wannacry | ef0da4eca8aa731469dde63dbee451bc6b0d5814bc140c747a7029b9bb2a8cef

Analysis

max time kernel
391s
max time network
395s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28-08-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fabric-api-0.100.8+1.20.6 (1).jar
Size

2.1MB
MD5

054a7f0b6e6e705c601e47f7e8a162fe
SHA1

f8a4b3a551fc5bde9a2d3e4bcac9cb21a081c828
SHA256

ef0da4eca8aa731469dde63dbee451bc6b0d5814bc140c747a7029b9bb2a8cef
SHA512

414f19f903a093c39006e1919a81bea43c3b6728b88e358dc2611ab44b8087e25abc504c66926f245342fa2a245c07462ed62897f15d6c84006b7acf6214ca46
SSDEEP

49152:Ji5dJ1lub85+wiDRKf/+OOgS1/yJ9ksEsuSK6bZnM5Lz0awC9uy:YPubY+XDRm/LOgKqrksnK4ZSz0w

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB67D.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB684.tmp	WannaCry.EXE

Executes dropped EXE 36 IoCs

pid	Process
5236	WannaCry.EXE
4980	taskdl.exe
1248	@[email protected]
5796	@[email protected]
3172	taskhsvc.exe
4204	taskdl.exe
3620	taskse.exe
2116	@[email protected]
1384	taskdl.exe
5976	taskse.exe
4536	@[email protected]
3312	taskse.exe
4616	taskdl.exe
2664	@[email protected]
2772	taskse.exe
2284	@[email protected]
5052	taskdl.exe
1484	taskse.exe
2868	@[email protected]
5276	taskdl.exe
2392	taskse.exe
2996	@[email protected]
1604	taskdl.exe
5224	@[email protected]
2436	taskse.exe
1864	taskdl.exe
5380	taskse.exe
2764	@[email protected]
5608	taskdl.exe
5176	@[email protected]
1676	@[email protected]
5844	@[email protected]
1980	@[email protected]
2760	@[email protected]
652	@[email protected]
2704	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6000	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxnzxcsps696 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
20	camo.githubusercontent.com
29	raw.githubusercontent.com
90	camo.githubusercontent.com
99	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2842058299-443432012-2465494467-1000\{0FDEE196-3918-4635-BB4A-6BB0DB8D5822}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
492	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 668244.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
4328	msedge.exe
4328	msedge.exe
5548	identity_helper.exe
5548	identity_helper.exe
6096	msedge.exe
6096	msedge.exe
2548	msedge.exe
2548	msedge.exe
4864	msedge.exe
4864	msedge.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
3172	taskhsvc.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe
2032	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2116	@[email protected]
2344	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	764	firefox.exe
Token: SeDebugPrivilege	764	firefox.exe
Token: SeIncreaseQuotaPrivilege	6096	WMIC.exe
Token: SeSecurityPrivilege	6096	WMIC.exe
Token: SeTakeOwnershipPrivilege	6096	WMIC.exe
Token: SeLoadDriverPrivilege	6096	WMIC.exe
Token: SeSystemProfilePrivilege	6096	WMIC.exe
Token: SeSystemtimePrivilege	6096	WMIC.exe
Token: SeProfSingleProcessPrivilege	6096	WMIC.exe
Token: SeIncBasePriorityPrivilege	6096	WMIC.exe
Token: SeCreatePagefilePrivilege	6096	WMIC.exe
Token: SeBackupPrivilege	6096	WMIC.exe
Token: SeRestorePrivilege	6096	WMIC.exe
Token: SeShutdownPrivilege	6096	WMIC.exe
Token: SeDebugPrivilege	6096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6096	WMIC.exe
Token: SeRemoteShutdownPrivilege	6096	WMIC.exe
Token: SeUndockPrivilege	6096	WMIC.exe
Token: SeManageVolumePrivilege	6096	WMIC.exe
Token: 33	6096	WMIC.exe
Token: 34	6096	WMIC.exe
Token: 35	6096	WMIC.exe
Token: 36	6096	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6096	WMIC.exe
Token: SeSecurityPrivilege	6096	WMIC.exe
Token: SeTakeOwnershipPrivilege	6096	WMIC.exe
Token: SeLoadDriverPrivilege	6096	WMIC.exe
Token: SeSystemProfilePrivilege	6096	WMIC.exe
Token: SeSystemtimePrivilege	6096	WMIC.exe
Token: SeProfSingleProcessPrivilege	6096	WMIC.exe
Token: SeIncBasePriorityPrivilege	6096	WMIC.exe
Token: SeCreatePagefilePrivilege	6096	WMIC.exe
Token: SeBackupPrivilege	6096	WMIC.exe
Token: SeRestorePrivilege	6096	WMIC.exe
Token: SeShutdownPrivilege	6096	WMIC.exe
Token: SeDebugPrivilege	6096	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6096	WMIC.exe
Token: SeRemoteShutdownPrivilege	6096	WMIC.exe
Token: SeUndockPrivilege	6096	WMIC.exe
Token: SeManageVolumePrivilege	6096	WMIC.exe
Token: 33	6096	WMIC.exe
Token: 34	6096	WMIC.exe
Token: 35	6096	WMIC.exe
Token: 36	6096	WMIC.exe
Token: SeBackupPrivilege	5336	vssvc.exe
Token: SeRestorePrivilege	5336	vssvc.exe
Token: SeAuditPrivilege	5336	vssvc.exe
Token: SeTcbPrivilege	3620	taskse.exe
Token: SeTcbPrivilege	3620	taskse.exe
Token: SeTcbPrivilege	5976	taskse.exe
Token: SeTcbPrivilege	5976	taskse.exe
Token: SeTcbPrivilege	3312	taskse.exe
Token: SeTcbPrivilege	3312	taskse.exe
Token: SeTcbPrivilege	2772	taskse.exe
Token: SeTcbPrivilege	2772	taskse.exe
Token: SeTcbPrivilege	1484	taskse.exe
Token: SeTcbPrivilege	1484	taskse.exe
Token: SeTcbPrivilege	2392	taskse.exe
Token: SeTcbPrivilege	2392	taskse.exe
Token: SeTcbPrivilege	2436	taskse.exe
Token: SeTcbPrivilege	2436	taskse.exe
Token: SeTcbPrivilege	5380	taskse.exe
Token: SeTcbPrivilege	5380	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
764	firefox.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe
4328	msedge.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
1056	MiniSearchHost.exe
764	firefox.exe
1248	@[email protected]
1248	@[email protected]
5796	@[email protected]
5796	@[email protected]
2116	@[email protected]
2116	@[email protected]
4536	@[email protected]
2664	@[email protected]
2284	@[email protected]
2868	@[email protected]
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2996	@[email protected]
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2344	OpenWith.exe
2792	firefox.exe
5224	@[email protected]
2764	@[email protected]
5176	@[email protected]
1676	@[email protected]
5844	@[email protected]
1980	@[email protected]
2760	@[email protected]
652	@[email protected]
2704	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 2352 wrote to memory of 764	2352	firefox.exe	89
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 1044	764	firefox.exe	90
PID 764 wrote to memory of 4904	764	firefox.exe	91
PID 764 wrote to memory of 4904	764	firefox.exe	91
PID 764 wrote to memory of 4904	764	firefox.exe	91
PID 764 wrote to memory of 4904	764	firefox.exe	91
PID 764 wrote to memory of 4904	764	firefox.exe	91
PID 764 wrote to memory of 4904	764	firefox.exe	91
PID 764 wrote to memory of 4904	764	firefox.exe	91
PID 764 wrote to memory of 4904	764	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4436	attrib.exe
4600	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\fabric-api-0.100.8+1.20.6 (1).jar"
1⤵
PID:2300

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {89f519dc-2734-4cf1-9f29-ed4e48cdb487} 764 "\\.\pipe\gecko-crash-server-pipe.764" gpu
    3⤵
    PID:1044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1516573-063b-4094-a430-a15dff1e8f83} 764 "\\.\pipe\gecko-crash-server-pipe.764" socket
    3⤵
    - Checks processor information in registry
    PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 1 -isForBrowser -prefsHandle 3188 -prefMapHandle 2944 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4223407d-f532-4f3b-af9b-a818b7b9d0b0} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:1128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3964 -childID 2 -isForBrowser -prefsHandle 3956 -prefMapHandle 3952 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f5d1e81a-4538-4962-8e80-6443d6b4280a} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:1436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4664 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4460 -prefMapHandle 4580 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a8f159c-ea72-4739-9f89-e1595562c542} 764 "\\.\pipe\gecko-crash-server-pipe.764" utility
    3⤵
    - Checks processor information in registry
    PID:5160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5400 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5380 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfdd451f-77d5-49cc-b0b9-c591345fdc5d} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:5844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5556 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bceb8aa6-5634-487f-b2b3-eb72d060eb7a} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:5868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 5 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {378877ae-3702-46f9-871f-cafef448396b} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6128 -childID 6 -isForBrowser -prefsHandle 5264 -prefMapHandle 6156 -prefsLen 30902 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6523f959-aed6-4234-ac79-2cff702b999e} 764 "\\.\pipe\gecko-crash-server-pipe.764" tab
    3⤵
    PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa9be3cb8,0x7ffaa9be3cc8,0x7ffaa9be3cd8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1860 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3588 /prefetch:8
  2⤵
  PID:4468
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:5236
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4436
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:6000
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 89281724884615.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5864
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3836
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4600
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1248
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3172
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1176
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5796
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6096
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4204
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qxnzxcsps696" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qxnzxcsps696" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:492
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1384
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5976
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4536
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3312
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4616
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2284
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5052
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5276
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1604
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5224
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1864
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5380
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5792 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,12164863441667886472,9112392341798747957,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:2836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2344
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Public\Desktop\@[email protected]"
  2⤵
  PID:1628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Public\Desktop\@[email protected]
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2792
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2072 -parentBuildID 20240401114208 -prefsHandle 2128 -prefMapHandle 1996 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1887b2db-35e8-459c-b373-e3c721732dc1} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" gpu
      4⤵
      PID:3312
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2508 -parentBuildID 20240401114208 -prefsHandle 2500 -prefMapHandle 2496 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79d969b7-7204-49b8-bc42-04b3186eb4b6} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" socket
      4⤵
      PID:1360
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -childID 1 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 22395 -prefMapSize 243020 -jsInitHandle 1412 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {18caac03-a200-4643-93db-0dc9193e312d} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" tab
      4⤵
      PID:1136
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3908 -prefsLen 23777 -prefMapSize 243020 -jsInitHandle 1412 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3ebf850c-5caf-4d53-9cc0-3b7d7eacb685} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" tab
      4⤵
      PID:4764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3988 -childID 3 -isForBrowser -prefsHandle 4500 -prefMapHandle 4496 -prefsLen 29588 -prefMapSize 243020 -jsInitHandle 1412 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19da3ff6-9626-42e2-b3de-51298bb1fc33} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" tab
      4⤵
      PID:728
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5040 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5152 -prefMapHandle 5148 -prefsLen 30186 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23a88f95-4568-4e74-8944-1371225d5ad5} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" utility
      4⤵
      Checks processor information in registry
      PID:1812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -parentBuildID 20240401114208 -prefsHandle 5368 -prefMapHandle 5356 -prefsLen 30359 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f538a5c1-19d6-45c3-afd3-b65704151920} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" rdd
      4⤵
      PID:492
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5716 -childID 4 -isForBrowser -prefsHandle 5736 -prefMapHandle 5732 -prefsLen 28495 -prefMapSize 243020 -jsInitHandle 1412 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {559720a2-0eaf-402f-a7c1-0cfcbabe534b} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" tab
      4⤵
      PID:3092
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 5 -isForBrowser -prefsHandle 5748 -prefMapHandle 5744 -prefsLen 28495 -prefMapSize 243020 -jsInitHandle 1412 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {27d99580-bc51-42fb-a9ba-b3778cc063a6} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" tab
      4⤵
      PID:5672
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 6 -isForBrowser -prefsHandle 5868 -prefMapHandle 5716 -prefsLen 28495 -prefMapSize 243020 -jsInitHandle 1412 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b81d49e-9109-4cac-a1af-04fd5b3a35bc} 2792 "\\.\pipe\gecko-crash-server-pipe.2792" tab
      4⤵
      PID:2892

