badrabbit | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

25/02/2025, 00:10

250225-agcnzswq19 10

24/02/2025, 22:06

24/02/2025, 21:59

24/02/2025, 21:19

24/02/2025, 21:13

24/02/2025, 16:47

Analysis

max time kernel
899s
max time network
556s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
24/02/2025, 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

badrabbit mimikatz wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x001a00000002b067-2577.dat	mimikatz

Blocklisted process makes network request 4 IoCs

flow	pid	Process
288	4556	rundll32.exe
299	4556	rundll32.exe
311	4556	rundll32.exe
322	4556	rundll32.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
57	4792	firefox.exe
57	4792	firefox.exe
57	4792	firefox.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDD37.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDD4D.tmp	WannaCry.exe

Executes dropped EXE 8 IoCs

pid	Process
4620	Happy99.exe
868	WannaCry.exe
668	!WannaDecryptor!.exe
4796	!WannaDecryptor!.exe
2312	!WannaDecryptor!.exe
1580	!WannaDecryptor!.exe
1836	BadRabbit.exe
3784	4C4.tmp

Loads dropped DLL 1 IoCs

pid	Process
4556	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	Happy99.exe
File created	C:\Windows\SysWOW64\Ska.exe	Happy99.exe
File opened for modification	C:\Windows\SysWOW64\Ska.exe	Happy99.exe
File created	C:\Windows\SysWOW64\Ska.dll	Happy99.exe
File created	C:\Windows\SysWOW64\wsock32.ska	Happy99.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298619118-249045975-4264763259-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\4C4.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Happy99.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry(2).exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Happy99.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
3296	taskkill.exe
2920	taskkill.exe
1164	taskkill.exe
4616	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WannaCry(2).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Happy99.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry(1).exe:Zone.Identifier	firefox.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1196	schtasks.exe
1132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4556	rundll32.exe
4556	rundll32.exe
4556	rundll32.exe
4556	rundll32.exe
3784	4C4.tmp
3784	4C4.tmp
3784	4C4.tmp
3784	4C4.tmp
3784	4C4.tmp
3784	4C4.tmp

