cryptolocker | 9646a1e1b53f02e6b7d559ea0128e7c3f9c76378e02e3e8734064a9df7675cc8

Analysis

max time kernel
972s
max time network
974s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-11-2024 00:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

wildfire-test-pe-file.exe
Size

54KB
MD5

a01913203fc4c42d7e05bc8135ddcc24
SHA1

f6a792542cbe386d559700d452f7aea9617325c8
SHA256

9646a1e1b53f02e6b7d559ea0128e7c3f9c76378e02e3e8734064a9df7675cc8
SHA512

50ff3c475cc7b120d0dc2761a2aae118d4d33efc0185001f3ecc2d3508778eef4d0bd2a9a057593bc5f6ba29462c219204b7be2a426f6944e3e394bae93c7635
SSDEEP

768:9/EAAqxG0QqLccK+xL7scaOZ/IcGs8WbwnWh+6AXT2qEDnXbiPGEDUXnpT0rJmnU:CAc0QqgHW7/ZwcF8c6jELX+PupTNj

Score

10^/10

cryptolocker wannacry defense_evasion discovery evasion execution impact persistence phishing privilege_escalation ransomware spyware stealer trojan worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (107) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Disables RegEdit via registry modification 2 IoCs

evasion

Processes:

Annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

Annabelle.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	Annabelle.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

2712 NetSh.exe

pid	process
2712	NetSh.exe

Sets service image path in registry 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mssql.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ikkebobyouwjdn\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\ikkebobyouwjdn.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nirdvjrsntmukgy\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\nirdvjrsntmukgy.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ytzxnevtnssefxxc\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\ytzxnevtnssefxxc.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qmpjuiysdztzzt\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\qmpjuiysdztzzt.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aahckmjycdjmlbhbu\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\aahckmjycdjmlbhbu.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wpczgfgmpdlaikclp\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\wpczgfgmpdlaikclp.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fzxbxhzlbuzxav\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\fzxbxhzlbuzxav.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\yvkktkqzpqgwrevp\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\yvkktkqzpqgwrevp.sys"	mssql.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBABF.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBAD6.tmp	WannaCry.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 20 IoCs

Processes:

OneDriveSetup.exeOneDriveSetup.exeFileSyncConfig.exeOneDrive.exeWannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exeCryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeAnnabelle.exeDharma.exenc123.exemssql.exemssql2.exePetrWrap(1).exeSearchHost.exe

pid	process
3328	OneDriveSetup.exe
4352	OneDriveSetup.exe
4812	FileSyncConfig.exe
2216	OneDrive.exe
4004	WannaCry.exe
3776	!WannaDecryptor!.exe
3388	!WannaDecryptor!.exe
5160	!WannaDecryptor!.exe
5400	!WannaDecryptor!.exe
5344	!WannaDecryptor!.exe
2976	CryptoLocker.exe
5596	{34184A33-0407-212E-3320-09040709E2C2}.exe
868	{34184A33-0407-212E-3320-09040709E2C2}.exe
2356	Annabelle.exe
4396	Dharma.exe
5824	nc123.exe
2308	mssql.exe
3364	mssql2.exe
5188	PetrWrap(1).exe
5300	SearchHost.exe

Impair Defenses: Safe Mode Boot 1 TTPs 17 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

mssql.exeAnnabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ikkebobyouwjdn.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\IKKEBOBYOUWJDN.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\NIRDVJRSNTMUKGY.SYS	mssql.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1"	Annabelle.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\AAHCKMJYCDJMLBHBU.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\WPCZGFGMPDLAIKCLP.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\fzxbxhzlbuzxav.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ytzxnevtnssefxxc.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\QMPJUIYSDZTZZT.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\yvkktkqzpqgwrevp.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\YVKKTKQZPQGWREVP.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\wpczgfgmpdlaikclp.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\FZXBXHZLBUZXAV.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\YTZXNEVTNSSEFXXC.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\aahckmjycdjmlbhbu.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\nirdvjrsntmukgy.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\qmpjuiysdztzzt.sys	mssql.exe

Loads dropped DLL 41 IoCs

Processes:

FileSyncConfig.exeOneDrive.exe

pid	process
4812	FileSyncConfig.exe
4812	FileSyncConfig.exe
4812	FileSyncConfig.exe
4812	FileSyncConfig.exe
4812	FileSyncConfig.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe

Modifies system executable filetype association 2 TTPs 7 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

OneDriveSetup.exeOneDrive.exeOneDrive.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	OneDriveSetup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Annabelle.exeOneDriveSetup.exeWannaCry.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\""	OneDriveSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe"	Annabelle.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

FileSyncConfig.exe

description ioc process

File opened for modification C:\Users\Admin\OneDrive\desktop.ini FileSyncConfig.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

description	ioc	process
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	FileSyncConfig.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exeSearchHost.exe

description	ioc	process
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\D:	SearchHost.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
228	raw.githubusercontent.com
229	raw.githubusercontent.com
230	raw.githubusercontent.com
231	raw.githubusercontent.com
274	raw.githubusercontent.com
278	raw.githubusercontent.com

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OneDrive.exeOneDriveSetup.exeOneDriveSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OneDriveSetup.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Dharma.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3644 2724 WerFault.exe wmplayer.exe

pid	pid_target	process	target process
3644	2724	WerFault.exe	wmplayer.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

!WannaDecryptor!.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeOneDrive.exetaskkill.exe!WannaDecryptor!.exe!WannaDecryptor!.exePetrWrap(1).exewmplayer.exeunregmp2.exetaskkill.exemssql2.exeWannaCry.exe!WannaDecryptor!.execmd.exewildfire-test-pe-file.exeOneDrive.execmd.exeCryptoLocker.exeFileSyncConfig.exetaskkill.execscript.exenc123.exetaskkill.exe!WannaDecryptor!.exeDharma.exeOneDriveSetup.execmd.exeSearchHost.exeOneDriveSetup.exeWMIC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PetrWrap(1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssql2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wildfire-test-pe-file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileSyncConfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exeTaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe

Checks processor information in registry 2 TTPs 35 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exeOneDrive.exeEXCEL.EXEfirefox.exefirefox.exeOneDrive.exefirefox.exeTaskmgr.exefirefox.exeTaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OneDrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2020 vssadmin.exe
5072 vssadmin.exe
4056 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5608 taskkill.exe
5844 taskkill.exe
660 taskkill.exe
3956 taskkill.exe

pid	process
2020	vssadmin.exe
5072	vssadmin.exe
4056	vssadmin.exe

pid	process
5608	taskkill.exe
5844	taskkill.exe
660	taskkill.exe
3956	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

OneDrive.exeOneDrive.exeOneDriveSetup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDrive.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	OneDriveSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OneDrive.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "186"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

OneDriveSetup.exeOneDrive.exeOneDrive.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{0776ae27-5ab9-4e18-9063-1836da63117a}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\HELPDIR	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\ThreadingModel = "Apartment"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\VersionIndependentProgID\ = "StorageProviderUriSource.StorageProviderUriSource"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\TypeLib	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileCoAuth.exe"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{AEEBAD4E-3E0A-415B-9B94-19C499CD7B6A}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\shell\import	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\ContextMenuOptIn	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\ = "ErrorOverlayHandler Class"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}\TypeLib\Version = "1.0"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ = "IUnmapLibraryCallback"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}\TypeLib	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2}\ = "IUnmapLibraryCallback"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\FileSyncClient.AutoPlayHandler.1	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\20.084.0426.0007\\amd64\\FileSyncShell64.dll"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\TypeLib\Version = "1.0"	OneDrive.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{9D613F8A-B30E-4938-8490-CB5677701EBF}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\FileSyncClient.FileSyncClient	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\FileSyncClient.AutoPlayHandler.1\CLSID	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{5d65dd0d-81bf-4ff4-aeea-6effb445cb3f}\TypeLib\Version = "1.0"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\ProgID	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\FileSyncClient.FileSyncClient\CurVer	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{466F31F7-9892-477E-B189-FA5C59DE3603}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}"	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7}\ProxyStubClsid32	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ProxyStubClsid32\ = "{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}"	OneDrive.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{F062BA81-ADFE-4A92-886A-23FD851D6406}	OneDriveSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32	OneDrive.exe

NTFS ADS 7 IoCs

Processes:

CryptoLocker.exefirefox.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe
File created	C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Dharma.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PetrWrap:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\PetrWrap(1):Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 5 IoCs

Processes:

OneDrive.exeOneDrive.exevlc.exeEXCEL.EXEvlc.exe

pid process

4248 OneDrive.exe
2216 OneDrive.exe
3204 vlc.exe
396 EXCEL.EXE
2800 vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OneDrive.exeOneDriveSetup.exeOneDriveSetup.exeOneDrive.exeTaskmgr.exeTaskmgr.exe

pid	process
4248	OneDrive.exe
4248	OneDrive.exe
3328	OneDriveSetup.exe
3328	OneDriveSetup.exe
3328	OneDriveSetup.exe
3328	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
4352	OneDriveSetup.exe
2216	OneDrive.exe
2216	OneDrive.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

vlc.exevlc.exeTaskmgr.exe

pid process

3204 vlc.exe
2800 vlc.exe
900 Taskmgr.exe

pid	process
3204	vlc.exe
2800	vlc.exe
900	Taskmgr.exe

Suspicious behavior: LoadsDriver 32 IoCs

Processes:

mssql.exe

pid	process
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe
2308	mssql.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exeOneDriveSetup.exeOneDriveSetup.exeTaskmgr.exewmplayer.exeunregmp2.exefirefox.exeTaskmgr.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1528	firefox.exe
Token: SeDebugPrivilege	1528	firefox.exe
Token: SeIncreaseQuotaPrivilege	3328	OneDriveSetup.exe
Token: SeIncreaseQuotaPrivilege	4352	OneDriveSetup.exe
Token: SeDebugPrivilege	1752	Taskmgr.exe
Token: SeSystemProfilePrivilege	1752	Taskmgr.exe
Token: SeCreateGlobalPrivilege	1752	Taskmgr.exe
Token: 33	1752	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	1752	Taskmgr.exe
Token: SeShutdownPrivilege	2724	wmplayer.exe
Token: SeCreatePagefilePrivilege	2724	wmplayer.exe
Token: SeShutdownPrivilege	920	unregmp2.exe
Token: SeCreatePagefilePrivilege	920	unregmp2.exe
Token: SeDebugPrivilege	3328	firefox.exe
Token: SeDebugPrivilege	3328	firefox.exe
Token: SeDebugPrivilege	3328	firefox.exe
Token: SeDebugPrivilege	3328	firefox.exe
Token: SeDebugPrivilege	3328	firefox.exe
Token: SeDebugPrivilege	900	Taskmgr.exe
Token: SeSystemProfilePrivilege	900	Taskmgr.exe
Token: SeCreateGlobalPrivilege	900	Taskmgr.exe
Token: SeDebugPrivilege	3956	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	5608	taskkill.exe
Token: SeDebugPrivilege	5844	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4824	WMIC.exe
Token: SeSecurityPrivilege	4824	WMIC.exe
Token: SeTakeOwnershipPrivilege	4824	WMIC.exe
Token: SeLoadDriverPrivilege	4824	WMIC.exe
Token: SeSystemProfilePrivilege	4824	WMIC.exe
Token: SeSystemtimePrivilege	4824	WMIC.exe
Token: SeProfSingleProcessPrivilege	4824	WMIC.exe
Token: SeIncBasePriorityPrivilege	4824	WMIC.exe
Token: SeCreatePagefilePrivilege	4824	WMIC.exe
Token: SeBackupPrivilege	4824	WMIC.exe
Token: SeRestorePrivilege	4824	WMIC.exe
Token: SeShutdownPrivilege	4824	WMIC.exe
Token: SeDebugPrivilege	4824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4824	WMIC.exe
Token: SeRemoteShutdownPrivilege	4824	WMIC.exe
Token: SeUndockPrivilege	4824	WMIC.exe
Token: SeManageVolumePrivilege	4824	WMIC.exe
Token: 33	4824	WMIC.exe
Token: 34	4824	WMIC.exe
Token: 35	4824	WMIC.exe
Token: 36	4824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4824	WMIC.exe
Token: SeSecurityPrivilege	4824	WMIC.exe
Token: SeTakeOwnershipPrivilege	4824	WMIC.exe
Token: SeLoadDriverPrivilege	4824	WMIC.exe
Token: SeSystemProfilePrivilege	4824	WMIC.exe
Token: SeSystemtimePrivilege	4824	WMIC.exe
Token: SeProfSingleProcessPrivilege	4824	WMIC.exe
Token: SeIncBasePriorityPrivilege	4824	WMIC.exe
Token: SeCreatePagefilePrivilege	4824	WMIC.exe
Token: SeBackupPrivilege	4824	WMIC.exe
Token: SeRestorePrivilege	4824	WMIC.exe
Token: SeShutdownPrivilege	4824	WMIC.exe
Token: SeDebugPrivilege	4824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4824	WMIC.exe
Token: SeRemoteShutdownPrivilege	4824	WMIC.exe
Token: SeUndockPrivilege	4824	WMIC.exe
Token: SeManageVolumePrivilege	4824	WMIC.exe
Token: 33	4824	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exeOneDrive.exeOneDrive.exeTaskmgr.exe

pid	process
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
1528	firefox.exe
4248	OneDrive.exe
4248	OneDrive.exe
4248	OneDrive.exe
4248	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

OneDrive.exeOneDrive.exeTaskmgr.exevlc.exevlc.exeTaskmgr.exe

pid	process
4248	OneDrive.exe
4248	OneDrive.exe
4248	OneDrive.exe
4248	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
1752	Taskmgr.exe
3204	vlc.exe
3204	vlc.exe
3204	vlc.exe
2800	vlc.exe
2800	vlc.exe
2800	vlc.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe
900	Taskmgr.exe

Suspicious use of SetWindowsHookEx 58 IoCs

Processes:

firefox.exeOneDrive.exeOneDrive.exevlc.exeEXCEL.EXEvlc.exefirefox.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exemssql.exemssql2.exeSearchHost.exeLogonUI.exe

pid	process
1528	firefox.exe
4248	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
2216	OneDrive.exe
3204	vlc.exe
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
396	EXCEL.EXE
2800	vlc.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3776	!WannaDecryptor!.exe
3776	!WannaDecryptor!.exe
3388	!WannaDecryptor!.exe
3388	!WannaDecryptor!.exe
5160	!WannaDecryptor!.exe
5160	!WannaDecryptor!.exe
5400	!WannaDecryptor!.exe
5400	!WannaDecryptor!.exe
5344	!WannaDecryptor!.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
2308	mssql.exe
3364	mssql2.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
3328	firefox.exe
5300	SearchHost.exe
2308	mssql.exe
3084	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 4476 wrote to memory of 1528	4476	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4908	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe
PID 1528 wrote to memory of 4844	1528	firefox.exe	firefox.exe

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	Annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Annabelle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\wildfire-test-pe-file.exe
"C:\Users\Admin\AppData\Local\Temp\wildfire-test-pe-file.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2096

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
PID:4184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b46155a-67c6-4a96-bfc2-40c3def9e9d8} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" gpu
    3⤵
    PID:4908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9440f47a-4fe6-4be4-9b67-7cf20d535ea6} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" socket
    3⤵
    - Checks processor information in registry
    PID:4844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3312 -childID 1 -isForBrowser -prefsHandle 1388 -prefMapHandle 3292 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f55bee3-b915-4c73-b5a7-06fdc98243a5} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
    3⤵
    PID:3512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c686dba5-b087-4667-b278-59f57ba13cee} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4604 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 1456 -prefMapHandle 1460 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56414574-0a4e-4f23-9274-1c505280f8ab} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" utility
    3⤵
    - Checks processor information in registry
    PID:2728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5340 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4237db96-f54b-4699-a480-2b1f29fe3e2b} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
    3⤵
    PID:2336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5584 -prefMapHandle 5580 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce8fce36-92f6-463f-be56-774b0a697040} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
    3⤵
    PID:3688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c07bccc8-06f5-4236-9808-9d97ae5774ea} 1528 "\\.\pipe\gecko-crash-server-pipe.1528" tab
    3⤵
    PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2568

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4248
- C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
  "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /enableExtractCabV2
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4352
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileSyncConfig.exe
      "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileSyncConfig.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      PID:4812
  - - C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe
      /updateInstalled /background
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system executable filetype association
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:2216

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1752

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2724
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  PID:576
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 1632
  2⤵
  - Program crash
  PID:3644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 2724 -ip 2724
1⤵
PID:2548

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ExitAssert.wvx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\UninstallRepair.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:396

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartDisconnect.3g2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EditClear.cmd" "
1⤵
PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EditClear.cmd" "
1⤵
PID:2884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1948
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1852 -parentBuildID 20240401114208 -prefsHandle 1780 -prefMapHandle 1668 -prefsLen 23678 -prefMapSize 244741 -appDir "C:\Program Files\Mozilla Firefox\browser" - {098b066b-6c9c-4458-975e-8d9cb72d834b} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" gpu
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20240401114208 -prefsHandle 2184 -prefMapHandle 2180 -prefsLen 23678 -prefMapSize 244741 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e1862e1-6835-4e3b-834b-2c8a9166aaf8} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" socket
    3⤵
    - Checks processor information in registry
    PID:5000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2960 -childID 1 -isForBrowser -prefsHandle 3176 -prefMapHandle 3184 -prefsLen 24177 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {838fe553-88dd-451b-9709-f43f0aab2106} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:2024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 2 -isForBrowser -prefsHandle 3796 -prefMapHandle 3792 -prefsLen 29410 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a31d87ea-92b9-4bc0-9af0-df4d9eb0588c} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4464 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4436 -prefMapHandle 4456 -prefsLen 29464 -prefMapSize 244741 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec768ebc-09d7-4821-8677-56dfb6489572} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" utility
    3⤵
    - Checks processor information in registry
    PID:5360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5208 -childID 3 -isForBrowser -prefsHandle 5152 -prefMapHandle 5176 -prefsLen 27320 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3625a34-6596-4b6a-99eb-c0ba4b3a8011} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5356 -childID 4 -isForBrowser -prefsHandle 5288 -prefMapHandle 5292 -prefsLen 27320 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0766b581-1d54-4c1b-857a-87e4382afb34} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:5920
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5612 -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5524 -prefsLen 27320 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3376f031-3396-4628-98db-51a44bd0520e} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:5952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4816 -childID 6 -isForBrowser -prefsHandle 1044 -prefMapHandle 5972 -prefsLen 27320 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {920f4a6c-5189-4ee2-9d9b-59bd17533715} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:5200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 7 -isForBrowser -prefsHandle 5512 -prefMapHandle 5520 -prefsLen 28107 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {486dfeb5-ffb8-406c-8ff6-75a16cb29e69} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:3696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2404 -childID 8 -isForBrowser -prefsHandle 3444 -prefMapHandle 3952 -prefsLen 28107 -prefMapSize 244741 -jsInitHandle 1084 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc64b3a8-db76-4360-b715-792ce6d243e2} 3328 "\\.\pipe\gecko-crash-server-pipe.3328" tab
    3⤵
    PID:2504
- - C:\Users\Admin\Downloads\Annabelle.exe
    "C:\Users\Admin\Downloads\Annabelle.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - System policy modification
    PID:2356
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4056
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5072
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2020
  - - C:\Windows\SYSTEM32\NetSh.exe
      NetSh Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2712
- - C:\Users\Admin\Downloads\Dharma.exe
    "C:\Users\Admin\Downloads\Dharma.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4396
  - - C:\Users\Admin\Downloads\ac\nc123.exe
      "C:\Users\Admin\Downloads\ac\nc123.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5824
  - - C:\Users\Admin\Downloads\ac\mssql.exe
      "C:\Users\Admin\Downloads\ac\mssql.exe"
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Impair Defenses: Safe Mode Boot
      Suspicious behavior: LoadsDriver
      Suspicious use of SetWindowsHookEx
      PID:2308
  - - C:\Users\Admin\Downloads\ac\mssql2.exe
      "C:\Users\Admin\Downloads\ac\mssql2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3364
  - - C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
      "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5300

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:900

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 18791731543755.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5904
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2896
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:660
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5176
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3800
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6056

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:4636

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:2976
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5596
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000244
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:868

C:\Users\Admin\Downloads\PetrWrap(1).exe
"C:\Users\Admin\Downloads\PetrWrap(1).exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5188

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38f9855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
d428775ff66534c1febbb52907abc635

SHA1
aa75060a99a35f637dbdd6628bbaff01f7de3beb

SHA256
bc3cebb0f82781c6bc07fcbda09a62f9ac521dd2b4f3952de9b3b37acb2e457f

SHA512
31bab6e93c8fa4c1fe1ca5d6d6f228ac38d3a26bbe67c44e9b615c78ae3012c5e9eaa4430c6c6483dd38bd5f74731cc14d4786a502f276458fda3c86d5f6671a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
d0a14ce9f31e13cc9fdf9723f449a477

SHA1
a4b5786d90926d47cb83c85e13ae06cde7953534

SHA256
ef59357248fd359afef16919c89c65462f1fc035eded67df40d0664e7d43f16c

SHA512
dfdee0838b8c8ee110900c02a80ba660241df57b53b061dcc4ff9fdd8fdfeeb9746496df542dac0c240e90fb014a9ce6d394329c58ed48cbdceae7728255f240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\ETWlog.dll

Filesize
23KB

MD5
4514c650d8136a09a1a7771caac9e3cb

SHA1
536eb5965ed6fc834aaf65d3bf705d007fe3f14e

SHA256
f3e7b7946d28db202804f2c51c522f368e3b6e4f1be8dbe8099dbcd6e27f9c32

SHA512
f36a9f31f57b599b8c44bc0e3656a411a4f7e4a837dc47b4d423c98780e0f1ccbcdfaf74a4c67aa35253e855c7f1c5badde7912f3fc3e47348d1e9ea32f35692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileSyncClient.dll

Filesize
4.2MB

MD5
c4b8d937ae7f739e00a52282d4d55513

SHA1
52ad10dacf437ff0b988963d6c6a9eb67f36ca3f

SHA256
14255fb4a3bed9b664a14a5cbdfd9e08f2c241066391bae2c58f753bb7015ad8

SHA512
5a9da91937603b0007f3269fd82debbc30706caca7dce7f6346f12d723f84de22a93b711b406252ab498d0be662a338b389e756458ecda11adae5b8cb71a8ffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileSyncConfig.exe

Filesize
363KB

MD5
9129d704b8cdcd7bd4a778ccad71eeac

SHA1
e20170e5e02a9d7525d2afba6c55580db38f9e5c

SHA256
7c999b9effe600451b2e78ae3f69215326c49708beeca3450dea2cb6414ddd44

SHA512
34cf78d71dc5581475b3e3349c4bec4a4402853f41ecd11614fa989a4f4552791c5ae0949db9a67b97ec6089d0020717a2b18215020062a1f4ca54a3b3a00978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileSyncSessions.dll

Filesize
4.2MB

MD5
6e5853ce88dc7bfbd508c8c6c12eea35

SHA1
109472aac7596e7b9f69e60964ddfa2e7202bc32

SHA256
21c301b46ed3ac447455e514501c86da900a4c9e501d275b226cf5d936e1b09c

SHA512
e5c0ca3f99324c2d961c47c9a2d002fbd5859a59c7e4f2619145645955bb2b2f445cbe59c7fa6bd4cf17a87d89e00e6fd5f232680ded1861d43172a4b1728fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\FileSyncViews.dll

Filesize
2.1MB

MD5
414823ee964f234c706c83b94e4b3787

SHA1
fabe403b6a2163650dcaa8262c1963822ff95000

SHA256
6ec84d4b9787e0b057d2e7e9e34761adcf687d42a04b88a15aa28f68bba8c72e

SHA512
fb00af6a321811f903a13a1f9fd80afed1959d9a9867c88be9a83ee1c4331c15242f379fb77bcc2f2144b5dd2c9f003252422b9273ce456e62fcdf8880d637e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LIBEAY32.dll

Filesize
1.2MB

MD5
e5d4c910b25c665739f3bd0b176535ea

SHA1
b3feccb085bd759f843ac8262c45920d7d45de35

SHA256
774aaf1786f05a349e4ac780bac267328f72f32261ec2b34bb1610f26fc980ed

SHA512
d3d2e8401f2eb90ecbb50c0303d81ab52f6ed4cd8e3b460fb72385d3928381bcc1107e1e70c1e07440c548f5e759bdd4eab2aae3b9b21a7c901c12b97152556f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogUploader.dll

Filesize
593KB

MD5
1391dea6c6875015c745fe0f848bd1b3

SHA1
6a4e66322187955897bd97f0dfc8e444e01ba5bf

SHA256
514c37d562241372fcbccb51f6da28106a78c4173b87b6405a8f7136446c3238

SHA512
942d2471f983c5b65e0da7bb41223c031ba8e59de2bc18c7f7da371599cbced84e606d895d40ade45d55ec55cd9d9793faf8ca8a001b369a6960cd896024c460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LoggingPlatform.DLL

Filesize
278KB

MD5
508609c300db17a41fb2931168d286c9

SHA1
18ed2cf22db59c9e3dea86a48fb98fda61624b91

SHA256
6984ed5a866c62208b631834566f2abad7cc433e13b652151f3a021a0d51254d

SHA512
576dbda21c0a34c8e1b9ccd0b213b21a78ed1490e7390c71441518cf9008e34491fbe5f11a656ddcd65b006b5f3e649a805e4020b467493668ccc84dd12702f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

Filesize
1KB

MD5
72747c27b2f2a08700ece584c576af89

SHA1
5301ca4813cd5ff2f8457635bc3c8944c1fb9f33

SHA256
6f028542f6faeaaf1f564eab2605bedb20a2ee72cdd9930bde1a3539344d721b

SHA512
3e7f84d3483a25a52a036bf7fd87aac74ac5af327bb8e4695e39dada60c4d6607d1c04e7769a808be260db2af6e91b789008d276ccc6b7e13c80eb97e2818aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

Filesize
1KB

MD5
b83ac69831fd735d5f3811cc214c7c43

SHA1
5b549067fdd64dcb425b88fabe1b1ca46a9a8124

SHA256
cbdcf248f8a0fcd583b475562a7cdcb58f8d01236c7d06e4cdbfe28e08b2a185

SHA512
4b2ee6b3987c048ab7cc827879b38fb3c216dab8e794239d189d1ba71122a74fdaa90336e2ea33abd06ba04f37ded967eb98fd742a02463b6eb68ab917155600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

Filesize
2KB

MD5
771bc7583fe704745a763cd3f46d75d2

SHA1
e38f9d7466eefc6d3d2aaa327f1bd42c5a5c7752

SHA256
36a6aad9a9947ab3f6ac6af900192f5a55870d798bca70c46770ccf2108fd62d

SHA512
959ea603abec708895b7f4ef0639c3f2d270cfdd38d77ac9bab8289918cbd4dbac3c36c11bb52c6f01b0adae597b647bb784bba513d77875979270f4962b7884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

Filesize
2KB

MD5
09773d7bb374aeec469367708fcfe442

SHA1
2bfb6905321c0c1fd35e1b1161d2a7663e5203d6

SHA256
67d1bb54fcb19c174de1936d08b5dbdb31b98cfdd280bcc5122fb0693675e4f2

SHA512
f500ea4a87a24437b60b0dc3ec69fcc5edbc39c2967743ddb41093b824d0845ffddd2df420a12e17e4594df39f63adad5abb69a29f8456fed03045a6b42388bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

Filesize
6KB

MD5
e01cdbbd97eebc41c63a280f65db28e9

SHA1
1c2657880dd1ea10caf86bd08312cd832a967be1

SHA256
5cb8fd670585de8a7fc0ceede164847522d287ef17cd48806831ea18a0ceac1f

SHA512
ffd928e289dc0e36fa406f0416fb07c2eb0f3725a9cdbb27225439d75b8582d68705ec508e3c4af1fc4982d06d70ef868cafbfc73a637724dee7f34828d14850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

Filesize
2KB

MD5
19876b66df75a2c358c37be528f76991

SHA1
181cab3db89f416f343bae9699bf868920240c8b

SHA256
a024fc5dbe0973fd9267229da4ebfd8fc41d73ca27a2055715aafe0efb4f3425

SHA512
78610a040bbbb026a165a5a50dfbaf4208ebef7407660eea1a20e95c30d0d42ef1d13f647802a2f0638443ae2253c49945ebe018c3499ddbf00cfdb1db42ced1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

Filesize
3KB

MD5
8347d6f79f819fcf91e0c9d3791d6861

SHA1
5591cf408f0adaa3b86a5a30b0112863ec3d6d28

SHA256
e8b30bfcee8041f1a70e61ca46764416fd1df2e6086ba4c280bfa2220c226750

SHA512
9f658bc77131f4ac4f730ed56a44a406e09a3ceec215b7a0b2ed42d019d8b13d89ab117affb547a5107b5a84feb330329dc15e14644f2b52122acb063f2ba550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

Filesize
3KB

MD5
de5ba8348a73164c66750f70f4b59663

SHA1
1d7a04b74bd36ecac2f5dae6921465fc27812fec

SHA256
a0bbe33b798c3adac36396e877908874cffaadb240244095c68dff840dcbbf73

SHA512
85197e0b13a1ae48f51660525557cceaeed7d893dd081939f62e6e8921bb036c6501d3bb41250649048a286ff6bac6c9c1a426d2f58f3e3b41521db26ef6a17c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

Filesize
4KB

MD5
f1c75409c9a1b823e846cc746903e12c

SHA1
f0e1f0cf35369544d88d8a2785570f55f6024779

SHA256
fba9104432cbb8ebbd45c18ef1ba46a45dd374773e5aa37d411bb023ded8efd6

SHA512
ed72eb547e0c03776f32e07191ce7022d08d4bcc66e7abca4772cdd8c22d8e7a423577805a4925c5e804ed6c15395f3df8aac7af62f1129e4982685d7e46bd85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

Filesize
8KB

MD5
adbbeb01272c8d8b14977481108400d6

SHA1
1cc6868eec36764b249de193f0ce44787ba9dd45

SHA256
9250ef25efc2a9765cf1126524256fdfc963c8687edfdc4a2ecde50d748ada85

SHA512
c15951cf2dc076ed508665cd7dac2251c8966c1550b78549b926e98c01899ad825535001bd65eeb2f8680cd6753cd47e95606ecf453919f5827ed12bca062887

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.scale-100.png

Filesize
2KB

MD5
57a6876000151c4303f99e9a05ab4265

SHA1
1a63d3dd2b8bdc0061660d4add5a5b9af0ff0794

SHA256
8acbdd41252595b7410ca2ed438d6d8ede10bd17fe3a18705eedc65f46e4c1c4

SHA512
c6a2a9124bc6bcf70d2977aaca7e3060380a4d9428a624cc6e5624c75ebb6d6993c6186651d4e54edf32f3491d413714ef97a4cdc42bae94045cd804f0ad7cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.scale-125.png

Filesize
4KB

MD5
d03b7edafe4cb7889418f28af439c9c1

SHA1
16822a2ab6a15dda520f28472f6eeddb27f81178

SHA256
a5294e3c7cd855815f8d916849d87bd2357f5165eb4372f248fdf8b988601665

SHA512
59d99f0b9a7813b28bae3ea1ae5bdbbf0d87d32ff621ff20cbe1b900c52bb480c722dd428578dea5d5351cc36f1fa56b2c1712f2724344f026fe534232812962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.scale-150.png

Filesize
5KB

MD5
a23c55ae34e1b8d81aa34514ea792540

SHA1
3b539dfb299d00b93525144fd2afd7dd9ba4ccbf

SHA256
3df4590386671e0d6fee7108e457eb805370a189f5fdfeaf2f2c32d5adc76abd

SHA512
1423a2534ae71174f34ee527fe3a0db38480a869cac50b08b60a2140b5587b3944967a95016f0b00e3ca9ced1f1452c613bb76c34d7ebd386290667084bce77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.scale-200.png

Filesize
6KB

MD5
13e6baac125114e87f50c21017b9e010

SHA1
561c84f767537d71c901a23a061213cf03b27a58

SHA256
3384357b6110f418b175e2f0910cffe588c847c8e55f2fe3572d82999a62c18e

SHA512
673c3bec7c2cd99c07ebfca0f4ab14cd6341086c8702fe9e8b5028aed0174398d7c8a94583da40c32cd0934d784062ad6db71f49391f64122459f8bb00222e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveMedTile.scale-400.png

Filesize
15KB

MD5
e593676ee86a6183082112df974a4706

SHA1
c4e91440312dea1f89777c2856cb11e45d95fe55

SHA256
deb0ec0ee8f1c4f7ea4de2c28ff85087ee5ff8c7e3036c3b0a66d84bae32b6bb

SHA512
11d7ed45f461f44fa566449bb50bcfce35f73fc775744c2d45ea80aeb364fe40a68a731a2152f10edc059dea16b8bab9c9a47da0c9ffe3d954f57da0ff714681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

Filesize
783B

MD5
f4e9f958ed6436aef6d16ee6868fa657

SHA1
b14bc7aaca388f29570825010ebc17ca577b292f

SHA256
292cac291af7b45f12404f968759afc7145b2189e778b14d681449132b14f06b

SHA512
cd5d78317e82127e9a62366fd33d5420a6f25d0a6e55552335e64dc39932238abd707fe75d4f62472bc28a388d32b70ff08b6aa366c092a7ace3367896a2bd98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

Filesize
1018B

MD5
2c7a9e323a69409f4b13b1c3244074c4

SHA1
3c77c1b013691fa3bdff5677c3a31b355d3e2205

SHA256
8efeacefb92d64dfb1c4df2568165df6436777f176accfd24f4f7970605d16c2

SHA512
087c12e225c1d791d7ad0bf7d3544b4bed8c4fb0daaa02aee0e379badae8954fe6120d61fdf1a11007cbcdb238b5a02c54f429b6cc692a145aa8fbd220c0cb2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

Filesize
1KB

MD5
552b0304f2e25a1283709ad56c4b1a85

SHA1
92a9d0d795852ec45beae1d08f8327d02de8994e

SHA256
262b9a30bb8db4fc59b5bc348aa3813c75e113066a087135d0946ad916f72535

SHA512
9559895b66ef533486f43274f7346ad3059c15f735c9ce5351adf1403c95c2b787372153d4827b03b6eb530f75efcf9ae89db1e9c69189e86d6383138ab9c839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

Filesize
1KB

MD5
22e17842b11cd1cb17b24aa743a74e67

SHA1
f230cb9e5a6cb027e6561fabf11a909aa3ba0207

SHA256
9833b80def72b73fca150af17d4b98c8cd484401f0e2d44320ecd75b5bb57c42

SHA512
8332fc72cd411f9d9fd65950d58bf6440563dc4bd5ce3622775306575802e20c967f0ee6bab2092769a11e2a4ea228dab91a02534beeb8afde8239dd2b90f23a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

Filesize
3KB

MD5
3c29933ab3beda6803c4b704fba48c53

SHA1
056fe7770a2ba171a54bd60b3c29c4fbb6d42f0c

SHA256
3a7ef7c0bda402fdaff19a479d6c18577c436a5f4e188da4c058a42ef09a7633

SHA512
09408a000a6fa8046649c61ccef36afa1046869506f019f739f67f5c1c05d2e313b95a60bd43d9be882688df1610ad7979dd9d1f16a2170959b526ebd89b8ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.scale-100.png

Filesize
1KB

MD5
1f156044d43913efd88cad6aa6474d73

SHA1
1f6bd3e15a4bdb052746cf9840bdc13e7e8eda26

SHA256
4e11167708801727891e8dd9257152b7391fc483d46688d61f44b96360f76816

SHA512
df791d7c1e7a580e589613b5a56ba529005162d3564fffd4c8514e6afaa5eccea9cea9e1ac43bd9d74ee3971b2e94d985b103176db592e3c775d5feec7aac6d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.scale-125.png

Filesize
2KB

MD5
09f3f8485e79f57f0a34abd5a67898ca

SHA1
e68ae5685d5442c1b7acc567dc0b1939cad5f41a

SHA256
69e432d1eec44bed4aad35f72a912e1f0036a4b501a50aec401c9fa260a523e3

SHA512
0eafeaf735cedc322719049db6325ccbf5e92de229cace927b78a08317e842261b7adbda03ec192f71ee36e35eb9bf9624589de01beaec2c5597a605fc224130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.scale-150.png

Filesize
3KB

MD5
ed306d8b1c42995188866a80d6b761de

SHA1
eadc119bec9fad65019909e8229584cd6b7e0a2b

SHA256
7e3f35d5eb05435be8d104a2eacf5bace8301853104a4ea4768601c607ddf301

SHA512
972a42f7677d57fcb8c8cb0720b21a6ffe9303ea58dde276cfe2f26ee68fe4cc8ae6d29f3a21a400253de7c0a212edf29981e9e2bca49750b79dd439461c8335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.scale-200.png

Filesize
4KB

MD5
d9d00ecb4bb933cdbb0cd1b5d511dcf5

SHA1
4e41b1eda56c4ebe5534eb49e826289ebff99dd9

SHA256
85823f7a5a4ebf8274f790a88b981e92ede57bde0ba804f00b03416ee4feda89

SHA512
8b53dec59bba8b4033e5c6b2ff77f9ba6b929c412000184928978f13b475cd691a854fee7d55026e48eab8ac84cf34fc7cb38e3766bbf743cf07c4d59afb98f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\LogoImages\OneDriveSmallTile.scale-400.png

Filesize
11KB

MD5
096d0e769212718b8de5237b3427aacc

SHA1
4b912a0f2192f44824057832d9bb08c1a2c76e72

SHA256
9a0b901e97abe02036c782eb6a2471e18160b89fd5141a5a9909f0baab67b1ef

SHA512
99eb3d67e1a05ffa440e70b7e053b7d32e84326671b0b9d2fcfcea2633b8566155477b2a226521bf860b471c5926f8e1f8e3a52676cacb41b40e2b97cb3c1173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\MSVCP140.dll

Filesize
431KB

MD5
fbb278dd819ee7eaa16cccfe56f65664

SHA1
025d0daaf6fb606b29782644c69615ffb0f0b05b

SHA256
c5ba698d1eaa0083165e0876f2357d9f00694280e57c9c2f81498e46a1569e27

SHA512
1f52a410d718c0e26d95809e273440e6f8a7eb5e16871d194e14b9d3a7a290cd31ef0de9c2b8830bc27246764e981692e40b5e8912c4e1c03801cf58aa4b86ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\OneDrive.VisualElementsManifest.xml

Filesize
344B

MD5
5ae2d05d894d1a55d9a1e4f593c68969

SHA1
a983584f58d68552e639601538af960a34fa1da7

SHA256
d21077ad0c29a4c939b8c25f1186e2b542d054bb787b1d3210e9cab48ec3080c

SHA512
152949f5b661980f33608a0804dd8c43d70e056ae0336e409006e764664496fef6e60daa09fecb8d74523d3e7928c0dbd5d8272d8be1cf276852d88370954adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\OneDrive.exe

Filesize
1.5MB

MD5
405c563037b5dabd5584bb04aa76806a

SHA1
26ae234e0e3995101e6491fbc770bfc7b7a0416b

SHA256
b2c0c62043f419aa2ed1ed5c479ae8be4028d94bdda2da39178b3de6ca692bf4

SHA512
dc805fe0f100b762d5f43995932db440e84d3b2626752af8ba39cfe348c480cf6192565a3238ac0a5b84861d0e03cd5f5fb969c050a580c76a2ad3fa2f08ae1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\OneDriveTelemetryStable.dll

Filesize
1.3MB

MD5
9997ce1ed9256acc60372eb42297187a

SHA1
b31ce0bb9b6513c23516bed499b0faaf240af227

SHA256
d02119d662b6680581427b7841454f74980cf3710a8540037672f21e7d2ac0f2

SHA512
a2853ca54a6cf276897111b30215c15db7f4a2735ac391f5db2af303233fb7ecc9ac5e8d228763e267f74dffaff36ff3f4fd29a93ee97a337b70798512c9775d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Qt5Core.dll

Filesize
4.7MB

MD5
2e79d0da59d10a557283d18638b29ffb

SHA1
62e7bdfa5f9f4f5759b200042e87ff3a3e9de387

SHA256
6a03e547820ea1b08a1543d359a94bc0ef1e341883777b234d07b05cb8f2366a

SHA512
ebfa85a9d311a5c46f2b2a20a16b1196430c12ba38b6fce39c9374f58bc08f042f29de3cc6293594e35658019d034901fef4922f3a1da24b78d9b8d6908309bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Qt5Gui.dll

Filesize
4.9MB

MD5
e7f5eabd334e6b5cc8675a24731429fd

SHA1
4790dc85213e6b7365e05f7f6cb0784b4730e3a4

SHA256
6dcbf998ac5c2cf9cd12f45c469424d7093fb6c74054be8a5d97fea2498067ce

SHA512
eac5b1b8d815ea36e0d654e842919e40f730550ae6266d44d44625c442c652b246049196a28886d1aa7616d29e89e0b65b134e8cffdd532d9e688a642aa19534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Qt5Network.dll

Filesize
951KB

MD5
25f26e8a5b95ff5b6ab35492598a38d9

SHA1
453a37abc6bdf399eaf55258fd7a25374d523b0b

SHA256
77570f82c74bed308aa9fbcb8b5e85b0bc58cb4205ecff0e4859d32a1aa2da23

SHA512
3c00214b090dad20c6937dd8e4cdba653b6792858a5525e4bb1700253dd5702dc30fc1ffbb6670a936800bb895a5e6aa7e5378c10fcd53790b05b2779669f65c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Qt5Qml.dll

Filesize
2.7MB

MD5
6265e62451c786f1349875bac8da3bb7

SHA1
c738cb32ce7983638915badec8df33764715165d

SHA256
ea994c603044999ff501e79635044ee3a70056bf06caa316c24e7b5abca372f0

SHA512
9518eb40ad0e41910b66c0190759406042098219d59bcd81b840bcb7d647438e77a4c06a0b75f599989abcb860c28fc5abaac786bae3709befe70478a2f8a8e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Qt5Quick.dll

Filesize
2.9MB

MD5
eb4bd219b0adf6dc7696cd579e821cf3

SHA1
f0d8a5cbd58f94f27b244c3a382f52748ff2ea81

SHA256
daddbda15097019be7351ba1bea79ddeb4fa6bb911f7138a38b9fce822c3b012

SHA512
1606a78c322778fa88e90edb5145d5225b0900aaeb9aa278fa0c7ae1a7936e2ee140df9fa9474ea9cb23903650f17bd5d23eebf99dfc7d9018fb92ebf88949ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Qt5Widgets.dll

Filesize
4.3MB

MD5
ef28ab9aff5ed75da256f711a0c6177e

SHA1
b1c269207fc5b7515bbe95543a6d0603b3b07053

SHA256
71d517f05671b234a7f03211d5f47e784f2660e96d595cbeff98fc106638819b

SHA512
6750057abd96a2b4d478d5f23015f9e8273405fcb540f6bc036526d7b9e3deb3f8799e39c0332d065383011e1cf6d7da906e0b0e4fb08f6c053677bde7f4d6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Qt5WinExtras.dll

Filesize
441KB

MD5
3dcfc068da0c4f929d3595941eab93a4

SHA1
102309dc78d9b53f86cc2551116a180d9d27a68c

SHA256
c93b0205c4b31d526ac5f11a23ceb8cb561f640d11be2c4f5419e1a46b9d254e

SHA512
de7d5e5760d5a218def0b171d86fb9e71508113bdf778209393a902554408c4c97b4128c223d4a5dedd54f2a5c5886a653c49dd67ce5dddea949e9a48edb1af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\RemoteAccess.dll

Filesize
680KB

MD5
e5520361f7e46a071f6f3b5dbcf0582c

SHA1
0ba6812dfacd541de14265372e4774ffa380d630

SHA256
8b67af793de5c4e05ceaef8be105c5c3c56cc03f28ed6442e5bf55f2d7eb8d4f

SHA512
891dbe6fb1e6ebea60ca543c1145c1847a1c5fd16e3ad5ae17ec497ff0fa73912afdebacb237814e2c2200cac12d9865bc6b31468a1bcc56f77e01884afb3edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Resources.pri

Filesize
4KB

MD5
7473be9c7899f2a2da99d09c596b2d6d

SHA1
0f76063651fe45bbc0b5c0532ad87d7dc7dc53ac

SHA256
e1252527bc066da6838344d49660e4c6ff2d1ddfda036c5ec19b07fdfb90c8c3

SHA512
a4a5c97856e314eedbad38411f250d139a668c2256d917788697c8a009d5408d559772e0836713853704e6a3755601ae7ee433e07a34bd0e7f130a3e28729c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\SyncEngine.dll

Filesize
7.2MB

MD5
9d47919bce1d520c9ad1b441e6e0a295

SHA1
f16bb91a76a8f21720b9a7a1b3bce8c617d99665

SHA256
de0ee0f5a49fe7e37e44503557f925c3150ca938d6ee0dc00f6a704737d538a1

SHA512
5b4521be07b5437e3e06e9d3fd60995969776cb15eb5dc0883e6ac08e4757cba56e9f894a885462f845fa8256402edcc16c01ac254fc5c3645b96b7b40cdeaf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\Telemetry.dll

Filesize
192KB

MD5
1847a4d9c7ed403fdb0821888aa09892

SHA1
3d79e771e4ec9d3572c417f3ee6676963da95b76

SHA256
ef72e82857b056f078037a7f62f9a211b29d2ec7d3d6e7cd26d9a40286dffec5

SHA512
cfb2a956fa95b905fa89a395e6988fe519fd3d7e9fcc0c69fb9ca3c0aadbdd240253f4c589635db75b9bdcac697e55178787638181b1e230e9ca366399303894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\UpdateRingSettings.dll

Filesize
220KB

MD5
06b59e27778675f0a9453e1fd1c5effe

SHA1
8271fa44803879dc2ac7f3df74364be71892555c

SHA256
020b43e00a21de5117739253f016dd9b26fea93d41a7b3a5ca6d54aef2a8e7b3

SHA512
62b0ccb04242634bafc0de3479204a17d419f039000d34b18228ac2051cd3925145f7735b76e93a6d53a3823ddeef936c297b154d6cf3acab84eeff02a1566c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\WnsClientApi.dll

Filesize
468KB

MD5
632727e812df13ed8ce9a1ba242d904f

SHA1
46e4c292d178e19e9df8093fc93d4a22112f382b

SHA256
cf416273a5e0ec4a24a0d73c9ed70d8522d7b44efdef71ae8182a4ceb717c378

SHA512
8a181dba8329a4712f203f6fbda53db8babae09c737efdfa1d7c3807b57979f839a4c4c3c362b87ebb9d325ad4af74b024c8baa11ef2fd5916cd6864ae677b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\adal.dll

Filesize
1.4MB

MD5
511a6861bc9a17b77f4020a4a2ee0303

SHA1
8727951d29e708ce55bb3c43a98556eb6b4764dd

SHA256
457feb649b720e64b9e2abea5203b3c8bd9e6fc087acd170e8016b4762fd9c84

SHA512
57d819efaa2c382860cdaf2d4598dd30c54a895ece7e5ea3026d2af29880798bcea8baf64183fc46fc55fe9d2deca769ef9fce50cec8100c31cc6376de854550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\ucrtbase.dll

Filesize
1.1MB

MD5
ec602c26406859c727b0b3c19dbcd572

SHA1
56c13e54438e0d5bbfe5f6945927a0252febc823

SHA256
ea19bbbf417608d6d0b4184aeb817f1248362db946980f6ccc4b072a2a15bdd0

SHA512
61c4bab29faf4951f49cfbe64df60391f3af4f239cb3317aa86e1e3f9a5606b973c01f786b117c3718da21484740f7e8380c3c41d71e2dbdd9e298a30372d3b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\20.084.0426.0007\vcruntime140.dll

Filesize
73KB

MD5
e7a1ca8524daf9b92fe46fb109f1f893

SHA1
ad7f229e25c07a3a43e8fa3dd66aa354025a37b9

SHA256
dfa28d4cf680c02ba16a96a2e95dc201d695421dee4a18a04d77a0fceab42a75

SHA512
e3eabcb8d33cfa0ae102ed63b2f6138419b1befc0512f039144d402894c4427bec16490817d799945d608176e876817b2c808076caa6eac5bd80828a45d82163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe

Filesize
2.6MB

MD5
edf86dd22ffc3a0297cf3eff0c7dc1ab

SHA1
2dd9a9aeffd29fbcbe22a76049c8f3bf4718f214

SHA256
d949181e056270f58710f3baf1f398cbc786df2088a1b5b7600271900a1498e3

SHA512
30a3a63dd585cfce679739a3658da8c697d370c147735b3185c381cd64632f870a4d4c3f268812c27234b5a0d6e833f1ef61904b83d130f1662ca0760e1ef5d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

Filesize
34.2MB

MD5
cffadaf3f1c6af1b98383eaf0ebd14cd

SHA1
5f09547561626287f4e7a15d996fd356f65299f5

SHA256
503970f46e781d48e2983518a7f985401b6e43860b9244bb1811ba50823df0ed

SHA512
aec26c8b90af331cdd15c47746ff61453fae70b13161e679be4d2091819fa8d553d59a4c1c894dc43579919a0630c46638889aea781f7cb510ddb5f754b35fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\SyncEngine-2024-11-14.016.4248.1.odl

Filesize
186KB

MD5
25b066a4e0abb09b1100e6b2b22bdc89

SHA1
aba5b348d5a46ec681132d570d4b532a5b3e03f4

SHA256
57b817b1188f1127b5892e337baa0f853044c9e00b9fa0800546a34de0d17a59

SHA512
795d60eb098aa8c4b50422d0a140ea2c3d2c7bafa4a04b4d7f1a55ba00e5d8efd75aa08c2b06430489135ac2890e966efd03a4719d44604497bdac7eb35cf978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Personal\telemetryCache.otc.session

Filesize
20KB

MD5
5162a190bf0fbd251f004649679688dc

SHA1
b00dbfdae0d41824f534c65d2597cc218b727d84

SHA256
59775728183290400fe743af6352c2a468197aaf731b424f26053a7c3d234f20

SHA512
e542ec431b030da427d4e61eb513b12f0d9a1c2e09fdfbba9e316147d46866d16f353ab2fdccc56539c29bd111b0cf12faa87b527af4eb87d9da3544e0edd7ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
108B

MD5
b29762548003eee20fa25ee7474fd138

SHA1
a1fa6c0c99ce470246ca4946ea5b6802eb6d671a

SHA256
c1de0a2adf02be768b1829d548ad339c4ed8dcc47ae1012ae7e0d180b2e5f9bd

SHA512
3dc7c41ec051de1091a512a3c11f172edeaf003d76291909c9e5d6c75ea0adb03f5e09b8ccd2cec80f8ad0e3cf42b6fa36a17c02b318a9f5bfd3d1d63534d029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

Filesize
38B

MD5
cc04d6015cd4395c9b980b280254156e

SHA1
87b176f1330dc08d4ffabe3f7e77da4121c8e749

SHA256
884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e

SHA512
d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

Filesize
28KB

MD5
2b2619016d63eadf428aaa48129d1e74

SHA1
f9046f569a343d48848fa71255812fde212a5116

SHA256
b3d67f848c17ae14428dd09d6bd38dd283bff54b7ce0be9562fd550577531d86

SHA512
e10e92c3a0ac6f25964b4bdaddfb2fdc9eb249565327d2eaa85452974d2a994811d3c075439d9663b43bf2a51c7db7af51aae546f35be70d77338704260cc4a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

Filesize
77B

MD5
68525aa90f0168c7dd0a3e88032e42c0

SHA1
f5b32d0eabf9c60cd1b792ad840640f3d8862b17

SHA256
fe19893d03c51b9626864d18bd6d78108256a37121429d2f47224bdc0f43b7df

SHA512
53b73d82470715f2206166f17692487557189c328bb5e37d22f1ef5d3db333d4516758f5b15192d7ff12c46cb0f5d62b21f725f8b10086e689ab782584b43c23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9ED10DTS\update10[1].xml

Filesize
993B

MD5
2d156736d6d630d65a4a2ad8e06fc600

SHA1
c40dd8e844ccc0b4cc7e04e43e3bc019157941f7

SHA256
f23b17c73fd141c30d85161fb2ba6a331a7feb4cc8260fbb0c521e0f9e402000

SHA512
7bc72eacc6144cc1e262e04392787d0f0f75ef4fd2428ef81583ba8de3bebbe4a8ff59d942f2ca6dba00b8fb268aa756c1e01567fea1dcfb695ee1e3141c3564

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
fbc970a16feb81905d3fbf34fcbbeb3a

SHA1
d8d64b168215a02a434337de25d11e140bd2f6ed

SHA256
39dc199fbd0fa9f13e60a2bc4244a0a6a0de29cdc22ebbd16be4667fe0c34643

SHA512
8edf6baeadf909b068d88bf59b2c5f471ed44196bf2ecb1a9b450c97c12dcb9f46e6d109475107205f787e86bf8f49a3f834fc8e93ce9e9002824b69902a2561

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\doomed\30319

Filesize
14KB

MD5
792e03a2b61241163b4484cfe857199d

SHA1
63897143a4e9f762e017f2238e45794d69fef41f

SHA256
4fb1717603a20fbf192f64d733537079741d061446b8c22a26d03c00a497ca13

SHA512
f9504b120ea0c0905810a90058f8e9693a238467e612ef38c71cdfe66756033a6486260171d43aacfac54c478cbf5d751658f4ad3c331f392cb7c9f1b12e364c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\1FBBF79CD3C19714BC216DB831CF401F7BAACEBD

Filesize
61KB

MD5
81326c6dd5bf4993c82bb44beb23a1eb

SHA1
09aa55e6acb361141af7e4029526ea30f78bdcd0

SHA256
eaf9f07d81eabfcd5fa2495a23fc97879bea06c68730f5c6c5313b47894058ff

SHA512
209b902be84f2e0d99501f912e182874ad357c8b78c607114fca7cc52cf23d56dc90d40465759f68362c77a29486ae4c7deaacd2f9658bc01bb092b453b38094

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\2B16ACC15AA680352D12943E950AB926A085A466

Filesize
224KB

MD5
82c28f3b0a4aa086b754ab5a3b7927a3

SHA1
d543e41c931cbd23a22e834564ac13bcb7ab5c09

SHA256
cd5f0924794c269650dea589135becacdc1dd2facdea07e61b8989528843b7df

SHA512
ea704e485ff5c389b746274a50b7ed37e7385e9e0e22a5dc545e66e0700ee07399902cecc57a46ca56d5c43221c1163a311373b628a1f6ba7bee3184fe1cbc79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\549C94847E35BE89DCE95DF86EA39378F22E5078

Filesize
99KB

MD5
6a5a8678472b77566abc8ab76abfe2b8

SHA1
dfc0213f489f5ba8ffae5d9b3f28eebee056c0b1

SHA256
4694ade2563db9e2ce80e3f7464016c328857dfee559f324127957b1876d251c

SHA512
c58fd7cc4e98fbc536d0054c27d361007286f5b9d370e76c582e336fbffd37b795dd59d919f30435d69f9ed9706a81b5908f43d983add49c4e4203d97cb2003b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\cache2\entries\F7B6C486855E65BCC82EA80487D23FA0EF6FD246

Filesize
49KB

MD5
69d8450539db39ff2dea0e7e4e8ba5f8

SHA1
2992419b51031cf3a7e06c902e917349fe3f774e

SHA256
6a706d99588bf26cf78302808cca76361e5c513dfe92c3b3246204bf5a05036e

SHA512
fe7480cb3e4b325435eed57c4d04ea9b8f6e84c5b3f22f5c8e287a6b985642ace1485b8cee105142bfffb915c67aef3ec64e45b957123c1ddb328a386d876716

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\jumpListCache\TLNMYNb0EGp7OFeeZ9w4txNIEpq1Sm8Q54bv90uOMdg=.ico

Filesize
1KB

MD5
a0d38a2aef7adc85a03cb3f6eb63afa6

SHA1
1f1e5117f97b6bcce7bcc2966d72fe3301b63265

SHA256
de26779e87d81ee9fbac941ae9050a83e9605432ff03f99de9f7d243c492a919

SHA512
70ab845e87446974a412ade5db8b6d7b31031133787165103353351a6590e4638954e38fd19d8e9c5af5b2d4567a413af2c65aaeaf7e96ce82a9e9f6a07e8462

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\jumpListCache\ZL3+SByBEF52BMuBs3YUumtFbUwpJA2nmHVASWXm4b4=.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
f163de3fa2cbbbaf2c0f239788a07db2

SHA1
78c0f2eed1d717673d28e7bcd9b2db2ef2623378

SHA256
fe173253a456dedc65d6ddcebac3156d3f9e8a4ae0dfe8103627934830b6631d

SHA512
9eacf3d7d3ce260af3f3a8a5cb198ae1e172660735f2d208472b856575567ba06bd697ffe8cfceae84e68c4638c34bc8395be9552020ffd9169af936cf9987b9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\d25db3c8-ae10-4bb2-96f2-758ba606dcb7.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4248.log

Filesize
470B

MD5
11a11e8715380dc43e24902642434e11

SHA1
ed7a4eb6ddc530309ba8a80c1ec9c4d2e266a1f7

SHA256
0c7983205ce751014445f03e9a9bececdf4e4e6204cef78cd390fc9e4f32c25f

SHA512
e85a58be2d13e1d5e27821c4f02d634d28dad4dcb36b1f288631598b1708693072538facfcd59afaa9c16b84d8ae2fe4ddfd571faa49ade0121c56d459ca6d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-18467

Filesize
11.5MB

MD5
928e37519022745490d1af1ce6f336f7

SHA1
b7840242393013f2c4c136ac7407e332be075702

SHA256
6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850

SHA512
8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4708.tmp

Filesize
30.3MB

MD5
5346e26855d9dc1195ca8628e0b493ac

SHA1
11928218082c5961c4ef4ebfca86162c758d3079

SHA256
1dedf8e677531c9829e9702396577e4ecd285ff38ebb09594ebd8649f08af2be

SHA512
5612af8381deefa5fef21484b82d99d94f12805ce8b3e5a3e79e4ef58309d5d30c521d049d7a0ad238594cff6ff518d2c49b38509a48ee93eaed0ed48f856460

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
370B

MD5
220fae717dd4ba75606eeb0d65102694

SHA1
2d5b123f20a0de13090f0f2c48b1504ce0921a63

SHA256
846b60ab1ba55c286888c92c468b99a0c9a11b0c4b00310e0f4626da1b81ef4d

SHA512
1c873c73e1a9e0a8ff3ba46113d545de3346f6a8eb6c93be752e886caded809b52b8200b2e3ddaa9289a1a7cfe9ffef82da22bc9909014fc7e35dbd57fa7cb31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
b2e29e0ff417e43cc4d8d0d195f60277

SHA1
0c121f44f1843604332d318c04362103b10abe65

SHA256
b232917e5de00014c266038d5ea8ef445e55d96e4aca13875b7dace9e09d0a77

SHA512
a0731ddd727eb1f5365f1cac2f19c42e64297eebea7a1a21a03cd70e7c93f2e0ececdd70562e8909dffeb5a93a8d4fc336e9d2b534a60b0bbe94ceecd296a2ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
607553681899d3cc9e8282932ef85394

SHA1
02e2cfb31b199ff575856404e78cf6455ba79c79

SHA256
df16de86ef0c6ca852250bf4f611ba9a05671aec53bf7587a831f5ea682febba

SHA512
60fd1744348544cdf28df3bd9b5bffac15c73d0386604a95a8d1aa961e88e7e74f18afb25ec2a2ee9412278e1b6ea00dff9305c8828f0a8aa0cf7e682a82b25f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
2f4ef42f28a4b9c81a11f243e3505327

SHA1
7ca267fa366ab8663198db9b927fcf1dd0210572

SHA256
376816f781965698458ae57d9b1c16d4a730a94bddf040454c0a7624642ccf1a

SHA512
44b8d470672944796ef604d39d393f2213e3c1ea076614faa65e0a2c63247cbab872e44af4b2fb60a6dfdd4c5364d3024ab471b4897250887d1d30f32451cdf1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
f2311413ce02673cecaa0f898230f970

SHA1
4c3e36ec590633d5e6c18deed7e8fd2c419e5a4d

SHA256
44663af0100624b2642fe2ae7b0b7e692eb129cd3f3e2a75fa8e22353c83409d

SHA512
3891b89dd0dba541d6702b5395b325689a4d1a4a5db863a6533ce16d817b7453e2a0097addc1c83d12a4ac0bdca643be6ab90798762cb24ba7062876be463ac6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
12KB

MD5
8e31467b884fc6c42fa095b71164202d

SHA1
f1c9fb02bd99b3898a58332d04dcf3d44a3b3c8d

SHA256
108f8263bb8962698c6631243875e7362225e1533b5cb3f855910fcd7b4c5d23

SHA512
89980050d61f3e03ba1f9447472136ae8c8d080d6d86cbab4c84cfc6179445b5816c5be9a47c8d47141a0d03dc8817652cfa1d424795ac32eeb5a780fc83a5e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
6KB

MD5
7481021d83ed1790e5f8e5d9224307a5

SHA1
a3be434040b207383942610aeaddacc077be30f6

SHA256
1b6e9c12c4d4195acdcb81f1c40a4a81e56c18a2444021746de13634573ecd4d

SHA512
b3de8cc82bcdfdb069837f85fc0f335c8a4a07a681023ba1b467ddad1a736dd5e7f7ef76c568498a93cb4873a3e35e736eebf62be8811601726d2f7de5dbdbba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
9de8c206875efaf8e97266106ef59ee9

SHA1
86ade6cf287fa6542f9f0e7850cf9364ad268806

SHA256
484b68eecd395b8e5ed619c5aa4bd4b5a4f51e09170b5f8249ecdd2754b915dd

SHA512
ea9b5ab6dbf21283ea00257744be9d05ea040859a99b8766d34acacdd46397f32494bc22934bcfa21357b3b21f90e4400c889f23b1b4b287968a7b74589dd433

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
868cb3eeda612c09f3dcc9692176332a

SHA1
dc402f3b10764626ba0e12c07a6eb2645e8c0e0b

SHA256
e1b7bcd527e7c63bb608ce3e4e294d39607590f1a3aef096d725d52ecbd0e76e

SHA512
e7114283df0de549f61a900ca722d83d7941cef8a0dd2604b0e5cb4915d5ba9c90773f8b0332fb1add958d870dcae63012188894debb096bb4fe2aaf873b81ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
3200d7e1aec2c9d783654b6afea0fea9

SHA1
ad00f7c5b44bdd2ea59b7c767837c302a2bc3802

SHA256
b049713f6b8573bc769a60e0d42b0c0b949d69a01249399d3ae4fc478d113c2c

SHA512
ab09a6c403908eb663a0d4fe1d0632640780e0a0852bda5393c9494605b42a012bed3c0477c68fa1bc03e7c7c4960895a93fffcd3dd842bf1598796806644251

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
a84e1398dcaf064ac2504b1aadbc684f

SHA1
4f308d68109d1271d16bcab851ab11cab670b16b

SHA256
212383ac1de8eeb3c0af41bb879ea576ad73d0d56f5e0c72127c3d3c0938932f

SHA512
93256e28017befa0e0cbf886a0b54854aa18ed93f8ab3c75cc8c53e0d673ae248a1ff28409332d0657889fa73532b23f31e9e1efa31654909b5e6274e6c14b91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
84eccc0d99f6c2131e5246eb70254198

SHA1
aa66350735f06221f75184a879f60e79403e1e3e

SHA256
7dbe5d982fdf214ba125f622cf8a4d3cd0f4eb298503b6952bb6adae7cd97ce4

SHA512
aa52240a8f4d1879fe07a2c08208a86dcf8fd7f5701ac658724125fbb123a409d669c91e7cfc4e853e179ee8b58200e1416f1b6b39b4206674700e72d5373301

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
b53572a3a949ab76677ec31538c06cf6

SHA1
be61fc6c24485382bc581b26ab9ec569d96381d7

SHA256
de592fe0a83ba0d758113dc8d04d9d01ff0927b648692cd3c8ac9222b1bebdf6

SHA512
d6c573f3416de98b535e1b60a2bf7812f3049c179ba4f5dc4816e864dad2bb64e2f9c0b22778f5f8454f6bc53eb8c801c774de6db5f53e6e38fc31b794fdb1ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
51daa0cd69dc6125285f611406cf4833

SHA1
151708f3391c958cb11249977fef6b0df3a23ba3

SHA256
0889a0eafe8d91ee3f623be0d8ff4077ce69fae2997c0ce9b0462485231eb25b

SHA512
81385e287c89b11e291f43bfa3eb9f89addccdf7027934489500e8b760906f7548c1f844376ea9c15e0ea596f93e325d5a795a89f8c3e01df267f5c9a7a6c543

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
93KB

MD5
7d23d0dc4c30c5618f9ea9a71ae50db9

SHA1
51ab20a68bc83c87be7dda615d7f813cc8bdc79c

SHA256
99de4d7372b36d876e94decb5ac2d925c7fae6f6af05bf1ca78b6efde729ac45

SHA512
2127aa22a56eb20194a8cff0c1536ee2204a23fea45d2afb4ef22e4d40d1642ee7a5388cf18da6b6032f255370808482b4e33ea63652de8175b1c4689c19f120

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\3049e45c-86d2-4ce4-9d1f-9d0496ffb0d8

Filesize
4KB

MD5
2a230b35e2d9de07e7c5099b4ebc9d84

SHA1
0ebee160b73bc51a76ec48908f7fab8de46aa3ce

SHA256
62864cfc63c358e7f0a653ba7acb18bf3973a5e3ae37f952130cc66d7d48206a

SHA512
3a46daf540a84412672f5588cad7978d956a89ebcba7c4da952b13aeb9ada1a9cfe1b49320970b26f904a931f210d51573a7eab33b4789e1a3348f18822a5088

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\541b5980-fe65-430c-a601-be883b30d2f1

Filesize
659B

MD5
5ffe725522a73a47b807570978d2dff7

SHA1
141907e7e90db3be6d4bcc5bd24899b42f498446

SHA256
837b8f0b949af79ae14f9f344e9bdeb9c07ea9649b307215f5de8837269f232e

SHA512
ce0b4f6aec6d9393381b39bb1b9ab582e71e019338a1360811a98a9a97b2a5587a5a9af8b90f18afa48fb4027a7da1b36afa997dc6ddac3235e422f19f0066db

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\912c96eb-ea7b-4404-8d25-dfb6db48e302

Filesize
659B

MD5
59e9a6d7c44866ec8aa7556cfebf6692

SHA1
60a3a4ff77cd47aa558323357f1e72b6e42b1dae

SHA256
7fd0f043e05fb5971d17e42ff8ce4898f57a399f7c0786a87f86725e50723ad5

SHA512
8887664a9d24bbc6fa658d0449be1e0626d04120b10a056713d2a5aa99113c89385b1fdf35a8aa50d644e9fd0d1be6d5c3e6d4dcb27c837684b540dc765de2fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\91411dc4-fe0f-4856-a6a2-1879212a070d

Filesize
1KB

MD5
06c0c6b4f564d2e7532c1a653efc3ef9

SHA1
03a4fce0818cf1dc1e4000d70f045c4c9b676c9f

SHA256
c7172af5e537064b0901b229445ff9a4612dbeeff21d4dc25f17857503a5a89c

SHA512
bc4c85e12fccfbf60aa71d957a9ad897dd476ee055f8107dacb4015ffa4e25657738c51ff1803b4bcc7cd2a31fcea7a25a3779bfcb31bd711898be4146352c0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\cc7d5b60-49a3-4c31-8333-45c5fb6330dd

Filesize
982B

MD5
e3dd2d6b4228ab56284172225f974242

SHA1
094c210c677d2868f98ff14defec9b4c328c652d

SHA256
a860583cda90aeb5e17925c50200a8350c55663ca2701c58c471def2cef59189

SHA512
44aafebe86353928ef9d55e62d6bbb0d46fe478e395455c58cacca506ea79a9b88fa07f4e636bb0b6c7309f8c6cbd5fb434c5ad29c364d08f7047d9b94b2afc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\dce70573-4e51-4695-a2ec-da2c002ec2eb

Filesize
842B

MD5
e2f6a59ca783731dfde2e8bae905b17a

SHA1
ba63d0a3ec1829fe949a1b4c29050b426c3d1ca7

SHA256
18048227cdde01e49151a63c704ea304eadeb91b281a66b3abf134d7ecb3f001

SHA512
1afea2534cbcf7b9cf4b90e21f53b7cb06ff9438c89453dfaf8aedd48dc7d74382ce0bcf4d5c1c1bc137dc7a875c6dceebc7b47d8c4eaad4390af082fcbb5204

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\e912448a-cba4-420d-9477-acd487e08e79

Filesize
847B

MD5
8ae8847e71a74e80d7be020b32df35ba

SHA1
5da61d0206453dcfbf6d1909f8d03a2e482b666c

SHA256
9706e848d2734a3938a16fe4ee398f70a642f4d2cd59f0b2f7254c84df9aa22e

SHA512
667f35e97d38de6161e44980dd8ef2c9ed38bdfe96e55eb7a5364d27adc009b0423306c2529ce56a1ea73c42f668b6f81d562251a2cc9175501da65d6a5cad0f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
11KB

MD5
29ec77f002e659ee387e075da1344c0c

SHA1
2655176faab4b7345c1fe7ca686e043a8911ca76

SHA256
dd82475b84d7718c5fd5fac6b33241b819930ec630a74c5e683347ded3ae0647

SHA512
116a2ced381a70ef6ca414ca70856168859f5ea266c07b69e6b1626de4f633c300e79c65d339c95df118057bb4fbf6c1e8808a3e538838dc299e1c7887b25a2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
11KB

MD5
dec1cbafd26c2d5309b548d79b276d78

SHA1
2990684e4e3736c2ba8da0fc8d3650c49234477b

SHA256
2bb0e813d1ecc18327d493c1af8cae5d9417477cdac3f85359dcfc701fe5ba26

SHA512
b2137ad1e90522f8ad8dc7d90d798123edb7bc666a320b633ae8ab81cf667374c045b95f455961e26570a4613968acbfe1c701b0b7387bad043a08a87a40007f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
f791caa75b5f275e8c0feebebc408aa5

SHA1
6824b85d2b42ffd4582d06a6b17f7c0946452767

SHA256
f5642c39ac6abfdf89ba4c85ea9ec5ebc1b84b85ca5c12716c78f7bab7b3ef47

SHA512
292b4a2aaa67a6759138d67c7510cfa9842fdc7722accdb7faaf24fd88988ccfc2f4e6d8413084020205957f5befc257f622322dcc5440ef576458826f2057d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
11KB

MD5
c4093a038b8338b9f70064eb5606dbf0

SHA1
ac89df855216ea8a7c4f74072ec0b0147fd8f24d

SHA256
152f69a406b48390a3b971560aeaa20ac000407e7fae985ba0755acbcdb33739

SHA512
270af22acfc5c13e61f0d5986d8b2031959f7253668ad77c37cc0fa1cc8b86046ccc405c847e1e02a61037c8f610c27c692f2a1a3d356e41b0e784bebf6c704e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
12KB

MD5
338ab6a82914c60aa58cba8fb2cbee9d

SHA1
a38999882eb9012fc47ca03d4761ede5812f8287

SHA256
71676d8fd2c843f63e977b50971b21b18c281c7b22ba8deabfb3f2257ddd343b

SHA512
f641575217a3af6ba9e0db6f074c7a28edf61c1d33730751a65468ada73c524e6952bc711c570cdd7bc1ae7eef5602d463ceb58604c1de01070e5db466db2883

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
12KB

MD5
c07f4b5877e61a9b0c6b83586c3642f9

SHA1
62c0a8e0bb9098e2f2762d1d7ac03bc715cd6b27

SHA256
314ac3da11e09e013c45f2e846ead3f1b7b0b55225ec6603e2881d5ad382cf1f

SHA512
c16c3ea897e9dd63a7fc1bb071f597da54e229f79b64e5878161a3c33531191ffb1ac5a482db0e0e07137fbd3fb74ac3d8d3766fa21a51da20a5281405f4ec1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
e9c576c3aaaac6b65a581250fa2efb21

SHA1
782d6d1996bebfdc51b66a5b8e2a35db9e9dc442

SHA256
2167a6d6498d7e3670b7b7a7a5cfe22c7d3f7fb40dfea4e82f9f78c1a6d28541

SHA512
34c70f9a5789b5010bcff1af8b53cda1c17484fc4dcc3b3acb1404b2894c4f12bf8f149034710fd63d0f15e12daf95b6aedcbcf274e6d9983d89ad5981842977

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
15af24383fc58ef255f03dc42b5e39f1

SHA1
a828bac15761b9bcf4b709923538c4eb953978d0

SHA256
99f36659a8abf44ade0570c49973996a8db8df8d1f6470fba5a428ab05c67b3c

SHA512
45bbb1bafbefb862779d831235cf3a670e813c601ab4f011460dc5eb84299212ca0e0f7c37c0b853393c6bceeb67322f733e10f09286852cef53573151c100ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
336f3d5a37564d64ebea2ae85cb73444

SHA1
fd9af0dfa933eccd1db4931becbd10e676522c62

SHA256
3c9f69c553434c07ea13ab93a84135592c87d5118c9d580a9ec90d6121552f2c

SHA512
09fa504fb45b2087dcc29a22e98822f953dc52e6b65022b1a2090b8c1ce9668ef9f62ae2d1948e90092108d4726cca16e98bb864d53c75f5e388bec0158a5b06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
a6e717d4a4e76e4b7248cbf50dc6e98c

SHA1
f24946dd5e3a213a81f15af64906a00aa6ff39c3

SHA256
ac2455521ce836c02caa3c6eb0955f86bbace2b6c0fc784eddfae60ee51fd6a7

SHA512
34995753850d6ba1eadfbb627d3ff89213cb6832889bf9a65e6d7723d36469d621874d586acd03a28a0e7b26232361f4f381b78f887a9bd06c68f101a797ddb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
8787155c696f3d49cf0851d4f429d8ca

SHA1
fefc8dc8dd591ebbf2068c10a6cc8d7c6b5bde7c

SHA256
80e69ba3c62c30f33540bf415a4242ea93152caf362dd879370f14857271b425

SHA512
c7901373ce00455add3151eadc2d483b798b3f9eb8337be8639ea8e2f716069a55a1ea556c168dd3df4735019138d29934a33091feb919eeecfd8e4b8c79919b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
1165c496b9fdae5452fab94b752ac114

SHA1
de33b60d9a63029de902aeaaa8db9d58c4d316a5

SHA256
72b8a9f1144025f0449f9b407a14463ccc7785d026999fdf738b5d9ad91bba31

SHA512
4792d1d560a5432081b062b8f16ff82d7522292ff6171dcd990ba443b2fdf7e1e5445754cbaed614c9a33cd4b5995b5222cb1c333c75f88cf46a62d41b9b7e04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
2551839249970db58a6715a72010950c

SHA1
78f35c21539bd231a8a6d60dc32aa0bc290a4a09

SHA256
3be3db9f97293379c4d821ade3db534ae6a257661cd33b79acac2004388f23ce

SHA512
f08525e4f8b4a92e6bd5c22451dc2a6c2225bb954bb24306d28be24a6dcbb3e2667fd591a75b84fde07fd7bf63e1b39764acd30bf03de45c36b1a1d44e34eaba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
5c0e77e74b8f3960bf02fb91a431db86

SHA1
b2980494cd00b3ddc2b63ca33b5e661160934224

SHA256
6ff8c442a4f5b04d4830b05363458710297a5857d8c6db4c88ce32540a5846e9

SHA512
3db985441fa5e23e1e65123d01b4568347603137671506fbd1f4db72477ffefa800b2b8a03da1f5089c40cc72b555aa418a535151d80242e56a494bb657e94b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
ddce2b1b681bb8d308c5b6c3914734f1

SHA1
27109a67c5f8800a43c0c9bfb1d6d332db85b499

SHA256
53a1c0073092f6fd6df29383a82a9860c05b82130b0489931df8778e470f7dd4

SHA512
b538e0997479b2a743272d793a2f2b025051f5281c256251117b65937b8daa4f9862389248d9496f002cebc93941986b2d31db27e993d82caec1350e5007437e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
bbb92e8c0f6467d86a1040be55afc0de

SHA1
1a8ad8220e3c042c39a3afee3bcf52093adc4657

SHA256
4717c97e301b9f6776917ba006ff4fc538d7808ad5764ab220f5a16a37ae8731

SHA512
ec645e39a33cfa065339d23acbf81e143b66df419aa5c2650b93718a7c679a10212c3f07753d0032887cb58943a33545fb4e353d494d49a594940a86c55ad80a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
3470b337785ec0adaf0d778c959d4460

SHA1
8c6d0a9878a3da7c741570b2211ab6655443c547

SHA256
92b1e278d88801df0542b99f06245a863c653f92290cebe46826d93caece1e62

SHA512
2a16b1c114e421add264cbfdfce140d4c9a415f88801ed202c2c8d1729092df9da7a74ab9be566ccc2be54c609948175d7dc678d69928bc7b9616c832e9896f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
f2903cd1ab7ea63663af785004feac8c

SHA1
aa1589084c5ad9225cb94d04e67335567d21e8f5

SHA256
882d81a668315f8089cf7f1f4e548f59875e335c47c965a036379791a1740475

SHA512
4c79c74946699a85b57989bf38c68e519f53c534af9b8d9c3447959bea3f7499cd2bf96060ead6b4b3377c7e3a4ab22c1420c8944b0d39781d4282ceb9a59262

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
67d67e3c6b4d8c94cf605bd5a0d92499

SHA1
f49c6f64ec007d53881d963720cad21d79c8bcfa

SHA256
4b16b3ef45372f49163a771aab249571b54562dceddb4b49511f721858e2bbe7

SHA512
d877a5ca016764097600ff2b878aa3fe414efc6113a8675f0b547136f101fda15890d6dea7f720c7dba219fd457739649ee5784c58abcaa3eaf72a1e140fccc0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
a4a7334e0f6a82854a30c7410ac899b9

SHA1
072801365ac97fcb0388021a55c19175b39f0584

SHA256
be7d1d9a9febf1e5d4af9891c81912f3c2ed6449225627215ee8a73775429a1d

SHA512
d9f6668b0b96943f26c3c01eca5690f524fd6c5db88139ddcfa6875ef875f77ff84cf412f3e3384a49507cc07da95af3fe52082564ca813be0d7096b798d5e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
48588155fc384f83615ffd470d0a6589

SHA1
f0394e2c693826376afbed339a752168b5f7caba

SHA256
4d3afc2f38f1ed1e1e860702604a5aebeb15f938fcd502f1f163f9de5e901b36

SHA512
ae8795dbb373764ff7020dedd1952bdcc8e767a7fe6802815edd1db8095fd99ce1067723845b99d1a129b85ff8ad57353f892c3dfb952a75b88b1f53ff321f2a

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp2800

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\Desktop\!Please Read Me!.txt.ANNABELLE

Filesize
800B

MD5
81c1845fff664ca86f152adc8fe842ff

SHA1
8c1e93c4a80cadc66690b01734e3faddf886b2d2

SHA256
146bab79fe96119a1be2c3c8a62d188685b5e9cd0817551b5a5377cabcd55c7d

SHA512
c37490ada3296d8e555748bcadce5a7223f6ad255f6c14ae52643640031882591211c9a05dabc988a9fbc437dad8ca6b8af7b996956118774bf8f507b3e9d10b

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe.lnk.ANNABELLE

Filesize
592B

MD5
14f2b2f40b2aa4036564440ccec94553

SHA1
77f23083bf0a0e0e6bb737b194566d7de933d354

SHA256
95a43a3d163fcdb4a618982a5f2a44d66e99a641c7bccf552c7986ee593883a3

SHA512
3b7879d7c8714f02bed2ae27a9e1e6aefb472eb06503a37d0a525b940c288e2d2555eaf978593132422caad6862bcef5e61dca7e72c3f0145719450fe9f42fb5

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\PetrWrap

Filesize
473KB

MD5
17c25c8a7c141195ee887de905f33d7b

SHA1
7fa8079e8dca773574d01839efc623d3cd8e6a47

SHA256
e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660

SHA512
de95f18101b99d159fe459c5e5651e0db2b1c76e02c9c2741bfd920decc970abc6dc0b41651be0471b4c7c3deb8b5e9a6e956c6515f268f9dfee7b76087a1e2b

Download Submit
C:\Users\Admin\Downloads\TaskHost\t44FD.tmp.ANNABELLE

Filesize
16B

MD5
52488ef3f42a79048b8cbb5503816741

SHA1
56651900d95ee36de389c29b7a7e6dedbb421eff

SHA256
9ce5f9abb2fb204df9fc5db071bdfe0fefeb86da178d8c7b8e4ea29784c48154

SHA512
d42a0c76a4d24d930a9b6ee15205a02a6edec97ca16e9febc6eb47d05ff7d6f2af7c3d430d416bf464dc561289428d412acc856718aa5ead58de51b1e8facd5e

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe

Filesize
1.6MB

MD5
8add121fa398ebf83e8b5db8f17b45e0

SHA1
c8107e5c5e20349a39d32f424668139a36e6cfd0

SHA256
35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413

SHA512
8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273

Download Submit
C:\Users\Admin\Downloads\ac\aahckmjycdjmlbhbu.sys

Filesize
674KB

MD5
b2233d1efb0b7a897ea477a66cd08227

SHA1
835a198a11c9d106fc6aabe26b9b3e59f6ec68fd

SHA256
5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da

SHA512
6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37

Download Submit
C:\Users\Admin\Downloads\ac\mssql.exe

Filesize
10.2MB

MD5
f6a3d38aa0ae08c3294d6ed26266693f

SHA1
9ced15d08ffddb01db3912d8af14fb6cc91773f2

SHA256
c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad

SHA512
814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515

Download Submit
C:\Users\Admin\Downloads\ac\mssql2.exe

Filesize
6.7MB

MD5
f7d94750703f0c1ddd1edd36f6d0371d

SHA1
cc9b95e5952e1c870f7be55d3c77020e56c34b57

SHA256
659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d

SHA512
af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa

Download Submit
C:\Users\Admin\Downloads\ac\nc123.exe

Filesize
125KB

MD5
597de376b1f80c06d501415dd973dcec

SHA1
629c9649ced38fd815124221b80c9d9c59a85e74

SHA256
f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446

SHA512
072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\OneDrive\desktop.ini

Filesize
96B

MD5
c193d420fc5bbd3739b40dbe111cd882

SHA1
a60f6985aa750931d9988c3229242f868dd1ca35

SHA256
e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc

SHA512
d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0

Download Submit
memory/396-1396-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1401-0x00007FFBBFF30000-0x00007FFBBFF40000-memory.dmp

Filesize
64KB

Download
memory/396-1397-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1402-0x00007FFBBFF30000-0x00007FFBBFF40000-memory.dmp

Filesize
64KB

Download
memory/396-1431-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1432-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1433-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1399-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1400-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1398-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/396-1430-0x00007FFBC26B0000-0x00007FFBC26C0000-memory.dmp

Filesize
64KB

Download
memory/900-2489-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2490-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2494-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2493-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2495-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2496-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2497-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2498-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/900-2491-0x0000014F987A0000-0x0000014F987A1000-memory.dmp

Filesize
4KB

Download
memory/1752-1279-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1280-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1284-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1290-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1289-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1288-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1287-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1286-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1285-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/1752-1278-0x0000023557F20000-0x0000023557F21000-memory.dmp

Filesize
4KB

Download
memory/2308-4983-0x0000000140000000-0x0000000140ACB000-memory.dmp

Filesize
10.8MB

Download
memory/2356-4581-0x0000016879CF0000-0x000001687ACE4000-memory.dmp

Filesize
16.0MB

Download
memory/2356-4595-0x000001687D2E0000-0x000001687E86E000-memory.dmp

Filesize
21.6MB

Download
memory/2724-1357-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2724-1362-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2724-1358-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2724-1359-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2724-1360-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2724-1361-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2724-1364-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2724-1363-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/2800-1445-0x00007FFBDF680000-0x00007FFBDF78E000-memory.dmp

Filesize
1.1MB

Download
memory/2800-1442-0x00007FF72AAA0000-0x00007FF72AB98000-memory.dmp

Filesize
992KB

Download
memory/2800-1443-0x00007FFBF35B0000-0x00007FFBF35E4000-memory.dmp

Filesize
208KB

Download
memory/2800-1444-0x00007FFBDFEA0000-0x00007FFBE0156000-memory.dmp

Filesize
2.7MB

Download
memory/3204-1392-0x00007FF72AAA0000-0x00007FF72AB98000-memory.dmp

Filesize
992KB

Download
memory/3204-1393-0x00007FFBE0200000-0x00007FFBE0234000-memory.dmp

Filesize
208KB

Download
memory/3204-1394-0x00007FFBDFE30000-0x00007FFBE00E6000-memory.dmp

Filesize
2.7MB

Download
memory/3204-1395-0x00007FFBDDF40000-0x00007FFBDEFF0000-memory.dmp

Filesize
16.7MB

Download
memory/3364-4985-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3364-4917-0x0000000000400000-0x0000000000B02000-memory.dmp

Filesize
7.0MB

Download
memory/3992-0-0x0000000000BC0000-0x0000000000BD1000-memory.dmp

Filesize
68KB

Download
memory/3992-1-0x0000000000BC0000-0x0000000000BD1000-memory.dmp

Filesize
68KB

Download
memory/4004-2543-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads