cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
229s
max time network
230s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2025, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

cryptolocker wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 2 IoCs

flow	pid	Process
47	1684	firefox.exe
70	1180	firefox.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD54F.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD556.tmp	WannaCry.exe

Executes dropped EXE 10 IoCs

pid	Process
4704	CryptoLocker.exe
2116	{34184A33-0407-212E-3320-09040709E2C2}.exe
400	{34184A33-0407-212E-3320-09040709E2C2}.exe
4304	CryptoLocker.exe
1960	CryptoLocker.exe
4144	WannaCry.exe
900	!WannaDecryptor!.exe
876	!WannaDecryptor!.exe
3348	!WannaDecryptor!.exe
3384	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
70	raw.githubusercontent.com
3	raw.githubusercontent.com
19	raw.githubusercontent.com
46	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
4112	taskkill.exe
3732	taskkill.exe
4164	taskkill.exe
3044	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "135"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 8c00310000000000575ab9b2110050524f4752417e310000740009000400efbec5525961575ab9b22e0000003f0000000000010000000000000000004a00000000000f14d400500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "3"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-580533235-1933962784-2718464258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe
File created	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	firefox.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2508	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	firefox.exe
Token: SeDebugPrivilege	1684	firefox.exe
Token: SeDebugPrivilege	1180	firefox.exe
Token: SeDebugPrivilege	1180	firefox.exe
Token: SeDebugPrivilege	2964	cscript.exe
Token: SeDebugPrivilege	2964	cscript.exe
Token: SeDebugPrivilege	2964	cscript.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeDebugPrivilege	3732	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4284	WMIC.exe
Token: SeSecurityPrivilege	4284	WMIC.exe
Token: SeTakeOwnershipPrivilege	4284	WMIC.exe
Token: SeLoadDriverPrivilege	4284	WMIC.exe
Token: SeSystemProfilePrivilege	4284	WMIC.exe
Token: SeSystemtimePrivilege	4284	WMIC.exe
Token: SeProfSingleProcessPrivilege	4284	WMIC.exe
Token: SeIncBasePriorityPrivilege	4284	WMIC.exe
Token: SeCreatePagefilePrivilege	4284	WMIC.exe
Token: SeBackupPrivilege	4284	WMIC.exe
Token: SeRestorePrivilege	4284	WMIC.exe
Token: SeShutdownPrivilege	4284	WMIC.exe
Token: SeDebugPrivilege	4284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4284	WMIC.exe
Token: SeRemoteShutdownPrivilege	4284	WMIC.exe
Token: SeUndockPrivilege	4284	WMIC.exe
Token: SeManageVolumePrivilege	4284	WMIC.exe
Token: SeImpersonatePrivilege	4284	WMIC.exe
Token: 33	4284	WMIC.exe
Token: 34	4284	WMIC.exe
Token: 35	4284	WMIC.exe
Token: 36	4284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4284	WMIC.exe
Token: SeSecurityPrivilege	4284	WMIC.exe
Token: SeTakeOwnershipPrivilege	4284	WMIC.exe
Token: SeLoadDriverPrivilege	4284	WMIC.exe
Token: SeSystemProfilePrivilege	4284	WMIC.exe
Token: SeSystemtimePrivilege	4284	WMIC.exe
Token: SeProfSingleProcessPrivilege	4284	WMIC.exe
Token: SeIncBasePriorityPrivilege	4284	WMIC.exe
Token: SeCreatePagefilePrivilege	4284	WMIC.exe
Token: SeBackupPrivilege	4284	WMIC.exe
Token: SeRestorePrivilege	4284	WMIC.exe
Token: SeShutdownPrivilege	4284	WMIC.exe
Token: SeDebugPrivilege	4284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4284	WMIC.exe
Token: SeRemoteShutdownPrivilege	4284	WMIC.exe
Token: SeUndockPrivilege	4284	WMIC.exe
Token: SeManageVolumePrivilege	4284	WMIC.exe
Token: SeImpersonatePrivilege	4284	WMIC.exe
Token: 33	4284	WMIC.exe
Token: 34	4284	WMIC.exe
Token: 35	4284	WMIC.exe
Token: 36	4284	WMIC.exe
Token: SeBackupPrivilege	4164	vssvc.exe
Token: SeRestorePrivilege	4164	vssvc.exe
Token: SeAuditPrivilege	4164	vssvc.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1684	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
1180	firefox.exe
900	!WannaDecryptor!.exe
900	!WannaDecryptor!.exe
876	!WannaDecryptor!.exe
876	!WannaDecryptor!.exe
3348	!WannaDecryptor!.exe
3348	!WannaDecryptor!.exe
3384	!WannaDecryptor!.exe
3384	!WannaDecryptor!.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
2508	OpenWith.exe
4524	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 3724 wrote to memory of 1684	3724	firefox.exe	81
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 4180	1684	firefox.exe	82
PID 1684 wrote to memory of 236	1684	firefox.exe	83
PID 1684 wrote to memory of 236	1684	firefox.exe	83
PID 1684 wrote to memory of 236	1684	firefox.exe	83
PID 1684 wrote to memory of 236	1684	firefox.exe	83
PID 1684 wrote to memory of 236	1684	firefox.exe	83
PID 1684 wrote to memory of 236	1684	firefox.exe	83
PID 1684 wrote to memory of 236	1684	firefox.exe	83
PID 1684 wrote to memory of 236	1684	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
1⤵
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1980 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 27661 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {96d5c782-6a6b-4b16-9f4d-80fdce6d948b} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" gpu
    3⤵
    PID:4180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 28581 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6d5f4d1-7628-4747-8275-eb9cb97f7ea2} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" socket
    3⤵
    - Checks processor information in registry
    PID:236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1544 -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2872 -prefsLen 22746 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b23243e5-e591-4c95-86a7-7c7f80145d05} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" tab
    3⤵
    PID:4872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3560 -childID 2 -isForBrowser -prefsHandle 3488 -prefMapHandle 2636 -prefsLen 33071 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d621cb5-6dac-451e-8875-7ecc3cc2ffdd} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" tab
    3⤵
    PID:2924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4660 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4628 -prefMapHandle 4620 -prefsLen 33071 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3f242b1-8e69-4edc-beac-3d7a3a5739d8} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" utility
    3⤵
    - Checks processor information in registry
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5312 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5284 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72b255dc-8bbf-482a-89ff-9841b046b579} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" tab
    3⤵
    PID:4984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5464 -childID 4 -isForBrowser -prefsHandle 5472 -prefMapHandle 5184 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4aea4016-2fd0-4dc6-bfaf-aa211edb7f93} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" tab
    3⤵
    PID:1240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5728 -prefsLen 27145 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60be3037-08ae-4e45-b596-de2d3fe3e7af} 1684 "\\.\pipe\gecko-crash-server-pipe.1684" tab
    3⤵
    PID:1176

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1644

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4704
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2116
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000023C
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3144
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 28056 -prefMapSize 244938 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd27b96d-5ab4-4ede-93ca-2c4353830f6f} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" gpu
    3⤵
    PID:4376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2380 -prefMapHandle 2376 -prefsLen 27934 -prefMapSize 244938 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2553037-9ae7-4bc2-b1f6-12c68b31c7e5} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" socket
    3⤵
    - Checks processor information in registry
    PID:3148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3244 -childID 1 -isForBrowser -prefsHandle 3248 -prefMapHandle 3252 -prefsLen 23160 -prefMapSize 244938 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25a1ffb9-ec88-41f7-ac46-b71dfc584266} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" tab
    3⤵
    PID:856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -childID 2 -isForBrowser -prefsHandle 2780 -prefMapHandle 3156 -prefsLen 33308 -prefMapSize 244938 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5ddcd3a-7c3d-4703-92c9-1b76a6e4ac20} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" tab
    3⤵
    PID:1084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 33362 -prefMapSize 244938 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dbc7812-5a05-4a89-a255-4806e873a3d2} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" utility
    3⤵
    - Checks processor information in registry
    PID:1472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5340 -childID 3 -isForBrowser -prefsHandle 5408 -prefMapHandle 5336 -prefsLen 27506 -prefMapSize 244938 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2438ee76-8060-41f5-beb7-088426467ed4} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" tab
    3⤵
    PID:3284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5244 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27506 -prefMapSize 244938 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26225a9c-a910-492f-8357-3de57fe4a99e} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" tab
    3⤵
    PID:1336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 5 -isForBrowser -prefsHandle 5340 -prefMapHandle 5712 -prefsLen 27506 -prefMapSize 244938 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {187c999b-dd2c-4d2b-bad3-4ab8a5d5c829} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" tab
    3⤵
    PID:4960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 6 -isForBrowser -prefsHandle 5748 -prefMapHandle 6000 -prefsLen 27506 -prefMapSize 244938 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a50753b0-85dd-4516-b1ee-b106d9522809} 1180 "\\.\pipe\gecko-crash-server-pipe.1180" tab
    3⤵
    PID:4820
- - C:\Users\Admin\Downloads\CryptoLocker.exe
    "C:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4304
- - C:\Users\Admin\Downloads\WannaCry.exe
    "C:\Users\Admin\Downloads\WannaCry.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 300951740349357.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo c.vbs
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:900
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4164
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
    - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        
        !WannaDecryptor!.exe v
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3348
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3384

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c4855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
5cf4c233d4fe941cef83f26db45cf55d

SHA1
6eb9c14a496496d2e54cde9ec1be03488326f8e2

SHA256
d74b8b1fa2e2005711f479e78b6809930ed9521536f8f19175b8a4e31f4fe186

SHA512
256525c852e0aa6c88d09237f5f2b5942177d9113ac08d1bae4b53225d8b88d5de1f91abfa8d011f2793d8cd822394833af2ef76ab34215f5349aa03a69d0998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
34b64938ce2c38451baa65aeecad1bb2

SHA1
99f2ecb283861b3c392ccf36043efdc02c01802f

SHA256
d59f8ca4e497c2aafb16ee38e6dbeccbd317705c563a06e12a753f358cfaaa9f

SHA512
7af23bbbea59b515a9d0aafdaf38cdcb136232d3175cc63f59db4ebafe1196e0213743e6c93f37c92ff171c539ac74c06885317775ed46fc0394405eec5de063

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
1b4c220ec63a7cac6eaf8d28b3300146

SHA1
71cc6f7ff585e2cc9c6db2b2b8d0c9e929a26363

SHA256
23491423a8d9642b8e13f43ad486fc31d49ac2e2716082250bdda1a26c0f0f95

SHA512
59390cf86703910e9cf176b372f2b160f561d5d0b742f2657913de3528ddfd0be9829cc0c410915bdc5b8a80a7006c3ff0fd29913fc7ab9f57c6f79521502db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
47d3c897c8a842014cc857275c539e26

SHA1
76d7d4c72a0fb41674cebc4bcbfdc79457b7aeb6

SHA256
3050b2005d56ecb293354a80e10a96dced610c64e8f6471509ed9f3987745533

SHA512
97c47d03e9202972b64fe3cb56784084d6b281f39ca0d233fe0bfa210389dc6249a332f17277ffb547b8978e7db26586b56cb7cd08869d981b39b912ba85b1c5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
29b9a191c4da0a2a828f317e8103cb3e

SHA1
4b7283e10352e3422f8852d5c3e2ec97d905ff59

SHA256
45cca966e1a4a85bcc4421021b6f37b4f04c7a16047cd6e09e2fd9777013346d

SHA512
cc7ad0ceaa10741d115331608fa99ed08e963e727ac595c9507189534b1272462533de88efa122dafa1d07b5d4bd528d412655fe4780c9e2904ecb4abed9a09a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
b37ee5f5feb9521349cd0dbf03a3f55b

SHA1
bb9c6c5f80114fa2f541609bb10157059509c194

SHA256
41caf1546a7931e2047308e8e8a120f301edbfef806f39e0da40bc56bc321990

SHA512
28b1a445941f7e41e9c85f721d03bf41a0aed8aae3ea17a3aa920472eb0f736bdae19d788081b503d1b4d08ebdff8da0fbdae972b963cd45010580fb87bbc002

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\09C295E217E646F3EAC7DC73D0EC442FEDCBA33F

Filesize
47KB

MD5
dd9b836446143868d25accbe38eb5bfc

SHA1
557896697efe576733743232a8de77efdeac230c

SHA256
2cdbdd518c7fdf481abd81a59d44f07cafba65d0fcbd8d8c729ccd1e506aaf36

SHA512
8cb793cd805b66455ca4bf9bfeff34637e4568139b0c98129292763096fa410843ac1c910286527df2efd982620dfda65ac8bc359af0f3b10ef0c232d690f758

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\0AD48CCCFED71D622CD5EA652F441003DD8917AC

Filesize
16KB

MD5
b226fdf73bcdddc48f72120a21ced0dc

SHA1
4eb0017836dd912ba476aaf630c7db0f30ff27ef

SHA256
aa5aa3bbcc16e0886dd5568c55c201c7674140233be1f030ef8a3037cc132821

SHA512
ad87ae189b682f2428509ff792d85d5b2aac09df5b164a7998284d1e363443dddf9f100b69dab513e7cf03380ebcd4df924ba104806ee59c2da9b2c0c8b7eb84

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\0DDA50E47C3B1638095AFFB5BF8E5028FA90E3AE

Filesize
15KB

MD5
39ba3bba229ab3afe284f7863d0f5933

SHA1
392ee81b88db695ce0f5c90a2195ac0e0e64206a

SHA256
df712d396b0dba8b8549da94e711f14dcac0317fd694b5a35d8fa66e6f436616

SHA512
d1a76df5c9744774aa1c2b914d8d32d20eb6c742cffe7d218d2dec773a052995ddae63ac3c93bd8101b74860f31cb90fd2969b64a7ec9ec472a2f612cf46b199

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\10BCCB73BCFA9110AA42E9E1004A6D17D4128977

