badrabbit | hxxp://enderman[.]ch

Analysis

max time kernel
766s
max time network
780s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-12-2024 09:36

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://enderman.ch

Score

10^/10

badrabbit mimikatz wannacry bootkit defense_evasion discovery execution impact persistence phishing ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000400000002500f-470.dat	mimikatz

Blocklisted process makes network request 17 IoCs

flow	pid	Process
562	4704	rundll32.exe
574	4704	rundll32.exe
592	4704	rundll32.exe
630	4704	rundll32.exe
641	4704	rundll32.exe
653	4704	rundll32.exe
667	4704	rundll32.exe
679	4704	rundll32.exe
691	4704	rundll32.exe
704	4704	rundll32.exe
716	4704	rundll32.exe
772	4704	rundll32.exe
829	4704	rundll32.exe
841	4704	rundll32.exe
845	4704	rundll32.exe
847	4704	rundll32.exe
860	4704	rundll32.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1171.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1188.tmp	[email protected]

Executes dropped EXE 59 IoCs

pid	Process
1108	F87F.tmp
3160	taskdl.exe
2324	@[email protected]
4808	@[email protected]
3432	taskhsvc.exe
4572	taskdl.exe
1744	taskse.exe
1364	@[email protected]
824	taskdl.exe
4264	taskse.exe
2340	@[email protected]
5316	taskse.exe
5328	@[email protected]
5352	taskdl.exe
5276	taskse.exe
4992	@[email protected]
1508	taskdl.exe
5900	taskse.exe
1360	@[email protected]
6132	taskdl.exe
5376	taskse.exe
5348	@[email protected]
5744	taskdl.exe
564	taskse.exe
312	@[email protected]
2176	taskdl.exe
3440	taskse.exe
5556	@[email protected]
2760	taskdl.exe
4776	taskse.exe
5568	@[email protected]
5432	taskdl.exe
2644	taskse.exe
5036	@[email protected]
3444	taskdl.exe
5872	taskse.exe
4712	@[email protected]
6064	taskdl.exe
5432	@[email protected]
3868	taskse.exe
3924	taskdl.exe
3960	taskse.exe
5984	@[email protected]
2808	taskdl.exe
4980	taskse.exe
6028	@[email protected]
4748	taskdl.exe
6052	taskse.exe
2832	@[email protected]
5412	taskdl.exe
4960	taskse.exe
4880	@[email protected]
6020	taskdl.exe
2704	taskse.exe
5204	@[email protected]
3084	taskdl.exe
5512	taskse.exe
544	@[email protected]
2636	taskdl.exe

Loads dropped DLL 9 IoCs

pid	Process
4704	rundll32.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2384	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\plwzuibnuhpvcwq775 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
555	raw.githubusercontent.com
843	raw.githubusercontent.com
844	raw.githubusercontent.com
13	raw.githubusercontent.com
40	raw.githubusercontent.com
544	raw.githubusercontent.com
554	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\F87F.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3300	6040	WerFault.exe	205
2760	1060	WerFault.exe	209
2340	2144	WerFault.exe	212
3872	884	WerFault.exe	218

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Checks processor information in registry 2 TTPs 36 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1092	reg.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.zip:Zone.Identifier	firefox.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\YouAreAnIdiot.zip:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe
3552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1348	msedge.exe
1348	msedge.exe
4092	msedge.exe
4092	msedge.exe
468	identity_helper.exe
468	identity_helper.exe
2036	msedge.exe
2036	msedge.exe
2164	msedge.exe
2164	msedge.exe
4220	msedge.exe
4220	msedge.exe
4220	msedge.exe
4220	msedge.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
1108	F87F.tmp
1108	F87F.tmp
1108	F87F.tmp
1108	F87F.tmp
1108	F87F.tmp
1108	F87F.tmp
824	msedge.exe
824	msedge.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3432	taskhsvc.exe
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]
3328	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4704	rundll32.exe
Token: SeDebugPrivilege	4704	rundll32.exe
Token: SeTcbPrivilege	4704	rundll32.exe
Token: SeDebugPrivilege	1108	F87F.tmp
Token: SeIncreaseQuotaPrivilege	1092	WMIC.exe
Token: SeSecurityPrivilege	1092	WMIC.exe
Token: SeTakeOwnershipPrivilege	1092	WMIC.exe
Token: SeLoadDriverPrivilege	1092	WMIC.exe
Token: SeSystemProfilePrivilege	1092	WMIC.exe
Token: SeSystemtimePrivilege	1092	WMIC.exe
Token: SeProfSingleProcessPrivilege	1092	WMIC.exe
Token: SeIncBasePriorityPrivilege	1092	WMIC.exe
Token: SeCreatePagefilePrivilege	1092	WMIC.exe
Token: SeBackupPrivilege	1092	WMIC.exe
Token: SeRestorePrivilege	1092	WMIC.exe
Token: SeShutdownPrivilege	1092	WMIC.exe
Token: SeDebugPrivilege	1092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1092	WMIC.exe
Token: SeRemoteShutdownPrivilege	1092	WMIC.exe
Token: SeUndockPrivilege	1092	WMIC.exe
Token: SeManageVolumePrivilege	1092	WMIC.exe
Token: 33	1092	WMIC.exe
Token: 34	1092	WMIC.exe
Token: 35	1092	WMIC.exe
Token: 36	1092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1092	WMIC.exe
Token: SeSecurityPrivilege	1092	WMIC.exe
Token: SeTakeOwnershipPrivilege	1092	WMIC.exe
Token: SeLoadDriverPrivilege	1092	WMIC.exe
Token: SeSystemProfilePrivilege	1092	WMIC.exe
Token: SeSystemtimePrivilege	1092	WMIC.exe
Token: SeProfSingleProcessPrivilege	1092	WMIC.exe
Token: SeIncBasePriorityPrivilege	1092	WMIC.exe
Token: SeCreatePagefilePrivilege	1092	WMIC.exe
Token: SeBackupPrivilege	1092	WMIC.exe
Token: SeRestorePrivilege	1092	WMIC.exe
Token: SeShutdownPrivilege	1092	WMIC.exe
Token: SeDebugPrivilege	1092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1092	WMIC.exe
Token: SeRemoteShutdownPrivilege	1092	WMIC.exe
Token: SeUndockPrivilege	1092	WMIC.exe
Token: SeManageVolumePrivilege	1092	WMIC.exe
Token: 33	1092	WMIC.exe
Token: 34	1092	WMIC.exe
Token: 35	1092	WMIC.exe
Token: 36	1092	WMIC.exe
Token: SeBackupPrivilege	2952	vssvc.exe
Token: SeRestorePrivilege	2952	vssvc.exe
Token: SeAuditPrivilege	2952	vssvc.exe
Token: SeTcbPrivilege	1744	taskse.exe
Token: SeTcbPrivilege	1744	taskse.exe
Token: SeTcbPrivilege	4264	taskse.exe
Token: SeTcbPrivilege	4264	taskse.exe
Token: SeDebugPrivilege	3932	firefox.exe
Token: SeDebugPrivilege	3932	firefox.exe
Token: SeTcbPrivilege	5316	taskse.exe
Token: SeTcbPrivilege	5316	taskse.exe
Token: SeDebugPrivilege	5600	firefox.exe
Token: SeDebugPrivilege	5600	firefox.exe
Token: SeTcbPrivilege	5276	taskse.exe
Token: SeTcbPrivilege	5276	taskse.exe
Token: SeTcbPrivilege	5900	taskse.exe
Token: SeTcbPrivilege	5900	taskse.exe
Token: SeTcbPrivilege	5376	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe
3932	firefox.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
4092	msedge.exe
5600	firefox.exe
5600	firefox.exe
5600	firefox.exe
5600	firefox.exe
5600	firefox.exe
5600	firefox.exe
5600	firefox.exe
5600	firefox.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
2324	@[email protected]
4808	@[email protected]
4808	@[email protected]
2324	@[email protected]
1364	@[email protected]
1364	@[email protected]
2340	@[email protected]
3932	firefox.exe
5328	@[email protected]
5600	firefox.exe
4992	@[email protected]
4992	@[email protected]
1360	@[email protected]
5348	@[email protected]
312	@[email protected]
5556	@[email protected]
5600	firefox.exe
5600	firefox.exe
5600	firefox.exe
5568	@[email protected]
5036	@[email protected]
4712	@[email protected]
5432	@[email protected]
5984	@[email protected]
6028	@[email protected]
2832	@[email protected]
1020	firefox.exe
4880	@[email protected]
5204	@[email protected]
1020	firefox.exe
1020	firefox.exe
1020	firefox.exe
5192	[email protected]
544	@[email protected]
3328	[email protected]
5368	[email protected]
752	[email protected]
5916	[email protected]
996	[email protected]
2708	[email protected]
752	[email protected]
5916	[email protected]
3328	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1104	4092	msedge.exe	77
PID 4092 wrote to memory of 1104	4092	msedge.exe	77
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 2056	4092	msedge.exe	78
PID 4092 wrote to memory of 1348	4092	msedge.exe	79
PID 4092 wrote to memory of 1348	4092	msedge.exe	79
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80
PID 4092 wrote to memory of 3000	4092	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2948	attrib.exe
4832	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://enderman.ch
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb9a463cb8,0x7ffb9a463cc8,0x7ffb9a463cd8
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15053413275753125937,321208449765995150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4156
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3272
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 400092000 && exit"
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 400092000 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:57:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:57:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3552
- - C:\Windows\F87F.tmp
    "C:\Windows\F87F.tmp" \\.\pipe\{8ECD74C8-887C-4689-8FAB-C1CBDD6B3B0D}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1108

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4188
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:4832
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 24101734687612.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3892
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4948
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "plwzuibnuhpvcwq775" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "plwzuibnuhpvcwq775" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1092
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:824
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5316
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5328
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5352
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5276
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1508
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5900
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6132
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5376
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5348
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5744
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:312
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2176
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4776
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5568
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5432
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5036
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3444
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5872
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4712
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6064
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5432
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3924
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6028
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6052
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5412
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4880
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6020
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5204
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5512
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:544
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 2064 -prefMapHandle 2072 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b86c76e-2bf1-41ec-80fe-66dce6e311f8} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" gpu
    3⤵
    PID:3300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2536 -parentBuildID 20240401114208 -prefsHandle 2532 -prefMapHandle 2528 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {278e932f-c1e7-4d90-8f71-19bee65f9e3f} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" socket
    3⤵
    - Checks processor information in registry
    PID:4328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3528 -childID 1 -isForBrowser -prefsHandle 3520 -prefMapHandle 3516 -prefsLen 21286 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a967d76e-dbb8-43b9-b70f-03b796d52736} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
    3⤵
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4144 -childID 2 -isForBrowser -prefsHandle 4028 -prefMapHandle 4132 -prefsLen 22575 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96516ffd-670f-4a6e-a59a-23c16b3830b4} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
    3⤵
    PID:4496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -childID 3 -isForBrowser -prefsHandle 4468 -prefMapHandle 4464 -prefsLen 29248 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d4115a3-b408-4cea-921a-d8ec3556ae23} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
    3⤵
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 2964 -prefMapHandle 2960 -prefsLen 30166 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec61c7b4-fc30-4098-8f78-64d9b0d32cdd} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" utility
    3⤵
    - Checks processor information in registry
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5344 -parentBuildID 20240401114208 -prefsHandle 5336 -prefMapHandle 5304 -prefsLen 30166 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2693f2bc-4ae3-47f9-a00b-b1dfa5c404c8} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" rdd
    3⤵
    PID:5476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3616 -childID 4 -isForBrowser -prefsHandle 3576 -prefMapHandle 5064 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d5ad43e-70e8-49ae-a97f-455a2d997afc} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
    3⤵
    PID:5888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5640 -childID 5 -isForBrowser -prefsHandle 5720 -prefMapHandle 5716 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61222da9-2493-4ec8-8503-da9d1b3ec5e9} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
    3⤵
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 6 -isForBrowser -prefsHandle 5352 -prefMapHandle 5628 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {747f335a-849f-4e58-8729-8d82eac2df04} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
    3⤵
    PID:5912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6176 -childID 7 -isForBrowser -prefsHandle 6168 -prefMapHandle 6160 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1388 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed464b0b-1181-4a24-9a70-73027617a425} 3932 "\\.\pipe\gecko-crash-server-pipe.3932" tab
    3⤵
    PID:1260

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\05c04eaf9d9f49f4a8fafe36db5882a7 /t 1496 /p 1364
1⤵
PID:4564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5424
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23585 -prefMapSize 244282 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb28f08d-176c-42a7-8f5e-008d0bf432e0} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" gpu
    3⤵
    PID:3740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23621 -prefMapSize 244282 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c569f98c-e25d-4320-8278-453f7962ee59} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" socket
    3⤵
    - Checks processor information in registry
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3124 -childID 1 -isForBrowser -prefsHandle 3384 -prefMapHandle 1820 -prefsLen 23761 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e427f3d-d820-4b49-8536-37db995303f7} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3544 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 29079 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a91225b6-1c0d-4874-bfd4-48aeac8a7887} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:3552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4640 -prefMapHandle 4636 -prefsLen 29133 -prefMapSize 244282 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a3a28a5-05f0-4262-926e-38c061c729f8} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" utility
    3⤵
    - Checks processor information in registry
    PID:5452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5172 -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27017 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {331316f6-fb20-48df-b085-a9107881af14} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5404 -prefsLen 27017 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c491d710-7fee-4d56-9c60-688f5aca35a8} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:3884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5548 -prefsLen 27017 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ac8f9a4-ec01-4da8-af5f-618c31ce0fdd} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6368 -childID 6 -isForBrowser -prefsHandle 6372 -prefMapHandle 6376 -prefsLen 27017 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d931957-1ed3-4f55-a758-f4572fc96723} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:4492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6140 -childID 7 -isForBrowser -prefsHandle 5920 -prefMapHandle 6196 -prefsLen 27017 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a98c07c4-67f1-41b6-8ca7-b0609ad7a992} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:2548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6004 -childID 8 -isForBrowser -prefsHandle 6360 -prefMapHandle 6340 -prefsLen 27017 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4aaaa2f-9bbb-4c32-b4a8-1d867c74d28d} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3260 -childID 9 -isForBrowser -prefsHandle 4940 -prefMapHandle 6492 -prefsLen 27834 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a71ced11-6ef7-4b57-ab47-f81c7b48f7b2} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:3556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6264 -childID 10 -isForBrowser -prefsHandle 6256 -prefMapHandle 6324 -prefsLen 27834 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0958a7a7-c7ac-4a9d-9945-637b851df5f5} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:2160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1424 -childID 11 -isForBrowser -prefsHandle 6724 -prefMapHandle 6728 -prefsLen 27834 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aac7e1f6-efe9-4648-86d5-29c573d74ce3} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:2172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6772 -parentBuildID 20240401114208 -prefsHandle 6784 -prefMapHandle 6916 -prefsLen 30338 -prefMapSize 244282 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ed9f1bf-a9b2-4b28-ba4c-8f8eeb6f3420} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" rdd
    3⤵
    PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6784 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 7052 -prefMapHandle 7048 -prefsLen 30338 -prefMapSize 244282 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a751b3a3-9766-45a8-86b8-fda437ed6fc8} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" utility
    3⤵
    - Checks processor information in registry
    PID:5700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7604 -childID 12 -isForBrowser -prefsHandle 6308 -prefMapHandle 4948 -prefsLen 27834 -prefMapSize 244282 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc7ce412-a60c-4556-b86f-734fbacf2fb5} 5600 "\\.\pipe\gecko-crash-server-pipe.5600" tab
    3⤵
    PID:3932

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6040 -s 1452
  2⤵
  - Program crash
  PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 6040 -ip 6040
1⤵
PID:3120

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1428
  2⤵
  - Program crash
  PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1060 -ip 1060
1⤵
PID:5920

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1428
  2⤵
  - Program crash
  PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2144 -ip 2144
1⤵
PID:2372

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:884
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 884 -s 1428
  2⤵
  - Program crash
  PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 884 -ip 884
1⤵
PID:4592

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:1404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1316
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1856 -parentBuildID 20240401114208 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 24466 -prefMapSize 244649 -appDir "C:\Program Files\Mozilla Firefox\browser" - {123e474e-8c7a-45ef-a50d-53410cc3a82a} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" gpu
    3⤵
    PID:5084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2196 -parentBuildID 20240401114208 -prefsHandle 2188 -prefMapHandle 2184 -prefsLen 24466 -prefMapSize 244649 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a97c64a8-5d09-4a37-bded-340afefbff76} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" socket
    3⤵
    PID:5796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3200 -childID 1 -isForBrowser -prefsHandle 3032 -prefMapHandle 3236 -prefsLen 24965 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {38ffd033-d373-48b5-b7dc-28b119878228} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3016 -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 2928 -prefsLen 30198 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0092228c-9532-4b42-a48e-393c8d2e1cd2} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:2360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4796 -childID 3 -isForBrowser -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 27748 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {739f1b0d-7c90-4bd8-94f0-d4265b6ad483} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4776 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4804 -prefMapHandle 4764 -prefsLen 30252 -prefMapSize 244649 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00b1713c-a59b-4296-92fb-d9ef661808e3} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" utility
    3⤵
    - Checks processor information in registry
    PID:5540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5360 -prefsLen 27748 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {625c9074-9a8a-40c2-a776-6315928cea9d} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:5356
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 5 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 27748 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f1099d8-a24c-4b9c-89da-7a0c49a1ff7a} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:5188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5284 -prefsLen 27748 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37aeea85-f709-4472-ba0c-071d4b557fa1} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:4524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5072 -childID 7 -isForBrowser -prefsHandle 4808 -prefMapHandle 4816 -prefsLen 27748 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {840790be-bf4b-4d62-949d-474e854b56f3} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:5760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5992 -childID 8 -isForBrowser -prefsHandle 6000 -prefMapHandle 6004 -prefsLen 27748 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01fa9427-725e-4f0b-acd9-002dc1db7743} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:5772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6404 -parentBuildID 20240401114208 -prefsHandle 6396 -prefMapHandle 6392 -prefsLen 30252 -prefMapSize 244649 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7fcce1a-857a-4d29-bec5-7ce7ab0e2fd8} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" rdd
    3⤵
    PID:5656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6552 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6544 -prefMapHandle 6540 -prefsLen 30252 -prefMapSize 244649 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80d6b13d-556b-43ea-81cf-53ce6919ca34} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" utility
    3⤵
    - Checks processor information in registry
    PID:5984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 9 -isForBrowser -prefsHandle 5324 -prefMapHandle 4964 -prefsLen 27748 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90287511-ea60-4bfa-bfd8-8accb1b1589f} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6080 -childID 10 -isForBrowser -prefsHandle 2752 -prefMapHandle 4156 -prefsLen 27796 -prefMapSize 244649 -jsInitHandle 1328 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba099a70-a928-4932-8c46-f0331f3a52ae} 1020 "\\.\pipe\gecko-crash-server-pipe.1020" tab
    3⤵
    PID:5636

C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5192
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3328
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5368
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:752
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5916
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:996
- C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
  "C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /main
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2708
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:5456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
2421f5ffd0daa0f72c569f67490962fa

SHA1
b7a0f1cecc07bcbd564783c4a65487f601d51f98

SHA256
dca7e7bb3f6582ce988b3ad8a644b66c2a8ad63c2540305be1a4099b37673e6f

SHA512
e8e417aa4e33b3e174d7c33679a4394c2cfa18058e07de8ad22be0aad5017501801e046ee5fd8c13b2a52426551d5f0217eaa7693898d93914503c0f3abd89a5

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c0a1774f8079fe496e694f35dfdcf8bc

SHA1
da3b4b9fca9a3f81b6be5b0cd6dd700603d448d3

SHA256
c041da0b90a5343ede7364ccf0428852103832c4efa8065a0cd1e8ce1ff181cb

SHA512
60d9e87f8383fe3afa2c8935f0e5a842624bb24b03b2d8057e0da342b08df18cf70bf55e41fa3ae54f73bc40a274cf6393d79ae01f6a1784273a25fa2761728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e11c77d0fa99af6b1b282a22dcb1cf4a

SHA1
2593a41a6a63143d837700d01aa27b1817d17a4d

SHA256
d96f9bfcc81ba66db49a3385266a631899a919ed802835e6fb6b9f7759476ea0

SHA512
c8f69f503ab070a758e8e3ae57945c0172ead1894fdbfa2d853e5bb976ed3817ecc8f188eefd5092481effd4ef650788c8ff9a8d9a5ee4526f090952d7c859f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3c821293-41fb-4e2b-a518-6399f5e8ae3a.tmp

Filesize
5KB

MD5
4a87195564ac52e2287b6907ffdc1c5e

SHA1
522159f85e503d0534638176551203a2d40dab04

SHA256
333860a75a9ece7b0b97c4445bbc23916bc7273231d4a7338ce175938e199be1

SHA512
cd20fae2613cab620919cc646b2953e76988b61249730b50c9c22abbdd0e68301f16e2bff643d9990de7fb5fa9079be2b3f711870eb843faab39fc8964f345bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d469cb93836bda798b88b2bb9f2eb87a

SHA1
6bdc3cb5420e118714481487c637e5d88068aa17

SHA256
65f8a6e00b10b16890f765dad819896ed009d63b4227f34b71b90a6ddc1303fc

SHA512
b8b91b01f74ce6d6d2ce944dfada13057853f1b15d021831b54226d61f2b1e32f2a5c01d3bf7589ddc397945c2d8b106e9f3431de3969dd07e5553c97515179d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
896509812ba835da93abd4d21ecf805c

SHA1
0bed689685deeffe300405082e9569f57a93762d

SHA256
5008f8e6e6ed922edb468039a00c7adc01a295eb6f101ab3c25044e7a1db0dfe

SHA512
ac66f029919596b8d5012822b4d240d648f49f23cb886d33130bc893f24033867c2d7688b2ed6aa9e99dd357b5c628823f650cf3f1d002bcabbebcd8d82254a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
740B

MD5
d49c040d68084259b9d8c89b756ac326

SHA1
560fa737742d03894165c4882d6ab1e8584da7f5

SHA256
8ffd067d8380c85057c44d16754373cea61c6b2106b4f73212f56ce22fa5c7b7

SHA512
398676e20e8aea78550c5c35ba684662656e27f26900bcab2812e41903b525953df271de183889d00ca95f919e084500dff9a4c62d025bdab4e80288dc86b2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
823B

MD5
2753e726fc35e07468a66fe0cfc4a9c7

SHA1
90089486aeac158523128f425e5444b33618da0a

SHA256
dc88e29065f79acdbe799b4bb0949fa50059ab501295ad8d859a470cf64b0e10

SHA512
d4e6451420dc2403c022e02ff2a71071bed8811c6a508050d881fe31c138067399dc7a4eda7fd1ac72db054721783aad1de8279def4dc3d3a25aa898167e8490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
823B

MD5
81f5910381afeb6c7461c348a1fe386d

SHA1
3daeb0f2b36d30e86b992937a91508569408b3c3

SHA256
fa6c329c19c2f7d4efb7ed1bd5e1290e56d39580be833b25e824ee95a9c4e8e7

SHA512
5c1204d895cff8deda0ffa94c26d2f73c270e669e1ea75634bde84e0d0f27eab0b16bdfc3ec88cdc1bbfe413e294d024f0e1e282cf4e479c5d2965105a3c2561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8a41fdbe038aba90502f8cacc474b72a

SHA1
3535b170d89b87e6bd4367b4fffb3c598d0d393b

SHA256
101a4fe562704fbe90f9e2002a35ce8a9eb04dc10bcb1f34bba70f1b327f0be8

SHA512
563f8821766e319b0261d2a8ab65a76c0786aa58c45e16fbe0e2769218cd62fe0aa378cd14cd9b1d5c891ff059b89220382ce824c2afb8dbe7cee66f2104ea86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f6ae156996be0b68a453545b5932234

SHA1
8c0aac3d8a3a17bed9c147f657545cef02accffc

SHA256
b035a4cc67e57a474d3de3a02fc8bb3d1ac924dfb02e0ebf15390c094c536e85

SHA512
920593e946328f4aa941ca1d0b717b1cafede3f3dc2f185596597192381467d84864f6a066fb8d3ff1664b183bb17b70c477dce57781b70ef92cc438af96a588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da168b8ff619cbdcdeb9d0ee419fa79c

SHA1
5b4dee2fecafdf37ce4a290daad644d9ad7827ff

SHA256
3c776adb50aaa7604f70cdce113ad65cb0083e71866b5212c951617f893d3953

SHA512
ea7208bb619831bdf48855714d033c6c1bd630e23060906547834c40b87849048da8c2ddce6416e1039d8e0b9d691b75a75dd76258a5219da66cd3dc9c19720b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d6b532440c170a6ac22cf10184afd570

SHA1
863a360cb65c8535d379c59297e2d959ca2019af

SHA256
077b5d97bc581aba23604e2fbf2a96aeded6e0f398363481d06b2cf498ed1451

SHA512
2eb783ee3b5a680420f8ff100e01e6edb6f900dc0fda89f90b9bd5f62fca6030662e298d14a8c98f7212c98a6cbb7a05aa08fbcd63bc912015020141ee7b1a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53862e889e38f1a5b633f3b2dcf48485

SHA1
349496c491dcc316a344275a3aa075606627351e

SHA256
c14c2874f9294714555ce77b3274e6a8fa5040f44971d3e7b912dfe33bd1850a

SHA512
09930a016712364aea662d52da2d5c75849b8ed0f887bea509b85e6780369987d7425b0202418ee96eaa00be7a872d01c1a7c98dfdcb1dcc0b2cc9255ba114f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b224c062d49c1764cf6f5b5915d4b7f

SHA1
116aefa3aa58098719537d954ff1ad9f579cc548

SHA256
99cc5c8d4601660b20cf4d7ff430f9e2e06891b5bf31b07d2067254fe0696569

SHA512
47c88a894b507433345edbc17b5246aa0e97771bffe3a8b76ddce588f348ab46b41f92d0e7afd98692df852e8965106c51ce5543b892892a0e02610753eff882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bcc9972d2b118c5fe80f4689730204c0

SHA1
79e5ce91fcb94e1818cdb803b2c4605d7c763388

SHA256
cd4a268d05325c95bcb33dfd28853418cdb191b5d5b8ebe2b2d881dada79c066

SHA512
d52399c8426d9bde578563134c69798ef10d1e7a172c11154205596b004142c96dc0bb226abba9d9f16beebafd19f7a597402a5fc78ed96c7d4c84efd508bcc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
68551f2a1675fca245e6fc91cc1a5ab3

SHA1
7ad18128d6f6ab14d913347e278d464789db46da

SHA256
f66cbcc28b4ae2d76d2a0b7c85db90b61c5d195c10d98e55e08c02b3acbfa42c

SHA512
7a13c6c630cf5a05a512de7635bd8f56d6ba74436d30119b5bcf2951c77f1d4757d3dd0c5dfd848b3c44d398ba0b9c8129bc6395aa906c741a47cc5c7fff42fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d9df749fb6aded9d44947365b1b2bad3

SHA1
63d84aae0f987ef56a05d2aa8625d308062dc719

SHA256
b66459f06974b7ce71978f34fc09bd134eb78265e462f588239e69f22b0e0031

SHA512
7f84faa9e2affa6b30cece25e3103a15930d027a7a014bbd7868f21b9e562afe610f46b914daa63e66f6bab7eea442fe36f6684f4a92b1a507c4ba1a92b0a7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac00bab2ce4b7619ee0d5b447add3df8

SHA1
50e7865e60df5c66ff57746895b98a301dc09846

SHA256
1afa48fa4c694b3bc6be5097baca3e194c4a66a6843bb23df7ae73f18b4828d4

SHA512
32b08af65365bf8c3f22455c9b5893cb64ac791e1769705d929ee8c9410861c03205b3003aa2e9a9013fec970523675a977e58e767ecb6e8d77d1cfe73c8e4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f86a8a049dbc4846b9046809ca522b82

SHA1
e6f2d290520915ada94626ff66c4738d57295b91

SHA256
a3e895952bd708d18a326249bc6268ae54af8a765b8a2d5ef40d8c8bd1b4e427

SHA512
22745d71311da08d7f854019c814afbdd45942b28949ad04f734b7a8c810018634fa3d826b67169fab9cb9c87764c5895d4d4e0035e1413a65be106995f1a2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eec0d9b99129bf30651ff898897bcde6

SHA1
b3fc03a62030572064c48cd0327ed3d464023bbc

SHA256
2c4f85d15c019158749ccfaf2f25fef1ba1e899506b9b19b2ae362c66d855c94

SHA512
316a04c63537e826dd9aad8f151de23b0d2fdd0ed2a95b3c3a97ea3b5f630020beb62af1edbd209d3b9226942743c88c745b82f161f18fc476aa983d25589ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5866b4.TMP

Filesize
1KB

MD5
7edd1a271a417db627f3ca63faa08a26

SHA1
6bbf36a8115ea30df42817a3e12523f0ca4347d8

SHA256
32b7028f9f996ec232df69d54e5d8ac77d366365baab9ec6284329d85e26f2f6

SHA512
b51bf30344c9a6c4ed42ac7370d090fa2a8209e61f234ab6ecbd4472612fc03890cd37d9611c002c35ae500d9490c62ed81b31aa962fc5c4228f451a4977207e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c08518ebcc6b3a09c0a1a5850c2035d7