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	firefox.exe
Token: SeDebugPrivilege	4792	firefox.exe
Token: SeDebugPrivilege	4792	firefox.exe
Token: SeDebugPrivilege	4792	firefox.exe
Token: SeDebugPrivilege	4792	firefox.exe
Token: SeDebugPrivilege	3296	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeShutdownPrivilege	4556	rundll32.exe
Token: SeDebugPrivilege	4556	rundll32.exe
Token: SeTcbPrivilege	4556	rundll32.exe
Token: SeDebugPrivilege	3784	4C4.tmp
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4860	WMIC.exe
Token: SeRemoteShutdownPrivilege	4860	WMIC.exe
Token: SeUndockPrivilege	4860	WMIC.exe
Token: SeManageVolumePrivilege	4860	WMIC.exe
Token: 33	4860	WMIC.exe
Token: 34	4860	WMIC.exe
Token: 35	4860	WMIC.exe
Token: 36	4860	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4860	WMIC.exe
Token: SeSecurityPrivilege	4860	WMIC.exe
Token: SeTakeOwnershipPrivilege	4860	WMIC.exe
Token: SeLoadDriverPrivilege	4860	WMIC.exe
Token: SeSystemProfilePrivilege	4860	WMIC.exe
Token: SeSystemtimePrivilege	4860	WMIC.exe
Token: SeProfSingleProcessPrivilege	4860	WMIC.exe
Token: SeIncBasePriorityPrivilege	4860	WMIC.exe
Token: SeCreatePagefilePrivilege	4860	WMIC.exe
Token: SeBackupPrivilege	4860	WMIC.exe
Token: SeRestorePrivilege	4860	WMIC.exe
Token: SeShutdownPrivilege	4860	WMIC.exe
Token: SeDebugPrivilege	4860	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4860	WMIC.exe
Token: SeRemoteShutdownPrivilege	4860	WMIC.exe
Token: SeUndockPrivilege	4860	WMIC.exe
Token: SeManageVolumePrivilege	4860	WMIC.exe
Token: 33	4860	WMIC.exe
Token: 34	4860	WMIC.exe
Token: 35	4860	WMIC.exe
Token: 36	4860	WMIC.exe
Token: SeBackupPrivilege	2792	vssvc.exe
Token: SeRestorePrivilege	2792	vssvc.exe
Token: SeAuditPrivilege	2792	vssvc.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
4792	firefox.exe
668	!WannaDecryptor!.exe
668	!WannaDecryptor!.exe
4796	!WannaDecryptor!.exe
4796	!WannaDecryptor!.exe
2312	!WannaDecryptor!.exe
2312	!WannaDecryptor!.exe
1580	!WannaDecryptor!.exe
1580	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 800 wrote to memory of 4792	800	firefox.exe	81
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 1656	4792	firefox.exe	82
PID 4792 wrote to memory of 4912	4792	firefox.exe	83
PID 4792 wrote to memory of 4912	4792	firefox.exe	83
PID 4792 wrote to memory of 4912	4792	firefox.exe	83
PID 4792 wrote to memory of 4912	4792	firefox.exe	83
PID 4792 wrote to memory of 4912	4792	firefox.exe	83
PID 4792 wrote to memory of 4912	4792	firefox.exe	83
PID 4792 wrote to memory of 4912	4792	firefox.exe	83
PID 4792 wrote to memory of 4912	4792	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://github.com/Da2dalus/The-MALWARE-Repo"
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://github.com/Da2dalus/The-MALWARE-Repo
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1800 -prefMapHandle 1780 -prefsLen 27583 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cff5bc1-2c93-408a-937f-e18c87cf7b44} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" gpu
    3⤵
    PID:1656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2408 -parentBuildID 20240401114208 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 28503 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {975a75b7-a234-4b98-a925-0fd575ff2fe8} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" socket
    3⤵
    - Checks processor information in registry
    PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 1496 -prefMapHandle 2888 -prefsLen 22684 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d53bc6d4-814b-4928-a6ea-b9fef4e7cfb7} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:4028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3624 -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 2668 -prefsLen 32993 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98f38c3c-e003-41f9-8f15-c3909e342003} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:5012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4300 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4292 -prefMapHandle 4288 -prefsLen 32993 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb7a2866-76b1-4634-83c8-e1b8d858e56b} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" utility
    3⤵
    - Checks processor information in registry
    PID:3716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 3 -isForBrowser -prefsHandle 5656 -prefMapHandle 5664 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {959d8547-f6f4-4a7a-8fe7-08eaa68c1215} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:4116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5684 -childID 4 -isForBrowser -prefsHandle 5676 -prefMapHandle 5660 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7163f65-f389-4eb4-9786-51e88f7aec21} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:4908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 6024 -prefMapHandle 6028 -prefsLen 27083 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0434d70-89f8-4871-9cf2-c439aa1e571c} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:3900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5252 -childID 6 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 27966 -prefMapSize 244628 -jsInitHandle 972 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6544b22a-35f3-48ae-89bf-d5b363326286} 4792 "\\.\pipe\gecko-crash-server-pipe.4792" tab
    3⤵
    PID:3168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4576

C:\Users\Admin\Downloads\Happy99.exe
"C:\Users\Admin\Downloads\Happy99.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4620

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 23371740415812.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1488
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3296
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4616
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:800
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1164
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1580

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1836
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:3400
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1123808056 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1123808056 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:08:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:08:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1132
- - C:\Windows\4C4.tmp
    "C:\Windows\4C4.tmp" \\.\pipe\{EF1DB4B7-5DF1-43CF-B4B8-6576D82A9E5E}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
a9d14b6fed9753684919a5031e116522

SHA1
30c1c6124ad0701bfb11f87a3fab8f0d75b1aa01

SHA256
5a3acc36de65582ecaabc90b85164314b7c5cbb8d6d3aa516f8bd68948bc46a8

SHA512
c59d8ce953057e7d70a9b39fd34839256a4067236fde3d25d3aff7837ad5a2acedc8ae53c008e2856594b3ef79d1ab6d2f3770ab76c7c7a4ef4a2f988b388106