Filesize
15KB

MD5
279eb0f5cca8ece747936a6e14590819

SHA1
5680b40ce14228f5341d8567fd1375ab96e9dd6a

SHA256
17cd14ac94b0b13697206f0d3e9f988e448c198d0e1efa6d98fe5edfd051ce8a

SHA512
045ddf503cd2885a95f9ecfac6c615e71c509664100da8bce4554d0c3775ab8e0516f36623a44426e84a17a93aea6f80cb33d3005685d657f3b1c69eb3b4725d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
e3c3b995599ae24ebe4d46d7235549d4

SHA1
2af157d61d5526c5a4399a0f68af2d193aff22a5

SHA256
449fbf80f2911e3c4dc4bd28498b7449876e00e23d644b31c3dad725a1d499da

SHA512
a11b1004920b7ebc0b43f8077b52ea614befeabd1305b81d88e2a6ec5f8224655d89497f44cc949b5fe9f461b8b9bbc5789d053e1fa3e9df547e7e3d67f141e9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\311589B5F7E27FD8DAEE1AEB3F2A1C1A3FFED5A9

Filesize
103KB

MD5
9c6d47128b76da9089b533c53c82729f

SHA1
21591168dd8d7a349abe0f91f02cd413a5b36ae5

SHA256
846fd9dc84d558dd2ddec661b951a972cd082de05010200e1421663db056821a

SHA512
dadc73151a640e1398a7e60dad4642db54a1d61cbf9618c1031ae1a208cb41024966d68c55c949d91ae14b831313a8bfc84e701749a8ea6d98448fc6d57e91fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\45B52D8C8914C42BBDEC58DE6C16E43B33677180

Filesize
40KB

MD5
857253408793a0f0fc658799a4170722

SHA1
c6a3836dedd2eb55a412315bc9ae897141eac749

SHA256
12743fe41094f2f9c22f8010509760361c7c403907c9e7bcd542f68a4adc4f49

SHA512
65c74f065eaa9e0104e57101f838928f9c1d694b5b8892861def3fd3d55fe9d2b873330f7cf03ff595f9495fd32452b6d1f24f729ca91ea767d10befda3213dd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\46D75857881A488354908DD139F1D8A677350972

Filesize
311KB

MD5
5b716353cf0196b11e62c07bbfb896d3

SHA1
f5a36d5d963ec47e598dd4fc244fedcded65ecf0

SHA256
67c64d362348e2f43b5714f8e0507c95239ed86221341b59405de02f09b4e5f0

SHA512
bf084af16d2ef78293934245e56fb8104bbf312e30357193bce7d3fc2217c9d78dd810b4cc31d696cef3e68155b04509817eef4e91201f9d0a0dd242c3251c4a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\48A773B8B92BFF039D7CB5A9DA03A6DC953D7D7B

Filesize
106KB

MD5
37442f1f074be7e2cbc281356ba64657

SHA1
0e160a16c7a9a77dbfd580579bdbeb749f43223a

SHA256
612c0ceefbd7f2b136146fb70197e67e562c863f47c05ebc887e162c14839b99

SHA512
a0836ff8b0ac5778bca5fffeeac4200547656082d7aa1e1eee69c3a33cc7be52a2b24d1520a6d7099e0318e49f19705c628e076d5a5304cc16867b32cfe2ba10

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\4A60037773EB0A765C644134CD4086966064E9DF

Filesize
14KB

MD5
943a74af0bc70162c055ae6c03fbd6b4

SHA1
184049df82499ec8e7cfefb3fa9ca413e37f359f

SHA256
cfa32d1c8047fea6805682c5e9b0eb85384675e0a77955bd296d92e5fb5ad4cf

SHA512
ec2f0578308fecfadfca183e1eb77f4bfc0b4b6093787d47350bb5efeaeb9a38e22fbe8851c72296917bb6eef97420ebb70aeeb3e6acef34fe7adec9b493245f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\5550607365EAA56324B321291458A282E073A2E3

Filesize
97KB

MD5
1e6ee99b50d67b89a39c5b44c734249d

SHA1
708d13d31dfefd562b14df848a283c6163d7a982

SHA256
96bff5218417759c71f9be7fa17831b73eb86670819760cc77c2de621d2b0ba7

SHA512
4e293e7649d5efbf6d1cbb1e5fc665f0e6ebe9b971be8939a40e2536580150192d4e21a403403e513ffdaa03dbac1e4db1341e9d3788f989230fb1c33505a34a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\63B30A375179319E8B2239756F17271B3FC2C925

Filesize
12KB

MD5
52c0d96d947e7283a1483c74d401fa54

SHA1
4a836115d0ee196ada06e40db618b7d7dde5bc84

SHA256
824b2c135a6c96540cfefeaaba31d4314911ff945ad96a34784afd3d8d336a8e

SHA512
b139ec16169274cad26e16e8358722e3e94b3fda73764733abb801e6caa387e6a4c144c95800f159558c7b36fbaf18739ea138c4e8ac7717126d527db4617491

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\6AC9BD0802E051FCD579CC69A96979DE29682F3D

Filesize
259B

MD5
0afc0ead4025f698249756f44acc474e

SHA1
fce73e18847242dc05311c24ccd5065ad433ce0d

SHA256
1194c6c579169f863053013b01f234a42a18f1498e3d897a4794e2cde8d9c3d1

SHA512
4bb7e9c27444408191e358748ddf9c1f8414f1bbc8d972baa250d85e24385b1b14c99e6ebfdbe93853c85f0053d41fb57cea80b5b24d2420ffe6a9049bfee36a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
13KB

MD5
3c973500308839a75fa54cf9dc5be2ac

SHA1
1e9798ab522f7b8a8b7cd4c2030264d107260201

SHA256
121f44e48c85e589ac55e46f1b7c56969f8fb39ccec35fa3cc13be2c6f0511b7

SHA512
f90d56c2bb3d75671ea07b3b0aaf51d79d18cc025d3d9ca2a6c4213dfa9512d9b8b99beb630c482d7cb0975595db5f33419b55f0a07b95d9069e8ee42e686ade

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\740B4DBE8783DC64F44F2F100E5A6A68CD50C55F

Filesize
18KB

MD5
da7328c8661c584769d0b582fdc57b52

SHA1
5b7350fffe30e1c2f97316731fd6ecfea96ffa8d

SHA256
50a1e6fbce0420d06656a96095a4a75e1aa7b1c97a72215d333de7430594137e

SHA512
23d967332977b877c86f5d4369cff0c0d05f73370070873e8f44791483435ab81746f84eca74db4b00497242cad353099e212f496441958d61d230d280b3ca3c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\774C381EBF38F1A9CC99737328FC180D78B63CBE

Filesize
18KB

MD5
7d701ed1181c27ce8cfd32304cf1799f

SHA1
98a7f870cd4763733c70de85946a5656e48b3720

SHA256
d9b7bf2cf86535083feeec8576a44b71658fcee29776e49d7df5ae4f40dad77f

SHA512
9363f79beaded9f71442024f59729511b230b39b12ec0fbc64f08ce7e424c9fd4a4e6ca1fbc05bdb599d4520ce3e449a65e410811079a0320e63e5bb5ff7c767

