troldesh | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Resubmissions

19-08-2024 14:35

240819-ryggyatakm 10

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
19-08-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

troldesh defense_evasion discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1780	Vobus.exe
1552	NoMoreRansom.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1552-688-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-689-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-691-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-693-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-690-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-711-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-712-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-715-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1552-748-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com
61	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Vobus.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vobus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Vobus.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\$uckyLocker.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1552	NoMoreRansom.exe
1552	NoMoreRansom.exe
1552	NoMoreRansom.exe
1552	NoMoreRansom.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	firefox.exe
Token: SeDebugPrivilege	4220	firefox.exe
Token: SeDebugPrivilege	4220	firefox.exe
Token: SeDebugPrivilege	4220	firefox.exe
Token: SeDebugPrivilege	4220	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
1780	Vobus.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe
4220	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4204 wrote to memory of 4220	4204	firefox.exe	81
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 2348	4220	firefox.exe	82
PID 4220 wrote to memory of 836	4220	firefox.exe	83
PID 4220 wrote to memory of 836	4220	firefox.exe	83
PID 4220 wrote to memory of 836	4220	firefox.exe	83
PID 4220 wrote to memory of 836	4220	firefox.exe	83
PID 4220 wrote to memory of 836	4220	firefox.exe	83
PID 4220 wrote to memory of 836	4220	firefox.exe	83
PID 4220 wrote to memory of 836	4220	firefox.exe	83
PID 4220 wrote to memory of 836	4220	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1924 -parentBuildID 20240401114208 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fef66fbb-9701-4fc3-8e9f-d7993bddaa79} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" gpu
    3⤵
    PID:2348
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4707a4ae-7456-4810-813a-829ba522c144} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" socket
    3⤵
    PID:836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2560 -childID 1 -isForBrowser -prefsHandle 2840 -prefMapHandle 2776 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1104 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {772ed50a-eea7-4fd5-918b-cb592f783d73} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" tab
    3⤵
    PID:4228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 2960 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1104 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fbe333d-de3d-4468-aa9d-24508a175cd4} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" tab
    3⤵
    PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4736 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c74622f-831c-4899-b855-82e99d4720ee} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" utility
    3⤵
    - Checks processor information in registry
    PID:4204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4880 -childID 3 -isForBrowser -prefsHandle 4872 -prefMapHandle 5556 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1104 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3977fd0c-e39a-4b7a-abf2-9a24c1a861e4} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" tab
    3⤵
    PID:392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 4 -isForBrowser -prefsHandle 5716 -prefMapHandle 5720 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1104 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a941a025-b230-43b1-8ae6-27ae1c966b9e} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" tab
    3⤵
    PID:72
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5992 -childID 5 -isForBrowser -prefsHandle 5912 -prefMapHandle 5916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1104 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5767626a-54d4-4b97-bdda-aa4c025c183d} 4220 "\\.\pipe\gecko-crash-server-pipe.4220" tab
    3⤵
    PID:3092
- - C:\Users\Admin\Downloads\Vobus.exe
    "C:\Users\Admin\Downloads\Vobus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1780
- - C:\Users\Admin\Downloads\NoMoreRansom.exe
    "C:\Users\Admin\Downloads\NoMoreRansom.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1552
- - C:\Users\Admin\Downloads\$uckyLocker.exe
    "C:\Users\Admin\Downloads\$uckyLocker.exe"
    3⤵
    PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
5ab3c941c90c896ecc3b94f911580fd4

SHA1
30a68f8be7c20c921c37b5ff61da5d390ce20192

SHA256
ea6d17e9969cce4edf3e065697b4faddb9c4f2b5a52940867ba142cd1396bc3f

SHA512
2d39c26771d492b2646b696c0bba989a913751117ec44861d881d01591aa0509f122eac040923025b486435e1e1999169cd269155a7a115f7553aa89af953e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
8KB

MD5
facf8673d8c084e4f9587a059b5769d1

SHA1
e5dce1eab553eae85eea33c3c96dadf5023680f5

SHA256
1ee30f876fa73096df061bded90318e531e31813b40f022d66facdb1cfb9c9c2

SHA512
0fcd6c016215a4bed2030890c9e006953870d745adbc8d3ab94913d04baa5c1e8363391f3d168a7d9d014eeb4142d6e81217c5aea02a4f409ed4948e286bcc52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d81ee191ad2d54c2e45eaec34245d646

SHA1
d5dd89183c2692f19625124b7d5f79276ad84901

SHA256
8d678ffa492069f95bd421012e77c96e95a493f09a8a85391fd147b410a24665

SHA512
95fa23858f960458ca418c7aaffe0caf8584166c8caf2c75d43486e14a83edc2fcce9d1bc33ea0377db041f875c871db2e8b2ed1893074d16c7ead67bdcb5721

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
a9e4d9669356d03319b6d45687dd649c

SHA1
2da4e377a24025a4e0ef9aeb682731ef5a9934f5

SHA256
8c7d68f9e98dc6d6b2cd34dd8507fb78821d311b2751f7b4f9f9642452fbeaf3

SHA512
211b49f83daa68aa57b5fbddafb96ba059fb5a4c1e2aba6a0b309ed3ea3c7897e508b0ab02117831e389a24f3278b55d6120b8e0f6b604beab57aa78dbd9108d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
698685285a77fffe367379e6b0e2634f

SHA1
86f4d28245e330367c421c5cd4cc9ea87741c0d8

SHA256
a7f70bde47149a1fd630fde3d5785373ffc0b7a99e65b170c0a53e7c36cb788d

SHA512
adfce9edd8a8952c8a32ee6096d45c39232981e847d0692ea1232c76fa86e9f8ba5535c69ca2bb82cb8543811186b7715200f7795e7538675291c4cf99fc5529

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\1171fa65-3d75-4291-a8e0-4f25f8e4a5ba

Filesize
982B

MD5
7b0d6783efa6431ac9a6d94cc88b8ba4

SHA1
05ed5b44907045d0d38c81c3e33fff986b5af22e

SHA256
e5c4c21862fef976e343462272ac2679f99280de45a3c4695a8f92fc143bfa00

SHA512
8763d358f33946a758b49f2ec23903c1b1ad572dfb8fc32b7794cc6d867b5cadd73f1407d4c2685a93d800d6a4b4016063284793a8d8aa9f9b5e69b0b6487513

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\1f0ffaa5-934b-4376-bd1d-c2ecfd49ff20

Filesize
24KB

MD5
ad819a07efe3183a5e2140f88e4ddb3e

SHA1
fc8a6b30d94f4d6a1f3c2f47681745b76685a777

SHA256
29cc354cfca51174f3df5b4e59b85dabc283d746968c7d1b8f9adadab6a1427c

SHA512
1533c7249342862ddb7950fb4a5b1e47d8709f75459cb62b5d07320aace7859914611cce6f05d351dbb54e317a0418e21b650a4bfe80e874a8257c53e0f2cfeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\4191bcdc-8d5c-4d53-8470-8d1c02a439c6

Filesize
671B

MD5
c7031c7d7059239ed11204ec4658e081

SHA1
5335bacb96d800ed352c620067fa84ceccde01ae

SHA256
49c402a130f6891b3283eb21714f843642c10b59f75bfde491ea9776b1cf54e3

SHA512
f85e767ca4e49d722ac3b90b677f42849d557c713a74c08c156c048846bbf43bc97769e8a5caba8774a57f294b8097e87c40db47d64376735198d18dfba3de00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\e1ec818f-6aea-4d79-ac42-b7e385f04e63

Filesize
1KB

MD5
3946507f9715aa2cdb6c45a08f89d3f9

SHA1
545ef2c7332701268efde00bdf1f3374ed8816e2

SHA256
fd97c9fe6d2ac8f6ae88ffb6df4d0f24d2ed800030bc8d84b1401befcce9bbf4

SHA512
72f5244f5ba981425be51128d0f96afa4cbc31cffba5eff5750e84e3bd798806a6b7a34658db55846cb1f23506776c1f52ff8213f16e73fbfd1194f874dbe05d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\f86bdcb2-3dd4-462e-9871-c53055e1e20b

Filesize
847B

MD5
e275c863420657c88bcb4dde7668fa96

SHA1
a4dea9eadb781428ee6e0f0a43d287706f6473e2

SHA256
0e0227362f3ef484f1a42f6337e37eb817241642a65eb53bd408935ec6ed6680

SHA512
905779218156308c4fae80e40e083913a031b7516f764b8fb562e3b8afbf4463bd2221f07ed6d3717f21becec919563b262e9a6fcc3b3ad0487bdb2aa7964079

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
bd2ae3a91b61186c44e799bf72051022

SHA1
89bdb21162b7c9e445c18e033e84d49a47e582e1

SHA256
29938c26151919a0f2782c4c682dcdb17d4cafac44df68850af1c01f074317ef

SHA512
261db417d63419c7c10edac44d2b987e1ff37afe14a0bebcc7045246d9c1051aec6bba5810aefc7a4b80ff44fe3871404d938bc8124e179aa267973e8808246a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
12KB

MD5
5e35692663d2a7b3dfe5a24c15c2b520

SHA1
6c278854ca327da799534b5cb00b30035509907a

SHA256
48c9d21f4e3ad2b0df8d8d64a20700bb7060b1d5ed7004dd0a2789b5b522dc44

SHA512
ba94f6869e5e237f200d434758509f9551ff89d00472882b99ad46f905bb4c9fbe376d02b91ba73b8146be6394541df239460d6aacf51efa97e470f49b3c27c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
21958b72b7c4d720bb6f6b48bbc79af3

SHA1
249bd898f52141ccc8b8a432974bf45df0a6a540

SHA256
61156473ff9395881bf0f6c59294fc939a7be3ee86b9306507eb8fb1e73c4471

SHA512
f1169a73f826210a060d26312c9c83fba7eefe301b192f0cc8f7bbde5dc589bc319403f7144af1f125f822fedc059f82eb5e0fc1949fbbb33abcf1a94d93004e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
10KB

MD5
04cd65ad48fc4b20a52bfe74fc8de3c7

SHA1
7b756fa3b100180090bcc33c3f420cf4c50ed219

SHA256
1449f832574259936a53f4b417953cf413172f30d631c50d968435b7bc0d555e

SHA512
5854ac81d02371508a149e0749216d09dae5b693574274897f2febfb9b7ef2fda932e86be4d59841a924c5a1853a0e6e7a95d6740df37b64d3ee1f1d05965299

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
ae7f907015087647afff81e36528b6a6

SHA1
18f82e1295c8c3995423f1f89d3c0f1de2a9b6f7

SHA256
24467ae4bb61d0c3626df025774cca3a8276d1fbedcbac1a2720f38e8c6d9e44

SHA512
3b970abb603960c0670654065094dcea26993d5076e85e05faa71e66e28800f3b4dacfb25c55b6f5db90aaed7d4642fbf658200881677a8760e027895e44c3ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
d7a60d190e5625787a3586c8a2517ed2

SHA1
4cfa659c16aedb2480bb426b8897afcfddaecfbf

SHA256
4b2ebebfe6872dcbef05dd1b28f1ac449b5f72d4640d0730ed8cf143bb29d8cd

SHA512
e0c11a2b4469109a65be8accc0735d2ec7150196fba783d449b1f04e910ada7b864349dd00cd021b64fb18e729e5ec41521bee877879eb767fdb6c5f45c807dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
c361eaabc919880a4ae28794d0194831

SHA1
1330ce23075abbc3662077c0c6a308930c3013c8

SHA256
b3321b6bbc5749f8c000777620e3581ae121f4fb6639592316936816cda4f098

SHA512
ee178d329e2e1812e36b75e543146f84059fe1986988257b46f4c95d478ab855b7d3750d468fdce2a64af7275bbd672b8a699e4b5ff1e9ec4453793f163f5b86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
d90e123ae344bf65aae7fee1f37dcd8a

SHA1
a8e0fdff4fc81e276377739b8196a71bfb58c57d

SHA256
8149779e460d701615870b1c4128f0122f3f5c78f798b667f1d817d980ffc0ea

SHA512
9bb9aca2922349a3499c50e1ef7617033c679206855f697c7bca0e61d5e43e540488ca760cc8d1ef4eb219ea8b04e02c6e2c6bb8760630d6d5170b62debbe3a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
04c6aab9d0e208f606257554182ad01a

SHA1
aa45f4161e2c531411cafc0de8e0539cc64a6665

SHA256
f9cbca311a86b5a6125490d9f0ce3a4ee12de80c9f5a4582c7ae88af645c1846

SHA512
109960abc3963fbd0c9ecc36320483d4412418689e9d9f60afd0ffa0dd6114acbe36a8399fe5c2e209884d36cc7ade12aef2439d1ead0d5797153b64b152fc87

Download Submit
C:\Users\Admin\Downloads\$uckyLocker.exe

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Vobus.exe

Filesize
384KB

MD5
966bb4bdfe0edb89ec2d43519c6de3af

SHA1
7aa402e5241ff1ca2aeabeeda8928579902ad81a

SHA256
ef12832d67a099282b6aad1bf2858375dd4b53c67638daf12a253bc9f918b77f

SHA512
71b8cf14055caee1322976dc0ac777bdd0f9058ee37d30d7967bdc28d80f66d0d478c939501be5f9c70245e5b161c69ad36721a7c6454fea9abe76786934db66

Download Submit
C:\Users\Admin\Downloads\Vobus.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
memory/1552-748-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-687-0x0000000002350000-0x000000000241E000-memory.dmp

Filesize
824KB

Download
memory/1552-711-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-712-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-690-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-688-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-693-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-691-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-715-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1552-689-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1912-783-0x0000000073C6E000-0x0000000073C6F000-memory.dmp

Filesize
4KB

Download
memory/1912-784-0x0000000000810000-0x000000000087E000-memory.dmp

Filesize
440KB

Download
memory/1912-785-0x0000000005950000-0x0000000005EF6000-memory.dmp

Filesize
5.6MB

Download
memory/1912-786-0x00000000053A0000-0x0000000005432000-memory.dmp

Filesize
584KB

Download
memory/1912-788-0x0000000073C60000-0x0000000074411000-memory.dmp

Filesize
7.7MB

Download
memory/1912-787-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download