wannacry | hxxps://github[.]com/NTFS123/MalwareDatabase

Analysis

max time kernel
1052s
max time network
1017s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-06-2024 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NTFS123/MalwareDatabase

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (64) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 2 IoCs

Processes:

Trojan.Ransom.WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDABF1.tmp	Trojan.Ransom.WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAC17.tmp	Trojan.Ransom.WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

4904 !WannaDecryptor!.exe
1088 !WannaDecryptor!.exe
4028 !WannaDecryptor!.exe
2732 !WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Trojan.Ransom.WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Desktop\\Trojan.Ransom.WannaCry.exe\" /r"	Trojan.Ransom.WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
125	raw.githubusercontent.com
126	raw.githubusercontent.com
127	raw.githubusercontent.com
176	raw.githubusercontent.com
177	raw.githubusercontent.com
178	raw.githubusercontent.com
179	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5004 taskkill.exe
3052 taskkill.exe
1580 taskkill.exe
2596 taskkill.exe

pid	process
5004	taskkill.exe
3052	taskkill.exe
1580	taskkill.exe
2596	taskkill.exe

Modifies registry class 2 IoCs

Processes:

firefox.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{05175451-9AC0-4A72-988E-6511BBE3BB2A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3880 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskmgr.exeWMIC.exevssvc.exefirefox.exe

description	pid	process
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	3052	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	5004	taskkill.exe
Token: SeDebugPrivilege	3880	taskmgr.exe
Token: SeSystemProfilePrivilege	3880	taskmgr.exe
Token: SeCreateGlobalPrivilege	3880	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: 36	3984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: 36	3984	WMIC.exe
Token: SeBackupPrivilege	3928	vssvc.exe
Token: SeRestorePrivilege	3928	vssvc.exe
Token: SeAuditPrivilege	3928	vssvc.exe
Token: SeDebugPrivilege	612	firefox.exe
Token: SeDebugPrivilege	612	firefox.exe
Token: SeDebugPrivilege	612	firefox.exe
Token: SeDebugPrivilege	612	firefox.exe
Token: SeDebugPrivilege	612	firefox.exe
Token: SeDebugPrivilege	612	firefox.exe
Token: SeDebugPrivilege	612	firefox.exe
Token: SeDebugPrivilege	612	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe
3880	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exefirefox.exe

pid	process
4904	!WannaDecryptor!.exe
4904	!WannaDecryptor!.exe
1088	!WannaDecryptor!.exe
1088	!WannaDecryptor!.exe
4028	!WannaDecryptor!.exe
4028	!WannaDecryptor!.exe
2732	!WannaDecryptor!.exe
2732	!WannaDecryptor!.exe
612	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Trojan.Ransom.WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exemsedge.exefirefox.exefirefox.exe

description	pid	process	target process
PID 3964 wrote to memory of 2224	3964	Trojan.Ransom.WannaCry.exe	cmd.exe
PID 3964 wrote to memory of 2224	3964	Trojan.Ransom.WannaCry.exe	cmd.exe
PID 3964 wrote to memory of 2224	3964	Trojan.Ransom.WannaCry.exe	cmd.exe
PID 2224 wrote to memory of 4732	2224	cmd.exe	cscript.exe
PID 2224 wrote to memory of 4732	2224	cmd.exe	cscript.exe
PID 2224 wrote to memory of 4732	2224	cmd.exe	cscript.exe
PID 3964 wrote to memory of 4904	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 4904	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 4904	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 3052	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 3052	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 3052	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 5004	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 5004	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 5004	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 2596	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 2596	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 2596	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 1580	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 1580	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 1580	3964	Trojan.Ransom.WannaCry.exe	taskkill.exe
PID 3964 wrote to memory of 1088	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 1088	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 1088	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 4856	3964	Trojan.Ransom.WannaCry.exe	cmd.exe
PID 3964 wrote to memory of 4856	3964	Trojan.Ransom.WannaCry.exe	cmd.exe
PID 3964 wrote to memory of 4856	3964	Trojan.Ransom.WannaCry.exe	cmd.exe
PID 4856 wrote to memory of 4028	4856	cmd.exe	!WannaDecryptor!.exe
PID 4856 wrote to memory of 4028	4856	cmd.exe	!WannaDecryptor!.exe
PID 4856 wrote to memory of 4028	4856	cmd.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 2732	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 2732	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 3964 wrote to memory of 2732	3964	Trojan.Ransom.WannaCry.exe	!WannaDecryptor!.exe
PID 4028 wrote to memory of 1416	4028	!WannaDecryptor!.exe	cmd.exe
PID 4028 wrote to memory of 1416	4028	!WannaDecryptor!.exe	cmd.exe
PID 4028 wrote to memory of 1416	4028	!WannaDecryptor!.exe	cmd.exe
PID 1416 wrote to memory of 3984	1416	cmd.exe	WMIC.exe
PID 1416 wrote to memory of 3984	1416	cmd.exe	WMIC.exe
PID 1416 wrote to memory of 3984	1416	cmd.exe	WMIC.exe
PID 2976 wrote to memory of 1376	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 1376	2976	msedge.exe	msedge.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 612	3000	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe
PID 612 wrote to memory of 4712	612	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NTFS123/MalwareDatabase
1⤵
PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3924 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3644 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4928 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5476 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5360 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=3896 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:2476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6376 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6576 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6840 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6700 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6340 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6352 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5884 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6940 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:2596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4564

C:\Users\Admin\Desktop\.exe
"C:\Users\Admin\Desktop\.exe"
1⤵
PID:5036

C:\Users\Admin\Desktop\Trojan.Ransom.WannaCry.exe
"C:\Users\Admin\Desktop\Trojan.Ransom.WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 238381719014520.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:4732

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Users\Admin\Desktop\Trojan.Ransom.WannaCry.exe
"C:\Users\Admin\Desktop\Trojan.Ransom.WannaCry.exe"
1⤵
PID:800

C:\Users\Admin\Desktop\.exe
"C:\Users\Admin\Desktop\.exe"
1⤵
PID:4924

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=5368 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:1
1⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6304 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5920 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:4756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x234,0x238,0x240,0x23c,0x260,0x7ffc9b282e98,0x7ffc9b282ea4,0x7ffc9b282eb0
2⤵
PID:1376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2296 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:2
2⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2436 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:3
2⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2460 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4516 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:5616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4444 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4680 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4624 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4720 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=2300,i,3873757263937701938,1927759491208156345,262144 --variations-seed-version /prefetch:8
2⤵
PID:5280

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.0.185257069\2087519554" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1812 -prefsLen 18084 -prefMapSize 231738 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {696b40c4-0b6f-4b36-8d2f-f75367c0038a} 612 "\\.\pipe\gecko-crash-server-pipe.612" 1924 2aad3e06e58 socket
3⤵
PID:4712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.1.812320892\1965477695" -parentBuildID 20221007134813 -prefsHandle 2476 -prefMapHandle 2432 -prefsLen 19120 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7dbbef5-5ac3-498a-b227-7694a9a1f841} 612 "\\.\pipe\gecko-crash-server-pipe.612" 2200 2aad4a0f258 gpu
3⤵
PID:5060

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.2.1087064114\306279018" -childID 1 -isForBrowser -prefsHandle 3548 -prefMapHandle 3528 -prefsLen 19749 -prefMapSize 231738 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6686f8c8-472a-4e66-a90a-1bf6db783966} 612 "\\.\pipe\gecko-crash-server-pipe.612" 3460 2aad6856c58 tab
3⤵
PID:4528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.3.2026397920\1594883081" -childID 2 -isForBrowser -prefsHandle 4308 -prefMapHandle 4296 -prefsLen 19937 -prefMapSize 231738 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37bccb27-af92-48c2-9a9f-a824cc64ec3f} 612 "\\.\pipe\gecko-crash-server-pipe.612" 4288 2aad816f858 tab
3⤵
PID:2800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.4.827840246\222830353" -childID 3 -isForBrowser -prefsHandle 4104 -prefMapHandle 4156 -prefsLen 26639 -prefMapSize 231738 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d344cc22-aa73-47f9-9c1c-d1de303e73b5} 612 "\\.\pipe\gecko-crash-server-pipe.612" 2120 2aad914ab58 tab
3⤵
PID:4940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.5.1018860650\1581063163" -parentBuildID 20221007134813 -prefsHandle 5028 -prefMapHandle 5024 -prefsLen 27584 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {818c7044-f25d-44a8-8fdf-0078d1ee8725} 612 "\\.\pipe\gecko-crash-server-pipe.612" 5040 2aac705f858 rdd
3⤵
PID:5164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.6.1421824773\371863377" -childID 4 -isForBrowser -prefsHandle 5252 -prefMapHandle 5256 -prefsLen 27663 -prefMapSize 231738 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50217e9c-622f-4ab6-9c98-4634c7ff422c} 612 "\\.\pipe\gecko-crash-server-pipe.612" 5272 2aad91bdb58 tab
3⤵
PID:5444

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.7.1726336166\1791663956" -childID 5 -isForBrowser -prefsHandle 5392 -prefMapHandle 5396 -prefsLen 27663 -prefMapSize 231738 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5010816-fcdf-4412-b30a-606031f30e65} 612 "\\.\pipe\gecko-crash-server-pipe.612" 5384 2aadac91c58 tab
3⤵
PID:5456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.8.1697840855\173770590" -childID 6 -isForBrowser -prefsHandle 5584 -prefMapHandle 5588 -prefsLen 27663 -prefMapSize 231738 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b23998a-e5e3-4aee-8513-e1cb5eec3232} 612 "\\.\pipe\gecko-crash-server-pipe.612" 5576 2aadacd9e58 tab
3⤵
PID:5464

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="612.9.1632707634\1154490927" -childID 7 -isForBrowser -prefsHandle 4348 -prefMapHandle 2976 -prefsLen 27945 -prefMapSize 231738 -jsInitHandle 1320 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8c23e8b-539a-4a7a-a154-78377e030c6a} 612 "\\.\pipe\gecko-crash-server-pipe.612" 4232 2aad91bfc58 tab
3⤵
PID:6056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
1b62ac9b8695ce31f2168f4f07ebffb8

SHA1
3867dd9b5f76d68880249c2d1fa90e1ecae10162

SHA256
7902dcd3ad70bc79117127d0c6ae12b489767ff9c6b9b15f3773c0c5f8a10fde

SHA512
3dd3de6e3efb4bcfcb86aa10b29ff6a6531acf81a2d6b9f1c7ad07d8e784e9799aea511dbf28a2967739d919b9ee4bea1c9d24b65f864430c76df8c92452e53e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
511863cdc88ca83ae54f1381a44ba119

SHA1
23d75453a5c37c8bb77bab5ec9b8b7a718b86829

SHA256
921611afe7ceced435281923c1dd868253f656906651b2fe942257bcf11331b9

SHA512
0202456171441bc613bb6b3a5c5038ed7859debfa48e51d638add9144cd86108d91fa56094f0f723bdd64fcd5b31829dcb4a13830a754a229ef981acbeb0827d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e8d296f67f030b4e744c72fd4e7af353

SHA1
0e68a5ac6e26b0398908b9a6e38f9151720a6fc5

SHA256
f83c22a262bbe196125f94a2681afe9a4ecb0ed66732fce0c863896a8963ff97

SHA512
0cbd9af90495c4357af8bc7822c95a77f880d88dd3987d279486abe4df59a5d7cd824b2842370d4c614f6b915b78f0b7a75448f69b04107dcbcbda5fc609f88e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
85a8e7d596fa5679e45a08b61cd6d508

SHA1
d9df0c1633400aa2abcf806962f1dca4f8dab98c

SHA256
9b6f59fe1ad4ac1818d10bf2e70acbac160ca704adb00d5034f3735657eeea3c

SHA512
e7acd8c03aff8f2ed79c372bbdbc88fa404bd7391562a181ab93175c4657f51e57268e2623b80c68066aa8201b4ec4e6bf5bda1488614992eb28ba0f718e8db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
dfe3bb3fe1371133cfd30cd865824cfa

SHA1
88bb2c95c28f5acb555a65a54a5930023f4b0b06

SHA256
1b69b3903f81e8e6ea37dc3c4bfdf643a44590613a4b82909aad992f3c0acc99

SHA512
d0edb65d71a85e4a744c90d1b8cac6c3159d7e1232b03a4157c74d624cd0bfa8e5a5f9c7ed2d6e01327e7093b8f06152aebeb562c7589da2eb2eebf8a6d80b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
80KB

MD5
ed4d47888f0d38a9718ca8a498498925

SHA1
0cf6292930028cc982cf0ab6aaaff6bcc29eb74a

SHA256
047ea0f01cf99a9f2a78366cb54473a7eb7a838ea7c7b5f02c1dbba92929bf4e

SHA512
89da111313da91b0d75975088969c71f2ed5c96e72cc8029802ca241e7ef22ae6b1d5cf36b9cdc3cc0b33226bf2504daa4057a9fe0b7fa827178d0e7bb7a0b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
90KB

MD5
a769b213bffb34a3488746cd34f6a911

SHA1
a8182748bfdfa3fe02af7c4d01ffd09a2035bd9e

SHA256
67a9f9299e180f0ad84f2b466a73899bbd6fc37c434e79af9d3e7ddd1a0cbdee

SHA512
72b21b28ea831a5ce830881d7d13a23d4edf7da79d79f3199cbe1f7f51dc6ca3e973bb6ab8b367a2e7cd5ef0d4ec80f1c00b58a167dd49d8e921a10ebd518ce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

Filesize
24B

MD5
2dd3f3c33e7100ec0d4dbbca9774b044

SHA1
b254d47f2b9769f13b033cae2b0571d68d42e5eb

SHA256
5a00cc998e0d0285b729964afd20618cbaecfa7791fecdb843b535491a83ae21

SHA512
c719d8c54a3a749a41b8fc430405db7fcde829c150f27c89015793ca06018ad9d6833f20ab7e0cfda99e16322b52a19c080e8c618f996fc8923488819e6e14bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

Filesize
24B

MD5
635e15cb045ff4cf0e6a31c827225767

SHA1
f1eaaa628678441481309261fabc9d155c0dd6cb

SHA256
67219e5ad98a31e8fa8593323cd2024c1ca54d65985d895e8830ae356c7bdf1d

SHA512
81172ae72153b24391c19556982a316e16e638f5322b11569d76b28e154250d0d2f31e83e9e832180e34add0d63b24d36dd8a0cee80e8b46d96639bff811fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

Filesize
24B

MD5
2d84ad5cfdf57bd4e3656bcfd9a864ea

SHA1
b7b82e72891e16d837a54f94960f9b3c83dc5552

SHA256
d241584a3fd4a91976fafd5ec427e88f6e60998954dec39e388af88316af3552

SHA512
0d9bc1ee51a4fb91b24e37f85afbf88376c88345483d686c6cff84066544287c98534aa701d7d4d52e53f10a3bea73ee8bc38d18425fde6d66352f8b76c0cbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Filesize
24B

MD5
d192f7c343602d02e3e020807707006e

SHA1
82259c6cb5b1f31cc2079a083bc93c726bfc4fbf

SHA256
bb4d233c90bdbee6ef83e40bff1149ea884efa790b3bef496164df6f90297c48

SHA512
aec90cf52646b5b0ef00ceb2a8d739befe456d08551c031e8dec6e1f549a6535c1870adb62eec0a292787ae6a7876388dd1b2c884cba8cc6e2d7993790102f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
2a8875d2af46255db8324aad9687d0b7

SHA1
7a066fa7b69fb5450c26a1718b79ad27a9021ca9

SHA256
54097cccae0cfce5608466ba5a5ca2a3dfeac536964eec532540f3b837f5a7c7

SHA512
2c39f05a4dffd30800bb7fbb3ff2018cf4cc96398460b7492f05ce6afd59079fd6e3eb7c4f8384a35a954a22b4934c162a38534ad76cfb2fd772bcf10e211f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

Filesize
24B

MD5
f732bf1006b6529cffba2b9f50c4b07f

SHA1
d3e8d4af812bbc4f4013c53c4ffab992d1d714e3

SHA256
77739084a27cb320f208ac1927d3d9c3cac42748dbdf6229684ef18352d95067

SHA512
064d56217aeb2980a3bfaa1e252404613624d600c3a08b5cf0adcb259596a1c60ee903fdc2650972785e5ae9b7b51890ded01ec4da7b4de94ebda08aeaf662df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

Filesize
24B

MD5
fc94fe7bd3975e75cefad79f5908f7b3

SHA1
78e7da8d08e8898e956521d3b1babbf6524e1dca

SHA256
ee1ed3b49720b22d5fda63d3c46d62a96ca8838c76ab2d2f580b1e7745521aa5

SHA512
4ceaf9021b30734f4ce8b4d4a057539472e68c0add199cf9c3d1c1c95320da3884caf46943fc9f7281607ab7fa6476027860ebed8bbaa9c44b3f4056b5e074d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

Filesize
24B

MD5
379523b9f5d5b954e719b664846dbf8f

SHA1
930823ec80b85edd22baf555cad21cdf48f066aa

SHA256
3c9002caedf0c007134a7e632c72588945a4892b6d7ad3977224a6a5a7457bf4

SHA512
eca44de86bbc3309fa6eab400154d123dcd97dc1db79554ce58ce2426854197e2365f5eee42bac6e6e9455561b206f592e159ef82faf229212864894e6021e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

Filesize
24B

MD5
5f243bf7cc0a348b6d31460a91173e71

SHA1
5696b34625f027ec01765fc2be49efcfd882bf8e

SHA256
1b1aed169f2acfae4cf230701bda91229cb582ff2ce29a413c5b8fe3b890d289

SHA512
9e08dfbbf20668b86df696a0d5969e04e6ee4a67e997ff392099bc7ff184b1b8965502215744be7fe423668b69099242bba54df3f0bfe4e70acdc7cad8195b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

Filesize
24B

MD5
db7c049e5e4e336d76d5a744c28c54c8

SHA1
a4db9c8586b9e4fa24416eb0d00f06a9ebd16b02

SHA256
e8830e7ac4088cf3dd464caec33a0035d966a7de5ae4efc3580d59a41916ff7b

SHA512
b614037fb1c7d19d704bf15f355672114d25080223e7ee4424ad2cb7b89782219e7877b373bbc7fa44f3ad8df8a27eef4e8ccc765d44ec02a61e3b7fae88ae69

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
8d8b7bb936a40f03eea1081e3fb163d7

SHA1
56c761d415b4025a8cf5c8629f25b554540cb129

SHA256
ba9b278ebbd6a788a9b9dfada6b76f77f749870979e67de88eee5d193bf93908

SHA512
5d1d538576410a6cc1f08b68b3680de676d1f48229d091909c08f03676b4198a48702d8e9b9f3931ec6976577ba243dc61d2fd0cf20ad39d425902740852ffc5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\BC0DEF32A0157EF46FE3978BA10BDBC89D00D071

Filesize
213KB

MD5
ebeaf6e6bcff82351d16bbe0f63cc569

SHA1
df2aa8f75aafd410ebf5614083f1331a6c4bea73

SHA256
6df08b70ac844c1acc72aefbd9b4efc7c8ca50728205e5c4fdd23658c914538b

SHA512
9bc075014d5f815ca5ebcf62508ea9bbcb5b6e61fbbc16a2198d78a3a52b1a10e7765d2a0ef7bcaca741d831288700d3d0c762999e22ddb08e34a2a0cb9a2158

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
0e828496497b4f0058a4fbdeccf69522

SHA1
2ecb0e5381a3394d1eaf4128dc926ebf2b41d506

SHA256
8d2cb47a82067992acae15aed29f2b7fbfb930d42a4cdd3e6dd978c0ff179027

SHA512
7462029f0c7d2fcd4d465dad5c2dc617c7bdc7913d3d667a51c7a394a12e01f39e4f6017666b04362fe2d165adcbfd784fc81499dfeb786da37fa4bb57f08634

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
abc826c3ec1d3d48b832d510452c3910

SHA1
b96caf0de1a69cba806c9067e0e2bb0d172960a5

SHA256
f79064333ad184391e62343ed5abc4f9a462c11b2b63f047ddf35128f600f335

SHA512
5def6fd17c81c8e77ae850dd766665923e74fd4f6a05c58e75d490dfaeee9b56de6045410bbb71f3814ea74e95ca6347d3cc9c16a469da84f18ac2ecf2ebc63c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\a93eea16-4369-4e44-b3c6-20099c808eeb

Filesize
734B

MD5
eded9411c67d679d1bccebcc1fcb3620

SHA1
68d1f3eb7f950e8fe965f9caa91bb34d897ac805

SHA256
a1fab3217184c1e3ef2291f9c550433d49a811a18de12e6b1525ee1136e5871c

SHA512
f56a39cbb44d64176f37130f33150082cc54e45bbb96143bc88b8a5ddb5277904c53a0f75c0f6df48551d3a3ba178ceb352c05969367a32172453b6e5398d6e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\extensions.json.tmp

Filesize
42KB

MD5
d316758c0849b1c7cfe7b59e81343bca

SHA1
f2e3aab01effc7f70d27f669f0ba922d93b726f7

SHA256
0125a1b596661914a43205a9d30bd64516c82f38d913ebcfabe24cdd4eb095da

SHA512
e2c1d8de66bb369448d35c93a34f35b8ea9d72dbf05a169b77ea263c91a5d4c311fe3e5a1a8a3b847ee837d16381106b5458bb13bf01dc45311c3e198e087823

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\key4.db

Filesize
288KB

MD5
fa953c16fdbd75ab9471bc02fd360056

SHA1
26242b4c8850547fa428b21eaf900beceb297a88

SHA256
42c3398cd82b9ce54b1b20f4450ec3f2b0432bdcf92918f7ab56e21d326202e6

SHA512
80e0585c124bdbd90b31f9e570ffc3d17045e81ef30254ce4d83808fad5b91b3c275789bc127e79343d754565a767e8b79cfed40a3046d715f8b9a2cf233b36e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
5KB

MD5
0a76b1c3e984e946a91db0865ef27648

SHA1
60c0e73f233ee8271f59589807ea49a485e10baa

SHA256
a8583a1515cbd32c5d9cbd342f2a6f193dc7ef60f5b2cbd621662dfd76a0d6c2

SHA512
d29addeeb44889741e57707652383634fa0a301646e45459d71aa988245c824aaff69e866868b4f6be657a94efcdaa16eed1916067d35376308b044c8df18710

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
e2934584ed2c6f5bb9a892723dfdc2cb

SHA1
563bb3317b3dd87213f2593563b1a9833e380dee

SHA256
f77ff59f1e618b1d46757b46cc26c2b42bd5bd4774d8441f8144d95aaf0c3356

SHA512
6e224eb1a231358ae248323377388014964746d3d4d77057cfebbafc96ca55b9782403d23f1cf5af8c13fcc820fa65a47e291998556181eee0162d6bd95f5cbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
7e5312877a3c09ce83a67dbc626a2c89

SHA1
722cf8fb6a703d7de83ea022e896bed9251adcbe

SHA256
34f214c7ab92f3ca16413a62f16810b7401f1028f0a9ce5552839ce8e7e5977f

SHA512
553c39cf07deee40fc053532b2743e31a280ace83a3f862b809a11a9c9d173be004ab53a34298190d230b4fab666326bbfc70a7077e4db2a5f9cb6f75ee1f3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
2KB

MD5
925e4f55748e96947d12181822fd00e6

SHA1
ce72ce2731762ffcab32946f6844fb1b3711d983

SHA256
fa427e14c8b72115f73c0be201d964cfc2ed625ddaeeb892f8f1ef3c87fe9a4d

SHA512
387e2b715bc42c0d4cecc886399e9252fc7178b0adfc9675bd145c972beba0c5ee4fff5945fc5a53ab5fb64855adde1df292f8fc167604c09bf93a76d4b625b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
2KB

MD5
5699b712513f6aff0c4be9d32de4340a

SHA1
e0555f56ec3c4f8b181499ad843146409a40025e

SHA256
07b6bbf35bf2d48218305d78f4d29dcbc6c1942d8ac7a083f295e337207d4e1b

SHA512
54f40f4ecb944af6a75e1905847359133c99e7445dd8e29f6bbde59d5105170a7dbbc87d8fda5c9adefc9c4887ed9114136cc1077aee37e859dcf6cbe419cd31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
5936108fab75963c500de6dde2a74da1

SHA1
828149aab2f2551d5486c88b5db550f98510ab79

SHA256
77b0ae3054ef4f9a0cc8d35a1b4ba6670b86c3e8947ed0ca493da4181b65ef70

SHA512
139a14879b3a3b393b4c5026e0d9f43d125bbd34d66f35b81288c3113c4abb93db33286d20fc73b8e2a8edd1d9111e65d75257ee50a8a35c12f7872b88becd60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
fe0504bef5a0b40f1d700185647db9a3

SHA1
71aee53fe95b6630b39a3d25f9854809c9738a4f

SHA256
10189ea7ef76a5e9e578f49261fbf96366b80d70f2e50da7dcff635169a5550e

SHA512
93513931d928f8135d11c226b785b38a5e6e8796fa3bdbc26cabced56c5d51129b6e4a483c7aa6cce7fc3b2d574cc1d2fa73de2b051e252cbc3fd67c9e37bfca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
99d99d8bb3aff1924fd73777fdb69a00

SHA1
871ee40e9ad98a526f537e8a99f679aca2c0c74a

SHA256
9e0b4bab4b1ff417ef1000aa65f841a4f62953f76159b643ffe4fe48cbd4c890

SHA512
c4268f469fdf1afb243346fce6157f3dabfb5c53bfece48ca22888ff340ac90e08d070a5c152bc16195aabde4aea41618d4814b0125d0e45149bf1013c4afaac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b01efd0877d8bb4a5d754d6d5a5922cf

SHA1
6dfaecd4219afbb206185171c64c777e9c73ae21

SHA256
ef1ebedd446ce18b79317f09953ff8a6069f92749188b45945567c315388aa90

SHA512
6f5fce89b6dc7e6979fdb01493c0811bcd55cb945d7665cd9a23e93419a5aa28207b3f614461103f04b0406741e8020c35252fda5529e41e3e918e42fd89c086

Download Submit
C:\Users\Admin\Desktop\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe.lnk

Filesize
588B

MD5
52f90a6d311692b710caf121b6cbf189

SHA1
1da7633680fc3f84d238407dc91e8bcb840dd759

SHA256
aa3675738ef72a095a45369087cf9074e3559a5b17285dec599a1dda4085057d

SHA512
e9aa80a38e92a0bd1e8a1ccfc2a33310586b27b9a7ff1db5bc4491987ab3141e30f2e3c8cc97b71742d27913c079d1a139c85f39538fc819fc17e941ee6b20b5

Download Submit
C:\Users\Admin\Desktop\00000000.eky

Filesize
1KB

MD5
6c4527571525c0dabb66d4dc40d29c93

SHA1
26e96ae0355578dd6b00b1fd985898b57a4088af

SHA256
a33ca9628b341b2b341fb52ecaa6cae589406e0cbf3dbf4fa521503184b4f95b

SHA512
138926289ab20de3f0cce2a3ab119ba2ce674cb19d2e1d82e2f14c45ed24f89a7b37c55155fdc54c112b113ccad79d13b52bfcb727ad8f4a76f34fb5893698a0

Download Submit
C:\Users\Admin\Desktop\00000000.res

Filesize
136B

MD5
a8d8cd93b1e2a7afb631230a6312ab18

SHA1
410c92c472a43f8825d680382a1d129c970db687

SHA256
87cd593146143171699cff9e457283d11cf88cf5446934def19cbb71854105df

SHA512
bd5a4eb5e3c28ab4abbf909a68c06cbeeda65b2b8214fc316845e0337e6ae43d7933eb7aa6fafb41ccbfd97c163ea12d326f147879f6242f43b7ba29fdcd90d9

Download Submit
C:\Users\Admin\Desktop\00000000.res

Filesize
136B

MD5
c589b66e542b2dad089d10a6fc066646

SHA1
d55ddb35180c4083248d166e7eb1fee95be74534

SHA256
041d8e8e676f8cf647b06fe1fd8379f50e282d251f0d7f7e98462044e178f998

SHA512
338b5a33c7bba369754c30b922e42a58501a0dd23612aac2baa41139af67a5e33845ec2652476d238f7c4b0c43e6b0507d56c75de239d47376adb066afc70296

Download Submit
C:\Users\Admin\Desktop\00000000.res

Filesize
136B

MD5
06afe1d5e1d72b014efdad8bbbde92b5

SHA1
da74cc76652ac2081a73e9792fde0440fffb6b22

SHA256
c24f97c01f931f01179d2d0a6ff1b3d1f066606f04e6c08a854850b772ebb128

SHA512
83f8c1b7e4605c697734bc6072292c88095d54b0ff6664f223f5308bf28d535dbbbef3f7bdec725099a30d84acb40ae14ae2cc21f701c3148d2b93f8d7fd68a6

Download Submit
C:\Users\Admin\Desktop\00000000.res

Filesize
136B

MD5
c72fbe8dbd688766497e542bae13625f

SHA1
69fa81c9658cc2f7a8c866f26933efec2c6cd198

SHA256
4904b332f305a64152f8bccaafc3b5066733d070ea82ec3a4bb0f25555ea5336

SHA512
14d1d2345b5631f91873e44e8b53292529addb2a225321b597e3a6ae91c4f58a1fa643edeb79d6101238888389b609113210a993205dacd363da79d274acf076

Download Submit
C:\Users\Admin\Desktop\00000000.res

Filesize
136B

MD5
8ec1caa9ad9de90c868ac91d2ee1e4e0

SHA1
d32478e1c47ee14dfeb66b8283d9c9f4a8a83784

SHA256
95a5048c87c551baddd9ec92aa297cee9fc5479cac2d6b9e73cea8c8a2be3c36

SHA512
1d3e9fb56b951e857f528bd58691baeb83b9f6278541c3a58fbc4a7c31ebf2f453f25cd3952c73db42b985b91f2bca486aae72db78ee2da56fd74aee2148ace6

Download Submit
C:\Users\Admin\Desktop\238381719014520.bat

Filesize
314B

MD5
a112cca9dc4d4389853960a4090375ee

SHA1
a41ef3b4ca3e316d1bc4095aedf80b07ccc2d045

SHA256
16cc3752392a4575db02c89c72f0808bd7e6b37ed5c69490a248b9309907c7b3

SHA512
470af17cc72848693327b30794a6f6d00ae77693780645259b5ed02256e3b1a9dd895489eca7e6a0dd558ce40e6e18ee3c3666fe0119935e6a1ca1bcb7e0ccd0

Download Submit
C:\Users\Admin\Desktop\c.vbs

Filesize
197B

MD5
67ac56e98bdb0c90862e8472916f11ab

SHA1
f961a11be9a04743f3e053a2bf46c12b9471fd28

SHA256
6e20336f20c42fc21f30dc362dfea245333b195597a42bb7c87143283be8ea10

SHA512
24267afc873e725d2c07bf51ce5b7e40026966a94919624baeb0d605770b9e64164948f9330b7e1910a913651b58132bffc76ceb4f0f8a5cecb9a56349bbc1da

Download Submit
C:\Users\Admin\Desktop\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Desktop\c.wry

Filesize
628B

MD5
f4d41dbfea26a00d04d9d10c246f16e1

SHA1
767a21b282eb477ac3113f0c9897a7fd51b36151

SHA256
9680a08573a466a8284aca8b39baaf34a7258313b21c0725d48f2e650ae2753a

SHA512
540eca179e86a71f57c617444b9c330d2e971af68440c7d326e62548d1d5ab5c60dba86780b6b510fde52e7033f0965138c56616bc146c09527c45f9a633da3c

Download Submit
C:\Users\Admin\Desktop\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Desktop\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Desktop\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Desktop\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\crashpad_2976_JTUEKTKSISCVAWYR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3880-998-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-1012-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-1017-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-1016-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-1011-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-1015-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-997-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-1014-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-1013-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3880-996-0x000001C309A30000-0x000001C309A31000-memory.dmp

Filesize
4KB

Download
memory/3964-12-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download