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\802543BDD9EB7AEFD8A9AF068C18E39C77CDF1DA

Filesize
15KB

MD5
06a8bb0f59b8df8699c752851d71d62e

SHA1
c91c65d809372ab9b90a2e0b83edf550744ef859

SHA256
0dff56f2b7da873879c729fb8a47c197163642c10b834098c4feab27a5f2eda8

SHA512
9945105923f76231c1352e3abed906851d94903f3b0311a356b9bba1f30dbb05a8ce344c16ee16964b9d9e40cfb300e759917230565f86af54b63bb3898547c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\80AC33A1E2DAE32BEDA49B650A4340A38765BEC7

Filesize
15KB

MD5
26f0466c449d1f47aff4d751488de70e

SHA1
7474bc78b9caad0e86b5663eb21184f2923df130

SHA256
1e9370a10dbd1e262bd716c63376d8aaa6de5b7d9886b28ee3bfb4c852d06e4c

SHA512
50d1d2fc5fffd7cd6bffdc83410464ed1ab7ab46cd45f29d2da2d76ef2f462a4e0080e8bda05882e501f4716c40ca83db9c4f7b7162484ab2f34e98ae1978455

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\90FF1D51F018B289670A8A2A5E35975DC704E7B4

Filesize
11KB

MD5
9134add6f976dd4d0f2c9d110673896d

SHA1
e06593ff2601a0022d9c8fd099fd876c7c570569

SHA256
48cb0df96c6d22e9999b945f519f62929758cc1ea815f106a7153abd7de3b64e

SHA512
6b07e5c70f61fe5902dc70f14f0a84e61cf70741910018bf17ee868cb394a37265ca8cdceb4a3b896d046ccf94071a427106e773ee3512d0845f83eb587be687

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\9A7F8872B335617C85443C8249C30C8F3D8C08B3

Filesize
13KB

MD5
32c2b310ca65d69897b14c41d45266de

SHA1
7938b1a7011ac16966596c9b80866a5c7f4f1cd6

SHA256
7366b53bbd43c1c2a521620bc93b62dccf405b527078dc1d103000c6075f2b69

SHA512
f9fe5ddaf42a77d079ecfdbf209f9b06ecfe711d1a85205288a63ffe8950124c1cb2d825dd6c18a0bc3daa8c7b8106a3e38cce99b442039988bf3f59950a1b11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\A981B7CD1266C5D21F8FBCC00B005CA330563213

Filesize
13KB

MD5
ddb2eae1dd854dee6c9a6a767870b1c5

SHA1
1a764e7b828edb0be0d6f4f7b93a4f488c2c260b

SHA256
ea13581a2d5dd80773e4dfa1a75418b471648908d82371e24f8b363b74867ef1

SHA512
36ebb2afebcae0d15b568d026177ed2f9b64cd244b369c97441e196a33505d02e145c228e35bde9e20ee642a5b256b48e01566af08dac61a0c1d019be0ac10e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\AB3B829517434EFA2FD3AF0A0BD74A71B44DF878

Filesize
34KB

MD5
06db956ed1b975eec061737692a82041

SHA1
632b34f9692332411e57dda62ec57e7a5752e7f8

SHA256
5f63b75b6a32071f90aef3ef50793c738a8dd2509977b226e0a422ec1d094666

SHA512
5cbb36bb66f4450cd806f2fad6f8f92ccd6f137cc41c2f7a4e107613fc4b401dee14f6489fc183d19dc383b9b8fa10dbe20d2a3ff5835a5d9a96e57a2cab1abe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\AD3CC0891E9946D0DB23F053C6BC26CF8D29F1F8

Filesize
47KB

MD5
a44b15ce7e75c876390541380562b08c

SHA1
9989dab64c919b7e8b99fddaf69d0ff42a7110aa

SHA256
4cb3fd6c428719baa4a8d54bac8711db7260b5f6050128361d08c81462b206ca

SHA512
7add7e160e77877b76a9a93e234b1dab8abf1a8c9858c5e5f3d45b4114fcaa680f318b04a3582c34282b98799e96ad7795dea39cd47fd2971db0c569a9e29fb2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\ADF5BD09EB688DAB1F35EE02E8C35329D0E4AD89

Filesize
13KB

MD5
4a051cacfaeb092552e05c58838bbf0e

SHA1
3d4728dc3d4220ea7e21e438f2b0e068f04aea4a

SHA256
b67177742000a2d8b8662885de767a1140b424c628e7edf9d614c36d1f86bfee

SHA512
e29f377162db257e5c7159f70664530baf76d2c8a5df11e18829b0bda71129ce2d6bc606355fece3e3eaf7210a65746881e6bfd04fce12affee9ed19749e89ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\B0BB1D7272B70455667A6547DE2B0E99B1E44C24

Filesize
24KB

MD5
929a0f104046e4f4da55548c20414a8d

SHA1
24fe7dc1f90a9b9fdfd201066416dcf0a5655ff5

SHA256
9ab9f8e81415a5a8d728d4f68605447f65dd597898ec343da889ce466613be1e

SHA512
25a0c84e479971372b98f700e5dfab510a46ecdb8257d0974aa7fbeb1f5b29f774556fb51ed09e60ec5b715b28473e4d8d1093b1649dda3212f504f4e5b4df65

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\C91D4ABF4A4992FE23A9F152AB2D8AA6EDB61DCF

Filesize
31KB

MD5
9ebc51f7729845af8f633e9dbd4956af

SHA1
d23342e554706ebd7ff0259e41f387b94b279974

SHA256
096dbb513e8cf906806222db67c651cbb2c3f262cf7a577d97e8ecc9d2826456

SHA512
a17a23e3b22400ed0a555724c42243e24b10e1855ef5fb05544fcb2c38560a2906a9ac2ceb57c3a5afdac689d09235ca4b71141bd6aff1d3a29ca4393c804528

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\CC8D8C6677E5F8509962F5040F70C5E398E5545A

Filesize
48KB

MD5
e134da71c6364bff97aaf58a48f8e367

SHA1
6bd677d67bc0f6ef7973e7470345d8bd5b32ebf6

SHA256
c48a667f54c7f13e5b9397a0bd18a596686e081cbd033b40aa2b1a6c7d1d5db6

SHA512
e124457db3c42683fdd886ea0a8b82e1b1b57a2b5c24c554f295fb35270734cc077f71ae5b2e31db2e2e9587a3c1fb27b746138cfd3d5afcbc2e7c64963edb6e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\DA2624531BAB239256172FD7304575193E6592E2

Filesize
43KB

MD5
b33c786e1f2ac2e83ebb909e2943bcb8

SHA1
5988450cd0e5df6195671edab82ab0ecdbb414e1

SHA256
a14c8a8c3b9f71df47441e00b022c31a896bbe7d8dc2ea6c8c3756bc483c5c54

SHA512
ae967978f6db9f59b2f04dc572313a196540a7e7e407fe854ef7015be78a8d9fa72eba9e67de1c519c0a9d0a86c30cc365ad5510cc323486959dd6bf324d30f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\F6262B06A6B6C9761376E797A61F8103E6E5923C

Filesize
204KB

MD5
d4c0f2ca30f50ef048a24855cd7fa611

SHA1
6c226c87ac701f27bd4edfa78e9ab7ff20b84c22

SHA256
49fa111fed745aba9f448f71abb21cffe209a3d3ccbd7d0a3e3ca38e51c4f456

SHA512
28e2b8484d39127dc2c35e1688d165721083ab091191f57c8caaa8e424b9f03e34adadc94de722fde8ffeea319be6ca71c386f82552f6a17db78d77160ebb631

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cache2\entries\FDA2A919D9B46EF945B5071D60B78A3A763A50FE

Filesize
13KB

MD5
ecd01e480aad28b167375520a2111b04

SHA1
176e0ae4fdc9f5947a9c5c1b81ce3186e9e50589

SHA256
9f478d9db33481d9d0672f820da301e1d9cf2df286b2f5abb4987c8c02be54ef

SHA512
c013ef09fb04e06224dce7bcc39a0a99be05bbcb3ecd3de2808ec37348175dbd90ac684854c751a24c82719cd023dc7ba3aef03d64344f1689da4bb28dc208dc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\startupCache\scriptCache-child.bin

Filesize
469KB

MD5
15405b40b11396456243a08ab4c1f30d

SHA1
eda1aaf4281a3f6ac05af57ae91e37f6faf3048f

SHA256
2aa3c813af62320d33d79d971fe48ef775ff66a716658e428b043e2425e721b1

SHA512
e7aadce7de8ac6ca2243cfba8ab242ee6b7e7590445c4d8bee16d39cbfc2b74f0095230ba2bf70db70eede4a3cf1be98372bf79c3bb0db2826608a5da4520618

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\startupCache\scriptCache.bin

Filesize
8.9MB

MD5
c2cf00ab359ab5de77257a18b51bb2ae

SHA1
51bb5c3f0a85699823db72dc62182828daf2aef5

SHA256
a4e59ce375c3d8c980e34a7eeb901cb00b1128e6eed056cf02373765f33ee067

SHA512
5e5c88a13ecf8e82b771f898ef22ad0553c4dc7f047a51cd8aa0021b1585c42c47450e09451c129f6ddd4031cfaf03732a8bb077c7c4c5c18d2893934520fa3a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\startupCache\urlCache.bin

Filesize
3KB

MD5
c2bfbd653ebdd9cb5d51b7190f50b7b3

SHA1
37f88a7fb70606b27987a036e30b6ccde39ec48e

SHA256
872837adf97b45a00250683a1d4f3bcde3bc4fec6d6ae8c52c5aab0f8617a5e3

SHA512
770344d6215d46dfe599aecc2bcf1337af162e2b2b20f00b383394951def2cdceb653d96921fd0ca365eccdf5bdfb6ee2c8504d9f869934d947e16e4d7a46486

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
ad1d00a2d376ad47e46dcdb098b4059b

SHA1
cc5a3bb74ea5d0ec4a777a8cd0308397130fcfba

SHA256
a52ef0a93bb50c50e5dfd6c519103e25570ff2428b9ea12a795dd7bab5a23e31

SHA512
cd7ae79835996956ad0395758a261408e79284828a69578174a45bb8f8c39f24588fb667b45156ec605b597fe97ba989e4ee1704929d3c44dd5ddef12a9a0ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\AlternateServices.bin

Filesize
8KB

MD5
b8767a203fe734c602e2caa0f697d48a

SHA1
779a8ceb240ca50af3871dfeb445005e050893e6

SHA256
a43e373c588a9331945b93c0796166e18291be7dafbe35223bc8e73f8fe5c5de

SHA512
30883f9099465c49e0347ac1e9c217da32ffea6de03c52222566e6c0afae6ef9e6223fe5dd841f9ab5cd4a37219391fc890596f0f1802f9d9a93d3a4bd2817d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\SiteSecurityServiceState.bin

Filesize
2KB

MD5
4fc2ba2729db8ba3099f24c27b6efb7b

SHA1
649005e777753f8e497c63c1c478f7ca6fa1ab2a

SHA256
7fdff49f0a110c1626b826407ad4222f99e902e7de31c12e965ce56a5c7952fe

SHA512
e9780b8ce179eef5f71f8a0d89fdc240ed5413318c478a6c2477bd1ad84492f504d67f4d0253fcba0f144274b7c557a2ed09195cb93169231af0df42e21faf7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cert9.db

Filesize
224KB

MD5
21303deb181e7c332d3802981fdaa11b

SHA1
4714ac4520d37ccb0d7967029f136b6961b46bd4

SHA256
2a6c8900cbac83a0927c1c750f82fb5893493fb0afde2b9cdf828db20bf7a1c6

SHA512
5bb4fa67363a6bb74b6fae44522ae87576b0ee53a346a07137e138ca415c92f42dff61ba38307ab3213855efa366c134fc5b2f8ff85192b3dbb9a4d69198dc60

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\content-prefs.sqlite

Filesize
256KB

MD5
b41ed219e2c8dac47f2701562d092621

SHA1
90d507eae3ec943a121dbe5a080412e40470b54f

SHA256
cfed019635a1e14f74ae78f2c03fb96b40ac3da37b67489bd98c144afc200f1f

SHA512
5c6027ec701055efb3b6c055727af5ed261e8f1d5ba954e64e8a34e5c791679b1e4a6ef49896ab8089ec151fd758ba41efc7333611af42b851606a0544a9b947

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\cookies.sqlite

Filesize
512KB

MD5
9267895857697f1445116b68b44e11a4

SHA1
88980f361757c1d079886618175c7199bf0c8771

SHA256
955ccf861519622d89aa40cc28950a4ac96021ae9ddb47f08aa9a56f618368a9

SHA512
6ff36945734b39a0df2b72cad0d808bd15f2128b064c854a9d3961560a92d5207052397ea6e06256b39ca1765d087089df50d0baac44b00631629ac0bdbf052b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.bin

Filesize
46KB

MD5
5ec85ffe3f8d2735c595c34baaf5690e

SHA1
e4ee5460b2c8bc436045eba36534aec793574f65

SHA256
8cb1ab122a62e01b387566ef6967e2e040790dbb0226a2ef05e1b9ae18407185

SHA512
bb1d8d3aab817e90f23e1ce28f9c0a73866f98d0c27da1d29b5688c577831e3bc786cd98ab27bb73576aaa1f371b574d58fbf534949166c626e6935383c3c30a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
18aa640c8eb1f106e9e76064b71611ac

SHA1
61d8cf61ab2ebf98c717716d81267b1bce4c8e83

SHA256
b79f6ee56785c3688f38bd7478c913abdd81dd343e67147965e557ae4517e3ca

SHA512
118ba293d4a69d88f3ed0e6bb8d8805269ae2b27fcd3c54cb6aa2ed8060290436d3ad8abccd620bdc98e4eb069c7ff371ba7772be383b897cbaa3add99195e08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
576a66e19df9ef1dde9be28b34482b65

SHA1
3fbe89e6218155a19795d57e73bc9863f42226cb

SHA256
56d6322883bc630297647a541b22bfc4cc384a2a22c27077a4de9dce40ee00d4

SHA512
8b4e8193dfe73eadb04a3cc73323dfb1a682ec8a577f70cfae64edc91f947c4cad81ce62ce2d5bec72d4777d161a002688372c3de8a9011acd4dfde12fe48150

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
547b2afbdf8488f8f0ecb28ad18acee5

SHA1
238894a5461eb4be42f623588c83e59f1c1ff913

SHA256
a0f884e6a8307c2fafc0cc164a8093f05a26844e070719c68648fb4359c8ce8d

SHA512
bf6746f051b515d46af35e6609154844eb807d380449063990a686780b9419cc83ef72acd81a51561e4922516635f624886da3361b3d41fa6ff0d3bf44db7864

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
45KB

MD5
adc9c41c4759b83f7bb6147e40343098

SHA1
02202a3081b3d955027a016d62ab0157afe1e09c

SHA256
52ff8c9dd3aee3b6c15ccc5b38fe89a735cb6cf223832d440277fe3134c606d5

SHA512
51cd0166c9e23a3e4c206d3f5e0e8668c8c3070201cdae1678ed094c915e8d58d092b16d33248dc907ff2da209c9f785f35eeac34f2dd3dc1c59906e64d2b215

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
872f2fd4257d932527fcb3dbf692fa17

SHA1
ce690b48e0bc9e628a103d484274d45aa4030140

SHA256
9bc5af7d963d8d4939ff2a499eca18914538b1849381e1b63578c434c4040e2a

SHA512
5349e8229b27a32dbe15086adb8584fb379be7328e4c52451ea2642838b02c02ca2bf89ca25174d3c1182ce7869f1ae51008ce8f1be0bf19d4cdf2091cbe6750

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1a95ddb7e5c8d83114a8c4b7a4ffebf4

SHA1
60b163c636c1fb1c28ba6407064bbfabe8edac3a

SHA256
4c6b8fc3a9814b16b9ea115c73fcefd02582033ff18afb0aa72bcfee2a245b19

SHA512
f3bec0eb6cea0ca0f5fd86188714b2ec3b2673a590edcee4315d3c96fce7657eed7367072525302fd31aa9caa43991cc06de803b36f62eaaeaecbb367af96a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
797ba9864758fe58e02fd12145d84915

SHA1
95d0cd0bee61023cdb883dc5d2a0f43a77e46208

SHA256
3ae80a119d736c066a6f675a7648b6739c662905aa4d3780846de09eeceb4b64

SHA512
352c9989fe0bbd548ff04d60c55ecc9789ebca56fd0bada898396794e29a60b9d524c5109695544acf1ebb890d7174987aa72270349336c8bd6a40297695c004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\events\events

Filesize
438B

MD5
dd71a56677fed8a60ef2902c5e282261

SHA1
f08d3fc01cd1724d7428aa00c35feb09a55bb6df

SHA256
d1b5c312b95801507b7dc6ce09a47dd270e1752b559e0012339c9fdcf0957ecd

SHA512
29184b942431957de313ce6dd06a7bfd309546e257f00e045e66288e020098797233f4c9825d65e85a1e6d55b883a8bece8713384eab94d3791a5d00ed4beac8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\events\pageload

Filesize
358B

MD5
389b73e8d4dc03379c69c2af65092fab

SHA1
e8e6c89e416cc211ec3c5de17ad553d1d2f0eb6e

SHA256
b72afd7ec9e12cae37ce59fe0221debfbfee98953727e358e8ae56704d616004

SHA512
bd197ecbc6863a9294e6362d39451f5417814b88b51c1207db937eb9f48abefae53cdbbacc4d6a706ae13df478bfe011f5a9d8bbe958e9934dd722b4738cf3a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\1d3acb08-26a9-4175-b663-784474d835c8

Filesize
748B

MD5
1ccc068c6a5efd6a74f9d2f3b8071353

SHA1
0c8f57526a72596538a65ff62359d522aa35b2a4

SHA256
c8142cf27ca5bde10798fe2d47207fc5f2d95324e1acb602c361b43dd0fa3cd8

SHA512
d9fe5debdd84e35c103e7244ca2d8d79a677917086812d2e1de5298f9dc954998c7dceed0c01b4ba97db11e99912c601b78acbb03b720af8e9e286e25e08c058

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\32773994-66ce-4597-bae0-6e710aec5979

Filesize
1KB

MD5
71f515991cb68fa66b0491d816918594

SHA1
9f2417812ab2adbca6aa12f0114ff3216edfd39d

SHA256
d065dc80fb0cd91c8668d0c3dde3d64f7396c2dbab9b7761b4b0e1932c9021c0

SHA512
fe83aed9d33165269c2cdc7ab5ebca407c33adada02f8ce7fd0caf801313ffc08d38886315f8b0aa9307bd89d88276a6ddb2653435ab9eea45b18d9e17b09a3a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\473e3720-ba24-467d-88bb-7c3a08884ce0

Filesize
735B

MD5
ee88139cdcfb9c4663e7dcc8237c16f4

SHA1
724f07fb92f6ddf98bd35ae071281fdafc891ba1

SHA256
05355d5f452ad7c5afb169fbf9e4a5899c018dbfe4560a67cf421fbbd44a8991

SHA512
8dd92c6ce7bd7fa70e821f9eee5d9ba19e106f36d4347173905c21d83105c8bcad15eb71eacdad63d796b715566e1af4f75b3de570f0e35a674327054eb5aa01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\4b5cacf9-3ebd-4f68-9fc4-ab661df2ce62

Filesize
29KB

MD5
90ef75b1c55faeb63d90ae4fdb36bde6

SHA1
6f34b6ac08c5168102528240214a2857f9103fea

SHA256
39f739e5e740d2aceeadbfbaf9913e92d78638cc4a608a2f364f4a4a8270cd33

SHA512
91e70c5be191ed4303d5a4f2ccf60ffb9a97723dff80e6393228f8704a7d47fe1962645d1578cb10e99a5832c6073ad218906e3652b8492926716863ea090897

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\517b467e-5bb5-4140-95e1-fdbb3cd9aa4d

Filesize
671B

MD5
c4c74826915ca4674e5528b6083d40b4

SHA1
7c112d046d16a5f17b5df14e9bea0fbad6b03e74

SHA256
2063e48c0bbc8bd5febc21c43b415baa832e5f2e43bc3bd347f292bef1032822

SHA512
3f6848a86c89283e98714900ad7108a1687b600b0dabbee2b1706f9f70e88647519ba6b98e807b3d0015ab512d06ec40ca5a25310ac8ad372a4a58a9a6ea2db9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\925ff7f2-cb5c-41e2-b546-7ddb049bb34a