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\doomed\716

Filesize
59KB

MD5
295cacb8f2189d82a0c8c4af95cf931b

SHA1
4f66ec664884fceea8e53c2a8a3c555835d6de7e

SHA256
3fc3de5a1f180d0a5e83e73fe16430a30a7878648e40932145b53fd1c2607764

SHA512
460f880e4360558016f968a094a46fb6ca9ad9cbc8d296ba17033ffa3171eccd3604f1880959ece4af5ca1c4ac74cc59037c3b615b73a84504d042800210aef1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\311589B5F7E27FD8DAEE1AEB3F2A1C1A3FFED5A9

Filesize
103KB

MD5
20d5d01205c9c6062116e7633a1a7b80

SHA1
6423777ed368438d6b3f3cc3823167e83ba3bacb

SHA256
52caa2da6c60c96bb0b65bf9c3094ec213f84a1ce2aee5614c3a1a89fa2f24f6

SHA512
09ce1a16893e1dc5dd2455bd201e21614561873b508e3fdb909e17482d541a6ebdceb56fad5e86ecbd0f5e16efdebde3f4cef075a700e16448a44fb527c9c634

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\37FEF4E469180263DE81143336481DEEA2EA6114

Filesize
213KB

MD5
dc09789647780aff7ebaacd391701f07

SHA1
1612b57b850ae28a9ef8dccc03718e7a644ada07

SHA256
6a887353255999bcf8eb13b50a6477d7cdb30e4513c16a58d2d5146218daa48e

SHA512
5e88223216e6aae0bd8a20babf411414007ad331e1b01216e5879fb78794674e01f8724ebc4b8122a2294dc76478597658cde549b3ec0e565ce9009fbcee8b49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\45B52D8C8914C42BBDEC58DE6C16E43B33677180

Filesize
94KB

MD5
2d7f88437ebbde2d364d1089e2ee8053

SHA1
4b406a3711e121a202cf306f051bf97ef370b971

SHA256
cb977dc274f6a487f13e31412fcee90c74caf6b98523e342cba024b27d1260ea

SHA512
075b072019dc72aeee7ed4f8bd471b9a7e5aaef1f6f743737466d5f67abb5b99feedea5bf6171086e3f79102bcbf36422a4080739b9b7353736258403bb9e7bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\46D75857881A488354908DD139F1D8A677350972

Filesize
311KB

MD5
bf09d08fde744a3660f35db2e7bd7f5b

SHA1
52289607debdeb1511ebcea77cff070e74954a36

SHA256
3eee8a5fbb1c6aca49047c7967d3eafc1ef5b70c19a50cfcb2f394be7ea2f653

SHA512
3cb902b8ed13e956008716c10b7f17138cf073fef5fe8aa4b2b0e95b2046211a23c0549b8d21093692b069950e7e782cba92e81c64c2b2a372f1f73b5a26a622

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\48A773B8B92BFF039D7CB5A9DA03A6DC953D7D7B

Filesize
106KB

MD5
c5739bd805721d100edd0fc8c9815c05

SHA1
3dd07894a34c657a9733603f9db837f92b15f7de

SHA256
1e0635102b92f5787208fd5234c8776f230dac7f8c07bb7039ed13121609f86d

SHA512
4dc2ef7e6e473476e8da6dd1807f92061a0c21657c95e2cf676689e6321ecf78d176034fcbf63fd054aca143aee9972cc2e5f72abc473b2a8e9f171088fe35f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\5550607365EAA56324B321291458A282E073A2E3

Filesize
97KB

MD5
d6230d3614677e84ce8e1a8326cfbe9e

SHA1
790746f2fa488646839e30b08e6e9289b630d522

SHA256
37471adf150887d53e3baf2bcf3fc1c630fc979895d55f159a971d0b17f4d046

SHA512
cd8def41488b052afbd8f21e62f96e4d7164cc95cf793e49e33705949d219688c8c2b7a5d8503c0f5acd725fb4cc1ea85f68775632f562f3af07df9c1851f517

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\AB3B829517434EFA2FD3AF0A0BD74A71B44DF878

Filesize
74KB

MD5
8c2c1e3e69c167f5721f1902be873989

SHA1
7fc90285ae6d2d800903a1c30cf2139e80feca62

SHA256
458bafb77a157f2fbfdc9cdf8487dea939c5f8f17f6a7fd75edb86f782e49020

SHA512
c90950cdc6a5515070fd083c59d5f244470aa27f1237438db2100478c3f4df40bba93270d357ef01ff0e559b698339f7edec520759b0b1646d16ef2c48e3d735

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\AD3CC0891E9946D0DB23F053C6BC26CF8D29F1F8

Filesize
103KB

MD5
5cb3a58b05cbb3773c4fd39e49d38dbb

SHA1
7f5c2dab861a4eda1d4f62d62b8e878f2f829d37

SHA256
680f15275c5b0324868e9373f3fb8d729fdd4e5f1ba8814f57656c330b849cf2

SHA512
5ee3306568d0a80c81658dde32edacc960266faaa7b55780961e8144c7e55498932b9e2d04607a39b3c74540600c998c7f8e70808b3b8eee7897d6c9928fec71

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\DA2624531BAB239256172FD7304575193E6592E2

Filesize
107KB

MD5
36ca0b7297b2ffc3d231d2f09eb97df3

SHA1
20c05718660121edbafa6373ad6b28c3e2d75f19

SHA256
b0713dcb73fdfcdc42c847aa65315d7424a760b4d6bff1d8b94aeaaa69b300f8

SHA512
2cc02dab6552f743defa91e5069022fd37dccb25a5787f171b6c3284b3cea7fb4e136cbd53253c8d25fa8c65d1a34a77be74d79ec7a3c492a905162f4232f501

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\cache2\entries\F2093F74FEC17377ADD0F6EB40A925F233BFD56A

Filesize
100KB

MD5
ff904a080cdd6fb8fa34a0b15197badb

SHA1
b255098a32c9d3b555822cf194cf540f22c16374

SHA256
941dab117edfbc655492c40e88771d8497d30519ab6b9474a4548750c814327a

SHA512
5077e9f71922eb6429c25e8132e705c03da9085ac5a91e60fbe648d00ae198ec1b395f6257c4ed3287a5289087bd3a8425a6591de72f5b265d62cd0dc3f4694b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\t35pww33.default-release\jumpListCache\4ZaJAbuelIwwGTX+fgYDMFwLChMXTOhO1SX86k2mxMs=.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\AlternateServices.bin

Filesize
8KB

MD5
14b045e3424a6bb208c8d69c7d06ebaf

SHA1
16ef2b404aca4de8d0786e61017624f6d2df575b

SHA256
5061ba9c6746dc50e5bc52aaa25957cebce7d58ce52b568e03bd7190140644b7

SHA512
c105fa5663ba628c73bad18e8c03d5555d86b44acf8ebe5eb19b2a2352c2fa696e4ea70d169d4ee78b15fdab81f30ad2e25b3e868da31ffc63ea7cb1b1ed1ab9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\cert9.db

Filesize
224KB

MD5
1d619c83fcd534b9c0246ac637fde9d3

SHA1
1e522ee8f650e266117c5e40fc28356cf76af0d3

SHA256
47a04d66702d500144878fa9aad0b7a8d0f58e92492b8ca52f7814fa14525fc4

SHA512
5b337f6c67c1ad2b9719ec625beef4ddf79fa77832113b110cb56544e36b92f2ec0c9cd281a4a5a667cb446ae69196e9f6201e7f2984e9ab71e3869f46fa9760

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
3d9151821cea19fede744552b2730a4c

SHA1
d32b1645fe347434d73ba6fc190231826bf2f3e0

SHA256
0dc1ffb6180a6c2c0c7ef0e370fb4b905d1440c773c81e5d6cdb05cf1562c0be

SHA512
558d91c4b4b753406ff178bfb8732b18413d0fcca7ef19a1b0a1b3921fe6ccdded7ad136d2f4c8a932b15ed19aa3c29980837712b2bbb04a838288e07037d433

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a8a6f9ca37dc3a6bef46b5639ad5e4a8

SHA1
25535e6eb868b704ccd68d2b8338c4e795e72d50

SHA256
9792968fa691f3a21ea5334d61ba8df1dccbd1f78abc7a4c2721d6a7d5a65c7d

SHA512
6543632fef6fc8e0a15b570acf5caaca44e6621a61c788ec84a6b074d31e6408ac7f2b6e543f9993f03c0bf4790eb05750daa0961363c00b8f3abbf1be8e4cad

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fbac63299893950096b86495fd9515ed

SHA1
98627d55fce5ac971111ff1f6c5afbc71f6297a9

SHA256
918aef5b39563181200194797dcd3f573af66bcb490a8f2f4dc14b3e99bff361

SHA512
c19c50e6de3dae45c6eac61f5b0cdb68b7fa8c3e9656e5eed3796613cd8cfba586ce36f506e9bbac3ba6252847ae107e9f442534cdaebe83711e9695dd85dfda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
91bd6c563ad77d63f0a4c70a97a86ab7

SHA1
5c63760e9b66d86ec05dd2bfc1ddd7f61e03209d

SHA256
8ed66bfe02d7ae63560e45dc61410ebc0f37015b6fcc19fe3b008002f185990e

SHA512
361e537ae928555e7194fd34c77aeb4bb620c84f07d6e1057fbe053e037d206844db2949ea8dfa09f1efffbf86fd2378d72fc6a1fb1a5932d3e67b41c9712f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
19e3e5ad66cf8d462d395f2b59fe0802

SHA1
8913bf1e4511beb14d145da9412b13d78143ebfa

SHA256
75f858619845476545265baf1cd89c93fdeba362b1a94b0256677c2a88f9f0fc

SHA512
ea3877cb9c5b734cce2c3a54842e406ceee4e7a3a1fcc4f6dc8332be111267283157caaa23b963486bfce8d717be480fea6ea4719ac6f5d9d24792e382275972

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\pending_pings\a753b32c-2757-4504-a822-5f480a8d6fa6

Filesize
27KB

MD5
f3aa2b58c6e0ec796838d280a1cb8a8c

SHA1
ffefc7f09a8ed5432b88b3640c2ae0f796d3fa78

SHA256
0de00a0124a85d91db53b7e9be630880fa5be79538f1bd93b7f7a7941feee70d

SHA512
cddce8882e1f32dd2a1d49ed45e48e6d13a41e65c9dbec3b1a845f02f7d7b73a8e6456fe80f70e7c2dba24a14f4ccfa4cabd32bc8782624c4e4b9068c918af1c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\pending_pings\b51a5217-c29b-4249-bac5-138c0cd693a5

Filesize
671B

MD5
5898a4ad2f80a622b2867ae90b0d77d7

SHA1
a9c28c09ae9adbeb602cac40ca15bf03f15aaf76

SHA256
1c9bb37e4645ef408e45659f86a98728a0232584a4292cb75d19baa77df3b96a

SHA512
3ed56a319742a3bda4428871b49a8210eeefe6e7ff9e7cd8b5da7024e14780a606aee3fa6a6650a1bbf5f528a5eadacc59a3536d2e3189fdf86dbbccd055ff25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\datareporting\glean\pending_pings\f0ac4f30-9b0d-4ee7-9f34-c78fd0fa329c

Filesize
982B

MD5
910fae5627207f0033bc12a8a6873088

SHA1
a27eccdde1685367daded741a50f14d847e0bed4

SHA256
c479a6d3edf818d8cf5e4079b089344c9aa870166287f945c00331bbc0c0f73a

SHA512
9d38f983dd35eca595198eba79ba315a3cdd8c4ec16b9fe47d7ea36f87c2a8950d4648f8070ab4cbe8dc7ac8c9b536c8daf680774f169f83451b786e8630bd28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\prefs-1.js

Filesize
9KB

MD5
ebe97bc04974eb4e3296fc6f543640a1

SHA1
2051cbb6b6c199556a995436bdb72e8b354bae39

SHA256
006c5e5679074b103e3ea2f045c754a084012c590d41d52d4bcaccbe30b08e27

SHA512
0d238eb2c7b4e7498ae525339101684b11e496649f0ba7991aac8b00f5a58cd9f19642e2f82b05c4949ad6503223d945ef86da88b7a81d4d4e320f160b4125d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\prefs-1.js

Filesize
10KB

MD5
bfdead96beef818b4ee9585944778ad8

SHA1
625a11646f304f42d149212062b6cc8f6141e66d

SHA256
d8587dc030e365cdc2c3c42999918489bfa651609f61819a34090fad7af5d153

SHA512
c29027f83f5949f809e3f48509676044887c6e9a9873365835ed504220cb7b1135b0ed6bec6326181eb90e23a57603734f9e36f9133a7bb51370f8a6ebf0f92d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\prefs-1.js

Filesize
11KB

MD5
0cf8785f79492158372d92b42c7c14f4

SHA1
04cd7d07010fc4eedafc509bfc7e42d62278d87a

SHA256
d38f5ae3957d95be1dbd5044cd4d135d83dbca87940d49868d68470660955019

SHA512
a6e01fe67c9513c27df1032e2f009c7a29a0db8f9cfb50741602eb8ce4b5c025fc0f75d18d2ca9efc3715804feec2484ce75cd2ebd49541c2e3d472d3f2d0071

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\prefs.js

Filesize
10KB

MD5
ce0d75c5def575b1af37a407f9e0ec69

SHA1
86b755cd564fdbd63fd579cb869aa2a069c3cf6a

SHA256
a5a0b48a19c83cfa95e9cdf9adbbe3699ec16e6e14db2736fcef314de0854aa4

SHA512
f725c170b1e9f87aadf219de8acbaef0044912d97ae84acfc4656b6700e7e027357d28499c00f81ccf545d9e532c88b1304f207fe481f46a846035f307ba0bc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\sessionCheckpoints.json

Filesize
228B

MD5
a0821bc1a142e3b5bca852e1090c9f2c

SHA1
e51beb8731e990129d965ddb60530d198c73825f

SHA256
db037b650f36ff45da5df59bc07b0c5948f9e9b7b148ead4454ab84cb04fd0e2

SHA512
997528e2ecd24a7e697d95cd1a2a7de46a3d80b37fd67fac4fb0da0db756b60a24648b7074255dc38f7651302f70894a53c3d789f3d7cd9f80fb91bd0cade4be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
7f775e2d9cb5568ab4c31a560489d95b

SHA1
4f81e40a4ecd87a6dff3f700c4f74b98537ea2b1

SHA256
eec1d7587ce5b642f5f523a149bc6c71bd5ac7358278efa52cfdd874fc35037e

SHA512
575ca4b9abd3b2a0c1965f6d02973648105ceb5a101532a3dad7544e5959ddf8be461078c78726b5818762fd1dfb3b363e5a6f9c4513a3cd4102fc55a015ae0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
77420282e7502fdf3ac29c110e2b45f8

SHA1
7f88fe21c7f8fb123d87f13e43b784f3e4b9cbb8

SHA256
0138d13319b5080fc06e6e6ce4fbee6f9c3be2a38527d88ed42de53549240d32

SHA512
779565bde8984c414333f5aeffbe118b7758b9cdc569331bf94bd0f9a5f8eb5e8c901060c55ed7810f3cf91e426a471c5faff9da8783bedab2d4eee4209e16e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
d081e1abf0ebd560c132fa03811322b9

SHA1
8b5216b40b322507f81f9a513f82bf635f0cc4ce

SHA256
83d89b6d7c2c07e36b792f8c9f8b54f1872443f021d293f1b18dd657650e5e27

SHA512
10d6501e544fc6414d9234c662be2c6f357d94f87124c80467150920633a5af2d614345af764c8e73dc6065d4bf804f70757171f63f2729582293417ec325a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
db967eaae344258d6f058e35428cc680

SHA1
bca3b2e9c0706dd50e3a4906e9d8614d058eb8af

SHA256
56cbee24c3540b2b43881553cd642282df1e439cd9dbddddb7c34a120e7be019

SHA512
909b03caa971c77848ca5ba482da894b86a29f7b753f91f6e93d86232db3976ff2908c04353b2c79cb72853c322b1e1930c761df260fa884eead0e6dbbf91dcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
b7f701babd4a3a134686c9a9f0d58992

SHA1
7646d5cfc9bc452592622ceb77dfacb81b2ae7cd

SHA256
d5b0a139566fca3386f62cc56c2d48ca3a393cd5c119d3cc4f8ec8b097c98f01

SHA512
9581a073023820c62cb72e28a37634455b2dc7217dabcd4b86563f13c8e51e88d9b81556f9291a3146162bbc082446f78a419f5526436a33d3730a20719b93ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\t35pww33.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
6851fee16e1736cb3d5d1164ec991463

SHA1
7bde37a3f1db58537b259cfab7d7c521b2ef8cb1

SHA256
eef0b32c2ab10d6b951f8b4e69f4b4f5e0cbf1bdc4e388dac13aeadabed67c90

SHA512
d78c76b8e24b22fa7af131cf4d40d7a72ba1fd4b847f1707b06f0ef3104ab8a102b13ba26559a925a891fa172f34a87d7fd533538c1ef5e63f8ee7c7f1f504e7

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
ba01da659cd15d9429dddb82ac039a4f

SHA1
e90ae3781796ca35610ae415e34b631ea5ee4910

SHA256
c5a4a9c72775b2b356613aacfe202d823a499c54f63cb5cd26f4a3545f9175b0

SHA512
48f2c4335ba58ef33842928e46249e06a02133ddb7a146fb237e13e9b29f1218380a9530db6c1b5e486aa44f1d3bbd45917ac97f1608c1234966b52a4a397b15

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
1b492c5f0c7f2b22e3bb75df93d99036

SHA1
759a87a178e1ac9d95509ca4c5f7042cf8895521

SHA256
aa631d533e5729e75a1dae7ede1d8cc2bf3c4837655955001279063def6862db

SHA512
5c1c04070558fa052b8ac0b399f8480e53515b51d4fce6912b78ca156d05f2a646d2b4b6cd4673cab5724dd0577fab44775fb03c0b874418d3d3c90893f537e8

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
aaa8a84d273de9014d0d72fe91390540

SHA1
90b359974f9cc4c0831fedd227a6039ef93f9a28

SHA256
6c6780278c177f76e04eee2e0095e08bac4952d8bcf3788af44f15618752595e

SHA512
a80a49a93206a6eb03e84d049f63ad20727d32f14af534845dd8624ee41837b53694489a8891ba61df13a6f1e6e3a0ae35bc7eb42940a6a6574620e0f01541a3

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
1ba419a0946abdcaba422508cd44b696

SHA1
0e47cbc3fda14738460a45843a37ae6532a42651

SHA256
9d5f81ce854079cec653e13fe18a139769ff4630f137b01c71728b097a1d8858

SHA512
82a2cbe73789bbb93001bb716d5132a18588ae71fcb74779258b1295df55b397352729d96982ffac1385225e6cf628776ae271782b82c5483b254004af56abf2

Download Submit
C:\Users\Admin\Downloads\23371740415812.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\Happy99.exe

Filesize
9KB

MD5
02dd0eaa9649a11e55fa5467fa4b8ef8

SHA1
a4a945192cb730634168f79b6e4cd298dbe3d168

SHA256
4ebe3e1af5e147c580ecce052fe7d7d0219d5e5a2f5e6d8a7f7291735923db18

SHA512
3bf69de674737ca15d6ff7ce73396194f3631dc4b8d32cc570adeeacdc210acee50fd64c97172ce7cc77f166c681d2ccd55955b3aca9188813b7ff6f49280441

Download Submit
C:\Users\Admin\Downloads\Happy99.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
0ab7b0d9582b19dc13a30de44995bf41

SHA1
e753e017aec3ad71e11df0105e54009a224f5b17

SHA256
b85dfef406cbf0997883e517425bedd3456200027e771a2f84e33afacbd578c2

SHA512
dcb8d4b838118a4e37d8ed0506b10ae06ac146d81838b4a96c027b03240ee3400726f9d8f9d4233cf8f31eb446069938ebbe3d10b9efc1cdb4253d1b002c1bdb

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Windows\4C4.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/868-1149-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4556-2560-0x0000000002B70000-0x0000000002BD8000-memory.dmp

Filesize
416KB

Download
memory/4556-2568-0x0000000002B70000-0x0000000002BD8000-memory.dmp

Filesize
416KB

Download
memory/4556-2571-0x0000000002B70000-0x0000000002BD8000-memory.dmp

Filesize
416KB

Download