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1676

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5844

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2760

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:652

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
f3d0a156d6ecb39d1805d60a28c8501d

SHA1
d26dd641e0b9d7c52b19bc9e89b53b291fb1915c

SHA256
e8be4436fcedf9737ea35d21ec0dcc36c30a1f41e02b3d40aa0bfa2be223a4a3

SHA512
076acfd19e4a43538f347ab460aa0b340a2b60d33f8be5f9b0ef939ef4e9f365277c4ff886d62b7edb20a299aacf50976321f9f90baba8ccd97bc5ac24a580bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
540af416cc54fd550dcdd8d00b632572

SHA1
644a9d1dfcf928c1e4ed007cd50c2f480a8b7528

SHA256
e4e53d750c57e4d92ab9de185bb37f5d2cc5c4fcc6a2be97386af78082115cbb

SHA512
7692e046e49fcde9c29c7d6ea06ed4f16216ec9fb7ea621d3cc4493364743c03925e74244785588d1a4bfc2bedd32b41e7e66e244990d4076e781d7f4bbb270f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
be1dd9c120a53650bbfdf97c4c26d47e

SHA1
31efe88f8dea9b35ff4f36c9b32b09969adc4f0e

SHA256
3ef78facdaf813c54367fd637e84e5f94f0964f48c3d28fb4af2d510cc625da1

SHA512
f08aa321d74e702e6a870eab8864db7fb958e0074568a5d03c582305da598caba8e551a543f0ae744469e97b1d1528aacfd1ab7c8bfae3ae6d8135662a9833e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
4def66df72aa18e11b29cd4c8a9d4c97

SHA1
1fa312364510b17248675238f3ae296e9b48d3d8

SHA256
23473bf51372144ba84db90bf4de5fe94b2fd651fa37e17a6d4c45920a2760e9

SHA512
945ff259d3b2cab3560eaa1bfdec4d9b3d9ea88dbd04bb10e935d0cad59bc53e103ec5ecf01aa47a779c61cf1df94e098b13eaade1d0c95f818ceffa51786af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
880B

MD5
00b0959ed14ccc18c89b57b0957d3be3

SHA1
be77bc818ccff4f402d1dee76de15521cbe38e2f

SHA256
f5a318b1a8f6d130a3fb214e2a5fc1b1dc7c6d800104ee9b875bfc54b2ff5511

SHA512
1be9d5814d087540d9203152e4d177f858dca6b7deadf95f2e8cefa62b91828ef497719a1e2a921af79150c0f529eccb6cbfa79db4142a475f77cdab037ab8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7635833031fb8be16881fb7d9b896996

SHA1
0748bdf024b8993b6c5dd44bcffb1604b980c926

SHA256
94613d3d3764840067e2bb751396dc0cad3a6a764ae4da58e4b97bd415c90387

SHA512
340d893638a786885c6e19f90e0463a9a3fb6213fe3e10fa7bf92670cca9e8fd810b81d17ed4a866001c2a707d3bbe14eaf5640ed69c103399a2e5951b46c9f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
afca8270f3d0176983781f771314c2b3

SHA1
b1e11068e618a6e7c74e6bfe85b31601be8307e0

SHA256
93616ecc0c482d1860320ac043bbf8283d450d161afda25f5f7b930a4d8c3c01

SHA512
932c20ebc5ca95891c1741ae7867164b4fbee54511924f6aa97da4f01d5ebf83429ef9a0e23eb743129ba32f546a26a0830bd6727cdcdbfba50b4c797e02abd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fb4439ef9b480c776034ca3839178d8

SHA1
3f1a53e58ddc7741349404dd4df6783168841654

SHA256
769dd87a1c9802a97d16be2c4e23d15b6ee014099b1fa1e994a9c2df2df237c4

SHA512
a369b6bc1add6d45f4ad80a5592fcd5578a4430fc61f987c863b2a54c336a78de2d74e73e1b14d67b0841f69cb12d44eb91a2d08f12bad8ad40e9d71df39be3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3a3a5dc610aeac1a7e2e0147e60e3d2

SHA1
69ed449bced5d8ee06422e7d8b15d3547d14da2d

SHA256
9ee580dd6915707c0f38b1c799ba284a721fc8d661756bbe5178990702b435ed

SHA512
ced630bccf548fac9e7d8afe60d015fe5672434167cdd3b8bdc1f99f751d309f87509ac8fa029292b27da492f00a6bdf5d663cc36bac0cd5bd05111079002bd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c0950f2a78ff661c7afea14ece1f90a9

SHA1
1a14ce1141f6b288a04ce686c32a2a7e49752a7b

SHA256
07b687f46d6b3984d3e8c0413eaed0794c259410f1942fcfe3fc212230b7e056

SHA512
f58345922d6e4b96d1fe817600a63d43d0fc3cad4fda44808df69e3ae0fc926d03e6fc2852d8b051bc16fadbab3d7070544cdcd41792eea76e09b50f5c757553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b9276235590b2a40e531ea5c8d2fa40a

SHA1
2c21cb8d73b8e2cd811635377c00b4276a6974e3

SHA256
f53d7a0bc6dba193930cd87cee1572aafb225a333f9575e94f99bf6687f77fcc

SHA512
3d79f85da0a4c069ee604373acd11a4a913781d686657cf5f1d183d1c22bb0c12ca381454125f88faa4724ace12aa9f8d2cac66962fbd4bea2d35e26ddef484a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d2b9960cc475ce280282abf43c532705

SHA1
5d4e029cd3f5027317942e22f9337c27c8157b63

SHA256
a70b65f9d93ec4e0fddb87ee49dfda1d0ebcd649b5336f7503b5d97613b7b61d

SHA512
b782c3d7812c9ed91eab414845370cd89ca6293f1fea0b5447c03198a791fb9a677de9ca555a00a98dc51e4ba29392006ceb83e02811fee6dbcb2264e20e9572

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f8f759618e4f48a949b5798655c492d2

SHA1
991d9b283a3683409dcab14b8ce544b8533ff06b

SHA256
9cac87a168ea6c72c5920da58baad1b893f0ccbacc34d68cf58d3d11c2301c4f

SHA512
997bf2e45ee37f0f30b7575a3fbc5236868236a5f930abc72ee128a8a5e2aa44487bf1458db0b8cbea966d30461726dc7bc9af9fc1326a10fcd02b201d19e214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
47970888376f10b45c3404b886ec2cce

SHA1
5ba585367e8179c3e4ba89fe3620539dc171d565

SHA256
55c79cfd0f5115ec9f2efa9133fcbd11782f48129abd20e50cc3cf781e05a10c

SHA512
5c5880f0af2f20a146304e95c51792a1e28bb587f41a9be73b034088efcd2748fe468be0ad0c9c95c85ecf36ec71a27efa6d29980f5afd09cd04306b83f5e279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9dafb2baf2f73cb7e2ebab41f61bd630

SHA1
ab415a8f1a613100f1356b04f550cb23c76c1917

SHA256
edec375c7e4c4b9693bf633a3b34376080c9b11cf821389e25f69b40cc1c5717

SHA512
abcd526a9a229e23f018bf2d8ccc6903e3e72e168809104c3328b82c694f7e5174bfae92ee54c07bff111ee32b0b70bb0ae6139278277f9e3f547a78645c728d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5aa2b0995b4b78eaf7a1206148c83c42

SHA1
70d077c7d2b025a2c9236ef477c7c5483e7764cc

SHA256
cd2aae1bc5179d3413f6bfe9f72f74cf4eb7c47731046c3b63e1c68d40e2a1a1

SHA512
f027429427928123a9cdf4478d56734ad9e80cf5207210e07e0db43e1a7d79cf5ccb561ae0ecd76e87db4eec62313fdc2a6f67c289d9ab61f997c0b549651de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f4a9ab2b8452dbeb2d082d1db93d85fd

SHA1
710d409c13a0ec77c523b01c76e4dac8f2395a9f

SHA256
5cef1211f5f40c39b4a6821209f798d51969dcd559d409a37753405e91872287

SHA512
ddf835c458114efeb46e9dadac1e46eda13b23c88877d8003b00aeeb8ef5356e97162c445c70cd9e5ea19254b60adc964c04f31d58b5cc82015bc9ad3235f5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
20bab6ddb82cd4ea34fbb3fa062db656

SHA1
a1ca1ee7073bcb58596c031052df17c2394bc694

SHA256
e2c53dccd7c551633088243ca8f66f61d088886940d85a11e1af5386b21ce20f

SHA512
faef3ca209aa18d33b37df7fd8f10d008841eff18094a271942c734ca49c7ad7f974e292b31fb1d5de98afb084791669f2641fb7addda952e8b9f6a443cf0a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
95ff1c732579691a2e0e6f649e0a0ac4

SHA1
90b1c469e1e459d5aa279581b772e3fd5c8d5a5f

SHA256
b37eca9195dc0fe3a070dde0e909f7b0d74c6f5a5d882e615ad7c78c69fe0adb

SHA512
1d93723fe2c5aa98302c72d0d2b855246f386646b78c2f849462d05c4970861f2d20b3850be681edda1a0e1ba249de657aeb280ff91db6cd771fbe6d3c2e308e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5955e6.TMP

Filesize
1KB

MD5
29a0c76b29f5cad95c94de6f1885d8fa

SHA1
dde50331562c8c658f8a6023bc0480e0f0a6d1e7

SHA256
b2b3a4dabfa8ea80b8174b543baa72fa3df3b00e1f4dfe8e2a819becedba4e68

SHA512
14a3be6d2c8f5859e4852e8f82d3490de1b1210cc25037f8a5439cb70299a20da3f563d30633d8056b966962e7a7a179820ddf992a82e797dffc858f8f29e895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\de122717-7e73-4ea6-aa69-990c1745c262.tmp

Filesize
5KB

MD5
ea18637a6a0b2029955650124fb6d35a

SHA1
c3ddbc698b796e9d63205cd2b125b0c406fd109b

SHA256
196a7c7412aebd266e1044a05310f4beec3bce8836b0e0cc9bd53be717fe30ea

SHA512
8725d69dc9c1a1e76f7e55ffa6b2836264dd8868dc6a5f340cc1d5a036e03d2cfef95b14066fedf9bbf066df98f1f49b1f2a2e4796ec294e54974cef582781a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ce98e909fd2c3cc5dfb1c4be22cc471d

SHA1
eef34b5689028b3f0122063b06d68b86168e1a9b

SHA256
f8c959f53b91f5b145913fd681a1ff2e1611804aa4bfc9fd90d5efc3d2457564

SHA512
1292ccf606fa4061f120d3837b86b75ea900ee9b7bea1e4f4ac958e24197471e4773cc4a4ffeb0687a4aa75938151453206a65654d58ce74dfea85b5094cea2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
62b18af5c47af7e194d9d102e7419509

SHA1
738f6c06fe9f056661e89aa7c9fadeddae671c2f

SHA256
25d7fb63ce0af46913c46f196a3b91830b30b70352d03e2b4dd57db3096781ce

SHA512
448255507e0f6213afdb6596a322c7f2689efe20c178268259694ed43d90e46863b54666deb482b4e8f6014d0fc2928daaa6c5a709254fb869298f55842f8053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a1f60f5fae4ff7083bf7ea1c5965fd0b

SHA1
aa6b7de2ae916284db6e3753a8648ce906823bce

SHA256
5ef77a80693d3880617efbaa0b882825a49c85622ecb53bdbbda3515b81245b4

SHA512
a8646c0adb9cb5542b1e6d0929bf061b323cd6639043a9899456c0f78713f86651e0f12c88f4543b4e2a27e66782c80739c39991757e1d14fa26969169b0ac5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b33179fe54949b5d6d8c03c7a96c805

SHA1
baff6c8436160c6f88cde3248774d84d92f5ed14

SHA256
6aa0228e879bdece5ebd7704def2dbbff559271f3d0f85901dc44521f13abbcd

SHA512
5e66c967a836d1fef2fe2fb79c56a0a1d52c7bf37200a90cc832e0120614643510d9399ba6ddeb67437a8eaeb5c74df3e2de1ada42a26fc1341976d2630d0173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a1fdde97008f6ab204cb4a111b894b1d

SHA1
cb85756c479d52f85fa85c1a9f4967555be749da

SHA256
5488b704a974d14cd54e740dcc985c77a3b5f8f47613a59884368135239743c6

SHA512
0a21332f2832e362f52295201a739a84df77d21c84ac258a643df12be42c82052ed274e2898d1dc5253b9f298f6bb16eebd7d5e5d229e7aea7e9ec9a5a2b46ea

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json

Filesize
23KB

MD5
e65a04b4dadd790730f4103f6a596431

SHA1
d3504b8faf1f4a5dd39b1112bb51919bcb873c37

SHA256
fa7de7ec111fa00a14eedc78ca71df5ca2b0432e5d3057741e69578813a1546b

SHA512
08104481b4fd5042476762ef1c51e8b0bc7282e8e81b94eac573623c3757105fbd34b0085521a1ada3016356196a8307477bc7ebc76ddd3fad135ceaac70ad37

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
f7b3e51689f568c8762229f6ff6b5c8d

SHA1
4662e0530892cc6e4877cf5c28a4a75d4d0e56d2

SHA256
e46034107167a94f36bc2da98516dbb8f3932ea9f5ebf8a9d9a1f0161b96a878

SHA512
6d7dc2ea7cc05d9e23325475648e148a695bcd3d62547c9e33227b909b7c1ebbdc5e28a4fcdb844c27e2eb21778b7afe86a12bb563cb6bbd3a6f394fcc2eafda

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r5m741b5.default-release\cache2\entries\58EFA56DB4BFFECB0EDA547894BC9A057159E22F

Filesize
13KB

MD5
1d6cba8672e0e181eaf1dc41ef8720aa

SHA1
c816c47227cc3bda317fb09b1b0ed3cbd1095891

SHA256
a4fbdb5a1b895cc92fa80ffdbd035e18e86891496739d57fdaec6bfeaed17665

SHA512
00ddf59bccc52b0f7684d611f956f636b00b8d2fc1bd2a16921947fa88fef0d9e1c001f9b814f4bfc5a654565cd0595b9e60fdcf54ad618a9540cbd923d5bb01

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
41ce6cd728e8893a0387cd1d5aaf201d

SHA1
c6c5257c73d52968b03fa7a332f61f050229999c

SHA256
c6ff6212cd4c01ff44605a8339568c3ed2b9dd85c7956873ee9db592e24b654d

SHA512
73c40effe3fa0c521cdd5347e85ac142666a5a7b982d96c80f4c08c079d2f5a8d58c12644af20f27b8480040eb74b28d0696be16fc9566c02bf2d60d08839c27

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
9bef7c41d0bb3a44a18c637e03b43e7e

SHA1
f093796be97df77af8a2595d56816f813d2f6558

SHA256
ffb02e89bbf055faff78823c2dfff35172c48a095d8f698bcdb447a86408ebf8

SHA512
7f543a259b79eb4ac25db95bd1059d746acfc192f3d5ddb44d3a63990a2cd31d6b404c0ec3b659457de58a5bad5254680764eaa6a7f6dc35076971f2542750fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

Filesize
11KB

MD5
9430eebd009061f66290eb7f02eb3a7d

SHA1
b82e79b25e583affd38a32ceafe2140fd1bcc620

SHA256
ce629eaade2ead252375d2e32fb57af835ea438aa619bc8d04e9a0b1c642a262

SHA512
9864882d0d94aff6f07d4556c73e36414da423ac77acd185c28a1d4bed7a2c703df7b27de5f41ccfc7bc2758ca2a3317136788f7d21fea7709361855a8c67c53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\AlternateServices.bin

Filesize
7KB

MD5
b68c2e8ef3ee16ea6be1b1b50a9e2544

SHA1
625d5d39fe6f3f15232c19868caa08411f54818b

SHA256
0cc5f3c3e068dddb9e4a453cc05a54a2db627a730b8b86955fd3d16947355c68

SHA512
7309f981746bc596594ad43135819b51a6b5097806c11d0fa3e69f9cb5278540c46ec502f060ba4e205a7f96b1961a6aef0a2b465ca36d83dfcb4ed990f0570b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
aa0a93fbaf45c0d9d14a6ce8715d0839

SHA1
1617ed38ea2d9a583e8ae6f2b509af6756ac43ba

SHA256
d3732ba184f128b62a089ab2a91394b20c8c5def9d8eeeab499a48e3bfeccbff

SHA512
fe45af2229266c73475b3c6110f0fb87830c90d8dbd2e8cefaa677621d9e8be982340dc88d2f82bd89215a5784d46fda2f4c0882e7930c768b189d663230d5f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6c1a873e578a97a183fc1ac0b2dd5ffe

SHA1
c77ecb1111f09125b7ef3a43467a60f434f4c8c7

SHA256
4d84c71bb8f4357eda5c82e8fd0cf04283fd3ecc5cb3516c2dfaffc7fba2026f

SHA512
307dcaf4b2a2daf0d89a1af518d5c8a7f2f9ad7de389e6e3f995c4e6bb96ad932f646b7b1d3997231e2e3376dd228aadb31b2538a67dede681a363ed236a2a45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
8213ffd496cc54486e26de05a31e22c8

SHA1
9e76ac70d775d371f831bc19ede9a785c70f2aa2

SHA256
43352a3a9d8feaf1c6a1d37327f0ddf460e6b57959efcc9cdd70dd5417f11860

SHA512
a5f8dd61c170c2ae74c2d7d6421aadd67246a4f5f8ca9e49f2b03e5f72c2240a47b6682e7a73ba65128376a62de7c861a9accfa7ab275c2274b31e0873cad83c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e1de589d10d691896eb4702f6cf68421

SHA1
e61dcf63ebac29379f194dcb1e5e4aff86bdbdfa

SHA256
3a245c0e4ca9704023a14e4d2ddd0f89116e1374108f639a7d001fc1fbc15222

SHA512
48a00a395289a48fa0f34d93c981c28a73cc42c0d447f6a54265e93d8b93673a278ca4d3e5ea946052eb3682ec58964c62ea8ca635cb0b33dfd2a80276220fe0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
8da975a83e3f8186b123eb970ceb34e3

SHA1
047b85966921c0822f14628408c08b91ac56db2f

SHA256
5aac082ef9c5df05f3f3fea6d402ad374491d9965c9f3f0822e46961802a7186

SHA512
f46b5ebce1f0a0fb2b6520405cf0cd463e3dd19e9d45d9fce24b23aa85fa677ea864133332103aa6b98d8dc027951da143009f50e846ae2b017fbcebe48928bd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
6d98a9daea1940f450486fd0d15c334e

SHA1
ff5db9d4d26ae9f545775e63fcd4916c1089d70b

SHA256
068b325bb1bb2f4a033299a31cc68c6110ddba21214dfc6448ebe668c4077031

SHA512
c5abbf69fc6d5b31334e7e512df26adecce54033cdbf30d8ded0ab077e58850f3a76809c7daa262c4513e8ec4343e5eec4624da3ad2e7c5130d38912c13ac97e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
30KB

MD5
8c881713eda4dd3c97449d7fc84415ed

SHA1
8c84e5ede88855479f2727ef464a48de7b225563

SHA256
1eed2b36d6f756783ec7f1d5694a3feb8f2eca3b817f0ebfce6110d710b7d3c2

SHA512
e2d5ff0811dd6e14af894cc870052dc66bb12dac1bdf234f8f484a64237a4cd3ec3788ba0555dc7927e182e0e51dec481eaabb23ce286f48f69574872c608b8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\0923ac9b-8a4a-43ab-9a1a-a946f455e4e6

Filesize
2KB

MD5
d84a00037f4489b1b44c725cdf8c1c39

SHA1
666973835bdd6b24c382e6d821c29676c294f6ab

SHA256
450390026b38210232540031d38a146effbf7a158718e3ea2d1a94982b67e1f3

SHA512
f9ea656dda1cdf102bcd3f3a3e2046ab144aaf4cbf62052f9aef69131a65b167c073f5608c70b93a038c2748abab768f7231ddfd64c9ceca07033b171782f561

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\1f2c4bff-a608-499d-8385-82de70a239b1

Filesize
982B

MD5
b6a2ed096e37ad884b60073c5856049c

SHA1
d7ee7ff5c97569aa647e4bc545db0224e05cfc8f

SHA256
6976e0cbbd4440947cea47d392ef5dfc13e09563210d53da91c3887066428c86

SHA512
e131222adde62971e5fed46533ebd65af8346cf8f8e0a2a0850ff14c29cdb6321ce5f81e984ca7d27b13ce32cb3aaabe2cf5c71aceae7a74d4a65ef580e610f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\2352106e-3379-4875-a1ea-223646811ab4

Filesize
26KB

MD5
09e76754cee8c7b6bb34b2c6c270e9d1

SHA1
910a737d671aa741f3c64bb9b978944d59d02d62

SHA256
bcbe26d46b2215cddbe60bc9461100a19f4d2248e77a1ea6b38a9f6ebe2bba6f

SHA512
0d8a16276f700cb7206da8f07245b21e1ff25812424b802463eca7599deca55de10adda89a5b7ff9c6a5d22bb75f9c7da3c74be718798d556606297d5088b4c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\877f621a-fd60-4cd5-ba95-7e3a6b787325

Filesize
671B

MD5
c5a3f219481e65e6ba66724a4f26522c

SHA1
7ac29b4f540902846111c69f3ee265d7c21cd84b

SHA256
04891d4fb85569bbe559c43669b3fb1b9666bd4ad272fef7f7ed0b750f45334e

SHA512
8938d22985afb7e5d0635d99f9a3f1b15eaef40ad9f06952cd406498e90310cac748e046bb1878987b6eaaca0b1cf319a80a6f526b834aba3b86eee19f7a20c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\bfce59c5-af70-4d6d-a4a7-63a41bf919f6

Filesize
742B

MD5
597f728147e8b09deadb48570bfb1c9c

SHA1
2159e4339b5372a0275a4e55ac44ea92460078f6

SHA256
2f2f09a8f419f5d6233f72cd7d888e0e6f0245a0fd1767726b25b2b6ef3dde0c

SHA512
05baa0ad20c240a2fa66df5e7906b2a33eb6e2e5c1ee0978bce5908c3e198af1346cbf6b9348557d460f94f4db34fed0b9ba42c2fca302a5cb7d84976de0560c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\datareporting\glean\pending_pings\d67f4514-3ef8-4045-a78d-23b278cfc56f

Filesize
734B

MD5
fc66efeeccbd4b34549451c39f7c0409

SHA1
c1ef2983e088ccf7356e823c79fdd9c56de3b6ae

SHA256
8bd60f1280ef207cd3d4cb795da65f70888216d404f5278db5e2e5177bc0f345

SHA512
d1b68e6424cbad71a7c7b9980461ce9ae037f67e39b67ea31508adf816058c9bb78aec73613918b3bf47e9e6bbb276a25d62c226a062eea88e356e571946a3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\extensions.json

Filesize
37KB

MD5
c0055d42957c8d47f2fcec680520bd05

SHA1
8beebb72f7ad3411ae651c7bd41e18a8435cdc3a

SHA256
99dce4c8db3297500080c5107e8dd1d13c106cae5f5dc122c64cfa2d5e485b6b

SHA512
845a9620d6790211dd3a1b928dd642877d8ae1e2f644f5708d2ad008fcc4c9a2883474b90e58b7e83991366a83a89f4d8e8e03a8c791b688228faba71dda0f83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.lib.tmp

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll.sig.tmp

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
12KB

MD5
db55d84996afcac730ddafa5799ff398

SHA1
40038c7c38e99b734f313b5a3b2640b097246c9a

SHA256
81bb187b376b87c45ec5c193a9425c0a70a476d74ff7fd01eb65e51b1a571331

SHA512
f5125d0f6cd0f09e529a3d237a305a22cb1c3b22eb2b4dc5e5034a2308d62ef4bf3bd0b237b9742319ade8f0753a6d39b589238a7787e1c5f461b595e3124495

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
15KB

MD5
9abf2edff1f62e9804d86c16763ee2eb

SHA1
a28936cb37adbaee16e47318b2f6d1468a94cbe7

SHA256
abbf4dbae8ff94cfedb8f65220a87a95bcc72498331d4bd52e8fe35c881289af

SHA512
bd656ae1b64e44fefe5f29dacd9c6c89639681fdf6cc1fc4f4a946e71fc47161cd7032175c41bfc34035e69bc09a7d40ab7731f1b2c7f49788b7066c793bd6fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
10KB

MD5
75d7c7e1d1c4e7aa59826d6b57a3367a

SHA1
301eac24d93ba9dbf90c3b1c99ff8c569b517a5a

SHA256
90b678789744774b4c69a6a35e41c052acc7466b7a9ea216ab9a32fceba59995

SHA512
970020581c829ab61efd89ae84f2f22159e14696a090d4157b74402f52b94f68a49be56d1930ca4086d60794a10e5a15d5ccd6c5f4ca354684ec67f23314ca74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
10KB

MD5
1ed19a652409d2624bf5b20252038d41

SHA1
717be43e28d7c0a2dc46fa0b72bf6404564b1af5

SHA256
7ec1b43d13d887164f8e60b752ed908e55e809324c95b87d45792d61c1c5452c

SHA512
43b9eb3a5774b58190e901b17ed81d4bc738a40fa13093136a154053f4a6624b0bfc9f20fc7d27908903aeafd0ec655e8d08ab78b81eb9e7035a9ea558954ccc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs-1.js

Filesize
11KB

MD5
1a405721115716d02548e2342c93160d

SHA1
c888845decf141868ae1d6f7cbeaf73a9059839f

SHA256
f859caef7611d71bc0f6742542e66396d60874d690bc622fa6b008ea52838157

SHA512
280c5db968d49e22c124aa1276a11cbd895317f1be35d931ced91e5cac44002cc836d1cb5fb2f3801f21dff2b73b63ddd7aebc2c3202e2b1a3f7d18a56df0203

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

Filesize
10KB

MD5
ae43df45ba9fbd22c5bdbdeeb28be164

SHA1
04f95862115e9b9475f08c09c9cd30ef3d69fe81

SHA256
2dfabec05e77d6a053e1d328e223edb1d036a16485651eb43b79406ed4371199

SHA512
ae65249dc7cdb6af3e39a888ba039a85ddc305867db98148983a81417b3347a052516c818c29542b1ba75afc49ab09d4bc6710076a1cd9fe849e9f8876553082

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

Filesize
2KB

MD5
941fffdf2ab49a17d31548c806e28c22

SHA1
867d3aa2bf7b4828a057bf6b9f9e74df17aae68a

SHA256
e9bccb482a186e54d9ff2fa0bb40a3a7570d4e2cbd37f73d5154bce257375a2b

SHA512
2326a6d7013093c2f3cd63d72e22be7944b6fd0379f814825bd06982d24c4d557e0dafc67de07c15f22c95c1b38ac00f1a2c62e55070af8a38216e518aeee080

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

Filesize
11KB

MD5
9f22741426273fde1da0c0e27356dc24

SHA1
614dd05f55eeda72e56f8f1894d6cb55a1bb9d8b

SHA256
f18f6b241c4b581ed16ed211c859f8d9c4e75762749e3d06376cf910106a4e39

SHA512
989e9c76eb33b2c15688dbe78b654a9a2a25f5d32239fa79ccb5811a054f209f4d731f11062639981b8731bfc256ce0e1b9bd3390b33c61f4996dea91b7b21e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

Filesize
10KB

MD5
9566d4b3a2985dca8a6d7bd8efa6420c

SHA1
0677dd01e477cf3b5bca29d523a5e96df9d72a47

SHA256
7c3a0f7ebeb7d21839ec3688b691fb4f4def5b1a479717fd3a566dc84e6d4d45

SHA512
958d95c58a1752ac8c05f45be4376a1e6dd7b209712fcd6178452f164df3ea0ef4b742291255ebbe2856f94a24e4df268082425a0be5b067f58eb6b3b88fcadd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\prefs.js

Filesize
11KB

MD5
28fa07bee878ce632fad75e52be90d70

SHA1
58861786e6395099f1abc134e6d142239b5b3233

SHA256
40198995a96b4afe36b7ccf1ad97d2788de2af6f382eb36f9c5dd7c164731c24

SHA512
e7f30e43f55d46003205d4fafae6af9b38beaf2f711b4edbc7026e2b23f927b8dc4ca036b43ad4ecba641ec8bcad2e9642cd3f6765f0c3189746294ac3f354dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
910f3331aa73246ceaa9e1c7fd064654

SHA1
6d8c663beff7ede9b6b85cf25582264078910e13

SHA256
8483cb8ad1e406195deaf61c4f8270053514aa365d44865637ce927909daade7

SHA512
94e3f0e82c8c1f0d075a07445814b6b95d0d916fe397b7d059920f818e818fd75f309a60636b3b4345e22b3bf2446b35574a055cef8b5d681c33febb0549add4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
49d7bbe0a807ddd1abc4a40740c96c23

SHA1
981c22bcfcdc755ed0ee75ece39e878a65a15bf8

SHA256
92b1cc02b8095ae4781fd475b337f202e8f9c752f84f19d82b05c0b90f1707ee

SHA512
b3eb9011d8087accbf64f2c83cb489ea20b42bf1582a455cdbebe26a6a336f74f1a1477a6d849add88c6db4a66874cdfba309d4a10b191655823a7ee2329e657

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
70431cb374704cbae32f68cf5e07ba26

SHA1
977c588d3e9006119efad416309e8b2e662699fc

SHA256
f1984aa3c0a80175a57b74291aea30a72665bc07342f302c3e2544a547aa44b0

SHA512
30693dda115df1b021a51f50b4e1f8743e12f2de2cc3e9b5cd136af7d4c93e2ccee49c734aef2926fbc03e9ff359b577f2f80df8c0f51d038cefda4bbe16955c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\sessionstore-backups\upgrade.jsonlz4-20240401114208

Filesize
2KB

MD5
300603a6f622bcf2b43079be0224aa9d

SHA1
d6fe908288f6f1bbbc3f849d130c31128027ba2e

SHA256
db1653e5fcea9d0d4572ea9a0dee420e4ea83cc62f26089b78a24a9157d9a695

SHA512
567237aedebdf3aba38b2bcfb2b2166cea9cc7138d5f85fc35bab90953b286b27b3056e0eb2ab2cf6f124b352a736a0b12b36da1aabc83b7e4d83d7c91e02d13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.4MB

MD5
7f93432420a0aebbd3776673f6e094d8

SHA1
6c6e87b224e46c84f474561418f7f256266001d7

SHA256
c13a271bf353f6d52d17a09311413be75e13ae37b890381def3a8712f1e45b32

SHA512
44d861c665c3ff952e7fa50be1ef148a97b8c06999d970b241d3e37d11f10f62d3cc67824669f1655e8a263c024d757ca75778c69bde522d3294dc3416e88960

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r5m741b5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
2.9MB

MD5
947ded01b9f0fc5bc9dea6f631fe652e

SHA1
4c77aa9e715420a85c11c3805eb70a7a517c8aa4

SHA256
59095e8b12966f4294e2b59c0048723ba8f01caa13a565e1781a7df63c0ed052

SHA512
10b43494b816857439f772bd00c5f84c8c117f3751beb0cba64bd7a73047c903ac0371ff66041c217a9df8e8556f754525bf4581c94d65cc4e1b6b1da4a1390a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.9MB

MD5
1a810e1112fe177e86f44216a631ac84

SHA1
fdc7932b9f27d8ee9e548e9ce010bfe02bcd73de

SHA256
a76895e8c03f8cf7f7a55268f9a42210ecbdd4f9db78dba356d3d54af9d51d50

SHA512
87d3c08353eecb9e1668b282201de23bf800f08e576d10c5b1b7365458a2c69b4ac916856f62fae9ca18802c1060740d7659096d84d781fe58f5ffa747ff63d1

Download Submit
C:\Users\Admin\Downloads\89281724884615.bat

Filesize
322B

MD5
c719f3a51e489e5c9fbb334ecbb45ede

SHA1
5b5585065dd339e1e46f9243d3fe3cb511dc5ce6

SHA256
c67348cacc707decd859789c8ed1e8afdb6eb8753d3941d0ee9ecba2f00500b7

SHA512
b2b0ea3a3701b5d689a5cbcc5c16721cf807304ca02375f33c5b507c1a00655917354e32f6e2b96c081125751498484c974c2d3eaa754d6074c9d55aec8c0164

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
585B

MD5
3fc8fc8e1050238b407abeaa2091cfeb

SHA1
e9c9b0cac678d3bdfe0ec6fee8e6347ae8d37715

SHA256
a841f4b5ea42c52909c8041ed5f675d89934d8c825ecf3b7b5dca3862c53f728

SHA512
e571eb312486c64a9f0bfe3a9fa93372f7c6b363de2a8ab469cb824ec98c249319cd45db4edef85770e3c72de12e28627544645195c5161b2c2042516771ed3a

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 668244.crdownload

Filesize
243KB

MD5
b752188ac4fa675fd7da9eb2679f1293

SHA1
39a5393d0b39d44241dd57577cb64bfc174a793a

SHA256
dc6a3620060a6273f2f61a73d4c56d3728b06cd6dd8887bd9b2291f52b664ee5

SHA512
26f1cd1215bd2e35b620f2b635d9b40230124fe7774fb78f1c59a4180d6edff10edd72ecdc9fab0e04681875b48b7d260da70fff82df0372fc6257020f950fc4

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\m.vbs

Filesize
201B

MD5
b067df716aac6db38d973d4ad1337b29

SHA1
541edd1ca3047ca46fef38bd810e5f0f938b8ae2

SHA256
3f7ded679522e917f30aacbfb7c688ef477d7886e722731c812dc486195e220f

SHA512
0cbc1b820abf13e225e7a7636ce1e336d758fa54a9ee6aa09dee7a9748a2cf890f45ba55a7a188b69972b396bac37ddb9a98ba202ff2e203b34a75e515c0759c

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
memory/2300-12-0x000001D6E4080000-0x000001D6E42F0000-memory.dmp

Filesize
2.4MB

Download
memory/2300-11-0x000001D6E4060000-0x000001D6E4061000-memory.dmp

Filesize
4KB

Download
memory/2300-2-0x000001D6E4080000-0x000001D6E42F0000-memory.dmp

Filesize
2.4MB

Download
memory/3172-4863-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-4832-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-4788-0x0000000073570000-0x00000000735F2000-memory.dmp

Filesize
520KB

Download
memory/3172-4782-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-4784-0x00000000738E0000-0x00000000738FC000-memory.dmp

Filesize
112KB

Download
memory/3172-4786-0x0000000073820000-0x00000000738A2000-memory.dmp

Filesize
520KB

Download
memory/3172-4789-0x00000000734F0000-0x0000000073567000-memory.dmp

Filesize
476KB

Download
memory/3172-4802-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-4809-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-4824-0x0000000073600000-0x000000007381C000-memory.dmp

Filesize
2.1MB

Download
memory/3172-4820-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-4785-0x00000000738B0000-0x00000000738D2000-memory.dmp

Filesize
136KB

Download
memory/3172-4724-0x0000000073820000-0x00000000738A2000-memory.dmp

Filesize
520KB

Download
memory/3172-4878-0x0000000073600000-0x000000007381C000-memory.dmp

Filesize
2.1MB

Download
memory/3172-4874-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-4726-0x0000000073570000-0x00000000735F2000-memory.dmp

Filesize
520KB

Download
memory/3172-4725-0x0000000073600000-0x000000007381C000-memory.dmp

Filesize
2.1MB

Download
memory/3172-4727-0x00000000738B0000-0x00000000738D2000-memory.dmp

Filesize
136KB

Download
memory/3172-4787-0x0000000073600000-0x000000007381C000-memory.dmp

Filesize
2.1MB

Download
memory/3172-4728-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/3172-5061-0x0000000000CB0000-0x0000000000FAE000-memory.dmp

Filesize
3.0MB

Download
memory/5236-3151-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download