbbefde5df0df1ea46bdcf540aaa9fc4faadad1eae1b9f72c895c9910f3fc73dc05e110a822f7af34c836ca83c76530c2a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
0603fb8db3dca43eacd6b733f13ffcb5

SHA1
2a430f8673c7948e8c37da1a98fe4b7ead67f8d0

SHA256
3e8cd9a2e58642a86d31a4a6e95e461aab01d6245421fd19a9c114c68df11122

SHA512
aa4fc947c6829d55c2fd477a930b2d7a798010d644a171a6262812687c6268c7c70a09a57694b952bf2a4d851870caebd2c89682dd80749a71e9ff2366e3598c

Download Submit
C:\Users\Admin\AppData\Local\Temp\15711712183554.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
fb000cd3fedb3d2bc263c8f3ffc48b8e

SHA1
974345aed4a0faa00ed8cb4176a38f3ac025fbe2

SHA256
54250aa0cc97c5adbdb5ce50e4c14d3209078b6d55267f37b340e38cd66a64e9

SHA512
aac1c6c94b21e79712eb73fc03946cfdbd48b8acbb6ff4dc146d95eff787a5f34514a25175cdcd14829b00c596ba4f5b2bb6157b1a931d850a6c8cb800cb54db

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
ddcc69b9c71f8592f8ca2603458e78c3

SHA1
e452a7f8aeae99612f4a63ac5f9146164e18f73c

SHA256
64214151ed8055361a63d426e39bd3738fc06647d30ee15527c20dba0049b76c

SHA512
71a9e94848f8600030d27b22439be0b775bbbfd164d15e80d77d1759c1093e56c7c10e57dbff69164c85166c835fca5179a1a6a3694f9ac93ea910a96ec9084b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\datareporting\glean\pending_pings\238d3b9b-e4ce-43dc-a3c2-970fbbf2da4a

Filesize
746B

MD5
513f2e4a9beefce73a4a4b50c01a7a33

SHA1
12916087a42e1c71a72e03f3429bd210038c02e3

SHA256
88c94f02a1000fdbb873bb52dc5b144ad70e4ca66e6cd6065b40196627daea03

SHA512
3c3e49577c3a42622e344d8951e6ab49ba1d84249014cd7df0b4c8f6b528f36644e21a4d2ed2592ab670753ecaf226a78df46de2687c8c299cbe0a1679a92acf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\datareporting\glean\pending_pings\5fffc9c7-f388-4f06-8afa-6900c32fd3d3

Filesize
9KB

MD5
414d2198cbd3a855f1bc5fe2f67c1a5e

SHA1
11b41e991ceff9cc2a01173a311ba138a1480767

SHA256
5f9ddc2fed7617ec096ebd2ddc0217c79599b0689533649f4e48d0deb35c208d

SHA512
f9becf91c9cde5b04dd701a80257922c22be00e956de737747fd54c3c5caf7b9df0badb9db1066d540a0082bb93bc8ff153909ea347c0f44eeb1e53c56017274

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\prefs-1.js

Filesize
6KB

MD5
4894bc56e85267a5fbee635396d212fe

SHA1
e1eafe8f5e806453d1a289df34ff646778a59923

SHA256
77801a3ccf8ed7ec50e3515cead8a98f197320fe3375a277a54f6b8cbbe6eed6

SHA512
eae4466e58ca37a51ea155c7f6fc66548b593bf7ce9a842e656229fae7c25aee9b6c13f433b9e1ab53dc7cde0495566ecdca3d9af57dd588a713cdeb61a779e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\prefs-1.js

Filesize
6KB

MD5
98791a2e35d311c21df07cdda648e523

SHA1
64f87ba250e96882954ab22b8dc489a2180f798a

SHA256
34f79b90c45611537f9f9f03f0103112e99ff5f2769f9419c9b8da221057aa01

SHA512
a70c912e92fb801a8f810b40a0ddec3103fed3bc57730ecc34ecca5e41354c19270da27478e9cbf9dcdcb6501821c46edcd34f76fffd8ed1e7fa959a79db4043

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\prefs.js

Filesize
5KB

MD5
2262f4fea1f386b6fc8c9a12e27f3557

SHA1
2bea1cc30c86630eacac1937133c8c94d205f7c1

SHA256
4f571fc69d8454758231916bd70a9dae0925b0e9076d74c6d8f240e5e6e563ba

SHA512
8102864a58ae0d6c88b31118eace8f6fb9779c1440e3d90a527e9c71d35f83a3dc44d919628bab175b0b9fab6fd51cc83604a7a69b27c9837324c67bf0398fa2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\prefs.js

Filesize
5KB

MD5
210ce8af22fc588ea013a50605dcaff0

SHA1
f01795d186a3bb56c10203db3abfeb556b42e415

SHA256
002ea3fdd4364d26a23922373a5c0ccddf61685d9f273324cb8ab89c6f2ce4ce

SHA512
d37e54445d48e1abf8d4479be3db90b0a04041dda721bdca1cfef1413b8e498f74f94fde28fe304c850f4a98851dcc7557afa48dff5dfe6067a8abcbc4c1f684

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\prefs.js

Filesize
2KB

MD5
603b5eb90d883a07ee0937f64fbb053b

SHA1
061aa94bbe8cfe97a0bbddc3bc14cec07eb381d5

SHA256
28e6eccc2b86251fadcfc9695abf68dc5be61af1ced95c02cd66ce3c2dc87abf

SHA512
f139f7db8b4ed4cc88a1ea395d77a742a5cd19afa097507343f005887e32f401721c9cf61dd81ea91b90449446869c64f60be40421cfef11eb526dae246f61ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\search.json.mozlz4

Filesize
280B

MD5
41d220d4783f67d2b57beec20c135229

SHA1
6e97765e77920b6010fac2cb4abf1e3cea106541

SHA256
5d1881e74d76b95bad59439bb5c7676258a4ae6b6d853074e93b5247cf1715dc

SHA512
dc30ddc4c8cfe598de5e24bc88cebbe4256fbb21a0b1db6c2ec15311053e7d8be6a93a0bcfcfd8a02543f8b9cf9b15a5840154b272a2df71d59d7dfd80984ac0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
3ce1accf6e00d1f6442dfd3cc4d2ad27

SHA1
33d07b2c0fff2a320d544a141efb77c5f57490ae

SHA256
80f2d4fe409cd67080e906bf0bec6a5d23ce4c85885724f36f43ef9874169fc6

SHA512
5ab13b55c01f5ff411bfdcc2f4fb5bedb210c81c3d60c95162641851c9c285c1130136b54ba96b9e5bb8918df8f3e3b1c5af8ece7369c10eb7320fc31f380fdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fa4ec41a4d03d57b4487a4c75e221f93

SHA1
30daf181acf134f22191419a3428d76e41728928

SHA256
f87d44d6af07442460fac2ea0a08ecd5094562ac724e622a1cb1a8600ce823db

SHA512
11b1f3ac6888b49c267b2333291450252fe39979cb8502772e0dddb9495746ae690a2a965ad57ff7eeac41eb8c0d134d339a7697a1abd76fdd2df8a6809192dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
fc1fb763a94603b7440efdcbe67565fd

SHA1
9a0325d69834cc622151149600aaf4db15d505f2

SHA256
c7a4dcaf1129cee75b859048edb46041ff1daa88d831c0b6ccfc64df8bf2c6f7

SHA512
6b6378238d1adb901ff8c9ef463f0880aa405b7e282b5a1ebcbba5787ac7a36562a2a1ae14cbcf43aeec6cf24eb63f8cad27e0b0c95ecade9466cea9c5e778a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yq8h7er1.default-release\storage\default\https+++www.pornhub.com\cache\morgue\144\{af91f3eb-2537-43f8-9f78-ce2e3e6cbf90}.final

Filesize
456B

MD5
4849126d62348e96de9f534891ee372c

SHA1
04208116ad7cb0edcb2c7c754042554104172d10

SHA256
92930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d

SHA512
bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25

Download Submit
memory/192-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download