SHA1
038b5d738d672d7eabb685233bb71eb21a08e1d5

SHA256
66b4043ec612a52df5d80849f9ab06ddbf02bc9252e12de9332657020c52e018

SHA512
2e0ea4b3269502a69d6e58a7fd65483872d4ac3e0280355d521c34fabc68b855f7041d6e85c261d87afa188db65d00272669a06b0ef19a237930ac910f1fdd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
19c909502e1f5a9376bcace42940c8b0

SHA1
d7204a52d58f04035e952e1d4febd70d138a685d

SHA256
b4de8b9ea346e71d23af04fd39861f0eed34d7b4a6c87ba1c2de9d2e878759bd

SHA512
67b44af5003f07351bdd1d3491c750147a7004c88c3b6ea48c33a03791e20ae3afeece0f64582b60797801312828241fe8e9853a7b2358577a1c3c1bfaf4c4a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a5fc2a25d4692a40e8e37b97a0baa4e

SHA1
029ed98af54a71474b4d3af3d1eef91b61f1be90

SHA256
b658e8a3acaacfe0f29555aa36536a7a0c24a594e2bfd1f9d5597024570ea256

SHA512
00f90c1f2b8641848b27484545abdf0a39cd2abd019d90d794597148e810648e790eb1f8891afc7cae0a923923a9d5cb166948ace564e50f3c87749aed0a1208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d9f89cda1011cc7aff668227756ca771

SHA1
b13eddbd7da71a9e27054f8325b5b874af605c3b

SHA256
0a4f69fd14030eff43a84dfb34b41dcb1bd83068892c9a5c37ea6de4dcbe2c61

SHA512
af485c021364eee1d8a81352184b39425cc14152f7138bd8167332c597e7630bb79e4ab11e4baee7a1b3d04527b773826909684e3671323c0b34db7dba31d713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ca090a7f61f6d2f67110a2e53a48e6f3

SHA1
db17ba80be5a723c97ea78e72fd458ec1c9f1b66

SHA256
9c9ddea9808a25a90bb3d9db68b6e5fcb158818ab6cff1fd5d3f042ec90ea22c

SHA512
df1be5e5ac8b3ac709511b0e1c65a96fe2ddc377332940a89ccc469cbfdca6ad19c60ba4ac357ad43858c2413cee6dd3c46d6457eafd05e37cea1d8da26596ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
da12fac4261f86012a9eff6cec5232ab

SHA1
2760e67b4a6f8beab16b7b9065074178343b1daa

SHA256
861795f587079ec4f6549fc5c3c72c361f4c1083abe2638ec03354527a5f5143

SHA512
cdc875b2e9c3f24675ea927ada3aa55b2adcce840a99d44630faebd6141500d90cf73c3ac5b28520bfe46c956fe53c721f9453e3b71610d0e05356d95593e4bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\0496E33B07BB9340090B6FF9A653DA5443DBD403

Filesize
224KB

MD5
6960b4a4a9dbfc01e3bac2992d18ec08

SHA1
fabf9a89bef5b87f1c1c7d52c5cca45f35731e43

SHA256
c325eff1956b7ae547f17ba9195f807a0cbddfb536f66f463e47e39d0102308c

SHA512
8cb86eb25b54d209b214cb9cea819f126ca74aa114d0bfd0f141bddbf5dc787c926ab96768067e65af7d967127969a1c1e81736286237e2296b892a66fc54c8b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\2681DF1C05D8B1BC372A0505C935A59887AC240D

Filesize
44KB

MD5
5be4db81bada435c64174654f57a268c

SHA1
df741b95a0a2b1cc623b130bec169938c6063b2b

SHA256
cec28607b0d66dc225aa5dda2c81e115dbc5e5c0269e8214802c8350f0f98067

SHA512
306af7165779b805fc1a3e552391a77782117698940d7f2c7f6258c83f00ca188a23ec5b860719d6ca55eb8e37887583544e374ca94714347a07b1efc2616ec2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\28C80F7CCCBCA07AD3B3CA41AFF9F6BCFFCB2CF8

Filesize
30KB

MD5
4675a59adfb535d1a2d8330c2c9e2bc6

SHA1
6f2ff09f4922e062518e6ab4973ae5f08209b03c

SHA256
fffa0d66cf3faa7cb72752cb005a85467d639097786e718492eeaedd01a8d93e

SHA512
defb34d2bdd5f67c71499592de5e7a17885a531a6c1111f5aa01827fdf156f857f4aee463f5f1745bb441df64f388afa54ca70a87ebdc79250e85fb7861314ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\29F33E6421384CDE0811BCA0A826AF3AE6BA0BE1

Filesize
37KB

MD5
9ab1fcfdeae59f58e3530e8ee9cce4ec

SHA1
ee40bd7b7a6810adce78ce01e394bca57127b634

SHA256
11552c353fda263b06b6bbe8ee39b93efae47ccffba062ab9b2198cf8bc912a5

SHA512
a17b28660bf6bd52d2111817068b159590fc7a5c7e4167c591d5e7bfd54cd4289335502f08d0b13c14cf515eb7fd918aee424295e796209ffa22405b94e1a8ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\35E25671471609E16A4B568035D2BAA3C9640044

Filesize
50KB

MD5
99cfc5fd93dfe963126cb749194cc72e

SHA1
c1c05a25e33f09e92721d603599a57caa0553271

SHA256
9560e6f853f814d81539e03ac6694bb083e0349dd8b0d6f0786461b0455a057c

SHA512
09400691d20b0033e666c0988ee588aa651404b831b9c30c501093837946f3247798361b17dd6d0556f8df3812274e33c16624ce503ac93d0ad977779c856323

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\36F7AC2C8235DCEB03AA483F1365138A5295CF34

Filesize
48KB

MD5
07a95e503cc8ba5d56b0cea12b2fd989

SHA1
49f3028677e505c5ff20d6659ab1f8835acdbb2c

SHA256
233e67d8287e1c05aab09d13d0b3ba93587c72b5b34264b869a47ea54095166a

SHA512
089fd2286ce19a374242ffd1dee235d412c38d2d8337f450409a47fb1672411d197db4f4121d293c02048c51700a82b977167be253408f7c6261d22aedf77a1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\40A8F58CFC1A23A6BAE836E45F467F9B93975806

Filesize
41KB

MD5
f5a5199d6c262dcc9484441bd70aa73f

SHA1
6b834de9a8b7c169271bc39b8ec2318157db56c8

SHA256
fdcfb0f93efca27a8ec53185de716d23d7a7aaffd0c153c5856d076501f7e887

SHA512
4c27531229836141dfbb0d2f96a69e6f7ccf3962a807865c69447bcb1fe4960e04dca3ff8c84c7714d35ba100ce8c784341beac26f0438d6dc8a7affa92f202e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\48A773B8B92BFF039D7CB5A9DA03A6DC953D7D7B

Filesize
43KB

MD5
8c52b797b432b5b9afee5d0343b737c8

SHA1
71982a9ea493cbd9f9cde55cc256860562a6fca1

SHA256
e3a2bb4a0bdf862562f116f0b861f67a2eca5b9d9a0f5fa22dc39d746589c47c

SHA512
735b23f448532672164b23949504e54fe5e4a84f4242a4bb50b3c694b8b284283bc99f7fd14a2dd6d413f1578c821b7fa7160e2fa4bc1b65d4c4db29e1fe7611

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\4A659374F8162DE9561EA239DEEFEF98343DF04A

Filesize
61KB

MD5
f9a15347a91d7a41538c6a2f5f713425

SHA1
49877922fedccf98be7b3a7db480ba3ce279d4b6

SHA256
ae6da382d61a905f7acdc5459952e6e4c49984d18284df8f88c966ffbe35065d

SHA512
0945c2c4b8bf4cd26046e05a519ba719842b5251f6c439f4e13f73dd2c5a2a2115b872638d5d0175480db1d63cfbedc6fe7b3d542f7297383961d746598a06c4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\549C94847E35BE89DCE95DF86EA39378F22E5078

Filesize
99KB

MD5
6cc5979677705985fd926be341bb7a81

SHA1
382bd96e86022f73a134a58e374d7fef662b7995

SHA256
d3a57dca9cfaa46cec0610992a397f1c44d7c6322fc4968e15a63b36a98e5b5e

SHA512
3551b95d1106a27ca44f7fa47205c8ba7e5318ad985d036acb4a7b6281d9e650ff5281d39e72fde132c587471dc28e3505246745f8878695698951b37ddf0a05

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\5B5F81C77EA4A0D4425E62E3D6F82E571526EBF3

Filesize
34KB

MD5
f3cd5370f0b76198112e51b1d4504347

SHA1
de16e51cb202399f5d30eadd7a7555099dc3f4c3

SHA256
04fd8577874b5bf9642c1759e2c17d14ac7f9a1885a5c9d3e2416fbcb627e315

SHA512
e4f9e1de01a0e97de9536b9d032c8b34f025eaff452d30ac5db8621ee24af8eed4c15c11631fe9e450e3727b97c0c8c59d24997401332ae0837e0c0cc45b005b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\643973A72CB665816E627CECAEEAC7166A356FB8

Filesize
114KB

MD5
cc42eb819c3c5de7e9c4ff7e0310d76d

SHA1
1aaf75bdd7fd754bd5a2936f284661bb0b240bc1

SHA256
a173aee776d0ebd5959bdf1331ab0ec4c9e7c9c546bac9087bb1d3f4f89ffd3b

SHA512
672083571830572142a6c7d43af5bb9a1beafb11137a57ee5e04292dbf5263a978ac90f3af6760a50e3763d11a4bd61816e6d046a550eec4af3c991e2022744f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\6A99079A6DA2839CD187FEE7A0AB74FC38BA60AB

Filesize
75KB

MD5
0386d95481b4561e835737e1980feb11

SHA1
be89dee4f470790c403c49b068336d5883ba1041

SHA256
1e454182507556086f3f944b7b3f13ac312736d193da62a1b87d3db293ce5697

SHA512
095f388defe0dc0352b597ad6f8724bf81207fefc86f38cd381d088b92735d31ad79b7ce43b038f2ba8ad0b243a406b0adbb8d57ddd4f5c1c56d4694dcab9511

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\6CB8DA195B83F1EE369C11A33C63581DBAD64D6E

Filesize
96KB

MD5
208632f76046b3442d05479fbedd3b7d

SHA1
02cd92c116bde13bc2e47cf4f99b49f1077665c0

SHA256
9446b56924dc619ceadaf745a283af9e869973a388d25b8341044d4f4aea2772

SHA512
2dcb4559a1204ef673c7f5472997feb98df946226b0256cbea905b2227f504a552cd4f4237b1d49290b9f743398bbb50ac48bd91d97dcfeb3be45dc91db4aaa9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\77F17670A6CFC9F4FF7B438AF400023A40138019

Filesize
42KB

MD5
f8da17561244e42f644de61b3e0ec69c

SHA1
320a32a59045e6875209e221b5b871e904468962

SHA256
ad143755285955dca936479f949fd8f1fb4f2d1ab7a80815cbd06ece5115b83c

SHA512
1a822317c4ed577e22c0f7ef2e4ac2519940430d29d4925bffc5476b8906c09ddbec36ae17083b98afbd2efd61bb6e13994d605e938f3f5410314a13c5670aaf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\88D98E29E70FF6FCC796CE6166E1AFAEA3FCD363

Filesize
74KB

MD5
ef0c1ffadc2bed03320e4668ef762cb2

SHA1
20a5b8ae320b0398b1e1a9121e6b28a175f6dfbf

SHA256
69e995cc2c76e2c3146366cbabd56ef86438d0b5563a54b8b1502b5a824815cb

SHA512
6982ae1e3f44553cbe87e0d0e82fbdcf759dc5e6334f1de4b66bb97182dbc72f5c61dec3cb5f311c5a55517a0ccdf098c35428bed4a64df213068b7d0b10bd4f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\94A149694DFC456EFBF58B41D01186DD49CE2962

Filesize
26KB

MD5
111b77a0c1849a5107a68794d67bf27a

SHA1
1e3e484276b658098f4bf7221f318981cad5b873

SHA256
617cf3fed0cca653c87e6caa9c08019886ffe833bf548b4bc768dfb6d5b21372

SHA512
846b8d510b03217a4514ca86fee877a16a0eb63e3435527d94155277282d50e3ec98a98aefb7349d266778ff734112842185ec4957a323341c7f02b5671d6543

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\9B5DC42D011707A272F4010AE622B8F276F1ED8E

Filesize
45KB

MD5
9e7cccb9ed2d05c13629c3b75c6fcb29

SHA1
ea633c162bad9d86ac24aa3d5199aea24fda07f1

SHA256
d4f5b565a7e79fec6d57cca119ad0098db209d8287cbceb0638ed0ecdb4852c8

SHA512
6c96b54a9bbbaeae99edff953cf76fb38a4fd5e1a0af4adac61387935af8eba1a73f51621857fc4d261d40b8911b01e664c20f09f0d133a43f8e24e4c0125926

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\A9B08356EBD30B2479D50C01DB7627B8CACDA442

Filesize
40KB

MD5
0648086f26cd70b32348f4d096684832

SHA1
1285242e3336314718506e08dcaacb37b05c605d

SHA256
efe9d3d52d0f3c463970be5e542e262807c11219f1284eb0845915ca7cf6862a

SHA512
9f6b345df9c0ae59dfccb74c86665c4f40df1e19e23ebdee2a47bed58c7903ad0978b85c9b6ff29678330beb586cfa7f0636996768a2b014850c592c57ddd647

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\AB740295913D6FEAC15A7060502087FA226E19B5

Filesize
69KB

MD5
eab7353fbd3651e0aadd5e5582d185ff

SHA1
4909f5bd8b1e1b7769471e8128a591af3c72d49f

SHA256
7d46b67315e9f7e3a14bd6b347259ae51b0f75c9cf1ba018ce4d22916c651e95

SHA512
b6ae980996c4b732dbf080a62a97c6c800fec0499111eaad5a68f1bd3fc27a5e833ba71c8ff51901f39eb55739de77f134eaa3296d864a1143c6721b202f0996

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\B187790100BD56D71A8A1504C32496A1DE5913C6

Filesize
29KB

MD5
572a8f782d6da0b06917d22c0730f8d8

SHA1
57f6835c8b1da24c2e32d665c778f35272a6ddfd

SHA256
87d9869a785278529c92e996ce54d6580fe765a613ffb4b934bcf29e85b80dbe

SHA512
8d6e4b738bf66346139bbc55052324e9f674bb8b65231d3671974363b2bff654650458affa558456e8e2687b58c3eda8fb36edf4d2e1ca617adf7db8f836030f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\B5698C37B0221FC24143C18C07A3C0C8FE58B052

Filesize
117KB

MD5
3bd1696cafe5d1e45d0bab38c4f796b7

SHA1
64033aa092c6ca9dae585b02eba01e9007ae82b2

SHA256
6436d1a141a9a47d07535b3e21fbb43a7ea03821cf44a519ce612e2c47ef3488

SHA512
55c71d4fb1e703cfb2bb84d2eecbdf154d398383e3313a3721d74907bd57a9ef979ae133785dac87751e70f898eaa5f47c062b6a9bd87f4aab5f7d920879d95c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\BEFE11C9B3FC844F26C5662B326E4F9B52127B12

Filesize
69KB

MD5
c2bb952948046c0dcf6d816b0730d9cd

SHA1
8bf44c6fcb7058870940d253a9b085410862d5e6

SHA256
104be9bd40435615d4103553cca806f7831008b4ecdbfb08491eaab7e65a46fa

SHA512
79a5eedb37ce9d4aa4f539f6ae80befb5f4ac8ab4dcabb41e6ac07692c5e80c47ccb0bbbdae3eb2b04cdc5b2b345a81cb781df6c21fe47ed4e6e8d7d17bf1b2f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\C161F3410446A09FA8C843AE6C7443964D12B01A

Filesize
47KB

MD5
64ee5ec21f9713ab8b41ec4adfb73230

SHA1
ff1a48591825e6a7d6b9a82b26380f640e4d256d

SHA256
71248ca339b81bc3882e2316bad47e16b4b51ed72c3a12e849c95647a4a307a7

SHA512
30a900347416467da060c9ddb5f49510408ff036f1012f79cf999ca5dd4e96d69d0dd24bb37a353fd195441929c5f9417603b784022ea362868ca745cd309bf7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\D94A678A2549B8A6C46FD1D1E3BF56749C7D416E

Filesize
28KB

MD5
6f7ebbbf1d649323b5213e83fae38508

SHA1
19354f91c3a15c90166468880b6e2eceffadb456

SHA256
96649c3c8b37ea51363e38a2f92e62c1a0865a4eba79e21c7918322f58bcd4cb

SHA512
a5085c03e5393b606d79cf58fde76b593e49101e59b81d5f7346bcf755a521b15b60f37df58159a01e189f0a809c2421b2b356a826811439247e605e3205bf62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\DD725CFB452B155F219B31EB244119400FCB1F05

Filesize
31KB

MD5
385adcaa4ca9642dee079c18ffa56943

SHA1
dd68a415a2d89ba0d3fdc93a894fe2181f033574

SHA256
b90db692facaa1f7d2ae4d215bdd6d2e54fb261efcd0d97dc169e89fb37f0e6a

SHA512
6bad7751cfb2cf39c0cf72037c4e18ba55aa4be7ca48cc770f919d02271632a93184b8a055ed2775e92b0fced25ea9302aad4e21793ae7b8dff0001f65e17d5c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\DF456E58304C9DAD83ED69C2CA536AC36867EEA1

Filesize
116KB

MD5
4294ab328bc664efae34ce3a763cfc3a

SHA1
1ccb5245ca1b4897a05beefb7977511ecad6b651

SHA256
7f4b4f80371be485253cbc0d2d26779d98bb1590bc7f28c5af88c81decf0a573

SHA512
59b8a9c26170db6bc4c11f6e79204ce81e578bb47143653e48102089a4d643bcf145305533f6a2fb2e01106ba3dd325ca83fcd81c020f8b2e7a27f563ea8a61d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\EAF17210F28F22D6EBC808C2C1515A0B71A3E8BA

Filesize
163KB

MD5
6ec828502d2ec335e861ee206fa6466e

SHA1
a81b6af6e1fa7ad4f919a2259e78a4c9750cf29b

SHA256
804e5deeba4a54762dd18eb7b0f722090a912521f23e618435bbe9d6272bb70a

SHA512
3c45ed5653dd7b20fe22d12303de53c7c2a4d169030ce770d91fdf56f8ca05834db23ee100da253323a4a169224f2c476a5c6af76faad6e4318037c742ebe83e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\F37C1195822A75A463BCDB86AD26C84ED9EF9D34

Filesize
39KB

MD5
d10a0d7496b0cb913acdc1076874a598

SHA1
5941c842326505df0c0c5951c75a3e81c1d49854

SHA256
4be5fe5a7a93e5dd4d2c506ac99c097b3faf6ca686474b6d8a6e3cd4cd967465

SHA512
e36675e0b7f1e8164208adae75fa4944aa50794b74bd1dd1c2a2bcb06f28d8408e20d2f8839c173a148ca0917682e385f95c246b8ffb075036a1967dc6630dd0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\cache2\entries\F7238E2D6FD33D777BA92C46B87D7C03780BB3E7

Filesize
63KB

MD5
c4243cc046bf8705a71d704c04d30cf2

SHA1
906f8abe9ad25d7cee6833271934d803d938bd36

SHA256
e041ae17be96c153fe607e2d5bdb8df607985bc454191bde6b8db7b1ed5fb443

SHA512
f74d2d0e65a74bf2f9cfae7bc906e2139c323708e5fd1b5c8c0434439915bb690f0d5e456d491944c91d9800a755cc3e0f928b7f1bd9e3abe35e170554f2f8f8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\eeb834e1-a6a1-4374-9253-f4cd02306a68.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin

Filesize
6KB

MD5
782e95238d4820fe178511e54dce57e3

SHA1
7758c3476c08774a847de549c326e9b4b4c92e39

SHA256
b2a037236ff82db7986bec54a15253adca95bd94b4258c046d5a3c23642162e7

SHA512
f16af1a3a893021ae5030b8b8d1bca61928032d86b4551a138e9378532c70b5d9cd5ad57d706b87992961dd3b465208452f8bef89d0c2d8d7c964fc727ea5951

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\AlternateServices.bin

Filesize
6KB

MD5
34ab89fbead90001968f5ed978b9d125

SHA1
1d705d299dd47fd3764a6d027341174465b0b9f3

SHA256
185e5c4f0a0d7fcefb208e496d0226c2866fd95a41339e6d6b7a511f8f5a58f6

SHA512
7e329f205158c18064972dbb6cbd1c5686ae239c84c119485a362039db23147f28878734815fc321471b0ebe0c2761304ed9d8353e1e3293da6eb51944e5fa1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\crashes\store.json.mozlz4

Filesize
66B

MD5
a6338865eb252d0ef8fcf11fa9af3f0d

SHA1
cecdd4c4dcae10c2ffc8eb938121b6231de48cd3

SHA256
078648c042b9b08483ce246b7f01371072541a2e90d1beb0c8009a6118cbd965

SHA512
d950227ac83f4e8246d73f9f35c19e88ce65d0ca5f1ef8ccbb02ed6efc66b1b7e683e2ba0200279d7ca4b49831fd8c3ceb0584265b10accff2611ec1ca8c0c6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
b99b2f0955f5318ada9c015d44523fc5

SHA1
e73928c2ce716703cf8d2d4912cb33962e11a757

SHA256
e0932cfdc2caeaeba1d1cf2a6ae91f21fd0f81c2e63ed814e9ac18b2dc026606

SHA512
df55056f87998fbb64acff6b79360f5c1bb22120fdb352c69b336c994d875e96192bb61bc26e9f10be6cb6d74f4e825eacf335a837c5b414f31eef0be041d1cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
5d46789b528931409fd2000e0d82203b

SHA1
d4d2dc35705d6e31983601dea697cd5864a2ae80

SHA256
e5c342daafa6fb6d2f45c153d3bc9b37790de089a71748211a7aeee5631d8e5e

SHA512
1caf6235c23492464da50b6c260b09ba2f8d0dedc7d1fd9b07d3638048d42d7be0d80fe268441eb8428d602ac5a7c1678e7bdac8dd5126f5ee754a36831b50b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
d3b1940edfd8403caf5f2b38116df92d

SHA1
08a97d2a26ad214c909dcab37efb52a8d7068713

SHA256
99a241f91116ea93bcdecb0a80c3b6838c81c1848aca222459a2110fdbcf3a35

SHA512
9fd97efd42d2a4781d9bb3ae15ba22c7a3ed6de829aaba77319ec13568629812cbd0da201700af602a7d80f356d0ddc5cf1d98c625c9720bfee5b6422d661b23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
db96caf3b607db2aee70d8fbcf3f0cee

SHA1
a4770b0e61f4dcf205c77f7e5dcd26abc250f7be

SHA256
445dae2de4ac827390a48e0530de60a74e70c7689740a16d3026e2abd0d53ac0

SHA512
ea2d123a2c67308eaf92fa1015dfdf4dc129d09a72725208f3876dbe0fc4f288bc7ef87faf09322adf32ff18692d7a91e8eaff0be1c09305492ed81cec38906e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
6613bcac5426cd0d7cec26c59fe9fbc9

SHA1
9dea30b6de5b4fa8477672b86cff7931ef902c96

SHA256
d9d6abf6fee8492e1f757cfbcc1f9173f023081c4e5030b1fd3a8a3a8550229a

SHA512
3ad41cf5fcb84ade10c30f1421d988db5e982573b37d40a7fa25f7bf3c6bdb534fa311b7f6b2eca7de4a13318ab629a04f758929424c2047de726168caf2f591

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
ab41ac725b3e0b33758802d4b2bd1dfb

SHA1
e8daefd5b9c00a89fe89bf0ba205cfd1ffd4993b

SHA256
55877a191185bd96450ac14b894fbfe0ceae13d5c6105fc8f4d0a871c758a4f7

SHA512
328371384bdcc0b61b7eb55bb23ec9822adeb90551d58a895451248b7861a551fb17efa01302493e0218d25836a4b09963b9375faa3caf4e1e7414bd7e2bd345

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c5be9e28bca190d048ba85ec1e1579a7

SHA1
9838c1c497656b1471ae8f7daebe463221258899

SHA256
dcb560312bcda9f8e494094df4cd0cdbbf8a36610b1a9d28887d315d2d36ae94

SHA512
23a12e514a48242351837bde06e83ac1e7249c86a878b8e90be25e79919a287a8e519e2876ca6acebe470a0718a030998b0b75a3b789e7a4016652c74c90f0e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
876c80b74135b534269bd8675d9d0d40

SHA1
af917168057991f3d89935847152fa9039377888

SHA256
59278901d398c723285c8ef88154238438770af62cfab613cd22e5ba82b91133

SHA512
e5cb5e02aebec5b00ebc08a5099a0d826188ff872f1dec6d55b5242f45f8eaf6e3b735ab6f1fb33d3ef4f329f9e252a685714dd5e77f4245fb442eb302cb9e3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
74KB

MD5
299fd98b62c0f8a15dea04fd21e34edf

SHA1
eb637461e9eee115ffc2b625272d49a3c33eba4a

SHA256
75b977ff8567a1a96b75b16078a9fabe64bb9d28ee99642785edabb48aca085f

SHA512
f568893017607e729161e051590b18fcf0d2b75033a39856c7d6dae7795783b186fc6a2d95e32f67ff26ffa2e08b62d9460d761a6340ba1095c05708545f893f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
35d106672814d7fbbcf6ebce47bc339f

SHA1
31bc16091f52a5825036a0c0fc62e9590e1a0572

SHA256
83b98556b6263cb291b16647d82c32e16372c2e1dfb37454bea6ae652f70dfe4

SHA512
07c60a73558d823f5f4b3d27a93c618199f689787fba543d862a63484598251b8512060ba94440ff2613715a03c19151330486f18e6a146169180ad49d991d82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\10352baa-e095-45ce-b952-bacc7c5a9e10

Filesize
2KB

MD5
57e1660839e45ff62334460f5c85c482

SHA1
2c90878375c145a1f1e35bb0f7ea9d4cf029fee9

SHA256
84e6188c0fd499c9253850a7ad60f01449e1d6e5cc98c35d2fd5067946957deb

SHA512
acc9155c1db06820155e75068badb9698dbace1537bd54c67371b885162607d4cfb9bd4ce244e800bcf7d069d3a35e59c82c4df4f4f933b2c37514d857267548

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\18f56be7-f77c-43d2-aa73-9fd995a4710d

Filesize
756B

MD5
0a69347738f2d71929fb541224df2b6c

SHA1
c91613c5828276e46e45b5a1ea8099fdb36e2023

SHA256
d69610d15da947afab25b6f42ca09622ff0a686e7013e483d9d3d6561d0ca3a1

SHA512
f1a3f7d4ffea12c5e9f9172fb98424c7938b5d9dda4eec490673dc9dda3cb78e5c69c11f8324c98e004c85e3ed4d3cd89a252022dbe77a55c0a2a46bd86b4d24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\35e8a94a-4e29-4dba-911c-cf9a8995a8cb

Filesize
671B

MD5
a87952a03f07cae4e2d6cc8822f61c7b

SHA1
c8508f1881a21ed32dec71fa54c60b4ecad429f3

SHA256
6ab4626d0f1259a375b7424a182283c5b8cf8ad8e8a74f92da7869c2a371a858

SHA512
97f78dd59475fd9897ab8c3fb893bece555c326249f42c848f730cd03331153b27351e5ec428e789ec82eb9851a826eb3d9e121962af9c74a168cdc1d9e0b338

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\40a7b2f7-c72d-4562-b18b-46327deb8790

Filesize
2KB

MD5
020afe2928a7c6091c11ac170df1a054

SHA1
450db9e327a30ace6d1c037df29589b44b048d3e

SHA256
d2680b2f742f5fcbcce8dcfa0e95284758552e6e42dbe211d5d8276d0076d492

SHA512
ee90899740f34f8ab02cbd1c93a06d2d4c34b3aa608ec0ad47ffe57c7e8e0f730d56afa67eb9a16ebaa66386b80d678d5965a6a49ba8c5ef9b4acd91d8139de5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\67275c2f-a3ae-4c0e-b281-82cb81d1eb9c

Filesize
847B

MD5
0b8faad57542731d3e22a916f66a10a4

SHA1
e8361c35bd33f53fde5eaa75a44a1ec663e42a99

SHA256
ffb3c37940a6ef44ceb617f8735f2d9285bbaed480450754583664157451982f

SHA512
18cfcf1d465c2f2fb09292e4b9ca6053f85b9faf0e421b3585cd561529d2e656c3b81db62e93ce78af7be733c1879dfa0d31cbb4df75f2d41864768fd8e9d8c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\843b8e14-a501-4bb0-aee9-cc1d4ed8fb3e

Filesize
742B

MD5
4841432c1b4786d693837f9a1fe49db8

SHA1
8bcf9bedc176dee9930197f07e737b90086d29a1

SHA256
a09de03f57afefc89be07183fd10e311b5114e238f5725eb4310dfda08e150ab

SHA512
e628d697d08f54bde50fbbe2314e097703b66bc624e835038a4487072e7751313c97d264f12e224136d698fc3f6d3b77de7004516639122bd61ecd13ce99c699

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\a46a91b4-13e9-46a8-b9e6-16c5255651e8

Filesize
689B

MD5
8f532ec7c941fb1eb8455f045e4dd890

SHA1
22eb7322de58282aae3a028078e5cf80924f218c

SHA256
0c588986739a83765ae86d5159558cf408403a47691faaa06f98790376c18b40

SHA512
4f985ca83b2e51aac941721626c96bf0b09340948a128c2bfe5852e1b05432ba6e520865f03bd922e435cf0cfc551d3090cf08133caedf060d9006470bbc9aa7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\b8cdd959-87c2-43d0-b9e8-6f59ee9842b0

Filesize
1KB

MD5
12540782ae8e808d3009fd8baf7f8e22

SHA1
8fd51287316934da4b8dd9c0fcc9ce4ea998a5a2

SHA256
56e6cd208f73c64a8b4eb7be1403db354e46801c6fe8a2747c75dd2e868a19ff

SHA512
3e3e2d488c233dd14a5a5564ef55e2789c7a6180c549e3c36e845743beaf3235ab8156182728670ac8f6c043b89c7cf4e1185e9831a8fdc56f315007d4f66806

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\e44e0e06-deda-4dcc-8635-86a05d501272

Filesize
982B

MD5
4278519b67a0f63044eb85b4c31d05c1

SHA1
a344911fb34d6c46e63d19546edf235cba5427d7

SHA256
ed01b3ff01504df08d679a03ee3e61bf4a7089f149b1798e55ec04d713a73f9b

SHA512
dcb30ea2ed5676b774b8d168aff75b8106dfd83cb7a29b865836602fd7ba388de22d6a8af68aa1e7321d5be844fd2aafac1fd7dbbd15a70e4b1d88feea2d13f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\ea277c2a-1756-468b-aa97-b10b184e2329

Filesize
27KB

MD5
916cca1f6eee9dc51a66ba5ea49e6d55

SHA1
fce812abca8c3239015429db656e57c9b53255e6

SHA256
a537ba8584616c63323a0ea8920955aa4bc5ec3f262d6df04cbc5d9cf2e33d57

SHA512
fdb78a8e181bc9ddc09085bca96ccfd797e83c487bed875c0a879685840490cda3b904a55b067b6f94dec807de8a9736467a426781d39f518937922df6024546

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\datareporting\glean\pending_pings\f582a5c8-ce26-4678-a3e0-c0ee874a0bd7

Filesize
734B

MD5
fa5e7db96a5ed929816d1f5eeede0f27

SHA1
d691f8ff4147235404ff9846b01185b3481e7470

SHA256
4a28063a366706ac96a9c94757b8acd6e38ab24497e14b9c148e945968f85a5d

SHA512
49c8a399b2393ee4224324a755db3e3de090addb9c035145bada6b7fc37efb3b26d0e3197368cacd973fcd1c890f1008b95b6a4692eae325e8281ed579603882

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\extensions.json

Filesize
37KB

MD5
1a9358e6c6c97a15384cd1a35fcc1645

SHA1
3a7fefb19a9bf903bf6612f7a3c9c1f421fb3b2c

SHA256
ae8f51f021f231d1cc4086f02f9d81c142b7744bea30ad29c6220bd6fed6d5e4

SHA512
56f3a9e1e9f114239391948e86d7be29b48270d20cfe4cd1783a8d79fc1a0421693acdc5db78c4d296eb38b074fac8bb81b75164b7a93bf98242936cfb5bc643

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\key4.db

Filesize
288KB

MD5
12662f3bf5fb53a713847b57e4440b47

SHA1
dbde5573e051a2c873aa21719b4a1ba254774d5a

SHA256
ad594e958972a8b0cd970b681e237023a4971caf329a3c22113b1dee29bf2ebe

SHA512
bdfa8eb60b89e2752b8596469f6a69a4e28c8d198a49f6f66e3f9ec02912e15c388ce63403bd784dc546e7b590d4749649002c9a3fce51f6a0e0a7b11763a66a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\places.sqlite

Filesize
5.0MB

MD5
171a5683882938e629a368e08bffc186

SHA1
04617697eede30db1a9d0997c9a2714e77ae08ff

SHA256
71005b7d9392d45dce02137d069bb4ed795618a10e50bca73e0966433c1807e5

SHA512
62ae49d1d01e4c1e412860e09323c3287a9f81197327ad2367d2e94397bd2010e7c3f6ddcc6581cff0c35a18694299ebcfa8f5eac91de153ed8ef9652ff07ef7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
10KB

MD5
bce14d68ea603fc1e66cc0b87cf01006

SHA1
56b56f2781361309193e1c7e93443f897a447a6e

SHA256
65bf2e4048478d854724cc8995f7100bf021d39b4f5af33760087d88e0b78cb3

SHA512
c82ae986e5028da204d8d9caba3d46b5acbab925df148dfc87a68690c3e5834643b354b9bf6f753db8a64672fcce00da07006e610f1287a6682dbd70ee77f24e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
11KB

MD5
41488b040a44505240fd62c9b7e3d164

SHA1
5ed82eaae5c8cc98b28557c4d06021342d8ca325

SHA256
7a7d7e4c7553fe73552d78e7a3bc97a074be65ba7609e2f6aa382110ff7c9dc6

SHA512
a554c70c1845d316b0e94fc11bc8b40e5ebff4605b14b6d439120ed32a74787a044579bdf23a22cf069704f0d665ad74846d6bfadae5779c349dab83030015c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
9KB

MD5
d66b3731424162ece1780e042e3596d8

SHA1
0daab26a1e9220d2d48a025f90d7b073d3b14814

SHA256
919a831ba65b9f96799bb6077f5a076463b691f9a81cd4975c3631c7b9f10237

SHA512
2e801bb533fdd26e160cf8c97ecfe90e34625e62713f1bda9f17e9d09d76e70dc26b0bd0d92ac45c4db7627e7e214daa49a00bbcef712d2baa89878468604130

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
11KB

MD5
b6289dc4011f8e0e11a126ebe5c5c72d

SHA1
b6880d222c6c862810e3cfffd865d21d80c39335

SHA256
2104eddf643b216283d39b97bf9d7d3608beb0dc0b075a20b0d1bb8e2b190b46

SHA512
6597953984d2f2b0d2ae6fdddc20a4f127548474acd09b03fa0d60d8c4d8a503f247f4b5ac79671439d76b4bee2e6d58fa15a17f2e1e27295c2691700f5a796c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs-1.js

Filesize
11KB

MD5
be56c01407394692c04f59852f63090c

SHA1
2cc6901af9ea967eaae73ad7f03348c1d28d02ea

SHA256
888e4c4170be2f14cc16ae967cd013af8036e61f02bc13f3f615e4c5e09acae0

SHA512
6258c333771eb24e3973b60337bf77ff6d068fcee60c361a5f5c938e8a872edc6f0f0388cf337cd2952dfca58bc4744f38f0308065b16754aa61bcb278072c4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs.js

Filesize
1KB

MD5
31484207f0be484bc567545463d065c8

SHA1
29d39273f940fc7e9b4232e4c485a76698c82673

SHA256
cecad6e8d708e01de96d3401bf19fd8441b72fa4c67faefcea32e6de5bffbf02

SHA512
181eaa219f01f1a1d382832e15fcf0b68800b4ad57017e573d53633651a4bd8f9919c7da86d265d0ee7507a8c543722ac302fd810716781f747d93119a7dbe95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs.js

Filesize
10KB

MD5
e49dbaffade97d626caceb79c151e193

SHA1
3df4c22e444e53abb5fe6146a17d7bf9bc39c310

SHA256
2ba1aff50bb9da690dedab198074153ae54d77803de381bdbd98bb5bf017fcf6

SHA512
aafa669033d3bd82a02244ef1200a6a8353c235031e3bff38e762f9d6de60b3fadc5121107f45f43117dccdceeb8ac507740c0db6d909a44ec597cf65ebbac8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs.js

Filesize
10KB

MD5
d8de61e9c5db2d23f6d09cba9848c4fb

SHA1
ea1d2b93147e04500033d84c99d387d38c5120d1

SHA256
b1dad95c1800d9927d73aadb93e956becbbf6e0b002d7ac9abeb2b73c3f11b7d

SHA512
5b4d50c5995551b802918d7c99e1285d38d154e2f37a2255210df6343d2b5cb1cd8a733e90aa25a055b4bc97c2e0bc4af2497f679ebd2f354967a4ed1ee4f676

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\prefs.js

Filesize
11KB

MD5
655cef12767446115a3ce19bd7ddcbf7

SHA1
7a225a82f6711d23ce873888f475a5e6423c4700

SHA256
028bbafb19f98363641f630dd64b763f6bbf9e96237a13f40dcf6639519701bb

SHA512
cbff65887bdb2af5f04343926bd2b1d52d12c51770929549c321575451249957cd3403df64442ca2764b8ce17c0f2e7d47752e2b95d0812436d059c879106cf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
32KB

MD5
fe3a7f3b90f3487b3a50c453eb884332

SHA1
be7fe3d6aa88931a9d2b07e209bbafafc5ff58ca

SHA256
d95ea93629d401cbf219217a3453e1fb17a4ac0aaa783e39159537c85f5a5521

SHA512
2d5a8bfa9ae1caf4444b95560561b4483587b6ad47094a2937dc24cac4a4a510c7174baa7906e8407220c55e40431dbae2c9325fe8c74cad35116346a35ddd02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
32KB

MD5
c2d704257c327da66ea3591b278168a3

SHA1
087f88a37e88b03a19fd8fb275a149cbea57ec15

SHA256
612c907de0e50a2dacd418f22c1b1c9452c281d2937f3d145cc6c4db221dddd6

SHA512
b96ea1b76217e01c98e1f36adb61bd52fd7ac93a8c700151c39334fffac742f9283a47c331514906c67832e1eceeeaafb8639a01d01816d31b2a9bbd6e5d5938

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
ea8b96ec8aaa411d639006266a0d202e

SHA1
53cf9d98cbf630d6d7e13e218848b7442737fe6f

SHA256
cca1bee68b1c182ef32049098178cbd5157d1f1e64e9888f3156d424cc642cdf

SHA512
01e88f6176459d9c1d1fc3d92987e9066886d6612206fb29977cd67521f688f7d70f7df9f269efc3848ca2a5dfe219cfcd1cc0f59236be8d7148d10b0cd39361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
12f32720b3d56356b2a10467e3cc95f1

SHA1
ef5aac1809d4f6f0654b88d1bacda9c771bd437c

SHA256
0d63a168e2f67c236c083a816ec92fe13defa66615de98a25308b148e2265bad

SHA512
aae9116c1cee490a53deefdd3462a9615e07c43284ab95848c7029cb6dcfdea389d6e55a7cca7ea8e3736b912b207288a04bd895d76314bd9c906303d2c3e595

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
d93c9f467093a4fbf218a9bb3c4c6ef2

SHA1
34b111f7bfd88ab115df10a04e7c27b13b01ecea

SHA256
c6bd69b246fe51ec8a9e73c22123934e3ec2c56b5207f50f31101db3cbd2266e

SHA512
e53dd9010a8248bdc899533288bb1385a639d4fbc1173cd8622999e1e1ba7e7d9082bf3eeb4a5e242e7c7062199074da0f57d81dc10624fc9a1bc5f6d2fe11a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
33KB

MD5
9afb7afec96addc0b5972fe9d9ef8695

SHA1
6d35e11f9a4664a9f50cbaef1d453ea030d185a8

SHA256
6511403808bbc7755dd244748796aef65f0eaba38e651dcd03d16ccf9b6c4287

SHA512
a1f387dd32902072bbc7aeab7a9f269adac1781019dc5f6dafb407b16346c2a11cef9f2e0d594fa3f8025cade7549eef63034c8becb405b5e044ad01ce90a730

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
137KB

MD5
8137155be54f5f594ccba6a0757ccd9a

SHA1
f5bcefabf2750fbe7ab2a8611546ee27f1753c01

SHA256
0d1dfc5e9e10277059daf4e37de8d50bcc88e1e0f2b28688fd46681cb3e6a753

SHA512
b4c7bba02664c5ebfa9a3f1ad6a651a9e51714a2bec1ff197656d000b03984d090b807437f0055d1e229dfa5971f9c91ae4fbf0038e2c85106a0afd5da8b37e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
36KB

MD5
d3385f2b5e742f8e0aaf5506d2588ee8

SHA1
5da2406babbc1658ca4f37d26996a9d397e7e5bd

SHA256
ad13a07f2273bd4cccf76c2080f11a14dfac46db22d82b372e9ba7f6a58072d5

SHA512
869b68a4541f75c4440054c9a10096a8c98dc7c9f9e33e0c881e08a40441e1d7fc83c668d32ee6b9a8555829dc84ea16a32170b279027008e3dcf236e16963ad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
73KB

MD5
62cd67513bf3ee6e42270fd58314201e

SHA1
996cd0d971e12a30bcaa4feb8f6cf094e5c85ab6

SHA256
c916554b6c863943de828a655492dce3e44a7d6ac4e487bb7c01c506c94028a1

SHA512
bca6a44a43303355d73c6b0caab8bbd9ecdf827d949cf68439112001294aceda520c024d28444d8ba3d93e4e819d717e14f8e0d0e3e556afb35813df5c58ea3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
75KB

MD5
1d9a5c858964bf434994e8e270dd39a7

SHA1
9eaa064c386c1f2c22bdb279d0dca3503179c724

SHA256
48766f426d66032625b212d528517ae76a66cf49e67fcff66bdbc492a3c6c18b

SHA512
c5055aaad76551674a3da023ab96db014d81e03eeb0b750eb1153f64454f692baf2dda8ac5d2ff0e6e215cdded5958767f90ef31eb8c3fc134c6137839564c37

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
75KB

MD5
c9fb14446f1d47b480763709599cff3a

SHA1
f98bb2e55dc6be824910fad6536839930160464a

SHA256
c160e08379bdd45a98f2eb9cbdcaf0967462a5c4b357d6227b81a9dc48446a3a

SHA512
c53572d32a0d26d052705657a18cdc21a21f542a1e97734919dce57a3c4aff2ef31c2445668fbda78d1dc8181c595c7dcbc40be82bc5e1a17dc530824a29aa45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\sessionstore-backups\recovery.baklz4

Filesize
76KB

MD5
ad7392d0c95cbfc232c0dd48fea8ece4

SHA1
9f23b74df2033557429cabacdfaa255d6e544b39

SHA256
a7e5549ceeba2af733f887b946c6ed6facf7a2c1c5f4f47c87dd98c90df069cf

SHA512
7c1ca41844d7a1f65bb3ffc0f1a00d28d4db72e289bfd781216cae5625500493250a70b0bf7eac4db9455417ef79de3132aea8b07c76c62a03bfdaa6812a7748

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\default\https+++github.com\ls\usage

Filesize
12B

MD5
ebefe8014de6835bec9ee963900065ef

SHA1
4c3ff878759c0478403762073c826c14b82716a9

SHA256
151b8d3b7059e08e399f0b2c4c16af79f1de8d33b77ca77be50887936922c4d9

SHA512
6cae2bff6953e7f2b7e22d0acc5572aa7c422e68cd06e769b42d752e0d66054ab5786818312925080ff3e828f9766e48d77402aa5623ff3af947022827c335c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
3253b7ce2d7a4724c6e2eefeb9bb7d47

SHA1
1e44c3b3e9a540250e4db0f2c6b7884a40771850

SHA256
2ef20b31e2ae62152d61dcc78328284f8687358c34b24e62fe0b0e3a01577681

SHA512
95fb7c04c622bc3da21a0c029fe23b9f6301e18921176a50d67c5205ac75d49f820af9e56d74a2648bde25c438b856115e02ab23ab3e7d4a70beeebd8524fe31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ohbz3gv9.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
43d8b5e920dfc7a58a8b27df40240514

SHA1
be2447441d74a1942866558fe4293c7aa86b9b04

SHA256
e63c0c180ca3d780ddc90291529ca3595e3027b85379999cdc88aa86b130ecf1

SHA512
d60d5451178387830635994f31e7b14a427ed97e1eda47a06218537e185748310fc075be3dd26b83bf8c56a51ed392ada45f1eceb45bffc8dd3b21b4456160d4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.5MB

MD5
f4149b70ea35e3b59cd062b220c3e493

SHA1
c29af8717704f5520273b755e70b970b300f1ecf

SHA256
23dd0c94b5855e6a4ca33fd6f0b106128728d72bd162780c56f68e6f3d36d4e8

SHA512
7000ebf940b6c9d248eae9dc20b21b70b9fe2a5ca3bd3cbb1d3f3dbd1f8d2bd6329e478dd082c2522dae4e24f701b712cc82451a3d76bb1bfcc8c5196115e693

Download Submit
C:\Users\Admin\Downloads\7ewfT4La.zip.part

Filesize
8KB

MD5
69977a5d1c648976d47b69ea3aa8fcaa

SHA1
4630cc15000c0d3149350b9ecda6cfc8f402938a

SHA256
61ca4d8dd992c763b47bebb9b5facb68a59ff0a594c2ff215aa4143b593ae9dc

SHA512
ba0671c72cd4209fabe0ee241b71e95bd9d8e78d77a893c94f87de5735fd10ea8b389cf4c48462910042c312ddff2f527999cd2f845d0c19a8673dbceda369fd

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\UPkKPF8g.zip.part

Filesize
223KB

MD5
a7a51358ab9cdf1773b76bc2e25812d9

SHA1
9f3befe37f5fbe58bbb9476a811869c5410ee919

SHA256
817ae49d7329ea507f0a01bb8009b9698bbd2fbe5055c942536f73f4d1d2b612

SHA512
3adc88eec7f646e50be24d2322b146438350aad358b3939d6ec0cd700fa3e3c07f2b75c5cd5e0018721af8e2391b0f32138ab66369869aaaa055d9188b4aa38d

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Windows\F87F.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3432-2211-0x00000000731A0000-0x0000000073222000-memory.dmp

Filesize
520KB

Download
memory/3432-2185-0x00000000731A0000-0x0000000073222000-memory.dmp

Filesize
520KB

Download
memory/3432-2213-0x0000000072F00000-0x000000007311C000-memory.dmp

Filesize
2.1MB

Download
memory/3432-2209-0x0000000073260000-0x000000007327C000-memory.dmp

Filesize
112KB

Download
memory/3432-2207-0x0000000000510000-0x000000000080E000-memory.dmp

Filesize
3.0MB

Download
memory/3432-2183-0x0000000073280000-0x0000000073302000-memory.dmp

Filesize
520KB

Download
memory/3432-2184-0x0000000072F00000-0x000000007311C000-memory.dmp

Filesize
2.1MB

Download
memory/3432-2210-0x0000000073230000-0x0000000073252000-memory.dmp

Filesize
136KB

Download
memory/3432-2208-0x0000000073280000-0x0000000073302000-memory.dmp

Filesize
520KB

Download
memory/3432-2186-0x0000000073230000-0x0000000073252000-memory.dmp

Filesize
136KB

Download
memory/3432-2187-0x0000000000510000-0x000000000080E000-memory.dmp

Filesize
3.0MB

Download
memory/3432-2212-0x0000000073120000-0x0000000073197000-memory.dmp

Filesize
476KB

Download
memory/4188-879-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4704-453-0x00000000023A0000-0x0000000002408000-memory.dmp

Filesize
416KB

Download
memory/4704-461-0x00000000023A0000-0x0000000002408000-memory.dmp

Filesize
416KB

Download
memory/4704-464-0x00000000023A0000-0x0000000002408000-memory.dmp

Filesize
416KB

Download
memory/6040-4092-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/6040-4091-0x00000000053E0000-0x0000000005436000-memory.dmp

Filesize
344KB

Download
memory/6040-4090-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/6040-4089-0x0000000005240000-0x00000000052D2000-memory.dmp

Filesize
584KB

Download
memory/6040-4088-0x0000000005750000-0x0000000005CF6000-memory.dmp

Filesize
5.6MB

Download
memory/6040-4087-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/6040-4086-0x0000000000610000-0x0000000000682000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads