wannacry | hxxp://github[.]com

Analysis

max time kernel
413s
max time network
417s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 14:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://github.com

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1355.tmp	wanncry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD135C.tmp	wanncry.exe

Executes dropped EXE 29 IoCs

pid	Process
5848	wanncry.exe
4916	taskdl.exe
5980	@[email protected]
3636	@[email protected]
5452	taskhsvc.exe
3752	taskdl.exe
5912	taskse.exe
4760	@[email protected]
5164	taskdl.exe
5216	taskse.exe
5228	@[email protected]
1884	taskse.exe
1332	@[email protected]
412	taskdl.exe
5172	taskse.exe
4168	@[email protected]
3156	taskdl.exe
3508	taskse.exe
512	@[email protected]
4312	taskdl.exe
5812	taskse.exe
5820	@[email protected]
5116	taskdl.exe
2328	taskse.exe
4816	@[email protected]
4872	taskdl.exe
2132	taskse.exe
5936	@[email protected]
2320	taskdl.exe

Loads dropped DLL 9 IoCs

pid	Process
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2164	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fnhuhmufqzho584 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
243	yandex.com
365	raw.githubusercontent.com
366	raw.githubusercontent.com
364	camo.githubusercontent.com
367	raw.githubusercontent.com
24	yandex.com
246	yandex.com
247	yandex.com
361	camo.githubusercontent.com
362	camo.githubusercontent.com
363	camo.githubusercontent.com
368	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wanncry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\349655694.pri	LogonUI.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\wanncry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\wanncry(1).exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wanncry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "58"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1000	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\wanncry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\wanncry(1).exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe
5452	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3872	firefox.exe
Token: SeDebugPrivilege	3872	firefox.exe
Token: SeDebugPrivilege	3872	firefox.exe
Token: SeDebugPrivilege	3872	firefox.exe
Token: SeDebugPrivilege	3872	firefox.exe
Token: SeDebugPrivilege	4952	cscript.exe
Token: SeDebugPrivilege	4952	cscript.exe
Token: SeDebugPrivilege	4952	cscript.exe
Token: SeIncreaseQuotaPrivilege	6068	WMIC.exe
Token: SeSecurityPrivilege	6068	WMIC.exe
Token: SeTakeOwnershipPrivilege	6068	WMIC.exe
Token: SeLoadDriverPrivilege	6068	WMIC.exe
Token: SeSystemProfilePrivilege	6068	WMIC.exe
Token: SeSystemtimePrivilege	6068	WMIC.exe
Token: SeProfSingleProcessPrivilege	6068	WMIC.exe
Token: SeIncBasePriorityPrivilege	6068	WMIC.exe
Token: SeCreatePagefilePrivilege	6068	WMIC.exe
Token: SeBackupPrivilege	6068	WMIC.exe
Token: SeRestorePrivilege	6068	WMIC.exe
Token: SeShutdownPrivilege	6068	WMIC.exe
Token: SeDebugPrivilege	6068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6068	WMIC.exe
Token: SeRemoteShutdownPrivilege	6068	WMIC.exe
Token: SeUndockPrivilege	6068	WMIC.exe
Token: SeManageVolumePrivilege	6068	WMIC.exe
Token: SeImpersonatePrivilege	6068	WMIC.exe
Token: 33	6068	WMIC.exe
Token: 34	6068	WMIC.exe
Token: 35	6068	WMIC.exe
Token: 36	6068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6068	WMIC.exe
Token: SeSecurityPrivilege	6068	WMIC.exe
Token: SeTakeOwnershipPrivilege	6068	WMIC.exe
Token: SeLoadDriverPrivilege	6068	WMIC.exe
Token: SeSystemProfilePrivilege	6068	WMIC.exe
Token: SeSystemtimePrivilege	6068	WMIC.exe
Token: SeProfSingleProcessPrivilege	6068	WMIC.exe
Token: SeIncBasePriorityPrivilege	6068	WMIC.exe
Token: SeCreatePagefilePrivilege	6068	WMIC.exe
Token: SeBackupPrivilege	6068	WMIC.exe
Token: SeRestorePrivilege	6068	WMIC.exe
Token: SeShutdownPrivilege	6068	WMIC.exe
Token: SeDebugPrivilege	6068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6068	WMIC.exe
Token: SeRemoteShutdownPrivilege	6068	WMIC.exe
Token: SeUndockPrivilege	6068	WMIC.exe
Token: SeManageVolumePrivilege	6068	WMIC.exe
Token: SeImpersonatePrivilege	6068	WMIC.exe
Token: 33	6068	WMIC.exe
Token: 34	6068	WMIC.exe
Token: 35	6068	WMIC.exe
Token: 36	6068	WMIC.exe
Token: SeBackupPrivilege	4744	vssvc.exe
Token: SeRestorePrivilege	4744	vssvc.exe
Token: SeAuditPrivilege	4744	vssvc.exe
Token: SeTcbPrivilege	5912	taskse.exe
Token: SeTcbPrivilege	5912	taskse.exe
Token: SeTcbPrivilege	5216	taskse.exe
Token: SeTcbPrivilege	5216	taskse.exe
Token: SeDebugPrivilege	3872	firefox.exe
Token: SeTcbPrivilege	1884	taskse.exe
Token: SeTcbPrivilege	1884	taskse.exe
Token: SeTcbPrivilege	5172	taskse.exe
Token: SeTcbPrivilege	5172	taskse.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
5980	@[email protected]
3636	@[email protected]
5980	@[email protected]
3636	@[email protected]
4760	@[email protected]
4760	@[email protected]
5228	@[email protected]
1332	@[email protected]
4168	@[email protected]
512	@[email protected]
5820	@[email protected]
4816	@[email protected]
3872	firefox.exe
3872	firefox.exe
3872	firefox.exe
5936	@[email protected]
5384	LogonUI.exe
5384	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 2312 wrote to memory of 3872	2312	firefox.exe	83
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 4028	3872	firefox.exe	84
PID 3872 wrote to memory of 3472	3872	firefox.exe	87
PID 3872 wrote to memory of 3472	3872	firefox.exe	87
PID 3872 wrote to memory of 3472	3872	firefox.exe	87
PID 3872 wrote to memory of 3472	3872	firefox.exe	87
PID 3872 wrote to memory of 3472	3872	firefox.exe	87
PID 3872 wrote to memory of 3472	3872	firefox.exe	87
PID 3872 wrote to memory of 3472	3872	firefox.exe	87
PID 3872 wrote to memory of 3472	3872	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6132	attrib.exe
5656	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://github.com"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://github.com
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d27c4373-873b-487d-9aa1-3d417d58442d} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" gpu
    3⤵
    PID:4028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7ffd97c-be85-4530-9168-6b469505e707} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" socket
    3⤵
    - Checks processor information in registry
    PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 3108 -prefMapHandle 2976 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8c0aa4e-359a-4934-baad-3f23f989ae4c} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:3424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3752 -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3668 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6e42b9c-4322-410d-b66e-a94675051050} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:1312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4560 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4572 -prefMapHandle 4568 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73914445-5c36-49d1-92b6-40808d598e1e} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" utility
    3⤵
    - Checks processor information in registry
    PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 5320 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9915bf3-cd44-4cf0-a1b1-e23742953262} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:2852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab4e8270-375f-4043-b974-49a99fd8e5ee} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:3268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab30e271-9c4d-4ff7-a765-f824e7ebc57c} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:2632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -parentBuildID 20240401114208 -prefsHandle 6084 -prefMapHandle 6080 -prefsLen 29197 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fc4fa6e-adda-4787-8b32-13cb88ce767a} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" rdd
    3⤵
    PID:1616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6108 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6100 -prefMapHandle 6092 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8aa5c95d-1b13-4a7f-b04e-c203e2926431} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" utility
    3⤵
    - Checks processor information in registry
    PID:1112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6412 -childID 6 -isForBrowser -prefsHandle 6448 -prefMapHandle 6444 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {439ce0f4-3e19-454c-885a-dd62746f7c1e} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5872 -childID 7 -isForBrowser -prefsHandle 5456 -prefMapHandle 5376 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a415b90b-b67b-4025-880d-8f2963dc17f0} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:3116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 8 -isForBrowser -prefsHandle 5352 -prefMapHandle 5492 -prefsLen 27566 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5aad2e3b-789a-4731-a570-85d30d76448d} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:2472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 9 -isForBrowser -prefsHandle 5756 -prefMapHandle 5836 -prefsLen 27566 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d414fd2-2753-43dc-bf25-fe6cd20e1f1d} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:2904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 10 -isForBrowser -prefsHandle 5660 -prefMapHandle 5676 -prefsLen 29769 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c424eef-5d15-4588-9f44-9bebcbfa7eaf} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:2640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6568 -childID 11 -isForBrowser -prefsHandle 2868 -prefMapHandle 6340 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d30118cf-c9f5-43a0-8198-4c4f611dcf4f} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:1428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4744 -childID 12 -isForBrowser -prefsHandle 5332 -prefMapHandle 4396 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6195abe8-0873-497a-9a92-2f41e658695f} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:2436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6960 -childID 13 -isForBrowser -prefsHandle 5152 -prefMapHandle 6964 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4673ce9c-f583-435e-8b5e-58ae62044c11} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1328 -childID 14 -isForBrowser -prefsHandle 7004 -prefMapHandle 7016 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7908e211-ff3e-43d0-bdef-2ad01e11bc88} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6688 -childID 15 -isForBrowser -prefsHandle 6604 -prefMapHandle 6996 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eaec577-96cb-4399-8122-6a8695268da6} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:4340
- - C:\Users\Admin\Downloads\wanncry.exe
    "C:\Users\Admin\Downloads\wanncry.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    PID:5848
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:6132
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      System Location Discovery: System Language Discovery
      PID:2164
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 165611725891099.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:4752
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5656
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] co
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5980
    - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
        
        TaskData\Tor\taskhsvc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5140
    - - C:\Users\Admin\Downloads\@[email protected]
        
        @[email protected] vs
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3636
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3752
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5912
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4760
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnhuhmufqzho584" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4800
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "fnhuhmufqzho584" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1000
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5164
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5216
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5228
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1884
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1332
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:412
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5172
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4168
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3156
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3508
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:512
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4312
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5812
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5820
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5116
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2328
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4816
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4872
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2132
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5936
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6720 -childID 16 -isForBrowser -prefsHandle 6468 -prefMapHandle 5332 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47559b0f-6aa1-4354-b18d-49be305f05d4} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7576 -childID 17 -isForBrowser -prefsHandle 6420 -prefMapHandle 7796 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a47de4dd-280c-45f0-a6a1-61a3523b415a} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7260 -childID 18 -isForBrowser -prefsHandle 7028 -prefMapHandle 1328 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7094ecca-64e6-4597-87d9-cfb1218d03b9} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7328 -childID 19 -isForBrowser -prefsHandle 6756 -prefMapHandle 7140 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7077f857-bca1-4418-926a-9281bac44e33} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:1804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7140 -childID 20 -isForBrowser -prefsHandle 6696 -prefMapHandle 7068 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1078f519-7dd2-41a4-91a1-18f0825150c5} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:5836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8004 -childID 21 -isForBrowser -prefsHandle 8080 -prefMapHandle 8076 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5513ae8-8c26-4817-8eb4-04a227b5ac9d} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:6076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7892 -childID 22 -isForBrowser -prefsHandle 2672 -prefMapHandle 1568 -prefsLen 28094 -prefMapSize 244658 -jsInitHandle 1092 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33a0dcd1-85f3-40d2-b4de-fbed9612488f} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" tab
    3⤵
    PID:6052

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397c855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\0992E38D33AC1C83DB8A8AFEDA474A80CCED1172

Filesize
79KB

MD5
54e51456446e7315b84cac7df85b2e61

SHA1
eae30aec55359532eba31e5d68593da2cedef5c0

SHA256
7161aa961935bea1bfdea84b9563fa42d0d4a4a29db5739547e0a7d3a07c4355

SHA512
a3f47d6cba7e62d088d53f67acdf263d6ce8df3a9b0776278d1610ffe16bd14f953bbd43fa4beb24704069fe9b3a4769fbc06e086179160df7e765cab929a341

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\1A90EE7CB658D028D892A52155A137A13C848FB5

Filesize
14KB

MD5
33a1ed8c27e2eb52b9b3445b12f6549c

SHA1
071f298a08d0671997e2ebfe115800c989f906d2

SHA256
11e17e68d13c865f451a011f6f5e9635d14b1433f9d7519c6995988c9506f4aa

SHA512
98bcbddc13a4526446cf449396b0ab3a5550d1ddd9e2a2980913cef0615e524030a0f3ea31f0a8456cf9d9f3be9e8355976885fc9d1c59399ce9a01adbfddcdc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\2492994A253B970917AF5CDF605580B1C2DC16A0

Filesize
791KB

MD5
d8afd7ccb2ce6d54f60229ec6328efd7

SHA1
bf239a16c932d96670c0c993e420f5f20abdabef

SHA256
b631924d5f9b685cb29a656870b6c71db462e9bd6f2d6b6602920d5620540d45

SHA512
2a10f83a2fd6814d509264ada53baa56850dd1f13322c93166bdef5b0d402d8b6cbc104df7b6c63cedd0d0fc39ea5b2dce755a251e35704173eb3963970bceb8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\24CF4BB13D4731EEC801D333E1C7B2FAA6587ABD

Filesize
172KB

MD5
29701e461c3cf43b4504c1b6626d51e5

SHA1
61768fa9d7fde1ba2ece09975820afa0f63dccba

SHA256
476b25ca1377ee7c7699a75b62c3cd0f4191b013e50ee41b8ee672102aec10aa

SHA512
391c4bbe67c3713827a91f5883514879c1b71a5b216dfdd3fe5184bbc8c72c9a6bae718c1fba20a721d29fb21a2b59a4c727211e0701fe745e74a707fb1d3486

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\3CFE3D7A893AE719A2229D03193B1C953688F8F0

Filesize
22KB

MD5
e4da412a6b91e31015da2b35eb7a9a6d

SHA1
720441268b5327b9bb27e4be87e56957d330f3c6

SHA256
74024aeadef3051633007fe339e102cf44eb2d1ddb757370ba4519374ec9d945

SHA512
aeb2b02f283cfd0437f2d0e29c6ce3c908a902572f4cd05bd905d38ac14b550b0d454497800bf5989938d2f1016a3ab5a8ae714f5f7b2e59e970ce33e9164031

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\4263B1A2D70C7C417487FECC88693B6E7E40E2B7

Filesize
16KB

MD5
33f76463002615ba55d2081171ac17b2

SHA1
75c867fc37164e45a606b919f243d4416efca9a6

SHA256
fde9a94869fd88b6da69d670aa8f8e6643e75f0a164a687e2fdd8c3b52924b59

SHA512
cc71695c05226a7b572e4afa010022d232f05a08dd8da5ac1cff97f626560238e40cc355af2dd071de6c1182874baa0308e4abfb2f0935a60a9be178ff68d831

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\433B1EE35DC555600170EF141D9C45641865F7C1

Filesize
69KB

MD5
c4a96bb1cf76e16c95efa37ece5c7714

SHA1
6919e2bc51a45b377c895f10a597136d7790a456

SHA256
e4b43ad1555a14bedd7f6873bb90317a377452dd0b2969b8ba61d3151b8a86ff

SHA512
8ca2259feffdef8c02216ac625046443aed4c158b0f6829f96579262c3ac5891de0d5072e8c9a3212e033a143d0b46f1f645d7f92ed9c7727e1bfb3505c7810e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\478843DDA10C601FE31914D83E341C16B49F3092

Filesize
145KB

MD5
ee3e10501ac27c9990d1a7fde16199f4

SHA1
2f7ef2a900c957805948f7574d76e9db5990c62b

SHA256
21ce37b66640efa5b86614c5de8d80168e541b9668fa04b583339d8c2ca33f2d

SHA512
51bdd649b7c652156e5184ad92b11e3f6cc55d7e56dc48380c1ec0f446c27402dba4d869ca1acd3447a2e4c977f6d79afdec2f35deaafa9ae571db1f0cc70cd6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\4BCF7D608B2663D7D1515223C0F13E5D72484770

Filesize
80KB

MD5
7981bc1da1d7943e5f1b70fdb537cadc

SHA1
2e724315110bc09d1fa6ccb6453fd38e43c48894

SHA256
155bc22028597b96831e8d369a654c0a450319e0c4961c3d470481e15c5b31f7

SHA512
428e246e5b4cd1e182731eb521df5d7a92f40b7c24e29f5db0c1f140b66120b35bf0e153240adf6a9de3f556a141fcb94cb9f0735f9919d689fd144c51402a0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\4CA2E679CEC293F142684E37B6B4D5F01FB00E81

Filesize
41KB

MD5
f6701ef08a19e62231b89d585c09ac45

SHA1
74215c05b03abbf41fc28b990c56a99950f5bb6c

SHA256
0e45396ba64169bfabc988cb12bbe23ed2bfa62e6933a8c6a5dd21817fe449f4

SHA512
7fae3ec6603f92601db46edd3e5e3fc0ed9ceafc1da7132dd270199d20d0a4b7f217b64c4ce94caf1303a4e03612490946356a7b7fb0ef5d9ee68e6c44cf4269

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\56E7C24D9A7E9E48F4B0981B0A321D97BB844480

Filesize
66KB

MD5
896e0aaddcf08794d7dc09557de41332

SHA1
afd926ba9e9446345d150d288237e6bba76fada5

SHA256
0eb6488659c3e3309b661cd5ac4c236b5abc9bc3af8ff7b5a826c0ebce8a36af

SHA512
655e107befa3532673c405698cce4cee7e2fb5c0d95da69f216dc263b40f8351e9b7220008bd2cc53a7584ff213bf7b276e724686144b1515ad265ae9e253104

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
55cbf00459570c980e93ee568e188d8d

SHA1
86622a4214b17aa18172e5a3ad574f330493152b

SHA256
e7af5b8e602d84e1425d6f87bde6ebe849cfb3ec32742d1d5e4fd84b1d41b3e4

SHA512
7b0b5d2d01134f9aa89466212d591bec7ab0681697cbc2ac68232db72cbcfd82c94abf37839045dd8214d5cddbf3dab5b659c333680f82f3d93a00193123dc21

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\6DA69A746F9687E1FF413119EDE7AAED2F9783B9

Filesize
2.1MB

MD5
1f79a2c1f15963c9e4f6d1cdc8967644

SHA1
ae4555c2708a8cc548a2693757be3b243e194af2

SHA256
eac89535ff1e00db6e2a73ae807f6b982c8762836f73bbdd2b70274dc8bacc83

SHA512
5a6257df5db79ae005f36c7d7d354d3a3e09efce232e9d0851b238a759bf8ed18a2455c9c289a2d667b9b416043f026f862a006808133d4475055ded4b34ffd8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\7F30F53457983F11F2D61636C9FB5706ED9AB60D

Filesize
95KB

MD5
5a77a6c78095974d2c8cb0071dbabfb8

SHA1
91c20b6dda6fa805c45789a2859e3eb5edeb30ad

SHA256
4f9d2eea660a86e5be38676ee320146e514b56a7f08a99e8baa483235ef486e7

SHA512
3c6b6b66db71bb191b10f4a5a3bc87f00a880caa2ad56780d2f6a81688eebff2a9231348874512c4447ea0abf9650869d9504d0a9c9345a18bba60899bfd372b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\9695EF6C5E0CE18BF6742C5C0EE08F02BAE83E2C

Filesize
169KB

MD5
e0e24e613f982d6731c58e2c6bd41a13

SHA1
f43e180eb6c3532df7d421ca5f0b0a33e87f4e7a

SHA256
4180adc8c8259a0af7784c5174e5588f50cf7b191a47dc5fe1d2723daf75ea99

SHA512
4a53c9b5c23c86514099ce76cd2fe1ab28791164e42af4721921f8ef105c0d94e457d589ddf82b5dcb37d6ecbc25e3630b7c994088926b433db5e5a26a1f5d81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\A69D164EF5DA46C51B98EEFCD6B10FE41FC8EB55

Filesize
102KB

MD5
d011baa2c00b84a477576548a1043ba0

SHA1
9dc727c9b41ef0050249708e629796b1c9eae627

SHA256
294a625b1b9fb92d004dd22e907c5a0d633eca13b0467737fab9666f36c603e8

SHA512
53a2e9a683e4a52ba6f5bb924f3d394d597ea2072b9b32c41e9641a6e6cd5956efeb012680d28e852c2b38893823bf067806a2ff57d0afcb53dda4d0606d86c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\AC6959268E349C7B5497A3867D6DCDC4D543431E

Filesize
86KB

MD5
286eb1d38bb3ebfe0151c7f763c6cb98

SHA1
a2335e624f5335fbeb2a97e1b125f4cc1361b15f

SHA256
4832205deea396dcac27716e92c2f0717801f7ab4b4bb787f7427f52de15ea68

SHA512
92347f3a226bb847af8355fe0c6c004c149c451cb3a2c917efad3e8abf1dc65737ff5a1a6a13a13ea67edeb448f572e0f1d13f9b60d6aa9e4201f5fe845591d0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\AD8185C100979BEE2403BB5F3C0072BB1D314C2E

Filesize
71KB

MD5
d99891cb684071f49b7f95c23a55f8c9

SHA1
72c1a2643dfaeba29e91ffa9131855fc79901686

SHA256
8cb75019765c6f469d659eadf9c95cd17e86a0217b624692df37434dfb73277d

SHA512
e6f0c6925cda0d0df2c16c401350d379f2b435ff1e186698b86b9c4e66c1dca93fed79f85f4eba4b03113b7f41960881fe72dd62d7a4a8f36f7c93062392d1e4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\AF6E7B7DB9908D7B867517AC33D094ABD56E38F7

Filesize
81KB

MD5
565879d575809434b8cdc5398868bc94

SHA1
d28adb33fdf1ced3219391fe42bc0bf00ba3f0a7

SHA256
fcf1d26a5475dce328ada059414857768017ed1af981047912299a2a682af13e

SHA512
64835c59f4f319e7dc5b259ebc32ebabc76dc92f60cbc3341ae9e752d397e9a866ddbbeae0ab0616c9b047fe5e3e344fc4e7bc0cfeaf8c117f1d6a8163e2e720

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\B5F21A7CD6516083D285D775631C9CA21F5983E3

Filesize
38KB

MD5
6bf35a5ecb45329c74568364399e2341

SHA1
2a129efc9924352bff3b2bf137d72a35aa3bed08

SHA256
57761ff378a16efbf3238802e15e6c8607265f85f6ca473751259de3ade3bdfa

SHA512
2cfb0cc359c8e97365834c01098bc7fc09872408902fedad2dc5301ee5e670284897caee7cd8a8ed48f20cdd53f136732410cde3488fc57ee72faf76291152f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\C4852535BD4FCDCAF8800191FCE81035F179663B

Filesize
3.4MB

MD5
98582e6713ed656fb8ee37df2f7e4c15

SHA1
b7ee4f0b62bea68df3fb08717f183801a9c1c2b2

SHA256
840f29321a476c8a5fbf7a110e4a00702c86e9abf2c4fb02b5534b375564b9d8

SHA512
1475ed3f5dbb5409da9087b00f745f1ea92afa86974ab090e5b2b425a8e1b7827d0f933602f318e7f39d751f0c8e88a5920fb7c1d7b35804da1556ef43aba143

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\DD25D7EF3DFE2B010779C977B25A6C7E8E71029B

Filesize
106KB

MD5
428af0ea92c5966b98c431a1df300ab5

SHA1
22f44f33e838b21278b1afcb61856ec4cd2c884e

SHA256
0c68397dea6c21233325458229e778fd0beb8a9fc9ba5c36586709c95b01fc58

SHA512
1a385371600109bfe60bb6307140cbf750451c1b963448233baf3027d9d334f9f2455b0f636cc8ac93f7eba75054158ceb4ca225dd457cc70a398f96ee2a9b32

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\E6C22A3DFCD18E3C6145370266896FF76AE3F7EC

Filesize
92KB

MD5
1e85f2c9a4722f5a7a368ff4d693ff80

SHA1
a771d854ec4ac0b4fd2822751f46d186464083c2

SHA256
917989b5941ca1a57418d5c393c03578c2dd22b4f7111322f2efc0f356071f4b

SHA512
dd4ad39be10780eac12405ef5797a90e0551ed00057fc98804bf29c5a6b6ad5773152b26b5427cb95ff048b2f58cf9e91236121d51357454ee443c1b8a320ce2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\F2E5EB143D82DFAC8777E8A98874B61B072FCA68

Filesize
72KB

MD5
f59b233c1dc5d1650cfa9d504a42d73b

SHA1
0552ab0b97f48a6511847ce8df4a237525f91aa1

SHA256
9c0e1e5757854f56a68be78987d47dbf1cb84e2ccb3b7d63191a4475fa4b3a31

SHA512
66617456e709d63228af98807cf84a76c980fd1be149d3ef6aed7f79785df3d4573f03c4c52a884dcff836ccd330c35602b6730015a75ef30ca127c62c843cb0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\F5A1FBDEF4E6F115791D6C8EF1598942067B8080

Filesize
79KB

MD5
4ea5429abb87cfe97e943204b0486b5a

SHA1
35c61bf4a96f5e32c43791b87e64aefd33dfd083

SHA256
eea57c0bb1d0ecae0606b586d98379aa7d4a451212fb49cec23554f539774e3e

SHA512
8f1b5dc647e02a0579465d18800e3e958feda761bf9acbef65cc991882b604f7d43755802e56c8a2f1e09fa3a2e87d3508734e70aa8309a714ea99f43c437236

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cache2\entries\FF405EA908A0CDBF948198368567C7EC073C7A02

Filesize
123KB

MD5
987dfe32fc561552a9ac3a9407715c35

SHA1
e9485b4c2027c9d5bf0d48b50bf090e2a637e3bb

SHA256
6a4ff14f1e1bd3a0b215821ea7fd0a26d46d650a05d6bc5d9e06733aef1a34f9

SHA512
1b2ba83276969767bb318eaeccd52c222df59377c9421217caaafd0bd7d21fc709ce507dde8f3f109909f20d6177bad92cd5469a58376665b28891a8b85d4602

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zrrtvxky.default-release\thumbnails\17842d50133db097e7a12eda1ddc283f.png

Filesize
1KB

MD5
a4e3dec615867334fc01bb2b71796edb

SHA1
6ca3970f02d7ab704f5b82849c2f9163a9bdb9e1

SHA256
5fa0608bb3291da5006676cc5880c90c3d591c29e0f96ffad8a35cc961522560

SHA512
ff4192657fc611ae0938c3962a541eac877a66d372924a8df62aa8e99f6be4431c6b706df232aff96269746a448fa8a23e7d1c8a9d809d74782baa78a0af62e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
0374b18df0b005b6328ab481eb622846

SHA1
43588d2e338e01d4e179f0c97ea322ee96ad18f9

SHA256
f60662f4198054a5928e91f74075c902c4c06c648b537165303a26ba0b327e5c

SHA512
65155c40e06a210ab57587b82649c8f6bcbcf8cd044c116523ec1a29ec76589e0e7d66f9bb458cf1b3af6646f5b1efd3ac4e4642185a080aa0219b760d5f42bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YM0JYKY1O9SSBG6M1H0M.temp

Filesize
19KB

MD5
0598c0219ab1898bb76067967aa23531

SHA1
961f9099cba62cb401a4059afc4ce753f7956d17

SHA256
a71380e33108f9d9652321ae7377bb8badbf16360f2a7182fd634d328b62f51d

SHA512
f31eccbbab9159cf2aaf5c8e96a5c0036a27c28c1b472fd9bfac1695590876f87f8f32719bea5cf6842b9f45d286708285879ed685b15198145819814caa1d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
20KB

MD5
abfabc131d5af3c4d554a8c0a027cb88

SHA1
628df75b40d2edb6cf057455255fb9c8cd4ede21

SHA256
9dbd560fc7428f7df2008d30127d953deddb6ab020251a220c219e351da3e7fa

SHA512
82b318f8beb75624c864fdf6689ac17e137533285a398715a4950dda5979904fbffda1c71874b5f775c77f1e2eef63d5458693b3148f7abcdd22b588105dc20b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
10KB

MD5
70ffa366dc0c1c7a8ce99b4133da3a0c

SHA1
391af8550f382f3bf3adb65f04369f34f05f7058

SHA256
cddbf40f071a7f08d8ba073c97f5c3bd117f68327400f2eb599b71f6bb89b8eb

SHA512
b84e9a51cc2c38f2536dfc06c0adb24b50ee2fb67e16431b2fa820bda53185e42408cf11a5c5a01d131b94053bf4453ab87538ca6a0f9f912479bf0a468e8a92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\AlternateServices.bin

Filesize
12KB

MD5
a9c73310c3e2923e6719b4ef803f9595

SHA1
35c0744f5e9c9d89bd319580123db3b783668e5b

SHA256
68f1aa85636bdd2bd9fd5020f3941dd821edd13dfe1c962c2ef9a17a85104601

SHA512
89072317c9e4ddb077f7df84f3b1dd4259a61439fbab636807d8b44ea0a1ad1fa301a2bda59ead2c11c6515bddd2d7ad22b33073d60602e2b8600d6eef05a7be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\cert9.db

Filesize
224KB

MD5
37bceebab66c5cea5ee306631f4c5cbb

SHA1
ef2582b7fd717d18a0e0a6b6237022f5b4b4dd1f

SHA256
038a24b10de637e4102487d346956a831445125b608de2b90fd3f2285650e9af

SHA512
2d6a7fcad65436fbf8f44ff7e1ed033cb1cb21642bb7216e5edb458cdd26a1e826775c3616bc4735fb2cd5dc9efec7550ff4ad518caf923cd6bc9ece728238d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6710aa7bbe6c52179d78dd4b98199a9c

SHA1
5865bce7f714b6fdec8f88f6aa5dc616d091da3e

SHA256
3a7b799c279a55ae07f7e6dcff7e00c48cc0ec1afafb9a4f924f26ea38715bf9

SHA512
e66b3cbd956bc8436723fc7403e71a40024ef4d62d89c66375bfffc14417c5f1242c36c7ea80b0ab109ed4c9360c11fa40adedf6ef79a8ac6758e75228f71bfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
55KB

MD5
d526eb3751b3776af328e12aeaeaa217

SHA1
9ae6fffa6d04391b611e0d5d61f8f6b28d6f1373

SHA256
a688c4ad73049b2856e403f6c3fce8faa591f340442c115b9ce9e4b53d1541ef

SHA512
daf4926fb70437b58229e191dbb742df0d0b0cf82f0817d7bff09d3f27b27494e3b322a44f3c769bc6ffa9abfc8658b08b4546f900d7419b765546b51d6549ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
63KB

MD5
9a735e289f8c22588d2bb5429a6d6541

SHA1
d11107bcbd29c085d930d01aa557dcb8b4fa8627

SHA256
f87ac006c1f50a6709bf154d8ff46ea09d3190a3bf180eb0aceb660629fcdc9d

SHA512
b3d92a97bc5d1a9b7f3c5ff79e40eb9f5ea3ef6e011698780f08432df70b7139f4b80d4b73ae09dbbf8a2c661a1e30ce950785424e4da90069cd10c7fb7680da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\db\data.safe.tmp

Filesize
63KB

MD5
57e21000003ec924c9c30154723f9fe3

SHA1
20461ef9b213eb421d47b6438a22abc5bbcf8351

SHA256
46a55437de834fedb09c420b458f438c8a43e461ae4196878ab9aa3e2efafbc3

SHA512
02e291caa94e45cdcc897278a3f153f0308ad6ad5027cf484099fc0501421e33a7db37dfbe3c375796576082b0f01b99ad2cf8878fd7ed0be27201cc94b88954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\3480f593-38bb-445e-82c3-660606f26dd2

Filesize
40KB

MD5
c537879274ecaf725ee4965ed7c138a7

SHA1
b2104f61caba5cdb710450431913d576accc20f9

SHA256
54f07d5498eb6b7f6c79d0b9463d05b3e94f741c936049b7b6c11a7ccf8fb8a2

SHA512
bced37f99cfcdf48a78aa58a05f3324b118894644601cc1d3eb085475bcec45df89c0cd84d585e365eafdfb497844f1e4137e590db77623700334e4b58f12934

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\4c52844e-5652-4a91-98e5-2781b3f56608

Filesize
982B

MD5
17f2a7d89ead24381dee2c8f3a5bf9f8

SHA1
a11ddf603343b559bea773805e2f22814ae26297

SHA256
932431340f5097b2f6d013b4046c67ae6b03e63381642ddd5b061c24903158e3

SHA512
c3984e591489c99ddf349646c999600bcd0d2426bd71aef4bd77286ba3cdf90c9baa55b2b06ef1634090f511edfbde988caf959f28835119c73e6230d8bf0e20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\51bb8475-2492-4f47-a16e-767290dbeec7

Filesize
26KB

MD5
728d73683d2251ff0ab42386dbd142e9

SHA1
56dc8d5845dd0ae65dbdb61d385ee3a16738c9d6

SHA256
401787d31b81628c4c03db320ccf6db3f2d2a19a678807eab093d634bee1ac72

SHA512
ffccbd92ab0a0621d7add5188f977db39878451085b57fee5448a9d676c30e6cf849a047fb2df12d7ab8c1fb0a7914653fcabca4cf9416b015b96d0a3cf6c0f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\b9ee516f-43c1-49cc-aaad-583709b37719

Filesize
847B

MD5
1456fda33aa38887de283b379937d575

SHA1
53222361d4672f75b6579d2aa9512f69ddb056f5

SHA256
47b52b683331c8fc421f5d070d063245f260075ceef9db53a843dfdba3d2c662

SHA512
556989ac790bdb69ac57479f72aacf475b8431b4042fc8e9bb750f1db11fb6495e409422a47c91b8bb83f517e9f099fd37f2179420e777d5a16a84c9f011b627

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\e1dcf5e7-2e36-479b-8e93-99bc938155ff

Filesize
671B

MD5
9b141f5bafa60fb4eb1b2b52dc2cd886

SHA1
d1f9aa30196654666a3270860f6574280a5b2240

SHA256
ebf25228b831ca36cfbc499d156e907666a110cc13ff903af5be103a71437a0a

SHA512
2461e334351d20cf5b9c7a3b208b8e3249d0ad45e1e57ba0f2c76b40a9740dbd736e80f5261c14952ad83789006e01d7dc04bdac55a2f8dd98506e0a1c61f31d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\datareporting\glean\pending_pings\eb13d1f1-3eb6-4a0e-89f8-ffcc1cea4a76

Filesize
3KB

MD5
56beb0f0623f0b03d050d8fb3351acb7

SHA1
610672897798faea5fd0d3aa9641f18c626d0633

SHA256
9713a50e5ad90a3c24eea15d6c8f99c5b81fc87b39bb4253b6740d285f632eec

SHA512
f01d9d20273e7c4ae14090d74b333420367095e97c8a588cef5a471fd534b73badcdbcf906615db37375429f28f10eed3c0b1e8616530c8a82bef257d9520b8c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\downloads.json

Filesize
767B

MD5
1fd4a3080b87692fe42075541f1453b1

SHA1
d436031c8d06de8e6f0ef061b7cfef4091212718

SHA256
a077863fea7ef6678ddbb09605b7d45e090f280221e6a72b85e85e90c1a33469

SHA512
9eb55f43274b385bcc4e791b4e806a3ff119ae77eacd8969a7aeebafbe1f88a1890671ab2ebfbd750811b4c41c4d90c25f2135046300880292eff2cb041ccd81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
11KB

MD5
c598732e65ab1f4bf1c0a833de0430a6

SHA1
c2ded829979c8d952e8b3bf8f56b69a66f49a897

SHA256
62101043b9d37a610c2b2725c75fd110276e0c39dbe5db08879a1e05caeb46eb

SHA512
62d6041f6b8802be6136605af8a3d458a1ef206543eec91517c0f29d6b958ac4043d34d2298e20207b81acaeb749d560ec078df60842cbb93cc793f38ede2e33

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
11KB

MD5
74a901d865693817d6dac1066a481de4

SHA1
74b5af1e5392d3e779349b0b7ddf64beb43eb639

SHA256
e8778f0c21b4260b949b97d735a7517f6225f25f363ba15a2730780ace39adfd

SHA512
249c29587ec655128b8d0bd2c81771abbf7fe8fcc6de0dd4c78478a5a59e2c45e48db5437ccf2ca927e3dfe1c5afe56a89c3019cf2caffd60247a8bec1d3886d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs-1.js

Filesize
12KB

MD5
63894cd9f3e0bf257d047e2bca5295ad

SHA1
8436b75d7deca27d9c15100a85fef9287ac50e21

SHA256
8063cdf95b0ea73a39e0b057a682728d59fd0b81ed96815f3a4184f06d0b7837

SHA512
7d9fd8ad0745835921ba877adeb1916242144b16ad17488d3c3c7c9ca8b9921bfdc2b8ddd53081d09e482c074f8f3b55850c4351428a1469b796ab89f9f60f12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
7ca6f2948d3c50e262f2810ca09ab0dd

SHA1
5972f59aa75e3c54ec241e2d629c270c52b0af99

SHA256
b15edaf06ec77d75ab67f4994ffe641df5ecd50b1acd7bed159a179d00a22d96

SHA512
95e11d14b3853328512870b92d01967fcd71400a8fc885d7fc0cc941a06dddcf47854f778bb1d4d630c02842f2ac5017969cdc725f50de568211346d3af6a657

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
11KB

MD5
00a78dd8dd2072d9bed01ee9f3f412a8

SHA1
b23fc64bbdd2a779b619349efc14bb6191e58b56

SHA256
2074a629cd259aa975fadce0de9114aca24a631d0f4446a393df6562a9fc1918

SHA512
8bf76649864430a303678c96f5fb1bf86c48f6bf876b0703a01f2cf40f68dffbacac776cfd1ab94c2275861d0f99789d89d8373cd45e69166a93068033616d3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\prefs.js

Filesize
12KB

MD5
921d2beb9a44a26e3b592569db673fbc

SHA1
0eb269a2f6c483de43f57f2f1149d9ace37819f4

SHA256
278ccb5ea17d7f9c5b7f7e5dab1b11586d36054da06e9685aab4786e0a7e2b68

SHA512
e30b8c764a9ba492ac40de94379295ff87c2b89d8f236d63c64d1568a63f3affb3b588451942856647ef87ff3100fabcb34cbdecc2e49f711a8d14f812f4e638

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\serviceworker.txt

Filesize
200B

MD5
8c31210134e12a78bd2c3ce58389972b

SHA1
35cace83bde049b8ddf215ff52a621cccd06eb76

SHA256
825ba563ba2dc2c65a813e598804cd0f3a79ea761ef1c1a3f7603a833c2ba764

SHA512
718eae35fd247872bc2362d61de4621447be932107cf417dab3762f3cdf251345bd08ca6a0f380a151d917bd2b77075261ef59a67fe8c6f23b3fe6c32d447b13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
b5691973011244a9da24f38ac8d98108

SHA1
b7a1356cfa8c6c554da5ad314a146690f983e66a

SHA256
f673f4142dca6423527569f0367dd13fe2d016f7e7c532e8cd0d1556935c5204

SHA512
6d00b45934a4c6b37c6d77ef82a3cc9ffa3b6383b9d50ee417421b2fb353eb9342e13b44dd866ee932398b4eb22ad81fadb4e31258e0e5e3298358b3508ed227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
28KB

MD5
0a95e1591676cd5c3319b3ad1a589bc5

SHA1
8a4df4c8645d3b356f6c68b1ca2f97d4755212f7

SHA256
6ab2149dd28f3d0f0e76ac8027d1c4df1e76b3547ff72e23e298a992ebf0da01

SHA512
2879646766945a5a06d4e92ea545bdd90932b51be77e1e6719629f6781d2eb0473b9770ce2532fe5e78c13c67e9e9c8c9065d122092d01904e50ca9916c6a412

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
3eff3688affe6bb8867338eaa011196e

SHA1
e6ea44314cdcd6784fa87f74c5e1151b0ef75659

SHA256
694093c78e6ccae14a6cf54d7efc377a438de56c9c42508de3ed350ca61016e7

SHA512
0af031f76fb2d4b457d46d3d748ae0f120c225dd86fced6a83e5e787203685ce013bb9c43f345071ca968b9de7e3761c99a1867d1fd2a2d31232508b9b2d3478

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
25KB

MD5
3341da618b75e1862fcec37ce8a5a861

SHA1
ff97a30cedda95ab7d011fc8a5c66e0dc2019bf3

SHA256
94e8c3a4418f390f2062068d56232705f4125f6e87a60b0483a2537940233646

SHA512
16cbc66b8dd976c0583b02ca7cad60335ad5d2e4897c113267e27c08f9df7490fd191a681707d8a3e271e631eadb382a2fa2943eab46286da27871834a0e6301

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
5c09b9d29fc29adc88741fe16640bcf1

SHA1
b7d79bde1d220ee02fe280cc6098ce865f662019

SHA256
5f81f08f77a05607a993b7fdb0adc2668fa9e2c3911b72dc9a37d2eada78fb22

SHA512
c046af9a0f4fe8c03c028ccf68b4132dcbf9487f05115abf35b725acb946481a5f2267e9d887b64b7775a06efc32dd8e0be704d6ccdc89af45d8266f2e91b9e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
55590a1cdc54a853306c5d6561cac17a

SHA1
100e54b21b43b9414b2182593e2ed21567a397f4

SHA256
d924846ee028166a6c95c2227e1e8290f86b9afc55e374cae93fa3edb2c108ee

SHA512
cec7c918e9e8ac61149e6ff2f31e6f0c5cab7c6e6ba5bc50353692a370cc9c9bf3a7ec57680e39d0405a0f2a2555c6770edfc27bfaf9eead0c85f0b49d250050

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
7KB

MD5
39f7f61b6d5b1ab3e29760fe2becc1cc

SHA1
63dfd00f597aa5177c2b07494b7414a2c9177633

SHA256
38ff006d9b5a712148e60192fc66631ec77ef5e2f494fd2d7b939acfc6d86ecf

SHA512
86f60fd8694c40bc4f1dae8314046434f9d5b7a1a7ddb8bdea40958d8ebadc8758a9adf1e547ff2c566534d58ae924ac7177f73592dd8622bc965dee96f97efd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
26KB

MD5
71d8d0c6cf0f2d4e98ed93dbe05000f8

SHA1
2f5b6733833b41f10dfce84940724211f2116bf7

SHA256
c762b682170fc473c48647738e051d06607db8eec3b6743aed9989e3df7c677f

SHA512
b67f3785e001dd2a9b873df5cf93bdb4cc8f909ba16bde275ee9c2b6d554e54c253cb679c321801735fa435181ac5d4b1e336dd63fe10396275d6173c5a9a896

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
34KB

MD5
a6498f62fd752236a430c05b84638dfd

SHA1
d249d637eb92498a6e109d173b9f4db71ae06b7b

SHA256
e6a18cdce7c6ce96bb0123d1b55a38bea89b7488593d011248d235a45fd58b39

SHA512
0b35ed8bde2c5039c58a46a76db34372b31901e768e3330efa7b1a1f2b97d03f919895aa979222b951f9115919fb66fc13bf5ccefe356071777ce71d36e417f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
25KB

MD5
04fd770a5b00442a26a8509eb100b8d2

SHA1
5a6d73ea67d06f68311c8da8a1fe3f8950f3db7d

SHA256
3202fdb679bc1201a9764565830db49d7fdec42e6e41080a5c6a7865fd85cbe6

SHA512
637d7fd99bcb5d5e17a4a23b9b2649716eac76565c79b8d48feae8955e27ea95911788ac9c62ba56bf76a05583159666ac45dc86f31638c3018e49e638de4d58

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
c6425c6689545dba431eac58a811dab4

SHA1
3ad59645ee07447ad69d6bce0a659c062891fed7

SHA256
2ff0469d2098cc53b0fdb6610274acc04ea5ea7736a1ed785beb0f86f8e7505f

SHA512
3801470a0c923f8c04f24c001c439403ddb8ed5c6d0ac71f0b0a670a09f6b67ca4d88bb07fdb43443541d0cf6e62055e135c62e186ff1160b0abebc8f0a010f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
35KB

MD5
ea311d0cd29c739b2f4efcec3a559e4e

SHA1
6c78e68e038fdc69af1943506223b0cd43b22877

SHA256
3a011fe721e51d921e9cd363e3bd2965ed5585bc1a4d7ac71174188eb49e33e5

SHA512
5523fce0def0e869d4ef0a3010809d3e1d1537f1dbf644ca83ea1f3ded7368f9f8f4a5ed2931ae0ccadc3ae2feba440ee2a2e0c8c538c8ebfa57085600c21690

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
26KB

MD5
12cfafe51be62cf9d86a67c06d090245

SHA1
3c9667e4aa1f834f8d8924d5165ef3ebacb955e8

SHA256
96f8d38cab04f253ad00cd68a062a1412be609f84d57ef3ddce35298c9996e7d

SHA512
b33ecacf752cf5093f1e03a2f6a8a1aa0b58ce2866c93111cce79ae1456108d3145fd5fa9218cb33df1e41c633a90df367b06f11c86dba57bca85b8ecb01250d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
d60943583325fc7cecbddb8ba2672cb2

SHA1
1a3188c3e647f70964e7a16d6042b069ac36dece

SHA256
107776dcf4217e90ffa922fc3eb64b380d2387783033cf459bd4326056762b6c

SHA512
27c83c5f63e0ecc8fdb5feab85cae831c4ea885e21bc86a5ecf805c682235f1b212fcba870650c2934f76f165652e8a2219a0eed52ad36b6a052c0990fea8065

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
1b836bc868525e0ace133c06b9873349

SHA1
fba760275b2c56e9f2d91d8b96d6c012cf07c2b1

SHA256
c929d8611fca43789b6bf0328fbd7649719e19c9fdefbc6ed22ccdc9100ced67

SHA512
8fc019a8c1bdbf12c0eebf8075fb6252e70333b3a87ea9421c67cbbb73a5de4d57d60bc655a67e126904e20808d204b93e06c2193727bc9d69ec1c8527166dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
29KB

MD5
372a75e10d13b1296ecf158c51007c75

SHA1
95ae200b147441eacbaa0651016a5f1442555e61

SHA256
80d1e4f94d70a4226e39de04c3b3c69c262c69478084294f4bae3965230a55f4

SHA512
90a2e92cfaf39937545bcc45832d753c70dd6f62ac9352e282cb3954a1516653fdce9c630a1e1b765fc1fbf4199ef063005ff21a94a1a3d6e69b8a2d5e89809d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
3216c033ccb8347e4114a8bea5b67687

SHA1
f1bd74c4231961e4cc7296fa43ddce31c3a53d4c

SHA256
4f36351484956c99ed1738238154f8544b12c01f66fbeeae3beedff11d3a42ca

SHA512
b6a8d7bcd85c3d9d40700507904cb507f03b194ac96985c141beafacdd64f1594713fc63deafb2fb262bc81056e2b67e1ffe6b414bc4e0ba158dd9360abb2834

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
30KB

MD5
81e3659c0c76a2a6dbdfc5ffc86a1caa

SHA1
2cfdbed619333e9add8fe323a8e5239720f2c645

SHA256
0d599a86f0a87a04b2907a064c8b8f75cec5f40a70886ee9ab8fbea36b61633b

SHA512
dc11c7d8473b3701c2fb346cd50cf406b38f30bc2cb31823ce4310eb8ff68229c0b69ceac85fe916f2f613f5198054fe58189f43662d322ba4d34048d520254e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\sessionstore-backups\recovery.baklz4

Filesize
35KB

MD5
a01898dc96bfac9231145facd116de90

SHA1
0d47e8e2e2c4cd5dd5906ad20c8211da2c37c66f

SHA256
a203cfd4dc2ed87141ba30dc2d77dccea54b4d3c14143f58bef0ce7d96b7f973

SHA512
1cb6c367e9b75e235ec0147b6b7ff67b9b5a194296f0ee9837ad595862da4a5cccf3a28d1bc3b3ecdc08fa2eb39f621d709bd14b05f38617f9807ec0636fb294

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\default\https+++www.wireshark.org\cache\morgue\251\{41c0089d-16ec-4d88-bd36-385d7698ecfb}.final

Filesize
19KB

MD5
7c84d25d70d0aeddaffa82ea35467635

SHA1
2b1c4a3e9e66f25dc86da048677c97310db5b76b

SHA256
be94498ec0183d3dd928aaed9fcbf43a3b76ea1606b9889fe17f9547d670a666

SHA512
19517f3c295f15b320bc38ac84ea1b04c6abb8e13786e953e2a4d5ae12ab8fecff75a76bf0e84f3482c5a3f7a8057fdf6d7428c6e87c1d728df67cc0ee807438

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\default\https+++yandex.com\ls\usage

Filesize
12B

MD5
24209415e2ebf8119de79bfb33342d60

SHA1
b2231345d8ae4e9a961cdbc105afd52f26e06370

SHA256
312f97f68a516021f4a1ba4040062c1e81abe277a73b36004089172e8b58d40f

SHA512
5738731c6e67c31c52f4fc4b13108675fc113fccd8777f84232e16c8654ffb117dc7194fea0be9023f63c0b6a63d962c4a8deed41d3317477bfcfb7314a6efcd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\default\https+++yandex.com\ls\usage

Filesize
12B

MD5
8d924e98806a2a15a6f11e9b8d499e6d

SHA1
41e3b08a1b370294f36ac41de4046c30a124e6b0

SHA256
4d23b5d35c5e533d9efc4599a740dbb0c8f702e1b106fc4accf89a6d25963bb1

SHA512
2d05c9dc0f2ef75c775a58dc40cad3669eb3b23a7aba921ada114690084ab9d9b889392a4a41774bab3102006da24decb76da1b80702e2a41533757735eebcbe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zrrtvxky.default-release\storage\default\https+++yandex.com\ls\usage

Filesize
12B

MD5
56aad95bb9cd1b96f05d92608294a983

SHA1
1ecbdf23c0a2d7348efd1ec62bdd8a227b3dfb70

SHA256
04aa480147e520c044a3c5bac40c72d1bfdf9695226ae3542675c608017959f4

SHA512
7032197ded7411b3287db873818a612129fd94d37daa64d20e4cf536632b181c2e2c606e3a218f37abbb13be504103da22a0841d279b0ee7ad609cb067e6fd5c

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
39ba82e00dec78cae3fcb3703a88ffe1

SHA1
101d6945cc58176926d1cc38d565bbaabaf0c2b7

SHA256
099248a5b2c2469dcc7b2df6344c10ad4d11211107ede74a6c3f5d3afcebdb59

SHA512
f4dc3e5dcee623dc12fd3d16291cfb541ed05c2c4cdf2450ba513adc6ea31e3ba29311b0290b3cc9fa2f79008636aed1ab2d6ca70662ca0daed2c0229745f2fd

Download Submit
C:\Users\Admin\Downloads\165611725891099.bat

Filesize
322B

MD5
c719f3a51e489e5c9fbb334ecbb45ede

SHA1
5b5585065dd339e1e46f9243d3fe3cb511dc5ce6

SHA256
c67348cacc707decd859789c8ed1e8afdb6eb8753d3941d0ee9ecba2f00500b7

SHA512
b2b0ea3a3701b5d689a5cbcc5c16721cf807304ca02375f33c5b507c1a00655917354e32f6e2b96c081125751498484c974c2d3eaa754d6074c9d55aec8c0164

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
585B

MD5
296299fc3a2c1d0ba60ebd71f955d065

SHA1
2971ea3485c6dcc1487d8672b723bec0c46cfcf4

SHA256
533e9c0d772991ca66ebb5a27efc1b93c55129eb73068de04bb44b124c9acd39

SHA512
02ed531f0954e8b93aec1f0367bf7d06a5dfcd510df06883ab20366b440c7de7d916dd4d6ed524e28c4cf32a0431e4553fcd65b403d9d017dfefeaef0d16be75

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\LIBEAY32.dll

Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\ssleay32.dll

Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\Downloads\Wireshark-4.tUhunGt8.4.0-x64.exe.part

Filesize
24.1MB

MD5
35e33eda69b3e78c7928365808304b5e

SHA1
fd719d9285745a1ed5b31b96260d98975abee34b

SHA256
d67b7916c6224493cdaa48edb63a05235a94f231bec6655bd0cc8355bef956fa

SHA512
bccf275a9c365e6960390df3536fcc19e0e2e23b9380dcaeea04e1cea86d500a18a09cc56e689e134dcad93c4cdb119031af11e39b4ac6c549ce61bf26674742

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\m.vbs

Filesize
201B

MD5
b067df716aac6db38d973d4ad1337b29

SHA1
541edd1ca3047ca46fef38bd810e5f0f938b8ae2

SHA256
3f7ded679522e917f30aacbfb7c688ef477d7886e722731c812dc486195e220f

SHA512
0cbc1b820abf13e225e7a7636ce1e336d758fa54a9ee6aa09dee7a9748a2cf890f45ba55a7a188b69972b396bac37ddb9a98ba202ff2e203b34a75e515c0759c

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\wanncry.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
memory/5452-3168-0x0000000074030000-0x00000000740A7000-memory.dmp

Filesize
476KB

Download
memory/5452-3164-0x00000000742F0000-0x0000000074372000-memory.dmp

Filesize
520KB

Download
memory/5452-3286-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3270-0x00000000740B0000-0x00000000742CC000-memory.dmp

Filesize
2.1MB

Download
memory/5452-3266-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3229-0x00000000740B0000-0x00000000742CC000-memory.dmp

Filesize
2.1MB

Download
memory/5452-3225-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3206-0x00000000740B0000-0x00000000742CC000-memory.dmp

Filesize
2.1MB

Download
memory/5452-3202-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3165-0x00000000742D0000-0x00000000742EC000-memory.dmp

Filesize
112KB

Download
memory/5452-3180-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3330-0x00000000740B0000-0x00000000742CC000-memory.dmp

Filesize
2.1MB

Download
memory/5452-3326-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3162-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3387-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3144-0x0000000074000000-0x0000000074022000-memory.dmp

Filesize
136KB

Download
memory/5452-3142-0x00000000740B0000-0x00000000742CC000-memory.dmp

Filesize
2.1MB

Download
memory/5452-3145-0x0000000000770000-0x0000000000A6E000-memory.dmp

Filesize
3.0MB

Download
memory/5452-3143-0x0000000074380000-0x0000000074402000-memory.dmp

Filesize
520KB

Download
memory/5452-3141-0x00000000742F0000-0x0000000074372000-memory.dmp

Filesize
520KB

Download
memory/5452-3167-0x0000000074000000-0x0000000074022000-memory.dmp

Filesize
136KB

Download
memory/5452-3166-0x00000000740B0000-0x00000000742CC000-memory.dmp

Filesize
2.1MB

Download
memory/5452-3163-0x0000000074380000-0x0000000074402000-memory.dmp

Filesize
520KB

Download
memory/5848-1623-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads