wannacry | fe1858ea442d8f264ae1616507184e95f433e723f8f5ea7e7c8ba740cfca8fb1

Resubmissions

10-11-2024 10:00

241110-l1nfdaxpcr 10

10-11-2024 07:46

241110-jl9c7asgqe 10

Analysis

max time kernel
99s
max time network
101s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-11-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Size

2.2MB
MD5

4821592196d7f5466902107a156c7541
SHA1

beb4a53494038bcda85ab4dc8813e2b78d1f79cf
SHA256

fe1858ea442d8f264ae1616507184e95f433e723f8f5ea7e7c8ba740cfca8fb1
SHA512

aff0e32a792daa2a2666de75bf894c3550bf6ee4ee06efae1d3ec449e54eeafd89dfbdc6bf9de1a72cb001533ab8d887a857621b97e1c20ee1e3f6cb6bc5106f
SSDEEP

24576:VbLguVQhfdmMSirYbcMNgef0QeQjG/hYoAdN:VnFQqMSPbcBVQej/hIN

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (1934) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 4 IoCs

Processes:

2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXEEXCEL.EXEEXCEL.EXEfirefox.exeWINWORD.EXEEXCEL.EXEfirefox.exePOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEPOWERPNT.EXEEXCEL.EXEWINWORD.EXEEXCEL.EXEPOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies data under HKEY_USERS 8 IoCs

Processes:

2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

Processes:

EXCEL.EXEPOWERPNT.EXEWINWORD.EXEEXCEL.EXEPOWERPNT.EXEEXCEL.EXE

pid process

3696 EXCEL.EXE
5908 POWERPNT.EXE
5184 WINWORD.EXE
5184 WINWORD.EXE
2976 EXCEL.EXE
5092 POWERPNT.EXE
4368 EXCEL.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3092 firefox.exe
Token: SeDebugPrivilege 3092 firefox.exe

description	pid	process
Token: SeDebugPrivilege	3092	firefox.exe
Token: SeDebugPrivilege	3092	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

Processes:

firefox.exe

pid	process
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	process
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe
3092	firefox.exe

Suspicious use of SetWindowsHookEx 60 IoCs

Processes:

EXCEL.EXEfirefox.exePOWERPNT.EXEWINWORD.EXEEXCEL.EXEPOWERPNT.EXEEXCEL.EXE

pid	process
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3696	EXCEL.EXE
3092	firefox.exe
5908	POWERPNT.EXE
5908	POWERPNT.EXE
5908	POWERPNT.EXE
5908	POWERPNT.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
5184	WINWORD.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
2976	EXCEL.EXE
5092	POWERPNT.EXE
5092	POWERPNT.EXE
5092	POWERPNT.EXE
5092	POWERPNT.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE
4368	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 4368 wrote to memory of 3092	4368	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 2292	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe
PID 3092 wrote to memory of 3476	3092	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1672

C:\Users\Admin\AppData\Local\Temp\2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-11-10_4821592196d7f5466902107a156c7541_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3108

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\MoveDebug.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cd03062-a88e-4703-a209-ac35f48628f2} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" gpu
    3⤵
    PID:2292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2308 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7110c2b-51ea-4605-9571-71bf9e524afc} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" socket
    3⤵
    PID:3476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3108 -childID 1 -isForBrowser -prefsHandle 3112 -prefMapHandle 3216 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f9759da7-142b-409c-b21e-f6fc784a7fed} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" tab
    3⤵
    PID:5016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4040 -childID 2 -isForBrowser -prefsHandle 4032 -prefMapHandle 4028 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93765733-f78e-4b5b-9efc-8fe0d4dee122} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" tab
    3⤵
    PID:224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {727d5997-9528-4658-ac08-29c5db7fd9bd} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" utility
    3⤵
    - Checks processor information in registry
    PID:5440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14e7bcfb-9199-4b92-964e-67a38c9e5c34} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" tab
    3⤵
    PID:5928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f236038-a617-4554-87ab-28e3539fc950} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" tab
    3⤵
    PID:5940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5760 -childID 5 -isForBrowser -prefsHandle 5768 -prefMapHandle 5776 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d95395a-7c4d-4ebb-b631-f36b644a7319} 3092 "\\.\pipe\gecko-crash-server-pipe.3092" tab
    3⤵
    PID:5952

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Documents\ConvertDisable.potx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5908

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\AssertMount.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5184

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\DenyMount.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Documents\ExitRegister.ppt" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Documents\MoveClear.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
11653bc135563ea466daff1882772382

SHA1
51317ff25023c9f49c7b9196f19dceba366e3595

SHA256
a014d201f4df2deb0a710bf9aa5ebcfe1bef9b900b185fbe12af15c8c044a757

SHA512
af2b67dd9dd714e505239c29187ce8cd59c9575937ab6526618196cac5773b01000eebf6a12b3b62afb4264ccdaaceb01595eb433ba0c94b0148addc6a5d764c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
ea001cde4e556d5a9d0dc411067f9bf6

SHA1
f10de8c70049b9483bf6009ca6c6dbd8b62ae1ca

SHA256
99b223d60ab81d3d42db20312170a33df1be99ee75c9dc70664dc7f872bf629d

SHA512
f8440c7b42a70a9fbda5fff3140b8cc2a31a7f38c07f8de4c658337c6473fa0fc0722ad34b940d97ca7848d0dea607ab883def7e4d792b7ecc0e766219311602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Excel.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\EC12D480-9A3A-4198-880C-AF86829599F5

Filesize
174KB

MD5
4809bb18114a4ec003fafa409eaf9e39

SHA1
6441bd7929bf679ae2ab981894b60dfb2dbefba9

SHA256
dcc8ed1c405f5b01a1a51a48813e278754f558a49dae0b8f6563f8cb457c0146

SHA512
d6fc7a3756d80fd82adbc619b2b3be976dfe55fc682b9ce98dc9992283962bb72719265b1b8b57c720dc0166fd903e19006c5c38bd783819bcba7e2d4328067d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml

Filesize
320KB

MD5
d356e2cd5f911b7f0eae0e36b1ca5169

SHA1
5da8e4450b716defce43e473b3c9d8f7d45c0ace

SHA256
bbc44b490dffb69bb837f401b06413104ee084bceef80483dbe414a9b59be275

SHA512
31b8e195fed86e2e1cb2000ca54500e6d7304d88bbf3f05a928ae8e1234c911723257a637d1ec087951d6fb2753eb57ec91f3bb1a912ff43455521c890e52220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\powerpnt.exe_Rules.xml

Filesize
372KB

MD5
8c6ce878c9ce65fa10ecce1128a45a25

SHA1
7cfd67175b4e97c997f2bae6408acbf4da61e42d

SHA256
6a8c47b97a90e1bbed71f878b06d35012b0b59cc8427c28d30d9d60f4f4ee897

SHA512
13e81c87e8712471cc9f75096f6644a34db82fc36d53e9981c940b9677f8ba935b8e5ec2b773d53501aed97a8957eed5d67d969bf2f5d3ccbca2bcfac1677131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
8e02778519b92ffd60eab3d073bb84cc

SHA1
db70000b974d0d56650aaf69d0dad8f79837b859

SHA256
30de5ef4fbe3c31fdbb47f6310f0aba44704683ba37f9a46f737acf97ad50f94

SHA512
c318e729aad824e63dbb78abbecb7041d698439ee03e7b1f045d1931b4166acfcbddaae5176831cd0a18355c11c85179c679aa6ade41852d5421ce26ab814d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
15KB

MD5
9ba4fcb2ffba4fc375086d4c55a3f931

SHA1
9125f425b8eeccdf7e17ffc9c157bb2f2a02491d

SHA256
49e6279d2491811b4cab5746a26ba6fd7986f20e13140090dd68657d2164fc9f

SHA512
a1db6c5b124740a5466de8f76440b223bb51fd200244849d8c192585378844ea204787bb97bfec6d50e85a7dab996ff3cfcb4fe380daa3aee2c39bcb5a0d05b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
18KB

MD5
d003ecc7484c45bae83c09e3d397322f

SHA1
ba1a4493a01daf2b4b46a911e03dca1d9033444f

SHA256
74a8bd2293a4deb1ce62e3dc35366bdce2075c77a4003e4bf5297bcb131f100f

SHA512
d4e4eebc739bf2476b20a9f0371a19fbc74984cfa7a6128da6c19aec0bd437d90f37238f0e05c0c175480f9e889de572bb8f93c8b8003aea796ecb9d8b5b2c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
085ebd119f5fc6b8f63720fac1166ff5

SHA1
af066018aadec31b8e70a124a158736aca897306

SHA256
b8411fe8ec499074fca9047f6983d920279e84ddf3b02b2dd5c08cf07ec44687

SHA512
adb0522830db26123347cb485c43b156f5c888510e52091ba0fafc22b650ad29630c027746c920321905c28259dce7ff63dded93a79efddd5567c68312117875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db

Filesize
24KB

MD5
33eea2792b9fa42f418d9d609f692007

SHA1
48c3916a14ef2d9609ec4d2887a337b973cf8753

SHA256
8f7807c324626abc2d3504638958c148e2e3f3e212261f078940cf4c5f0c4fbb

SHA512
b2dbfcdf2599c38c966c5ebce714a5cd50e2f8b411555acf9f02b31b9c29b8ab53a9afa9d32bab87a06e08f8b2c7818d600773f659a058c8af81c50be7f09b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\powerpnt.exe.db

Filesize
24KB

MD5
a6064fc9ce640751e063d9af443990da

SHA1
367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a

SHA256
5f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c

SHA512
0e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
7439046746f29ccd9ec91cf9ee11aaaa

SHA1
9ab7168aeab65c741c38f262900fb911c483619c

SHA256
6d8a5bf9d70635ecfd9e07af952616bf67e52d461c16cba37bb548201ed13385

SHA512
ce00d570b28a007cda1516d6844e9737ba7c55a4e4564b5cf2b276385e32775b71a2fcfc95ab840288a57ac9d9a05ab73d7bb8663c91d72445a440cb29027893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
d907ff30b2a44ee7035c05be940084c3

SHA1
07a1faec958300a6b7fd4204afffc8b2b40c46d6

SHA256
93a4b5f74e2122cfc66ea2a880ce95dde9535e78ed360229f3f4a048a05cf2a8

SHA512
831715b886d9f25e97c01a08b920382a79f5e8e796393c85ff25f29a158e08c5ca7cf73d3117856edd6be6d53ea577886b8e69ae1e86b45df031c6705d4f3888

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
375B

MD5
c733a6b1eb5c61cfd197c1ada123d040

SHA1
9ec5c1a9672b1ebfd13c0aed2c74863d4726358f

SHA256
f7ed903ec02a0065187336db74aa0bb751591dffaa061be0d6ac41bbfc16286f

SHA512
5465c8832031ae146101e1dec00826662a29143f3009ecc768a4b1e47b28b5cdf582edd2d56a8bf7048e18b44b84653b77c989a60392d0ddd53ce1a8cdbfc07e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
397B

MD5
e5e0846a862f69d141354ac74d33e43b

SHA1
9f4c13eafa9f76d368d2daa1885db47c7704d469

SHA256
03ce680b1456edb5f320eda12d3e68943d89f2bb8654c73748d376bf2e5000f4

SHA512
f58c8f5bab70b9b5ba8352d1e0025f7f8377826da48df1873b8e76252ec5b683cb72a3fc4e35a9d5cf256039e1da6a85523893df5a932b97c3943dc1215c6af6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
397B

MD5
e7a8d8d1c7e761b2c1676c572b1ef364

SHA1
affc0a7f681e195ed60c59e61d10b4737f1ea220

SHA256
0067984a49240648fc2abb02589b23a8b987cea16da742e83bb7d35eddefcdf8

SHA512
fc5d45efdbe1771232ea75b608dbbbf67279270ba004b2b0dfac8043a3123d9bd27dde80c58aeaf5fd8027fcf916ad4b3e828b773aa857b1818ce11da8e617c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
394B

MD5
ba62d139be374f41f6d02bf70ef2d203

SHA1
6d97c55b2c14b74422041e8381d05728899ef04e

SHA256
a89b6f0db621c7d9eda7671c3fc6a7fff851bd308e5b5f23a959620a44539f13

SHA512
bc8c66cd1b9bc832704a4910fb495d343f3a9030a0c0e4d5f0b0f42d8f1577e0f8fb7c3731697f11a8930b9bfa836579026d500fb959209f3e420726dc182181

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\AlternateServices.bin

Filesize
8KB

MD5
b050b7f1da40c2110786c62ecb69a698

SHA1
686b525098f1ff8655d691e1615952dfb21c5466

SHA256
7450eb74460c645230df0b403ba5df3d7895190b735cc04dbaf2cf1e47113e68

SHA512
3db2534642d25f1a3fab3bee3ccca4e860ea2a467cbd6627801e8069342170298a2aa3e1ff2919a05b5177aa10568be52b3f268d4129b60bad10f6744753ab1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ed09788e3d81eb3746205c16ec6fd361

SHA1
3f9ec1095439f454811f23dccf9f482feed3d1ed

SHA256
08b4e71e15b68c58329fb9c0879a0a08d86dadae4a809b7091780997cb5c0528

SHA512
f0a9c4252affe82912f04036c8bcfd67ca7cf1f5a4b89ef5528b2acf442f498c2a257c79f6a82f539c3a666593f6cbb1b3d1d6b35d8f5780657dab10afb919da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
4d4eec28604a924c6cef654c18e7035c

SHA1
5201aa3cab911a161f631caf23c95a81962eb03d

SHA256
757bce9660e900c0c79901eb121b658b7c8d89ccf6caf2fb6afb08698cc4eab3

SHA512
5d2d8c25b873df62f93ec916992eaa3dbd6df5bad3c8e7822dacefe06e1cca44c656cbf773c1e812f8c8344ea61c57ee7d4302ed47ffc276138438413070f326

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\1963527f-8004-4e0e-bc91-8a00aa3470d7

Filesize
25KB

MD5
5c2c9dd5abcf982eaca8c31bfe248baa

SHA1
b176e86b0581c7779726fbf69a2116efbfb2b907

SHA256
2bbadef687a3b19a8087b7472d6bb57a8dd8422c8f59913fb3eea36af6a289d3

SHA512
866ed075c8ed4795db46b2e566930643b81ee7ae50bb2372628185afbbf79216ced0f39ef5ff50f1a6d0052b5de6b83c4fc749e3f2716ce363d42e3bf29f9776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\bb169fbd-823f-4296-81ee-25196ae2ac3a

Filesize
671B

MD5
100b239ddd93f95c63842b9736fc131e

SHA1
e59b7dd73614f4822e46444ed8eba1cd9d5c3016

SHA256
cd25adbcfecbfb10693e5c19264e10ddb40587e3c66ebb8ad8413ecd42508ede

SHA512
b82feb25a9a07cb8ee385860748e8748b3342e22461fdedf83cd2c57e73147e6fcca4a2773d198eec0481b2333f9f2c8acdb7a1049bc82a59d8f53a3973a0333

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\datareporting\glean\pending_pings\df42bbd9-aaee-4f95-a929-30835a471da5

Filesize
982B

MD5
eefc7cf441e55d5e8958033a00b4de70

SHA1
47db33542574dc05dc4f6ef73bfc6ebb67f043c2

SHA256
3f32a133094d56f1db151d34b5a2e897c936ca5e1dbabbf76b3a43826ff1090a

SHA512
13a9db65568accdc7fbab44d963b7b1b23fdec755d1f27b03353d4fc5fc032fb0af69d08076262c5228fd492c6b2151c64814003097b812326d7ba85da279cac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs-1.js

Filesize
11KB

MD5
ec8a7b986fe2068e9a7b50f6ef269189

SHA1
a0dba733c7a1af4e6d89a2bd6632735a40d585cf

SHA256
96fe8f6b948d75a0393482f53cb956459c1918cf0fa30c1d7e35818f95ea73a8

SHA512
56109c1d51b3e85f628dcc8823fe9ed2748e4000d7dd38312404a5c34b85c4e8d281d18fc049a618f43fdae97a5ba94fbf271dfcbd203f02ddc01d936126527c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\hohja4eo.default-release\prefs.js

Filesize
10KB

MD5
1d4f6c5f1d4207f97915febf7d4c9dd0

SHA1
aa571d020544fbb92ca8d2ce7ec62e17b8964a4f

SHA256
c47ede672c42e7877d9c30b86bbcfce25aef776f6ec2f391e579e35c17eb75f1

SHA512
9085bdb6dea276d3f517dbf6d342d73574f0e329c91c8ab537041b3793553c5e395c397dbfdf8d2882c92fee533861d2babe03125e5d3e1fcdabf79f2697ae49

Download Submit
memory/3696-8-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-13-0x00007FFFA0430000-0x00007FFFA0440000-memory.dmp

Filesize
64KB

Download
memory/3696-1-0x00007FFFE29CD000-0x00007FFFE29CE000-memory.dmp

Filesize
4KB

Download
memory/3696-4-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-20-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-19-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-14-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-5-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-2-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-6-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-0-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-62-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-61-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-58-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-59-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-60-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-3-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/3696-7-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-21-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-18-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-11-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-16-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-10-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-17-0x00007FFFA0430000-0x00007FFFA0440000-memory.dmp

Filesize
64KB

Download
memory/3696-15-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-9-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/3696-12-0x00007FFFE2930000-0x00007FFFE2B28000-memory.dmp

Filesize
2.0MB

Download
memory/5092-588-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-570-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-571-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-568-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-587-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-589-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-590-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-569-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5092-572-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5184-481-0x00007FFFA0430000-0x00007FFFA0440000-memory.dmp

Filesize
64KB

Download
memory/5184-482-0x00007FFFA0430000-0x00007FFFA0440000-memory.dmp

Filesize
64KB

Download
memory/5908-360-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-363-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-362-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-361-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-364-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-474-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-473-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-472-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download
memory/5908-366-0x00007FFFA0430000-0x00007FFFA0440000-memory.dmp

Filesize
64KB

Download
memory/5908-365-0x00007FFFA0430000-0x00007FFFA0440000-memory.dmp

Filesize
64KB

Download
memory/5908-471-0x00007FFFA29B0000-0x00007FFFA29C0000-memory.dmp

Filesize
64KB

Download