Filesize
11KB

MD5
ed42f7b389c6098443b5f5d7d87255d9

SHA1
a6bc1cbd21c3f3b435c97191a93e628ba58edd84

SHA256
2effe351c04bb1a54fab82cc562580c18fa211ae433225e5d942703e54fbfe38

SHA512
906f843aa125c739a4f35d03fa01e4a698d3186438eb8f0807c07748c8ba53066891cd73980690cc298ea0e0c68018b1accacbbedffcc851d483dee5f198b7e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\datareporting\glean\pending_pings\eb074858-e0aa-40dd-b272-06783686fd72

Filesize
982B

MD5
7c2bf232b4be1e903bbf045430e39d11

SHA1
6aa6fd4e17cd5edec9eb01a55f94a8f6af0ea8a1

SHA256
1f6a022a3456ceea577cc63e1d5dd45f5637cf04ed5d356fcae0f7bc44fa966d

SHA512
5083c3077a6740ec35d72d36e0c287955e26b07411ebaa2850a3b744418413d3e7b8b35bf18d7ea062ef23777674245f8cc23141ce395bf5713670faf2e6739d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\extensions.json

Filesize
37KB

MD5
c87f7b818b1b28832067c39a0150352c

SHA1
865b376a597a5657c30e48a48a0391758764c676

SHA256
1535e9a8093e81b0e4acea8c96f7bf8507d663ab996b9dcff5f2628f83c98a62

SHA512
a6961691852668b0a7948941294387311805f0580a56e88723f152460755ceb9ae5ab4fa9a8581715f7dada67c9fcf5a4959bbf3403239cacba592da1ff57374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\favicons.sqlite

Filesize
5.0MB

MD5
82c1ca00b8e4fa2bbea5a53e42dd2bfd

SHA1
b60ff320f229969bc446bf74f4ad6ce3b2e18263

SHA256
6548c83099115569035b7b52885af5e96c1b4096c106117bc9c17b981f1dc6bf

SHA512
d1a8320e24016e8317f6db0caf9f6ed2815af54998c53702be2f5ee7622e3d25881621256088a2f0b051b4420ebda0c9c37882b940b5ff8319fe957d50c9b1bc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\permissions.sqlite

Filesize
96KB

MD5
904b924a63d5077c47fae83ad0b9f6c6

SHA1
53f1ad0d0d4cdac938424577767d8fe5c06b74c6

SHA256
1d54c87a339c0ad5942b3f19feb8149939c6c412dccc7ab73cf0a661277a4135

SHA512
ff7bdac947b7ab21836d408cdc3fa49aa6f8c31f7dbe8234c85d2b4fafafdb9d70a862246078286af65fb4a1d70f9c20cfb77e97b8b2d98a93ad161ba6a5e387

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\places.sqlite

Filesize
5.0MB

MD5
1f09dc0aeb6161deea5616f73653ac12

SHA1
b8140a8f0abe82d5dd0fed61794b05bafffb0123

SHA256
bc0b41841430d4e518402cd53be9ed0bfe02f28e63ec5ab3e967cdeef3ad933c

SHA512
4dc313fc5810498d2baa7f7cd11ba0f300553b4d4f1c5530a8385c2dc8678ddf27413ec1fc792bed9b91a632d6df518fb550b3bf3be1cba56b5d05847c233ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\places.sqlite

Filesize
5.0MB

MD5
776cbce111f36fe973f79e223ee98e66

SHA1
80816aa5b301128c60abb0107928983bb6744232

SHA256
a338b4a34b7fb848a2ba076983f069254a82a3ca3a30081edf208f6b0268d6e0

SHA512
f26f972e03085e82c1e258257dbb8ba12c6969963b29697cdc5c2b3804c44f5360ad440607f1a50b78f67ac063c795306fb2e4a49acced1dcb1d8c4b1db8c7e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\places.sqlite-wal

Filesize
864KB

MD5
e59ffbdfd94a892345847fa751c7502f

SHA1
01e1190b373fe709f351b18fad2d4898e0e4083d

SHA256
002ea6c87972825fe267f0af3504af9a1fee2abe6e7027a3a506ace0339b2bed

SHA512
3b7727a43a7e2a5b671a5c47ec84d86d5b919a4365c530632ea57c3801d6da88699384ee08d2235e6609595dd34c162237d7fcd213c2564afcd6118aaa26a067

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs-1.js

Filesize
11KB

MD5
31cb999558e1010209ae1d537d24374d

SHA1
edeb6aed84dff2d69ec02b59d293a67202e9415a

SHA256
6b2e26a8f3a70c6c27dbb1ae2d6bb90aff8814a5c7dfcefc4cd6b0b53947d6cf

SHA512
f8b5563eeac7f694ddb883bdd802c5125e59954624a75aaf8537dc102f36b7f5051e28b85b6776a7caefa0b335a0aa1fd932bf42c1fc8fe43386d880c48097de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs-1.js

Filesize
9KB

MD5
70efd55e9955e152afcf56bc4c4cc604

SHA1
40305d99095e2ae7a26fd60d123309e331785619

SHA256
63327e2bea60ee6b311b198ef0b6fd8f23102a5f4482ee4516b935bdcf010f75

SHA512
d9bd4c3f3babf94649e5f3b0b765c28b1bb4dc009d5db2b7fb8b18ce00dc114fa8ef75c49bda038e4f350bbc2a3f7272986b3b9b37a6da2d89fec91dd2fb454c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs-1.js

Filesize
10KB

MD5
b7475c4e827e598a0c9b36fd6b37848d

SHA1
34ea7d0824c77b38ca6093db733c6badfb7080a1

SHA256
a710720df76866985610892ccbe2cbca4579e6672ec9b50fc71b26bf27976bf9

SHA512
93854f766eefed8d4afa80d4f26dd48ab14400f551620c64b0e2c46081b6beb84d4dbed2033d07eee677e3d46e5ecb98f1681fac4346a7344d897e0d4b770fc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs-1.js

Filesize
11KB

MD5
c015b22bbddab922cbe49fbe9d721728

SHA1
6010a604e8f8fec813c6881d1af762b176faf923

SHA256
d42ff90b13f72545c89df775385eeaa51305029cc01ce36b758e1a43980a6798

SHA512
155abefeeb9c1de5293cab810e168a544fc682726b8d6dca720bbea332fd0670c8d719744806655f89ecaf446028b1bbf1d523ac3abe60bbb8bfb1d42af64486

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs.js

Filesize
10KB

MD5
9223b65b142725b585b590b549f4c67e

SHA1
2a0822c6d790f77be185c2137b755c70bb18ea71

SHA256
f72961e20c62d67362a3d60cc038cc24db150af1ec176b424cdb3d9bf07c7298

SHA512
313e9343ee14dbebebfb655ed40b0cc2002549c75c73e3cb84723aa60891e850df4cff88fe451f388b1886f9f3d36927e474c9b6248ed8504b6ce3ca9cdd99e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\prefs.js

Filesize
10KB

MD5
f278afed64c95907d676d6db26aca26b

SHA1
20b94af49d67ba2cabcfac99bcc6bbe75f4c595a

SHA256
9dc638ec5782764bda81005480304145a687c6977b5618780da947d040411db9

SHA512
d0ce3f9160d014e07a99a0adbb36a1ec0612fd6c7675725f23d2e9e04e1493a5af6ae3ef872b2425b1f9886621973dac50cef419c21bc544a3043d9895b13596

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\protections.sqlite

Filesize
64KB

MD5
76786a4c0dd19d88d6d3ed95a293bf2f

SHA1
b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7

SHA256
1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31

SHA512
8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionCheckpoints.json

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionCheckpoints.json

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
9bdf9806b489f5b77b260eb4c8a2aab7

SHA1
da456d202308bfc189980f897c0dfd71dbd1927f

SHA256
ffd24480088b70702edad99d7ff6c212bca0d74d59252dcdf609f0f47fec04b2

SHA512
eba6c2869cb90d0f8cab5e871ef6985bfee19cc72e548550d04833781e9aa3a5df5615a3b3247f15f9444f18ce3fd4e3afafc12281d11ea106727af5a12c05d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
90589047191a7a20e303faa831ebc88e

SHA1
d62c761e3492a336ce00cda477370e858edb5ab7

SHA256
16ec12bf2a6e54f7c6a2caee90a9e1ea48f21799c1cd7844260cdecc833fbfe6

SHA512
29162d2e50021503e981b8536008a13f696e6afec0ce8ba129509e6b5016a09adfc037c00536ca23e99351fed70cf9ac51720374e235332f91c39fdeaa7fdb53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
31a847a699b2964e9d8a5e57b5b78aa5

SHA1
566226363460ecc5c4fdd6cfef292c45fc8ad72b

SHA256
3c6cfeb6adf906525ccc293579459a962afbd4049858f9d9dcae0a10a7c211c6

SHA512
9076ebbd68c17dc367e980bb5d16d58b0483bbab88adf912fadd056e89cb857fd0bc5329a4817084d610bf7a41553cafa28864f551b547eead22ad0d301d577d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
4e5925ffd8c4426935a6dd1bf6821011

SHA1
1d0424c4c9be244e44b38e69b30043d12eff0c29

SHA256
9f47f27b5884b57c24821e28cc972571e9b638391ce7025982f45bdbd569da5c

SHA512
04a6da0d7f97dbc971af807d6ff56f460f49ae92e33f1b19e6be9b2c11d55cf623976487f0d730f622db11afb5547c1780cd89a95bc70670511be2ca67a5205f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
86540fc2324a4d26f37284c659c6ee4d

SHA1
1adaee0831f47348fcb9d3786122ada39e51193b

SHA256
d0dd59824c6a996ba83f67f634a98d7b02fcd5af652fb472927df6a8cd122db8

SHA512
913689210040791d953e61a91561458cfaa5b18c2305e0693ea9a3373f0e1d5246e21bb7de5feb12cb99ea9bba6e76f3276505f4d2d815bd48f97cfc428f88fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
8878988bb5aee391c60cdb7b96fd466d

SHA1
29796e21418783a1de1cb55b9bc03d6fc141a905

SHA256
e6c07c2e8b6c5f75707b7f8c45cf8bc4a60b3dd1153d843468ea681bc1c34a16

SHA512
ebe34c30477ce08521616ef2b204b932b1127712e5cc978a28cf8422dddad501164a43a4a6315267d60de5bb879c13a46afe5536567c8af89948851c6e84a8d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\storage.sqlite

Filesize
4KB

MD5
f5352fa2ecf77f88d8eb4c1fe5c53ef1

SHA1
40291dab00b12a179949b9c9751a1e1db0e47465

SHA256
c9af7301b89cc04ae9959dad699021b6518744217fe0cca4046ae2649e0775db

SHA512
063c679a7c7c9b1a90b7231613aaedddec135f21239c86b1bf3cc544e369be781d829e3eb36c74346d45f73f9850c6db4cba0dc3a68ec8751bd5c4671aa18599

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\storage\default\https+++github.com\.metadata-v2

Filesize
48B

MD5
5cc3c96fbf778c36622cd783a1417d8c

SHA1
67e15862348998b2cac284aac413ba51c3de3cf0

SHA256
b73e763d1d1ef75a495582ebf545e8b91d50063f8867a2461744cdd8c3338da4

SHA512
fa48645271a0535af2a204ddb7d0edd8ffebbaa536d7cdb02e408ad561048c0848f05395d80ee77a81092d16c9046fb079ff0403565fbb1d224bc257f4f0f8cb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\storage\default\https+++github.com\ls\data.sqlite

Filesize
8KB

MD5
7a1ec6267f7376f60fdcffc0c325fdcb

SHA1
95af6845667ff7779f0ad88df7df147d65403c61

SHA256
a630b50d9bbaa7ca571a6b31ea7a6de719b1f94683335fb06d1f5fb60e3c2253

SHA512
6c0b42a17859384a50996810946f0db714dd9d4d02dcce7841bbb0f4d508ac16ecd254bdce04bd4916a465087abb101e0ad8b37beb836c08f0fcbc7f8e4bbb49

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\storage\default\https+++github.com\ls\usage

Filesize
12B

MD5
9556296fc4661781f78d34d6676f91e4

SHA1
e6d2c66de4260ae259f6a041ff8fc90b0862975c

SHA256
546aff5c1aac978fc3c2338c5ec738dfae2f262828b3c6339fe6a0a65ad95f65

SHA512
b5c3c9760318c5680f182bbbf23925f9e3ef478f240d4f439b1417a83d75bafd5814e749ae1500f4146dffdb63521fb692d3088acbe8d3c440d0588b5eae2561

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
18a758d01dec2e1386d8c54a1ae731bc

SHA1
029ed0f94c37a4c85b0419efacdfdf6f0093dbdf

SHA256
90628285df1c73a2eead3410af126b4a75369fceae45046c99c54825e11fcf81

SHA512
793195b2dd13ba09b5037fc828731029b6fa7b61626bc3ee9a5d3d97bb28d329c882004c156d191638c60e14ed5e638473e37bc167810db68bc6676a51fca125

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
656KB

MD5
0ff0ac105de7ba6d1c5185815d19557b

SHA1
6050c11c42677d74998fcc29d7d3e56e72653c17

SHA256
c718593a7a9dadc0541de23bc58f308db7cf4211a228068ef6adcca3f8902b3e

SHA512
a90f638e409b10ea63985ef9842a3fab6d8ecd23b188d74ffbddecb7734178c36db74462c8b14173f7005032b8be8e959587bd8c52cdfe8128aef2e1f54a3230

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5xpqxrlq.default-release\xulstore.json

Filesize
120B

MD5
8d689c06cb844185099c0398a280537e

SHA1
57073c7526ec37e94bb9db44fedc6d50276f7a6b

SHA256
96729e9b38f216605ff10715f96f364be32f02e2de23ede7e74b78244605124d

SHA512
3c7df326c695143915df1068cb2c0f58e93e4881b2c4d94b33948b80e954fbd4cf944ae53b4d15002b79fcdb8e88f8e9cf4c89ca50f56b7cfd8a13ea7dd6fff8

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/4144-1331-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads