Analysis
max time kernel: 216s
max time network: 220s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2024 08:35

Static task: static1
Behavioral task: behavioral1
  Sample: wanakiwi.zip
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: wanakiwi.exe
  Resource: win10v2004-20240802-en
Errors
General
Target: wanakiwi.zip
Size: 354KB
MD5: e4f370b101104c15269a3b888ed98e08
SHA1: ad5b797c7cc788a21403ca0cc959bb548580c84f
SHA256: 40da854572ad619f1e48ebc62e7ac42fc46b2f3fbdd0dd9069eb451b79f578f4
SHA512: 5fd22a7bc6ae20461aab75d0806309d0ed5f926219437a2a252dd96a4dcae616c0b7faa91a7f12d693c75ef9e36c26f0f876cf3fa82d85d419bfe08b1b8ab6ef
SSDEEP: 6144:khQbV921g4F8OnnPl66sLG2kFCUMPX3icAmBEtHxxxXww9yz8rgot:zYNmC0pPnAmB8tweyre
Malware Config
Extracted from: C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
Family: wannacry
Bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5150.tmp | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5157.tmp | [email protected]
Executes dropped EXE (22 IoCs)
pid | Process
1056 | [email protected]
5804 | taskdl.exe
5168 | @[email protected]
3300 | @[email protected]
2616 | taskhsvc.exe
5852 | taskse.exe
6060 | @[email protected]
6120 | taskdl.exe
5224 | wanakiwi.exe
4336 | wanakiwi.exe
4200 | taskdl.exe
860 | taskse.exe
5184 | @[email protected]
5088 | wanakiwi.exe
224 | wanakiwi.exe
4928 | @[email protected]
1512 | @[email protected]
5244 | taskse.exe
2032 | @[email protected]
4496 | taskdl.exe
1676 | wanakiwi.exe
5856 | wanakiwi.exe

Loads dropped DLL (8 IoCs)
pid | Process
2616 | taskhsvc.exe (8 identical rows)

Modifies file permissions (1 TTPs, 1 IoCs)
pid | Process
4072 | icacls.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkwthgmgqegtew611 = "\"C:\\Users\\Admin\\Downloads\\WannaCrypt0r\\tasksche.exe\"" | reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
flow | ioc
311 | raw.githubusercontent.com
207 | raw.githubusercontent.com
208 | raw.githubusercontent.com
209 | raw.githubusercontent.com
210 | raw.githubusercontent.com

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | @[email protected]

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\rescache\_merged\2229298842\1034423747.pri | LogonUI.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @[email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | [email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @[email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @[email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wanakiwi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskhsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @[email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icacls.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @[email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @[email protected]
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskdl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | @[email protected]
Checks processor information in registry (2 TTPs, 28 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | firefox.exe
Key created | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings | firefox.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
3564 | reg.exe

NTFS ADS (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier | firefox.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2616 | taskhsvc.exe (6 identical rows)
5224 | wanakiwi.exe (24 identical rows)
4336 | wanakiwi.exe (24 identical rows)
5088 | wanakiwi.exe (10 identical rows)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1696 | firefox.exe
Token: SeDebugPrivilege | 1696 | firefox.exe
Token: SeDebugPrivilege | 5608 | firefox.exe
Token: SeDebugPrivilege | 5608 | firefox.exe
Token: SeDebugPrivilege | 5608 | firefox.exe
Token: SeRestorePrivilege | 4376 | 7zG.exe
Token: 35 | 4376 | 7zG.exe
Token: SeSecurityPrivilege | 4376 | 7zG.exe
Token: SeSecurityPrivilege | 4376 | 7zG.exe
Token: SeIncreaseQuotaPrivilege | 3568 | WMIC.exe
Token: SeSecurityPrivilege | 3568 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3568 | WMIC.exe
Token: SeLoadDriverPrivilege | 3568 | WMIC.exe
Token: SeSystemProfilePrivilege | 3568 | WMIC.exe
Token: SeSystemtimePrivilege | 3568 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3568 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3568 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3568 | WMIC.exe
Token: SeBackupPrivilege | 3568 | WMIC.exe
Token: SeRestorePrivilege | 3568 | WMIC.exe
Token: SeShutdownPrivilege | 3568 | WMIC.exe
Token: SeDebugPrivilege | 3568 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3568 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3568 | WMIC.exe
Token: SeUndockPrivilege | 3568 | WMIC.exe
Token: SeManageVolumePrivilege | 3568 | WMIC.exe
Token: 33 | 3568 | WMIC.exe
Token: 34 | 3568 | WMIC.exe
Token: 35 | 3568 | WMIC.exe
Token: 36 | 3568 | WMIC.exe
(the 21 WMIC.exe rows above appear a second time, in the same order)
Token: SeBackupPrivilege | 4560 | vssvc.exe
Token: SeRestorePrivilege | 4560 | vssvc.exe
Token: SeAuditPrivilege | 4560 | vssvc.exe
Token: SeRestorePrivilege | 3864 | 7zG.exe
Token: 35 | 3864 | 7zG.exe
Token: SeSecurityPrivilege | 3864 | 7zG.exe
Token: SeSecurityPrivilege | 3864 | 7zG.exe
Token: SeTcbPrivilege | 5852 | taskse.exe
Token: SeTcbPrivilege | 5852 | taskse.exe
Token: SeDebugPrivilege | 5224 | wanakiwi.exe
Token: SeDebugPrivilege | 4336 | wanakiwi.exe
Token: SeTcbPrivilege | 860 | taskse.exe
Token: SeTcbPrivilege | 860 | taskse.exe
Suspicious use of FindShellTrayWindow (44 IoCs)
pid | Process
1696 | firefox.exe (21 identical rows)
5608 | firefox.exe (21 identical rows)
4376 | 7zG.exe
3864 | 7zG.exe

Suspicious use of SendNotifyMessage (40 IoCs)
pid | Process
1696 | firefox.exe (20 identical rows)
5608 | firefox.exe (20 identical rows)

Suspicious use of SetWindowsHookEx (20 IoCs)
pid | Process
1696 | firefox.exe
5608 | firefox.exe (7 identical rows)
5168 | @[email protected] (2 identical rows)
3300 | @[email protected] (2 identical rows)
6060 | @[email protected] (2 identical rows)
5184 | @[email protected]
4928 | @[email protected]
1512 | @[email protected]
2032 | @[email protected]
180 | LogonUI.exe (2 identical rows)

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 1696 | 1732 | firefox.exe | 94 (11 identical rows)
PID 1696 wrote to memory of 3120 | 1696 | firefox.exe | 95 (45 identical rows)
PID 1696 wrote to memory of 3080 | 1696 | firefox.exe | 96 (8 identical rows)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.

Views/modifies file attributes (1 TTPs, 2 IoCs)
pid | Process
4132 | attrib.exe
5916 | attrib.exe
Processes
(each process is shown as its command line followed by its PID and any signatures it triggered; child processes are indented under their parent)

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\wanakiwi.zip
    PID: 3000

"C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 1732
    - Suspicious use of WriteProcessMemory

    "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID: 1696
        - Checks processor information in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0663308a-a27f-4dee-ab22-6d47d309cefa} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" gpu
            PID: 3120

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {854907fa-1c70-49ab-9deb-a23a857ff077} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" socket
            PID: 3080
            - Checks processor information in registry

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3344 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3332 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3987187b-d2a2-4b15-8021-55afb0ae7a39} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 2512

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4332 -childID 2 -isForBrowser -prefsHandle 4328 -prefMapHandle 4324 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88c502a4-95ec-4ffc-88e3-8c08c6e9295e} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 4916

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4828 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1c6d721-0c41-4658-933d-cd968008b5b7} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" utility
            PID: 3760
            - Checks processor information in registry

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2776 -childID 3 -isForBrowser -prefsHandle 5296 -prefMapHandle 5276 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8a1cb5a-a58d-4712-ab56-ed523622fced} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 3064

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5300 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cf54308-8cf9-43f8-ac23-dcb4a6f3e0c0} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 1332

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5616 -prefMapHandle 5620 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10b8319d-c1d5-49e1-9fd6-79f18817b11f} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 1248

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6192 -childID 6 -isForBrowser -prefsHandle 6196 -prefMapHandle 4904 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {976be508-76a3-4c97-93db-12fbd67b3f75} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 1988

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6408 -childID 7 -isForBrowser -prefsHandle 6400 -prefMapHandle 6396 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45a4b481-26df-4db6-a838-687ddaa1a820} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 1252

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6636 -parentBuildID 20240401114208 -prefsHandle 6560 -prefMapHandle 6568 -prefsLen 29357 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aed6157b-28f0-4b44-ac46-1683aabe7733} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" rdd
            PID: 5332

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6640 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6548 -prefMapHandle 6552 -prefsLen 29357 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17986cc1-180f-4453-be47-ba22df26c8e5} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" utility
            PID: 5340
            - Checks processor information in registry

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 8 -isForBrowser -prefsHandle 5908 -prefMapHandle 6868 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d7a3dab-e4e5-4538-8992-7d56ff7504e9} 1696 "\\.\pipe\gecko-crash-server-pipe.1696" tab
            PID: 5136

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 4188

"C:\Program Files\Mozilla Firefox\firefox.exe"
    PID: 5560

    "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID: 5608
        - Checks processor information in registry
        - Modifies registry class
        - NTFS ADS
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 24253 -prefMapSize 244945 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3113143a-2b38-4fbc-8c0b-1fa5f4382496} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" gpu
            PID: 3032

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2348 -prefMapHandle 2344 -prefsLen 24289 -prefMapSize 244945 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a18c91e1-079f-408b-817f-e291e158b7ef} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" socket
            PID: 4284
            - Checks processor information in registry

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 24430 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03f4e20e-b4f4-41fb-ac6e-5ad7a8dea8d5} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 5796

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3996 -childID 2 -isForBrowser -prefsHandle 3988 -prefMapHandle 2812 -prefsLen 29663 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75b163d9-6960-446a-aebb-528b810c5085} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 2064

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4568 -childID 3 -isForBrowser -prefsHandle 4560 -prefMapHandle 4556 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e2c96e-bba8-4d74-8675-4539cf870388} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 5932

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4968 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 29717 -prefMapSize 244945 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3cf52eb-b82c-4ab1-8d1d-5bd43a40187e} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" utility
            PID: 440
            - Checks processor information in registry

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 4 -isForBrowser -prefsHandle 5400 -prefMapHandle 5380 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dcbf641-7af3-40d1-b26b-d54dc6d7a358} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 3708

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5156 -childID 5 -isForBrowser -prefsHandle 5560 -prefMapHandle 5564 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f03c7f37-f0ea-4fd3-8036-f2b0f3369b39} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 3016

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 6 -isForBrowser -prefsHandle 5284 -prefMapHandle 5272 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47467bb8-ab1b-4a9b-a813-0baf816c93d4} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 960

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4616 -childID 7 -isForBrowser -prefsHandle 5152 -prefMapHandle 5560 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e66025ca-0793-4b25-b52e-99575977963f} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 4148

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6192 -childID 8 -isForBrowser -prefsHandle 6200 -prefMapHandle 6216 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95c9a843-c55e-440f-8dbf-d993f9efee00} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 1748

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6524 -parentBuildID 20240401114208 -prefsHandle 6516 -prefMapHandle 6512 -prefsLen 29717 -prefMapSize 244945 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8d83351-6aee-43e1-9abd-b9eb014a4d38} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" rdd
            PID: 5180

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6532 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6660 -prefMapHandle 6656 -prefsLen 29717 -prefMapSize 244945 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c51a5835-9903-4bd2-b262-3d8f8a199e2c} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" utility
            PID: 6024
            - Checks processor information in registry

        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -childID 9 -isForBrowser -prefsHandle 5708 -prefMapHandle 5536 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4a8bb09-0700-4d91-9682-d6e5b4c9eddd} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab
            PID: 1568
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6848 -childID 10 -isForBrowser -prefsHandle 5668 -prefMapHandle 5680 -prefsLen 27296 -prefMapSize 244945 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e723ee-ec9b-4c70-8547-fb646a9f7e5c} 5608 "\\.\pipe\gecko-crash-server-pipe.5608" tab3⤵PID:5260
-
-
-
C:\Program Files\7-Zip\7zG.exe (PID 4376)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCrypt0r\" -spe -an -ai#7zMap21574:86:7zEvent28917
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Downloads\WannaCrypt0r\[email protected] (PID 1056)
  Command line: "C:\Users\Admin\Downloads\WannaCrypt0r\[email protected]"
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\attrib.exe (PID 4132)
    Command line: attrib +h .
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
  C:\Windows\SysWOW64\icacls.exe (PID 4072)
    Command line: icacls . /grant Everyone:F /T /C /Q
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe (PID 5804)
    Command line: taskdl.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\cmd.exe (PID 6040)
    Command line: C:\Windows\system32\cmd.exe /c 201851726389484.bat
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cscript.exe (PID 5264)
      Command line: cscript.exe //nologo m.vbs
      - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\attrib.exe (PID 5916)
    Command line: attrib +h +s F:\$RECYCLE
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
  C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected] (PID 5168)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\taskhsvc.exe (PID 2616)
      Command line: TaskData\Tor\taskhsvc.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\cmd.exe (PID 5976)
    Command line: cmd.exe /c start /b @[email protected] vs
    - System Location Discovery: System Language Discovery
    C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected] (PID 3300)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\cmd.exe (PID 5752)
        Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        - System Location Discovery: System Language Discovery
        C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 3568)
          Command line: wmic shadowcopy delete
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe (PID 5852)
    Command line: taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected] (PID 6060)
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\cmd.exe (PID 6088)
    Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wkwthgmgqegtew611" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f
    - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\reg.exe (PID 3564)
      Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wkwthgmgqegtew611" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry key
  C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe (PID 6120)
    Command line: taskdl.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe (PID 4200)
    Command line: taskdl.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe (PID 860)
    Command line: taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected] (PID 5184)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe (PID 5244)
    Command line: taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected] (PID 2032)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe (PID 4496)
    Command line: taskdl.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
C:\Windows\system32\vssvc.exe (PID 4560)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\7-Zip\7zG.exe (PID 3864)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\wanakiwi\" -spe -an -ai#7zMap11632:74:7zEvent31299
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe (PID 5224)
  Command line: "C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe (PID 4336)
  Command line: "C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe (PID 5088)
  Command line: "C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe (PID 224)
  Command line: "C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe"
  - Executes dropped EXE
C:\Users\Admin\Desktop\@[email protected] (PID 4928)
  Command line: "C:\Users\Admin\Desktop\@[email protected]"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
C:\Users\Public\Desktop\@[email protected] (PID 1512)
  Command line: "C:\Users\Public\Desktop\@[email protected]"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe (PID 1676)
  Command line: "C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe"
  - Executes dropped EXE
C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe (PID 5856)
  Command line: "C:\Users\Admin\Desktop\wanakiwi\wanakiwi.exe"
  - Executes dropped EXE
C:\Windows\system32\LogonUI.exe (PID 180)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3978855 /state1:0x41c64e6d
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  File and Directory Permissions Modification (2)
    Windows File and Directory Permissions Modification (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (3)
Downloads
Filesize400B
MD52b619dfacecaf19e616560ce5d12ac56
SHA154fde31f374f91f47e4fa716d0380be63e4dae51
SHA2565fcea9a6a1304da5e0b944247723d9d53787855240d553bb598acfd8690472ae
SHA5123de3ec811441db380e907264400381ce6b57a4f4ebdc88e6dafd81b7433ae54c47841e15a2163f1da8a0f10591754bee3697fab7e54832b06273010932df88a1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\0d105101-fc2d-417c-acfc-8bf06cf24e9b
Filesize735B
MD506e7f8ccf6b30a77753827b4bd3694d6
SHA1743be59f5951301e57dfe5278d1469a25d7bf258
SHA2561a91ece039955f89c0c9915337644693f2544417f6e470a5f53411735185ec79
SHA512ebdc31367124863f68514131c2bede3f8e0de99f931f84f1bbe98daded396376a2da2a92de2bfcff9e30125d4dc6afce42b257606fdd5bc3f5fd283231dcdf35
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\10824215-bfd9-4067-89b1-09d67c7cf6b5
Filesize20KB
MD5d85f8c3807f0ddc5ea7a655ac2606ae3
SHA1f521f2fc89d79a1102b0d51744b7b8021481474e
SHA2562078e6e45a0c9bbc410251dd6978c74fb4abb6ba8a107c587ce41d58fddc8b2c
SHA51231a09580d40d839a5bd0e726c9c63891b7e2f4d2e61fd18ea25e52c29d92c3192538da8791d9a3bdacb094b8ac709695deeac88d12499c73288834f295b78d18
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\1c0a1516-0c1c-4310-a7c3-21871fddb18d
Filesize26KB
MD5cbad13faec9ea10b41e672a87d42c1b4
SHA10be1c988b2594d53e5ca7abcf1f545acf2c61797
SHA2569221e977c023933b4d6c7b2cf916ebe0b6dbceb8a0bbe9d88f6192e04b838929
SHA5124b103fa61587d66fea86e1b9f94e2442c7c5906755e228e833dc19cf8fe501f364fc1c5afe5991b00ef3ea8fb225fe3d1d8cbbbc8b863298642aa1a694df2256
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\8a01eb95-dc4f-4bd8-b682-3772a6133bbd
Filesize1KB
MD5e329dc8b0a01cdfadd55f96f8bbb5940
SHA1b79607b6335bf6845c91d5a429e5707dda1a7bbc
SHA256aaa189a6def6cf837b61200544888f04fce08ee9d74a44684ccda6c4e1f30308
SHA5120bb368c21fde0d73f25f6fc23c3a22e11243565976ab38f3d0d5e849d93bbcb107b3a99a8ae227829beb441b53219c247bc208370547aa3795ce5a94ccc6d410
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\cadfd83e-886f-42a1-908f-bdcbe2eed673
Filesize671B
MD5903d1fa0142f5f6080e9f46728c4857f
SHA1c385a4ce8a20e1874fe26bb64bede07e6ea9d2f9
SHA256476f27841d195dbc0156a797429e9374f4dac06537d5bba68b24daaf04ac5d9d
SHA5126bce80af72949b2227fc2573e2a3a2ecd474e88b0ae3ec285b95ee92ba127431801b49ccb5c08525287361d2027fae29d2d3d01a6c3e78c11a9463d422b44f56
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\d82e815a-c419-449c-99b0-489bccc71829
Filesize789B
MD56df9852d1899553a1393d1466a657ad1
SHA17f515282de6e9f25ee79cace5be08418665e8cb5
SHA256fec17be560b6a1837d17d6fcff61e3c2fc665196b77028e4a016b5c0e2ad0932
SHA5120936143634460194e5ab91bb5b6b72d3b44353f3f1329d73fd51a49c1b31de053e9771be5b919701a5b1002e68b0e6feff67d92ff1205922eeedb039b86e468d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\datareporting\glean\pending_pings\f657838d-d8a9-4e1c-ae77-869a1aef4593
Filesize982B
MD5dcc0de3434df1b28d1f186a8d0c016e7
SHA12294e8615ffb9f365f6c209fb4f2fc840b20a3c8
SHA256b8f83ed459be5cf864921acc878993697da0ef00e88b3073ce873a880bf2362e
SHA512f1b5f1b20b90b5d5e4962d65b590a69e9d3a121e4dec0c3f4f671e4bd41022718fc3fea0391b1fd1018c27e61a26f2619b512e0c12cf2681fafa6264720de836
-
Filesize
37KB
MD56336c3b6727e141bbc0e7dc5899e3d6c
SHA186eaabb72dd496c0d8e264161a174b280ecd7510
SHA256fae1fdfed5a1488cfe5f80545807eba3ec1b41b95e619dfa9c057b556c8813e0
SHA512a9a192dfe709e5854a7305aad59e5214e9073883e6a8a157895ffce632b7885f3f4f973a3bc650b00174839ca43c16901af1382ce3eed4c4c7f589f80b56520a
-
Filesize
5.0MB
MD537ec2879f8ddb2b4acbf969e1346678b
SHA1eaa2536aea1d6a81bed95c07091a075ae5f234d4
SHA25600490f11818f091a406417ef633c586a122a7db0ff33478c8e0bc6c9e860ef6e
SHA512aa006f70b4aaf8443026b5dc0ae57a0cb16114ded6c0d9bf2ef5a3728a30259abce6e2826242b69dec9876580b2af1293e403257ebc1ee55258371d2f759d8b0
-
Filesize
96KB
MD51d0ab923d1b17663f16f0bbb72a5bd2a
SHA111f4cd54804b842d23137a095078b0993ee6f090
SHA256a025cf719a6be18cb2b75372608ab700e96981e174edeb87e6eabdc5d492cc54
SHA5121b6ee1deab258de0516f92fd8108e964c7ee39b92696bcae40c71c4724c150f61cac865c613d484f32b1f5cb0066eb6bf9d434adee142f85726bf3a6c2e12926
-
Filesize
5.0MB
MD53ae512093c12a2694c20a72b089bdbef
SHA18aad114cc58a9e959341fe183bd335333ab54a42
SHA25603467bea506fc5d0d77c6a7213d88f8a5ab0c73bea2e97b905a91d959f602984
SHA512127bba3cc833790ddb04fda62fe50e1c54e88dc6c292158f10b9781662773dd25d16781095404e0b4996e14db33205cd4bcfce87e33fa7258db988f8981f2f25
-
Filesize
5.0MB
MD5d5028513823dc9eb24ab511da8c32bea
SHA19cb45045d57b91e502cb3cfc87392c54fd4db9f4
SHA256760d0b7eedc76218028ced7b1461493b569025380ce6b6cc59be4fccbb2ffa04
SHA512fdfd2e39151bdf61afe2ddf97241e7ce50539d132cec7d06eb4f53879bd1ff5609efbdb52bb54031f1eb3081b627c7ecfe76993ded32afaf5a4649191362b928
-
Filesize
11KB
MD58ce42ae987b263d43bb0afb090f0b4c3
SHA1253de806435ffc62e68977034a89152194d92ab4
SHA256d10a158b6d7205db7270519667bcd89d189958e9fe635d9f7d549fe818221fd4
SHA512d1c35ec736e2de2d75e49311715bb5aeb58ba410b9f0f49360bbe8c25e7e0aa6c3c0ce6b3d890e7c86993ad50b4ecb069628dbab449da22809d1c4c74db9041f
-
Filesize
11KB
MD5b1e98bb8733581f64f6eec0888f4c0b3
SHA1a7e1955722deae3b5c5a655413e4ecaf37137619
SHA2562184aab6fc0c1226acc48605283d0ef2434da7038b9217e30fe4cde3309f0526
SHA5120e3ec2d6aac03e1fc9d80bbf989051d6ddd173cf12dd16fea2e8045ac236b768196c8e1028682c2e33a26dbb027f3a3def8ef2b1f0ef07c19e24c02b453bd412
-
Filesize
11KB
MD52d28a2fd90a33610f06641b3932589d1
SHA1750f5446dccea9f9b98ac3bd9814ddde21179d53
SHA2565c56eb28b672c869dfe7be60bf57e872563dc7410c0f600bba56833233d90400
SHA51208c8c850fd5a93ba22f3a1d96b88f0ed1e30675ca7942383db4c1c668798439958246e894eb772344ed6d0ea3a525d5af81fb4a56efd90ab1244f96b602d07f5
-
Filesize
11KB
MD5c8b40b11f74ed920aa6b4a3c4e395547
SHA158a80ad470f7575a7d0aac3e84f6f3ec3daf3ea0
SHA25619bee0e0542d674d9813c85f8bd36ebbd9942430e93fa3b7657fe115f331955e
SHA512643268b3ae5bf4b208cac2ca672f948eb9d93993b7fdd5e676f72a07038e24cb5f7d08e4b8f3b302cbb647e44fc5c2f182effafc43a3b4274a0f734e71e5fb83
-
Filesize
11KB
MD528fef3027286fd3f3bbbf27d1d4486ac
SHA19e153518cb34b5d8e408fd0d327b862058d842de
SHA25602409f04ace122aa4113bbaef9c9b02a26f3c2fa663d9c360bdfdaac7ee90bc0
SHA51211d73357e1281c2073966975837bd430234c4b1a45f4c014c2cb46ea22eb5bdf56c2e2af63cd03c3a926d41c391b38474c88b744b7d34cbd275fe0769db30545
-
Filesize
64KB
MD576786a4c0dd19d88d6d3ed95a293bf2f
SHA1b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7
SHA2561a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31
SHA5128cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionCheckpoints.json
Filesize53B
MD5ea8b62857dfdbd3d0be7d7e4a954ec9a
SHA1b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a
SHA256792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da
SHA512076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionCheckpoints.json
Filesize90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionCheckpoints.json
Filesize146B
MD565690c43c42921410ec8043e34f09079
SHA1362add4dbd0c978ae222a354a4e8d35563da14b4
SHA2567343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d
SHA512c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionCheckpoints.json
Filesize288B
MD5948a7403e323297c6bb8a5c791b42866
SHA188a555717e8a4a33eccfb7d47a2a4aa31038f9c0
SHA2562fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e
SHA51217e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionCheckpoints.json
Filesize122B
MD599601438ae1349b653fcd00278943f90
SHA18958d05e9362f6f0f3b616f7bfd0aeb5d37967c9
SHA25672d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a
SHA512ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\sessionstore.jsonlz4
Filesize4KB
MD5de4e9d8d9c1034bfed5c3ff4ebdbaaf2
SHA10e44431d09bebd8805cce120e5efb76670b41d4a
SHA2568d121eb4af50aae5edd9cec0cd582a5cbf2bbaa7a9a1f9e5416c8fbc9a3ce1bb
SHA51238485d6d01fe2135204af84f5b9441b2572bad866a029156ea1622f3403ed4a000fde08772f9a27de494277152ed015b4f410559c571960fc03ecff9af0299d1
-
Filesize
4KB
MD5cc621161d1065a19ccd545c11ee8fdf0
SHA13d6c7d8fb444dfd34315dedb92f2ac6eede87568
SHA25634b47cdb679237c7ccdfdb7891ae5d51d1ba3dcc96efebcadde2ca5468c4d514
SHA5127f5a882765a2ba0fc28f249aee202ce6ba5f7bffc0863479de7ed0ce4756f072f9477a69e0e1fd2b5c04e52f1439710ba1b2be615e98ffca063ca40f9cb2f61a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++github.com\.metadata-v2
Filesize48B
MD5d8675c53124f6bb283ecc55df3bbd75f
SHA13140a341b497550d423f21467bbd68f870bd3501
SHA256d181d5481b1c0d5122763bd08b927dd8d504524dcf8e748e08684eca3e00f829
SHA5124dae107b48b7f19dc513e91bcaa68f0b7e14fa7118896ea91a19acf62fad2ae9b113ecbe64e900a3351194c6192c47f71c152dbca025ebe1fdcd2e460fa04709
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++github.com\ls\data.sqlite
Filesize12KB
MD530fefee9735b4b72046e389c10098a4a
SHA148f96a0982416f2ddcdb9e01902041671f5d9a37
SHA256145cb86fdea912f087e99b6e753d67568c800e1e63ea9c1120058b3927d8cc5c
SHA51277c60a4c29d207c6e1544acd774176da4c6c6ba8e0ac8d08b77aceecfd1a1aad0c81b8607c6d555515c981763fcc01ee24be59b60cb15fbd1fa02cdca7252762
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++github.com\ls\usage
Filesize12B
MD5195332f2c92d358733afd1523b48cd7a
SHA19b9b76e7d1960bc09a10dca42d50b0a93ca0e173
SHA25603f617d955a46a6575b0a0fb3b921be88a8cbc4298ba725c31ab0519c2bcac70
SHA512a46121bb9068043b24b177a349fa6902449cedc392d79eefc77a0fa3335020fb08f78745382dcd325085accc86a78600971f4064ec737648620e6fd17544740f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cmalwarewatch.org%29\.metadata-v2
Filesize97B
MD5831a7a698a902f040f18045e12cebd62
SHA1974a13c3073cdff812e17cfc5115f92d4dbd6315
SHA256b6b110d85021253f23d97448f9eab403be17ad86ef770dfd4d9cb9831a20eb95
SHA512a3020493b2f46c3149574dbac6549fd3e65890a7d81afbcc17e6257ebfeae5f9e9edbe2c718619bc70b6dec55d4ddfff82338748cac0a15d43d93ebf385c1ea3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cmalwarewatch.org%29\cache\.padding
Filesize8B
MD57dea362b3fac8e00956a4952a3d4f474
SHA105fe405753166f125559e7c9ac558654f107c7e9
SHA256af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc
SHA5121b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cmalwarewatch.org%29\cache\caches.sqlite
Filesize64KB
MD52366c83e0d361f11a90118dcec27f068
SHA165242444afd6cea7f4cb18119178dccd54913acd
SHA256e2011cea22ad0828ce84493394cc1e89990eafef77fa28ffb559ee89b267912d
SHA512dbd628d46e816ee8fb135bb88037c5df3596c03f3c25afcd1b9cb589396a9f5bdb53d62cfd6e5060b12ac80ba347df47673e6030dea96bd48abbb2e20b739844
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cmalwarewatch.org%29\ls\usage
Filesize12B
MD5a4b57866747aa8bc0828ccb259689903
SHA1b77c045f5580c81a6cd07a5e5d2271064aa52233
SHA256395c2160a5f25f4ebff4939482f032465544c7d1105b8f93b529552a1f8f7b88
SHA512f5e9b04e525e1bb7a913c3e02504f98b1f860cbc487029075c668cfb560bcf85855d7e48ad19586368becbb6157872b70a083a40081c2c109314ccbe9e5825b0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\default\https+++www.youtube.com^userContextId=5&partitionKey=%28https%2Cmalwarewatch.org%29\idb\2171031483YattIedMb.sqlite
Filesize48KB
MD5d523105fcf82e5afcd610b7b760950b7
SHA1d991bbf07b3113bddfa6e8a37e6c3c7dfcfeb6cf
SHA25611d93ff77c5c197e3340333a1112d4c684e8a0f7349564abf4fc1f62fd8d396a
SHA5129500220bc1d4dd9f8d0e44883db596fa9cf90403d15fe8657bac18c4b324582b78e2f5f93e2e30b33f16b3f56657a34c0242a8201f05d653e8583d23114b0dde
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
Filesize48KB
MD514dc17130da536e1b80b27db0f3af5b7
SHA1a56fafa691be67c212371d50ae5556899c938e02
SHA256022df7442484d1319d189d4664904342ccaf86d75de326d2a62b1bc7dbe78042
SHA5121d4f75fd26cba64d058750217d8bb74bd955dbf1180e58d5f12c952a96387809dba4ce5a56730a56eff93b5dab634f7e42182dbee40269ce6c3bd8e0f56b0f54
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize376KB
MD53e82010059e72a23d3dbd3256645ba97
SHA18d828495cba2bbbaea53c0cb60cf36d2a4332734
SHA25615b0de8369a2381ac007adfe7c9973162149557277cf196aeb4051fd29d0d012
SHA512408c356828af117e80756ad17723757f81b42b47542615417ce1cc8ee5fa320cd1880c138a8e5a556d7de406099d0c67de097f1b67bb3e0914821d529891b483
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5dqhm7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize584KB
MD541f0da9c5cd3658bc04f65c7e2347e8d
SHA14cd4d62f1baf3b51df63a11b4d989a45a6b1dd12
SHA256738d317bda543000b216ab0394a59797ab38b138d15e7add061290a80de3c835
SHA5127250b20c573c73ecc4792c1abd57aa8651b659bbad87f077672f3c7af89c858a1c85dad59184dfb821972dc194f9cc2371684ecb6d47e8d2fc1df91952974f9a
-
Filesize
120B
MD58d689c06cb844185099c0398a280537e
SHA157073c7526ec37e94bb9db44fedc6d50276f7a6b
SHA25696729e9b38f216605ff10715f96f364be32f02e2de23ede7e74b78244605124d
SHA5123c7df326c695143915df1068cb2c0f58e93e4881b2c4d94b33948b80e954fbd4cf944ae53b4d15002b79fcdb8e88f8e9cf4c89ca50f56b7cfd8a13ea7dd6fff8
-
Filesize
13.2MB
MD5c91d7a1930f4604c0864b4b1c43250dc
SHA13bc0a026f31fdfba10acb60ee33e20e60d8b12c2
SHA256235b4fe47137ba514de200c48a112ee4a3299f76382716c612c006a5218075d8
SHA51200c0eb476644c9e8cae683041a37cadc098165eaf92aab7fe1344bc7969c1b0c3b3f3589c063c2eff00e142729cbcb9d4b7a642b7ca415e5b4f99b328c05a46e
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
Filesize933B
MD57e6b6da7c61fcb66f3f30166871def5b
SHA100f699cf9bbc0308f6e101283eca15a7c566d4f9
SHA2564a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e
SHA512e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
Filesize240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
3.0MB
MD5fe7eb54691ad6e6af77f8a9a0b6de26d
SHA153912d33bec3375153b7e4e68b78d66dab62671a
SHA256e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA5128ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
C:\Users\Default\Desktop\@[email protected]
Filesize1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
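The dropped-files listing above is the raw material for a hash blocklist, but as extracted from the sandbox page the labels are sometimes fused onto their values ("Filesize933B", "MD57e6b..."), sometimes on their own line ("Filesize" / "37KB"), and some entries carry no path at all. The following is an added example written for this page, not code from the sandbox or from the wanakiwi project: a small Python parser for that listing as rendered here, a length/hex sanity check that catches truncated digests, and a deduplicated SHA256 set built only from entries that pass the check. The `Dropped` record and all function names are this example's own; the first three sample entries are copied from the listing, and the fourth is a constructed entry with a deliberately truncated SHA256.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Expected hex length of each digest as the report prints it.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# A label line with the value either fused on ("MD57e6b...", "Filesize933B")
# or absent (value follows on the next line). Trying SHA1 before SHA256/SHA512
# is safe: an "SHA2..."/"SHA5..." line cannot match "SHA1".
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class Dropped:
    """One dropped-file entry; path is None when the report omits it."""
    path: Optional[str] = None
    size: Optional[str] = None
    hashes: dict = field(default_factory=dict)

    def is_empty(self) -> bool:
        return self.path is None and self.size is None and not self.hashes


def _set(rec: Dropped, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
    else:
        rec.hashes[label] = value.lower()


def parse_report(text: str) -> list:
    """Split the listing into Dropped records; entries end with a lone '-'."""
    records, cur, pending = [], Dropped(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                      # entry separator
            if not cur.is_empty():
                records.append(cur)
            cur, pending = Dropped(), None
            continue
        if pending is not None:              # value for the label on the previous line
            _set(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2)
            if value:
                _set(cur, label, value)
            else:
                pending = label
            continue
        cur.path = line                      # anything else is the dropped path
    if not cur.is_empty():
        records.append(cur)
    return records


def check_hashes(rec: Dropped) -> list:
    """Digests that are missing, wrong length or not hex (extraction damage)."""
    bad = []
    for name, length in HASH_LEN.items():
        v = rec.hashes.get(name)
        if v is None or len(v) != length or not HEX_RE.match(v):
            bad.append(name)
    return bad


def unique_sha256(records: list) -> list:
    """Deduplicated SHA256 blocklist from entries whose SHA256 passes the check."""
    return sorted({r.hashes["SHA256"] for r in records if "SHA256" not in check_hashes(r)})


def by_path(records: list) -> dict:
    """Group entries by path; one path recurs once per write the sandbox captured."""
    groups = {}
    for r in records:
        groups.setdefault(r.path, []).append(r)
    return groups


# Constructed sample: three entries copied from the listing, in the fused and
# split label styles the page mixes, plus one damaged entry (SHA256 cut to 60 hex).
SAMPLE = r"""
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
Filesize933B
MD57e6b6da7c61fcb66f3f30166871def5b
SHA100f699cf9bbc0308f6e101283eca15a7c566d4f9
SHA2564a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e
SHA512e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3
-
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
Filesize240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
""" + "\n".join([
    r"C:\constructed\damaged.bin",       # hypothetical path, not from the report
    "Filesize1KB",
    "MD5" + "0" * 32,
    "SHA1" + "0" * 40,
    "SHA256" + "0" * 60,                  # truncated on purpose
    "SHA512" + "0" * 128,
    "-",
]) + "\n"
```

Paste the whole dropped-files section into `SAMPLE` to run it over the real report; entries the sandbox printed without a path land under the `None` key of `by_path`, and anything `check_hashes` flags should be re-read from the page before it goes into a blocklist, since a truncated digest will never match.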