wannacry | 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

max time kernel
708s
max time network
720s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-de
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-delocale:de-deos:windows10-ltsc_2021-x64systemwindows
submitted
23/03/2025, 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EICAR.txt
Size

68B
MD5

44d88612fea8a8f36de82e1278abb02f
SHA1

3395856ce81f2b7382dee72602f798b642f14140
SHA256

275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
SHA512

cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Score

10^/10

wannacry defense_evasion discovery execution impact persistence phishing ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe"	Bilanzbericht 2024.jpg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Downloads MZ/PE file 3 IoCs

flow	pid	Process
201	1332	firefox.exe
201	1332	firefox.exe
201	1332	firefox.exe

Manipulates Digital Signatures 1 TTPs 12 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Bilanzbericht 2024.jpg.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7E41.tmp	Bewerbung.pdf.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7E57.tmp	Bewerbung.pdf.exe

Executes dropped EXE 4 IoCs

pid	Process
2184	!WannaDecryptor!.exe
6636	!WannaDecryptor!.exe
6696	!WannaDecryptor!.exe
6744	!WannaDecryptor!.exe

Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Bilanzbericht 2024.jpg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe"	Bilanzbericht 2024.jpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\Aufgaben(1)\\Aufgabe 2\\Bewerbung.pdf.exe\" /r"	Bewerbung.pdf.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
159	raw.githubusercontent.com
200	raw.githubusercontent.com
201	raw.githubusercontent.com
203	raw.githubusercontent.com

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\chkntfs.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\ntkrnlpa.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\ctfmon.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\systray.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\win.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\wowexec.exe	Bilanzbericht 2024.jpg.exe
File created	C:\Windows\SysWOW64\userinit32.exe	Bilanzbericht 2024.jpg.exe
File created	C:\WINDOWS\SysWOW64\userinit.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\shutdown.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\alg.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\bootok.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\imapi.exe	Bilanzbericht 2024.jpg.exe
File created	C:\Windows\SysWOW64\dllhost32.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\progman.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\regedit.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\ntoskrnl.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\autochk.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\recover.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\chcp.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\dumprep.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\logon.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\MDM.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\services.exe	Bilanzbericht 2024.jpg.exe
File created	C:\windows\SysWOW64\wuauclt.exe	Bilanzbericht 2024.jpg.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\NOTEPAD.EXE	Bilanzbericht 2024.jpg.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newsletter.docx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bewerbung.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilanzbericht 2024.jpg.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Bilanzbericht 2024.jpg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Bilanzbericht 2024.jpg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Bilanzbericht 2024.jpg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Bilanzbericht 2024.jpg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Bilanzbericht 2024.jpg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Bilanzbericht 2024.jpg.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
5844	taskkill.exe
4456	taskkill.exe
3836	taskkill.exe
4464	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\Software\Microsoft\Internet Explorer\Main	Bilanzbericht 2024.jpg.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com"	Bilanzbericht 2024.jpg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\application/octet-stream	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\shell\print\command	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\Shell	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\DefaultIcon	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C523F390-9C83-11D3-9094-00104BD0D535}\3.0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B9164592-D558-4EE7-8B41-F1C9F66D683A}\1.0\0\win32	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4AC9E1DA-5BAD-4AC7-86E3-24F4CDCECA28}\c.0\Flags	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3120BA9F-4FC8-4A4F-AE1E-02114F421D0A}\1.0\HELPDIR	Bilanzbericht 2024.jpg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Downloads"	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4a6d-83F1-098E366C709C}	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B92EB61-CBC1-11D3-8C2D-00A0CC37B591}\1.2\HelpDir	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0002E157-0000-0000-C000-000000000046}\5.3	Bilanzbericht 2024.jpg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9B92EB61-CBC1-11D3-8C2D-00A0CC37B591}\1.2\Flags	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.6	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	Bilanzbericht 2024.jpg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB9C2AA-6036-4AE1-A41C-A40AB7F39520}\a.0\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91CE54EE-C67C-4B46-A4FF-99416F27A8BF}\1.0\0\win64	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91493440-5A91-11CF-8700-00AA0060263B}\2.c\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{85ab206a-be8c-4b5a-ab0e-5eaaa13e541d}	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3BAA3119-ECA1-4A32-9A08-595E71AE9DA9}\1.0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4334319-8210-469B-8262-DD03623FEB5B}\1.0\0\win32	Bilanzbericht 2024.jpg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BED7F4EA-1A96-11D2-8F08-00A0C9A6186D}\2.0\FLAGS	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6430040A-5EBD-4E63-A56F-C71D5990F827}\1.0\0\win64	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\Win64	Bilanzbericht 2024.jpg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7999FC20-D3C6-11CF-ACAB-00A024A55AEF}\1.0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{012F24C1-35B0-11D0-BF2D-0000E8D0D146}\1.0\0\win32	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5477469E-83B1-11D2-8B49-00A0C9B7C9C4}\2.0\0\win64	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2374F0B1-3220-4c71-B702-AF799F31ABB4}\1.0\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}\1.0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}\2.2	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}	Bilanzbericht 2024.jpg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xslfile\BrowseInPlace	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\ShellEx\PropertySheetHandlers\WSHProps	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WSFFile\ShellEx\PropertySheetHandlers	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EF53050B-882E-4776-B643-EDA472E8E3F2}\2.7\0\win64	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B691E011-1797-432E-907A-4D8C69339129}\6.0\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB4D3FA3-21B9-443C-886E-FC4A417D3E4D}	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BACEDF3E-74AB-11D0-B162-00AA00BA3258}\1.0\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B7FD5390-D593-5A8B-9AE2-23CE39822FD4}\1.0\0\win64	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win64	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B16B5A0E-3B72-5223-8DF0-9117CD64DE77}\1.0\0\win32	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ACAB122B-29C0-56A9-8145-AFA2F82A547C}\1.0\0\win32	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AC0714F2-3D04-11D1-AE7D-00A0C90F26F4}\1.0\FLAGS	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\1.0\0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34527502-D3DB-4205-A69B-789B27EE0414}\1.0\0\win64	Bilanzbericht 2024.jpg.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F4FE76BC-62B9-49FC-972F-C81FC3A926DB}\1.0\0\win64	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7CD06992-50AA-11D1-B8F0-00A0C9259304}\1.0\0\win32	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{63390F96-F295-425F-A658-0F0C88E8C3C8}\1.0	Bilanzbericht 2024.jpg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler	Bilanzbericht 2024.jpg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	firefox.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Aufgaben(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\IconDance.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Fagot.a.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5608	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
7072	WMIC.exe
7072	WMIC.exe
7072	WMIC.exe
7072	WMIC.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe
4496	Bilanzbericht 2024.jpg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3252	firefox.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4536	Bewerbung.pdf.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: 33	5648	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5648	AUDIODG.EXE
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	3252	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	2564	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	1332	firefox.exe
Token: SeDebugPrivilege	5844	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	4456	taskkill.exe
Token: SeIncreaseQuotaPrivilege	7072	WMIC.exe
Token: SeSecurityPrivilege	7072	WMIC.exe
Token: SeTakeOwnershipPrivilege	7072	WMIC.exe
Token: SeLoadDriverPrivilege	7072	WMIC.exe
Token: SeSystemProfilePrivilege	7072	WMIC.exe
Token: SeSystemtimePrivilege	7072	WMIC.exe
Token: SeProfSingleProcessPrivilege	7072	WMIC.exe
Token: SeIncBasePriorityPrivilege	7072	WMIC.exe
Token: SeCreatePagefilePrivilege	7072	WMIC.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe

Suspicious use of SetWindowsHookEx 61 IoCs

pid	Process
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
3252	firefox.exe
3252	firefox.exe
3252	firefox.exe
2564	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
1332	firefox.exe
2184	!WannaDecryptor!.exe
2184	!WannaDecryptor!.exe
6636	!WannaDecryptor!.exe
6636	!WannaDecryptor!.exe
6696	!WannaDecryptor!.exe
6696	!WannaDecryptor!.exe
6744	!WannaDecryptor!.exe
6744	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1092 wrote to memory of 1332	1092	firefox.exe	84
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1888	1332	firefox.exe	85
PID 1332 wrote to memory of 1556	1332	firefox.exe	86
PID 1332 wrote to memory of 1556	1332	firefox.exe	86
PID 1332 wrote to memory of 1556	1332	firefox.exe	86
PID 1332 wrote to memory of 1556	1332	firefox.exe	86
PID 1332 wrote to memory of 1556	1332	firefox.exe	86
PID 1332 wrote to memory of 1556	1332	firefox.exe	86
PID 1332 wrote to memory of 1556	1332	firefox.exe	86
PID 1332 wrote to memory of 1556	1332	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\EICAR.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5608

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Drops desktop.ini file(s)
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1976 -prefsLen 27100 -prefMapHandle 1980 -prefMapSize 270279 -ipcHandle 2068 -initialChannelId {d2b50eda-4417-4f40-ba02-b1d75abed02f} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:1888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27136 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2448 -initialChannelId {3efd7caa-8a7f-4614-8401-ea7f4fe07d6b} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:1556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3724 -prefsLen 27277 -prefMapHandle 3776 -prefMapSize 270279 -jsInitHandle 3780 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3788 -initialChannelId {2f96576b-7412-4fe2-936f-802a4662737a} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3936 -prefsLen 27277 -prefMapHandle 3940 -prefMapSize 270279 -ipcHandle 4032 -initialChannelId {50c7c635-da50-40fb-a836-a7360f62ce3b} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:4980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2920 -prefsLen 34776 -prefMapHandle 4480 -prefMapSize 270279 -jsInitHandle 2888 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4564 -initialChannelId {4673a45e-b180-4f10-ae66-78cf88f451c8} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5076 -prefsLen 34932 -prefMapHandle 5080 -prefMapSize 270279 -ipcHandle 5048 -initialChannelId {393d9ac3-2f21-47bb-bb4c-e51123a46c88} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5424 -prefsLen 32952 -prefMapHandle 5428 -prefMapSize 270279 -jsInitHandle 5432 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3192 -initialChannelId {36ca6d18-b337-482d-ad26-233651710cba} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5456 -prefsLen 32952 -prefMapHandle 5608 -prefMapSize 270279 -jsInitHandle 5616 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5624 -initialChannelId {5a0c30a1-b8c7-466c-b629-489c4a3c04b3} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5800 -prefsLen 32952 -prefMapHandle 5804 -prefMapSize 270279 -jsInitHandle 5808 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5816 -initialChannelId {b03fa541-d9e1-4c14-9f25-1d2051d13379} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:3804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6384 -prefsLen 33071 -prefMapHandle 6376 -prefMapSize 270279 -jsInitHandle 6372 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6504 -initialChannelId {11cdcd82-53bb-445e-99cb-621a0fd7032b} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:3172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3096 -prefsLen 33071 -prefMapHandle 2932 -prefMapSize 270279 -jsInitHandle 3192 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5472 -initialChannelId {086a4062-dff0-4fe9-90d7-2097b2be6fa4} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:2228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3084 -prefsLen 36542 -prefMapHandle 6760 -prefMapSize 270279 -jsInitHandle 4524 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6912 -initialChannelId {a1473ef1-3853-4a70-a7ba-4e238ff4f837} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:2288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5812 -prefsLen 36542 -prefMapHandle 5948 -prefMapSize 270279 -jsInitHandle 5932 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7080 -initialChannelId {529d3680-11c1-47cc-8fce-2ff164d7a168} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 tab
    3⤵
    - Checks processor information in registry
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7228 -prefsLen 36542 -prefMapHandle 7232 -prefMapSize 270279 -jsInitHandle 7236 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4524 -initialChannelId {0dc89fab-8ced-4582-833b-d0a2539f9073} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab
    3⤵
    - Checks processor information in registry
    PID:4004
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7492 -prefsLen 36542 -prefMapHandle 7496 -prefMapSize 270279 -jsInitHandle 7500 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5960 -initialChannelId {055d09bd-9924-4464-a026-03ef586cf792} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 15 tab
    3⤵
    - Checks processor information in registry
    PID:2032
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 1 -prefsHandle 7456 -prefsLen 39428 -prefMapHandle 2940 -prefMapSize 270279 -ipcHandle 7468 -initialChannelId {cf999a51-21ae-468c-be87-0538a7f19563} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 16 utility
    3⤵
    - Checks processor information in registry
    PID:5876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7996 -prefsLen 36542 -prefMapHandle 7992 -prefMapSize 270279 -jsInitHandle 7916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7896 -initialChannelId {14cf60a9-8dc9-4cef-a85b-0dc1dad1cce1} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 17 tab
    3⤵
    PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7204 -prefsLen 36598 -prefMapHandle 7364 -prefMapSize 270279 -jsInitHandle 7712 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8204 -initialChannelId {30d566c3-6464-425b-be44-760d54ae5469} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 18 tab
    3⤵
    - Checks processor information in registry
    PID:4736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6888 -prefsLen 36648 -prefMapHandle 5964 -prefMapSize 270279 -jsInitHandle 6960 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2908 -initialChannelId {f443d67d-6235-4168-80a1-720551ba1383} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 19 tab
    3⤵
    - Checks processor information in registry
    PID:952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7164 -prefsLen 36648 -prefMapHandle 7152 -prefMapSize 270279 -jsInitHandle 5456 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5964 -initialChannelId {f30e6a65-d476-4e32-8834-167f1f503272} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 20 tab
    3⤵
    - Checks processor information in registry
    PID:1544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7152 -prefsLen 36648 -prefMapHandle 5456 -prefMapSize 270279 -jsInitHandle 8576 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8588 -initialChannelId {8b3b02f3-1b42-4024-a52f-2c2534dca74d} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 21 tab
    3⤵
    - Checks processor information in registry
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6992 -prefsLen 36648 -prefMapHandle 7948 -prefMapSize 270279 -jsInitHandle 7952 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5492 -initialChannelId {518924a4-075f-43b5-b199-db3e7b9e5db6} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 22 tab
    3⤵
    - Checks processor information in registry
    PID:3296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6676 -prefsLen 36648 -prefMapHandle 6880 -prefMapSize 270279 -jsInitHandle 3168 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7756 -initialChannelId {955084d9-e7e0-4796-be44-1e7c6c6a9817} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 23 tab
    3⤵
    - Checks processor information in registry
    PID:3664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8580 -prefsLen 36648 -prefMapHandle 8564 -prefMapSize 270279 -jsInitHandle 2608 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7144 -initialChannelId {746c7aa9-6b33-4266-bd40-a9e20373db9e} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 24 tab
    3⤵
    - Checks processor information in registry
    PID:552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8548 -prefsLen 36648 -prefMapHandle 8544 -prefMapSize 270279 -jsInitHandle 8784 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8648 -initialChannelId {8cc34864-dcdd-4271-9318-cb6cead8ad77} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 25 tab
    3⤵
    - Checks processor information in registry
    PID:5556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 4 -prefsHandle 6704 -prefsLen 39534 -prefMapHandle 7068 -prefMapSize 270279 -ipcHandle 5940 -initialChannelId {de497e4d-f869-4a7d-b7eb-7fa03c76be7c} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -appDir "C:\Program Files\Mozilla Firefox\browser" - 26 utility
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 4 -prefsHandle 7200 -prefsLen 39534 -prefMapHandle 4528 -prefMapSize 270279 -ipcHandle 7448 -initialChannelId {b84c99ad-8db1-4f6e-826b-d36b0e418010} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -appDir "C:\Program Files\Mozilla Firefox\browser" - 27 utility
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9008 -prefsLen 36648 -prefMapHandle 5924 -prefMapSize 270279 -jsInitHandle 6504 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2492 -initialChannelId {456712b9-dd33-4c61-960b-8060cd88c731} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 28 tab
    3⤵
    - Checks processor information in registry
    PID:1108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8872 -prefsLen 36648 -prefMapHandle 8868 -prefMapSize 270279 -jsInitHandle 7740 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5336 -initialChannelId {913e0ccf-54ee-49e6-aa8b-7ae3d3901ad0} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 29 tab
    3⤵
    - Checks processor information in registry
    PID:344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 8524 -prefsLen 36648 -prefMapHandle 8672 -prefMapSize 270279 -jsInitHandle 8776 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8872 -initialChannelId {6017438e-24ca-4602-a220-4c5257818453} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 30 tab
    3⤵
    - Checks processor information in registry
    PID:5864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9096 -prefsLen 36648 -prefMapHandle 9080 -prefMapSize 270279 -jsInitHandle 9180 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9092 -initialChannelId {2f941cb0-4402-456a-a1c8-178cd18064e1} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 31 tab
    3⤵
    - Checks processor information in registry
    PID:5368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7964 -prefsLen 36648 -prefMapHandle 8544 -prefMapSize 270279 -jsInitHandle 8784 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7028 -initialChannelId {71a44192-7296-4247-9428-134a22009e65} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 32 tab
    3⤵
    - Checks processor information in registry
    PID:1944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6704 -prefsLen 36648 -prefMapHandle 7056 -prefMapSize 270279 -jsInitHandle 5960 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7760 -initialChannelId {ac750d95-9752-4d7d-bfdb-c3415340c59e} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 33 tab
    3⤵
    - Checks processor information in registry
    PID:3008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3168 -prefsLen 36808 -prefMapHandle 8904 -prefMapSize 270279 -jsInitHandle 6960 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5336 -initialChannelId {d4a1ebc3-0759-4685-b7d9-bcce872b3f5a} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 34 tab
    3⤵
    - Checks processor information in registry
    PID:1788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5780 -prefsLen 36808 -prefMapHandle 8684 -prefMapSize 270279 -jsInitHandle 5916 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 8720 -initialChannelId {6b540ecb-e6de-43e7-8d42-61010f3e63b3} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 35 tab
    3⤵
    - Checks processor information in registry
    PID:5756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 9420 -prefsLen 36808 -prefMapHandle 9424 -prefMapSize 270279 -jsInitHandle 9428 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 9436 -initialChannelId {2d99e948-f8c3-4ac5-b4c9-6725cb6293b7} -parentPid 1332 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1332" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 36 tab
    3⤵
    - Checks processor information in registry
    PID:1016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3752

C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 1\Newsletter.docx.exe
"C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 1\Newsletter.docx.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1648

C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\Bewerbung.pdf.exe
"C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\Bewerbung.pdf.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:4536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 298021742757704.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5380
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4320
- C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6644
- - C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1552
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7072
- C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7164

C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 3\Bilanzbericht 2024.jpg.exe
"C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 3\Bilanzbericht 2024.jpg.exe"
1⤵
- Modifies WinLogon for persistence
- Manipulates Digital Signatures
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\activity-stream.contile.json

Filesize
4KB

MD5
8d9484944a9babb3fa1b46800207cf21

SHA1
b4384dc89c4b2af83871a2e97132e72f0044be60

SHA256
d19819645e66825a576ee5b5c218cbd757c8bc61ed4c9f7d1042098588c3ed78

SHA512
4ce89214047292651ec045933d80360fcc370748e60d7036d50a6c4511bf96c921d92bfa03989bdf2b329acf300fbd3e302a600f6bbb116a7372405011a125c6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\doomed\21066

Filesize
208KB

MD5
25fdc1bd5fd9e1258dd6db29653de7bb

SHA1
e5f06a6eaa98ecd227ac8b1b8193dc5aa0e488af

SHA256
5b9e167785a68ef99e66bfd26e3a9d0f685e3cca5ff634f9652cfd2732c278f7

SHA512
973d77b70f4dff2af14d3e0e99e3e5a0309b704e06d8c5ae77fcf17662cc47aaa70acb1090027133780170aef2d239441e90ca94416c97e0fbdac8258526f1e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\doomed\28036

Filesize
17KB

MD5
f6d558dfef9c340b006f1d04dcc484e4

SHA1
9f8c90f6dd7dd549fce9ee835fd229bf58ee7197

SHA256
6de6db467a4c396301fad467d03e74ab0c39e3f77079347c3a0bb451638d7c73

SHA512
829aa6a08baa52ec7afebd5ff1e7d91cfaf15e76c344378ba2780aee4f6e02880a5d97edc24f93b5a95f5fcf3bbb4d04fff173cc2e37b0c9b62aac46ce1905bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\17BE87ED87D0D984D3B0321503548B8342908176

Filesize
45KB

MD5
eaf1c3fef445de9c79894fa21b65eaa6

SHA1
15f4e7b3f712ed1216d0bd355d1a12fe4a3b0c01

SHA256
dfa7c9b76ee8482187612d7026c739e4790eb049059bfc118df7ed4b0e8eb025

SHA512
ddee42e597a285b60a6b04634de06d8adc95b74b009b505d8c10ea1dc20f82926edf76bfbf3f39a6a1af135df7b8725b299818c6391f365c7e39ebdbaf5cd8a2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\1A5996C16946393FC0B184220943714409DE2FE0

Filesize
43KB

MD5
0135ad74eb8539ea8804712107f2278d

SHA1
7d83795747632ee4d570589dfbd1a70c6cbdc042

SHA256
0d71f62b9ec2de17880c786efdc532c3aaec2c82035ba10ff26c947202b9fe63

SHA512
191f0568798987cf0c3181c74e1859f290782702ec6bc96b623f36467a26316a168e0dc064b60463ee274e86177c579737d4f14d68d4e33958e85f0ea2e1eb81

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\2F879E430745EC79E1888DA9C3EA593AA94D739F

Filesize
96KB

MD5
cef3fbfe6282d4b6afe04ac658202e93

SHA1
c07075011300980e09272e45a15c69f09002a9c0

SHA256
1e4d3cb7696a9547c104e6267af3a5d8051027e5299e1cdc79124bc6a238a5a0

SHA512
3651f98fd75491f6c8d621b2b2c3e4f076518ab531ef2605ce69b69fc1991623a6b854cd6a43596fb62fa85ee91b0bf8f174f846ed45ee0c483a2852ca8c9e0b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\311589B5F7E27FD8DAEE1AEB3F2A1C1A3FFED5A9

Filesize
43KB

MD5
130df82b4bf462c5d49938570360e8d5

SHA1
77cc629635f4b6c3ce24e4e0781e039306af1f31

SHA256
93be5d2acfd5a06ddadd812d0b1eecdd75e0af024faf037511c315b6d60dd722

SHA512
17d25415132ded54fbfa9e162fcc760db4bc6ff673261b4ccc764fcfa56e1c0d46d5a133d7fa24a4a7409b9c7ab571eeba51f668ccc8c50d575f21f45682fe9e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\33809CDBDD69269236BB05F66DFF2693F384205C

Filesize
60KB

MD5
597660173360aef02a1f381523a6e324

SHA1
e81dc11a6dcab9d291eef2ff5e5ac2b1eb8a6e0d

SHA256
8e15e1e9303dc7b60ae1b78e9f9a547df5f4dc9a0b88951d99e1fb50965357b7

SHA512
e8edad6e3aa6c5509b24d036f3ec654bcc88908e080ef08b0ac31ac7af80e667fe548a2b0751a3361b6747fa86327b615c216c7ed4736eae10b237a44623c10e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\35547F305B43F28C7F3664D49C1AD32A7112A1A4

Filesize
141KB

MD5
670cc060093bc3a2c45b9fd0ee0de6e9

SHA1
4d505974e2db9caf0d16976612cba56057130f7d

SHA256
9dcc9b8e585e72c43d44c253275cbee876c33989e7080b8a1161b1d9ef9f3959

SHA512
16fe4609ef19e0644f18f58a3b9dfff186d058e00d9db168b72b0d397ef550eaddad361fd93eb63154e5f7a957eb250ee00d72802f9e2c1fb11f0b9abb16ed4c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\3A1FDC6B34A57BABDC117F984BC456C512AF3C8A

Filesize
95KB

MD5
818fee73f260cbc71ac22f5bb60e775a

SHA1
3c376733b77e830adec4868ec181b96c1563aff5

SHA256
2f54d4127f081fd589ef21653317bea3c016c1593ab156ba53a52b6fe03edc39

SHA512
910ecc8330ed748d35a8ae8b0c1e29a54da5059245576f9362336b84cde433ada68c909779ffd7f86b479125c44a57ba029fc4856e870635b887b4452010ea11

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\4C3BAACB5222888D0F9C6C99BCB711EEE930961C

Filesize
63KB

MD5
758934e23ffb53d23823c72f5276d1b3

SHA1
fbee5a71c8acf131e67ed32c51160a25fde563f1

SHA256
8291bcc866bcc0c2febb46c68aff75fc7e90a66009413091e5b5b118e95257ed

SHA512
7fa423856bcd6f4c379d371a4518d2df2ff186cecdbb87397185b74d8553c7bbca3bd56cb875a9b53d29a7fda1fb73a544ea478cd958a561a6f666126274ec09

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\5ACB46A5A72DCA2C675A19F9DCC5C68E4EEE16B7

Filesize
34KB

MD5
38de13093cdd47951a298df3882f1992

SHA1
9b1646af706c5ca1366c1f8d9da3d79bc21130ae

SHA256
15e196094c0e769deab559496fbc5fece002e29d052129fbf23098e97823452f

SHA512
d089514cd28adef2eaa1476c5a3b68c079536b68f94885db2185875310ed0d93590fd4ea0a48ca25b5f36bae9cc197a442c837e029e2d05f40160263158d651d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\5B23235D54208C34AFF88FC6F18585FD8A8F8FAD

Filesize
32KB

MD5
3f49d1bfb58c4b64e701eb7f3b9127c8

SHA1
dc50d33517d4d12540bd4e3da14ea76e572da5fc

SHA256
13b8f5a4b416aafbb5feeff957675b8c165f61480ee2b82853e4e55989acfda6

SHA512
cd72b591c7beb7948280e1b5037bbd78ca368c553854556a3273315cea6ea0052a502691176befec9f6a78d0930b489b2bbd044ad95b6832d9fb54898af1d23c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\5BAA6A06AF4FC2E3C16BE0B26FAD120D7305F877

Filesize
750KB

MD5
b4bbe122d2f4a1ed24506c2db230c311

SHA1
3424fb66f6ac0cae83beb9ef3442c664e9b5b70f

SHA256
f49ff612c670b4d07c2f631a20de66eb03361d8831f76c45e8ddc6fcd29b6e84

SHA512
3f00e54487b749fe1cae425ca765c16d09124db9d2d8022460ba66ee9a1ac144a7e1420b6fba3fdb7f8cd855c4654d11e0fccf83d4d2ed30613f88fecefb04fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\5C039B71EB21CC1D01F51A14EBCE8BE82359407C

Filesize
35KB

MD5
3938f91da426d5f8b90360c25c2e327c

SHA1
2a5b32850005af5423f4b14ec00d8dd08f2a837d

SHA256
1184b6042c9c5d76b43bae9f3b4af991aa43a8dc2fe78fbfbcf55cbf8b160aa2

SHA512
6b952b99a9fd7853fc69f22299b4b8d2485f75a935b7b946f0ad878791dd7d5f23b31b23e35bf4cbaee14d6a28997b752b5317ce4bb597eb97c019da6123ab38

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\5C6C79B40D78F89E42ACAA4B440A679881E9480C

Filesize
59KB

MD5
69798192fa64b4c9e73d6ce12431b9ba

SHA1
8b23604255304b082a5984b0cad72abbcb5ebbb0

SHA256
c19ae62d439d0fa6eeece911d75456c7aaf5835e773967794e2cd0fab4ff2625

SHA512
3bfcba5546d2097cd4e3ae9633a08e3d9e7fbbe12f0c20361dfb86916cb4e631e84f4ae251ee74ce1958370f8ade21c63f0a57942878fdbd02f0f7387a5b2d55

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\5D54264AFEE8A63F08960C6CCC139E605A2F5285

Filesize
42KB

MD5
0197365a94a72ad112352fcf24d1ddcc

SHA1
c5e5e5892458f401341376e5acb16c3a7a399e43

SHA256
670aa524e38455c04e0055eb03ec3f702ddae0f2ca6e2c292a5fce637efc37f4

SHA512
5b92170652ef31040022784c11fba9eb924614ebeba6a9bd156765a5028b6a8621b4bdb18d8babcb9f3c200ab18c7a920b4df3b6672a16366481cf3fd1592e0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\76FD3AD3416B5CDCE9D51818E1FF7D3DF4B5F3E7

Filesize
120KB

MD5
bc9ec387dce03c9ffb88adf8a1e974ec

SHA1
c1773f92d421cc9cd8ec0e77632776f5d0e6a716

SHA256
da994d0876d05781d68b02ccfe7a9e988a136140d34dbd13491407294500ac36

SHA512
46a4e14dc9c34a4ba4d65e301cf252cc77beaf7bd12f62f878a363774b0eb62aeea491be633e47668898cc2351f08820c515a937afc9432214cacf1d42cbba52

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\7CC3ED926E7FB548C6A7417575FA0933AD427798

Filesize
34KB

MD5
e65e7910009ef8fce8b8ae08af05299f

SHA1
e97a716220f539fae039fcc4dcc9c1b8d536a7d7

SHA256
335c76dd5cce83418b9ea3a15b5c48de5565e47daaa14829761eeea231e2961a

SHA512
f66638b366be195f37b658950284592dd334866a9865ee69384e231f16a8defd070cb1440c7b6b3f50d363ba3b49a47c04188b53e7991eda86aa7824a2e786a6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\86A3928809A646D078F526F26F559FA770863052

Filesize
33KB

MD5
d21c458a269357f71ef4172ab726ec07

SHA1
0d8ed20b46833980ce694b31f450bcf6b174b62d

SHA256
f1ad54c9f2a9834cea4e38ab316ca6f58affd136a5359df356eb1022a353d766

SHA512
3dd66b8688e9c8d562dcddd59833034e8a56d19fa1426e30b48eb0e68306f8376b9287f488edfc17acb9fd10af042641175dd79a42802636ec65bb485c020c33

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\8D11864F69B6D9276086D87F1C72386DC26A1DF7

Filesize
47KB

MD5
650fd1c6f0967cc2fd43f982e68603a8

SHA1
8aae1b8c4dfb6cf35683356cd3be8a0f413dc1d7

SHA256
0b6a612cb1220905fee9e10dd762e3140c57b25fc2190ee3ab0e2c692bbb8eb5

SHA512
b7d36adc31d7f2fdcf4c82f4a648e5591cfb6c3520850ab26fe47ebe6f148f3aced13ffc2b2dab4a7b52a8ac38cbb58d74d59c51ea3fd2132612ed258edda570

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\8E85625EE9AA011944D3C0C6D5776A5A154B9FB0

Filesize
554KB

MD5
9a756576954f591d8c5372fcb96fc321

SHA1
d8904da7e0b2661f7dd0a2f7cd412462390da326

SHA256
a3dcb5dd8a6382b1a0f9c0288c814e60b6b5a3501bd30ec7cc7586de01f00968

SHA512
9d131a97e4297f5e4a00e6daa4ac5fd3afbbdaf91a672e7e81e5ad857b0da799d8c31d206ab44c6a53104384d728c6149a72ed7316ba18bf3c8423bc7ee835ff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\9053EBC162369DFB6E44725D663192EC1776807A

Filesize
130KB

MD5
321d62909b69c647ac1eaf1d572e7994

SHA1
2a0ea80e3a104d2b860a3021bf64136b97ac8020

SHA256
8abd9f5de12352581dba983d67e4ebba2a3f8570049382f2a986eec405289f2c

SHA512
b7f5e8f7fb853ed401b8cba5296fe9dcc27fd0d9bc8302ffdde96f53f5df3c514da0d5ec520832695c38bf27a53d05996db7c1a9d89169be7bedcbc31b69bb29

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\956C138E7E189A8F1B675B499ED2D87604EE6E73

Filesize
47KB

MD5
4528aaab8def646942c8ea85d0d2f053

SHA1
656f917f5c97dbc83c9a3c9abb5a899d0b16ddf8

SHA256
ac6945a9b1de6cc7ace7a382444a21fcd54e156fa319c46acc711439a2afd6c5

SHA512
d4d5db04b9de87a39db6d9fa2fcd1b180019c0b5c24e0644d6e7343879da24c78ca212a463081bd2a4b8efff10d7c5323f2a62d1bafec287a8f8491010ae8890

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\97AFFA25C9ED84269BA5F8059413E057B9831B3A

Filesize
41KB

MD5
822b9b4407e5b0c067da357fe174f87d

SHA1
e16f6106cbe61e1adeb3c565c8d32169c84c4054

SHA256
505743f0ece06c038cd057ad583257d94843f88d823173f6992fac4c5f5aaa12

SHA512
768ffbae4b794e02536c377228755369bcaaf41cae351b29745774f1e8319bf203ea5e14d6235cc6e2bf07319363f9f42a49020e14b14d03d0835a7887c92fe1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\98E0A37ECBCD04FD3A54713B64F404A8E86CA22F

Filesize
17KB

MD5
e8722e62cb47bbb78626112361f5baf6

SHA1
f93b7953f902e70149b2c79b7b48daa460fad6c1

SHA256
d0ad53d9d983ffde10197ec777040cd40f4c67332c937be8fe3c1f11e6fdc8c2

SHA512
951029cc73c1c3d828accf0c1e5814cd58f76de9972acb0f782e97e846951db397a5b54491b0abb666cee759a2fbe280543f1cbcc8917e0819cc294a62c728c2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\A175F5A17FB1329B98C65A5564AD92A1E96C826A

Filesize
1016KB

MD5
6867fb2d88836a99ae9b1f882f2cc95b

SHA1
1e790cf8dc7a587c534891cf2f590995932d41b6

SHA256
96788abfd4d45beb74e9c70cec996a2d8a41b8baba044fee0a9975272d222a95

SHA512
74059a40e742bf8b4093972e47d7db702a138999dfdc0b16ca1ce66627cb5b687b1ec378b6ea522c2d60919efe3e186dfcfddbb1424307f03c26387eab0f0c79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55

Filesize
39KB

MD5
f3a888f2441211a8d27faa5c99fc5ec1

SHA1
a2bf26366be3815cc7443556416432a0d5bfd93d

SHA256
56bdbc3b6f878d3435e9aa65a7ac337072f4d042892e24d9f6da7335903f6127

SHA512
9fdcfac09cfba4e4f9e21f6b9c7928bd0488102f0449f7c9d0e3cca61b0ce6cb76f3e621284287fda2ed76a3d87b5f482be8bd05f3f8021a793a45a32e56e336

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\A6FF77C2033C908B03713433B4AB74F22209835F

Filesize
24KB

MD5
79592ae3c32e44dae464e3e9390bd888

SHA1
b324e563b2cd3e617a155421c42e213e5cc29d2f

SHA256
e4400b53f3143429a8df8f66d8ab5e07a1565ff1d7cc3066cf569faf6e58a5b6

SHA512
034fe3c22c2c7c9f44aa1aa77ec815ab741c6257572194f7d393f4a95dfc46811d4f9cb83c1ae11d975ad871c9f0a7b1e5f1c0a654ba6f1a4f90b00515f6fcb1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\BC02779E4549B742F87E407101403B7CA65078CE

Filesize
45KB

MD5
d8509a71864472fb4ec75f35e2b39376

SHA1
40363b87a536cb7991823440a81b1599d7234d4d

SHA256
04937f6e4e38bdd47bd5daaa832e3680b26d5093022791af2a8bd8323770451f

SHA512
237797521e4fce492f8f84d437089f67abaf0390d376afd30038073bbdefbd5c51707e95aac85d574962635414f97e46d23a1dc0aaa9e6f78d05c7e01a0dbb65

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\C3F133B8E17B6F9FF4E9D7FE9EA9F938D4450720

Filesize
13KB

MD5
f2b97f0bc15d17bed728918e54a58cd0

SHA1
df01c46e0c53a53431aa1af17b3ec75a56a4e4a4

SHA256
60d29faa18e36f74c9a9feb1dc43e97ef273c9b1cfc7f4729be2f05149c1742e

SHA512
b6b76c265601e55857a4a21bf4b9af35d17c13778a86bb3e69e6c1892b464149ad1b60ac96443ab0732417d6a64c05c2141b220d90c727c7285d1eccb3f000b4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\C713E8CEC8F461E36685AFC07C464CA149321CD3

Filesize
95KB

MD5
42a58461d12356645e72304c4a0b69a6

SHA1
fe836e2865e76e431ec99268550994ed463f0848

SHA256
487102eef3901e67e62c797706434ee7317e305acf658d53556e114137037ddf

SHA512
08b74ac4dab6845c1b594b9cd513267b6d9f379965144343cafe53860211d0ff03340392b093e55bd03195f5cddc68bf52dc22a7da1bbc2934b1bfe405c027e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\CF1F76B5E57BCBC0F87E18769B5F33540777D2CF

Filesize
4.5MB

MD5
97244f99677babf512f95716c842daa2

SHA1
1cffaf6d5a74810226f3cb9fb0d5d5aacd3e33c3

SHA256
ac79542eee696a622e2e6651b025a617982e3bae56891efdad56af437ffa5607

SHA512
e840feb607ae904649d2aa3d9194a39e39be1edb4b6ef38d1bc7c93ba43b22829918eed73ca91ad387c4258618e7f06fb02f416e066443913067b61cc3c4597e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\D028B8CCF87D8DD05164734B6A824C03B2E596FD

Filesize
291KB

MD5
2135ea89446b0c3348e9e9cea0118f66

SHA1
ba08c5b9ec99021d70f52b9f7ff1f2784cd4b487

SHA256
3bc8122d6d0bf62eae01e72e08ec1816607511793b3d0c25ee1214af56d4d935

SHA512
420b9cca1894a0cde0d7003b54a6658ec578271d7a602915418df4dd25cc89e69dbc4acfb9be1073e8056ad474e9c2342bf5b9d97fb25dd4f94025c4a0cb40f5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\50jftte4.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
a2c29cb47ea1f8799e815af88076ac04

SHA1
9df6b7245a08a374f17c4ff6ddf87b860f998cb9

SHA256
c585fe85470209ab117c9ced28eafbe48f0aad1cb4ce222d18c3888c648055e2

SHA512
6b9dbc3c17693efa94ccb5b661b9ba3490ed9eef3c19c2ee99efb1061d819fd7cf2a2117632ad6ce76f00a29818d4d6368b89018e94400c9404ab4447eb9a9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
f8052a1fac1272d2f07f5f3913b146e6

SHA1
7f965fbc7ae2c269ca70d2ae7b916269a066f43b

SHA256
18b288a87ac06dafadad300c76a9c64e65b94cdd7847c9921ee5c9591d69fd6d

SHA512
32a29184481a9fc5e13637dcc2da43e5ad9919cbd36e8674140bc33f5c89018c5540bd6da4ca140c20f808e98c9c70a2b75be97488c39587db057c5618b72a11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
925491baa2e0dd927ccf790b138befb0

SHA1
8094a240cf1f6945d9f512079a5ab30a1e6640a0

SHA256
5160fb5302dab25b1da59606672eead517c374c55d4d30316161b0af5ab760e1

SHA512
606737f4a2dd90c71642a4b3eef1e78b1f16823e1d7418e3474f3cedb800be6c837752a21015fc1ffa447bbb14539ca266b22d43635d26c912250ab4bb422b4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
33d0f8ccceb0ea0d8933a45eb85f11df

SHA1
35f5c45a4998a9ff58e17007c3c22906ddd3409b

SHA256
ec85bd9519c7ebf52917f19018efbd0f78373d02df912d62cd1421d043841942

SHA512
b66a4e5776e23f61ff00cfe85e457b8d5b966fdf68b2b9169791fe9ea72d2b6aa2561d3bf13ccef80e2c5abd975f651ab3dc92a71f9eefb41193c01145f7a038

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
eee91c3a09c4fcd27b8df8e54a4a385a

SHA1
d13696460e4d0053056362d4403193b234713ba4

SHA256
b3f52bfe9b6c7233bdd8995de5bcd3b4770772a0d2d3df309c1b2d729fad98b6

SHA512
91d02f39eafc2feca5febda6957d87f4c51d1102390df1b75afc202ed4fd1401be612ca2d8ced0285f555227dcc482202dd8000ab5376dd39ff7aacc722bfac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
21KB

MD5
ec7508363399eab37cf8db02c7aa5c5e

SHA1
991f36db3c2020f665a891083a846ce231b2e3d3

SHA256
ab115221f94ca706881f4da3fcdd6aff21baa8489db3c59dc7faab2bda039227

SHA512
26e1d127089840a7a3ebfe0929e89d2e38bf7167122d4e46894b52c194ce0f1d79a12c77757f5751bdaeac48a2cfb74e98db4f5d1b897592e44bbef73710d482

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin

Filesize
17KB

MD5
32eb4440c7bef87086fb72c23332bc68

SHA1
55320f50e520e6dea282533d59405f6c5ea38d14

SHA256
dd6bf1f24990745164d9efaddf58125b88b7fd57e2a3285a45c2552e121d2d96

SHA512
886aa739364611517cd345e55f0356728eca87184b7bebe7617a230bfb8cd1f6510526f2e5a3da3953dfd83ea5f7c7d3820dc181a2d1ad84ccb624018f72bcf8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin

Filesize
7KB

MD5
aca8db484e548d85ca22e8c95700bba9

SHA1
3a2b5008b575ac18c2a6c1547a784b4d1ab75025

SHA256
b53f1375844852787330a4c22539c4528db73f30715af81aef89a5c6ece45077

SHA512
2a3586a5c1fe7a044cf383f3122fa9a29adda41a7ccadb53c31a356e7da90cb6879aa387501ebd716de0d39bf2e02d25ea90f12d016a1d1f844b5c75be0cc2ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
542526ab1d270131b7054141cbb27933

SHA1
7c5ba171a83e50451906357f07bbb44db1274b72

SHA256
686aa2343ea6ab9dcfc71e6e7439eda57f8358ec18d7c75eff7e30455a59acc2

SHA512
8716c6be295f13536106b395ec35c88376c63bee70aa5725b04b02ce3492add503b390af8c7ae11c3a4434f22df27ce097820eb8606a00612a602274ea75bdb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
123KB

MD5
7002f5d1868aa9151b1c22279ba4b39c

SHA1
4b660c1e7f8e89c3761f7509da3c8f58a41dbcab

SHA256
33b1aceb5e4ca16748197860722e833b42a4899b7463086cab858cb5edd29b92

SHA512
009f4c3b0c6265b1208320a7de2b0b2164f739db066a95176a968947b8684fd3cd96bf1554e8f241248c75a809b0f080b3c99a862f2e90857ac6adbdae0ec7d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
75cbf072c4ab30c06e832bfa9cbe560d

SHA1
c2331bc35dc761d3ea6d2e738c3d79b5191a737e

SHA256
bcb181d4251dac394d591b5b56117b4121797ae2b412a2887f10a2394dca711d

SHA512
6edd756b3139ad07e852a1a2a9a25392b4827169a11278a151a7b4c30239b672bce8033ce42a1fcdd956c3888787aa6158e67043671d01e956a7bc250e9a88ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
135KB

MD5
417cb2db2d9099bd4ec87e4c82dae6f6

SHA1
4609b0ccc675585d0fee9c3f7c35ef4805811420

SHA256
482726ee2d819ee8d406369fd9afdb2e9a5e17a13011ae8ede010d4036d63c91

SHA512
f5254dbabbe20e001048eb07590d06a87d8c8f92e47d95bfcad8f95f7ea726120af8dcb37bb47b43eea7c447d67dd267c40b28a8ff2fe29c903081c701f061f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
123KB

MD5
01112f28fa254346601715e2211fab72

SHA1
e06e7b3fc82b29ec7608e4155d33d073154a5a60

SHA256
7e63066c66d5c3dbd8954254dea4f0304ef6e0dc44eacacf882e36221084756b

SHA512
43d270d3f2913400f368fe52af7e178942ac85c39f75e1a218afccf94bf2adfb5e600aa86d3906f50c43f51782194c5788267a62d409e462d87734412088b24e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
9c9d2e7d0b3db26c62f41c1a0a533a1c

SHA1
269e5c6c7eddf6393c61a778df4eb3ac5bb3bbdf

SHA256
46347294a6fe1606d76505872160cfbb0bcb28bd19a2476f2cbd16386935ec6b

SHA512
3a2b0946a7dbad637abe0d1b30a982a296bb3cc19ea03d9a3740ffe72b8ca31a25f1ce66b07d3b5b60867bc1948df20179a6171654f2b476440a74d455e5ff54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events

Filesize
4KB

MD5
249e0520754495f788fce5f68e3d558d

SHA1
d3d186379d3c7342d7a341b46d94454ef682667c

SHA256
2b625932ccb3be704a339e14ec7967b4e0ec322e80bbb19a4f1326f9d60cdba4

SHA512
f9768592c17db2db4baf778adb78f1c0d92fa316f0c5f91acca65adca5d99bb3032ea1a317c07f71371887416bd5298e91bc21c0c82cd3261ed359e3dc67c50c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\25ac2063-dc89-4c6f-974f-d6bedb3cf7a1

Filesize
2KB

MD5
8ea1c97de33eea5247b303403ad8fb8b

SHA1
0a3267428eaf91b9e2790aa1c30f260f19efdb10

SHA256
ea4d978b52cff80befe15d2f7ff39423f42c982f2282c472aad3b77aac49af2b

SHA512
f11aaf25434aa938efe8cb8393d40b86fbaa80041bacfda3f86f06fd0910011b626a69f80407988cb36423dd795348f28de288f63e9a8be514d792463da9b41c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\7d1aa5e2-83b6-4cda-b11d-b39683039271

Filesize
1003B

MD5
5ec6e265546e7e157e3a241ac0c614ad

SHA1
ff81b20a1774d2c1279deaccb0d004cf61fd1a00

SHA256
a2226915fd99e72c347bbbc868c96fcbe93026825eca6f2b465d9a3845b71b6e

SHA512
04a378e71573f0ba9b742bfc8a569705abd1a8f35299cc3fe2c744fa559614d02f92e9dab55a4ed38d4f550163c893d3cf76e187a5def8e4484d11997a1906b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\96d580b2-46ec-4c03-93ca-800acbcd2705

Filesize
4KB

MD5
08eb57041af04ebba135f953e3a050b3

SHA1
d33046019fd36feaf472e1613b505c1a838c7b1d

SHA256
33ee2cdbcdaa0c7a760544ac57964b203857d0ccecf2f997bd56f8dc8c13e83f

SHA512
f1ff12065811d8c55fa4fa20e4d8aea4d5fb90b3c82a2a4daf62e79b158e1224968793d3203ed526b51f99b29704b89459f8e1733e5497945e51c3b6b965119d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\9a8235b0-2bc6-4ea4-bb52-0c8adb2476e9

Filesize
281B

MD5
37755c34efffcfb19e3b1d1b02674be8

SHA1
6ae31f8f8d08ac77a9016d61ae43eeb661c55af2

SHA256
9539fe7473f13511f11e66a89bba4cbd3e00f4c8ae96314ee839a57fd85ddd52

SHA512
8ab93c586323e73fd8961da70f4faf8e57680bf332ef6eb3ebcb334dd918a5d07dfde323bd5192bdf607cb606689796f8bfc992c96a7e27e8be8c3712bed4deb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\b23ace45-6ebe-4fd9-9c90-0ad8ecb4fb12

Filesize
235B

MD5
376823c1bb2f7fbd0aa18b7fde1e74e9

SHA1
b2c45b04fbcea2f34639c1ddbd7333e17376cae5

SHA256
3be3d1b008befe9ca95d25afe3f241666881385514559242bba111c674613cf6

SHA512
98d0d9a4ccf41f76a36c623fd3d0a2c121babd972e69b55ae844a12b951448ddff4e82bcf5ed1136043dd931d979374dec806243dd88d61f1449e04feec6dcee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\ca81905a-0bfa-4956-b8c4-3c9600baaed1

Filesize
281B

MD5
42f6ef5fac8585051d78f4f350ee33c3

SHA1
8fa16835ad55ce71653f69df6ceb0f09adf26e94

SHA256
155cd364a93a0e04a0617d8b79f9c8bb79be7d19731c7e5001a3939ba65a84a8

SHA512
9969a637c5d33b18a65f58ba6fbfbd34a69acd848199377effda7697d1f082af72afd043940de64d63a371f7549ebef64908a282a6b6acf0f844a55b18c085e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\d15dc47e-079d-4e7f-b878-79b792b7647c

Filesize
883B

MD5
3e383d2df2cd6f2684a0d7a42ebad410

SHA1
06d6617d76fe55cfb203ad759643cae5a7195fda

SHA256
fda849351feb9ccc825b042954a4da9cef5ccc7f9be73120614850d9e80d0ffb

SHA512
ee66fa7a999a6e02f37749b6b8bde069fa78a30b1d6952b9a428379e641ebef091df3c4494ef1b75a0724e859ed68f91643dcba8aa7c490e9a862f36754e95d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\d3caf917-05ae-4cf1-a158-30c07a7eedd3

Filesize
16KB

MD5
001582b1c3ce2b87f33f795be5ff25ab

SHA1
79fd73791cac4d6e52dbeb6caa3c1a374cd7c74e

SHA256
c783a27f9da8e921bdd29febfd7e2183fd1cfbfa9bce63d7f110e95c363c3a09

SHA512
c2ab2ed74eae5582215d57927cfb36a3fab617c2d2c2c5df361130f68fb6cc794542c39b99141eb8f07776147798a4e2db2305c8a273071e1af7feaa4931d44c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\dec1e8eb-6bd7-4f5f-baa4-ff3425a4f7bf

Filesize
886B

MD5
9d8b6c2c7503865a8f58561e876ed6b1

SHA1
a5dab3863f372f9740b4b5effde8265751450325

SHA256
2fe9d3deec0fed098e96bc95c78277cf9143d3078113a6a55ebadd9e15991303

SHA512
5e53543ce8c98708db40ec71ea1cac3fe3607e9ea748a51126226a6e743fe089467866194232849183c44bba14381dd54ece4153194494e8b18cb1a8e192d180

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\e21b6b61-17d6-49e9-abd3-2d4e11b25ce6

Filesize
235B

MD5
d11e0900a63ec3925ce80094d6826670

SHA1
f255ac3b8db85791c085cabf623e1cafe3662b0e

SHA256
2fbc0c9c45b1064e68ec1ec8d729868ca933627eac967e3d8bf1350dc1f7fdbb

SHA512
3d2becf528dfa134f00e32aa0094c5b7944bc9982843f06830c6eb7211b084cdc4a00a96b06799e456d357bc90b2e1861de8183b577889ade2e6eadd40dad785

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\e511d174-855c-476b-b5b1-3040467550ec

Filesize
1008B

MD5
e38178b13291e40d68e9174df0cb1eb0

SHA1
68434a08e1c1c2c3916450a589bd2e08855e20e4

SHA256
bfb6ec395ec3c412d69389ae53a149eb2878c6a2b49235ebca593759c0e43a6b

SHA512
c84fe875f4cbe0ff5bc93cf210b555a51ff2b9cb76e063bbaae5f10c68c15064c7b3df0835cb9828fb72085459dc51d64b79698826890d23e0ff188b6689d0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\f269d752-020b-41f0-b144-23bf2331cfdd

Filesize
8KB

MD5
25c6ecbb75de352971a5f406743f34b9

SHA1
555c2708bf477401c2c0765ee76cc32eff37d52c

SHA256
06f6f062c10f99ed540532073ddbbb2c58800b1fdd61cf552f4c30ad0c008f2c

SHA512
163f5503aa7e80136592de97b738d9d5d75136deba0a73e3d215648097c0cc1716355f1e72c9f2df674375a781641bb62257bfea26893f2c79d026978c02a3b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js

Filesize
6KB

MD5
5e388f9c01a4b9be57e5c7cdd925ae7e

SHA1
27399c1e155ac4a8bea8929f6c1668d139228c01

SHA256
e1858659c44807979636af3474d1dc24e1cc2a0c00a57d36709755344707c351

SHA512
346405ffbe5fc9159f77e2032fe2967725547fff6fc2e8decebe8bf2a41dad041dbd666fe467cc237c071232f5f135dfbe56b3bbaa411aad206189742806f856

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js

Filesize
8KB

MD5
d93d0474c91599d30df4a6b15da447a0

SHA1
ec406c47fcf4a40cd32195a6ad9e78d2348369fb

SHA256
46ebe7a3daf40b94e6dce208d62029644a14e2ffa65445a8d0c3bf2f07cf07e8

SHA512
0e2610713ef63969e66b77f05b3d6339a280de567e52e765bb254371789f02bf361d29e63e069ed2e98f837ccba6152232663f622ca7ecc8fffaf73f1523e504

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs-1.js

Filesize
6KB

MD5
60853e2c727af63ffb8b62e8509d75df

SHA1
793856b1cff60a7e75bbb648987520fe13b5f26b

SHA256
f1d25b8111a292d016311602163f463eae7ef023efb15f8550a24082b5121abd

SHA512
e9bdf2b5f4bbc6f8019473ae0f1686d96a025bb45723c6a110814dec0b31fd378e06ad091d0ccf1495b33173aa810b2f5ab39b392175a12052da66559ad70ab5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
6KB

MD5
25cacae2aee5b420042db25a176c15ea

SHA1
b7aa036bf68e50880561630975d51ce24ead715f

SHA256
65861ca5d846e06e64e4fc029dc34322aa8cc261cfe1e285397a1ec7e7ebe49f

SHA512
42b26ffed427447cf128702197beaed67ba62fd64970ad77e41c4f54ca764c2c0bf33da38b78234dd62c4bb02eac5c577c8c5f8bf7fc5fa4902a0af68c819743

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
11KB

MD5
f880f11b5e838631611926c4088cafad

SHA1
1c9939ebcd9513442e0da85bdb0e71146538da98

SHA256
5b294561d6c28563d7dc0ed487ba709efae1682377d8157ef9517721f6f792a4

SHA512
20058f1c56a91251025f44db19bff639e171cc6d84ab0ad1a09943fd2d98179cbb747f57ae45dd14669871bd32952d2baf3356e065ee93304f79c540654f4341

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
11KB

MD5
7c6bdfd52a794a4c8d9e6d61a701fbda

SHA1
1983f1726c1578de90e6bb1fe04a19f5c479b96b

SHA256
ab11fb834cc11988a3558dc35c46fae81e72749027463ae9b289d4ce2c3f9137

SHA512
7d57409ee13aa3bf31d8408144d8afef279db574cffd4a106de70925d96b775912feefb59b231fea6d7fe167f6f304aceac477035739abc6c5b3552880334317

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\serviceworker-1.txt

Filesize
413B

MD5
3c27033c6c64cc1bcad640e9a59d8c1e

SHA1
4e67db3c1fcee7660e4d5a39835d79259f4454dc

SHA256
19fd85f2e1f71ba00cacd169c9eea24dc895073648aa34890f7297987853888c

SHA512
c78ce625c95d168e862d3458b3fbad8ee1b630c79577f33824a267fc9613b3e256e9450d00f8dd289d11a5544eff6cb5f8ec9ee54308795c630af8f7d4cf0a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\serviceworker.txt

Filesize
162B

MD5
9f42519eda452c62bfbb63fb76afb436

SHA1
61e2231eced76b42325c9d59516f0c799230bc58

SHA256
b4b772384182af670a72a5b228779af20e2ee5f1613adb9806fe3891f2d38218

SHA512
038f7f6f241e7b773462719c659d6c594a0174514ebc1256140880baf7e3d8892a9cde896263b65886d609b2ad8269836be2671538a66a0a1ad3259f2b08629c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
012224bf1d7c77494f1e761eb5f613a6

SHA1
bbbeb55fc121e21304bd9da897322752ec6cbf61

SHA256
d3023077425f57d4d2934fa833245877289b44cc1186b04cfbc42e61ce136aa6

SHA512
31c9fcca4a75a5773b88ccf1576f4565764cfe61f5295f7433048ae1a40f3d42484995ea19e9b3470cf58b8c672a435ad246c8771593f3b45a01afdb3d82f6ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
97eefcbd4e52e0e2a495b42673949864

SHA1
d3e190a4a54229732da97a03d3be11355fd1da8b

SHA256
cefee33eec63eae553afe41e15cfb8f518df29f373a16978bc9c0167f2a39f9d

SHA512
5d01d9e3aed5f7259c1092b1c640a57efc9e995d930fde28cb45c2388ced38bfea0c70d33020701b7d0361fa1990250bb241b600fd6f1f434d780aa3c649f40f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
54387d6356a5a3493345ddfc98272c0b

SHA1
d78c172b9434e71be9806ea841b7d2722ad609b4

SHA256
0ab40f5f42e857c07a0bbd00fee8376e2feb05541b9713998d4c85828eed4b92

SHA512
1d997d45fc80eb00be082c34f70b9548f6251b7bfc0fb97dbb820bf04c48bef1f48366a6ba0d768be3dc187fb26c11990baa7cbe68417fd120a9f84629105532

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
2c95e95313c108b1c01bae78401f3ceb

SHA1
52cb72ce426aaf98e132d61c70c0718767f49e6b

SHA256
5a62d5173f516e59624fb63108875172599a9a4e4d7210dc607fbb9cddf8ea07

SHA512
0f2cd79764da8836de67c01b502c0f579c4a51f6167d950b4703c05be66a9e5b06a8afa59e5234abeb6b47dde495d9e89289dd89d803a5e243ce1a29624c7cff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
1b0b993a1f9db10b785db818080f3477

SHA1
74377837dc77ecfa23c6d54fa67ebc55557e6b20

SHA256
1331c356af0ec7a325286e0b3703bce5ebf80d33d4241b3e54f7183b3bf06466

SHA512
a39125a8dbf135aa9ef3cf358cfac5f6c2a598ed6de01c3a0b43757838a6d880dff33064b5d5b44e846ff8afd1d6a4305c03181376218d2c83faeb580270c25c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
5040981686248a9751436afab0f13313

SHA1
ced9323d7ba6c7315c4fcd6e0a8f0008f9cf19c2

SHA256
30c3cd249eadf687caa675cdac105c95d1fae766027f6adf81b1e1cd737ffb4d

SHA512
f701d33601a713138d2b1d9ab273d27497d02213da0b068582f8f6d97c2ba19c8490a13bdd9bde6421d8cb90ad11438ac1ae72efed5f13d87334d43fe7fbd5b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
ece6ce1099a20df47e3a899109c04292

SHA1
5d8691536b79210fbb985eec775e8be847191766

SHA256
dea0cb2542a0004de834a764d40eea979bc965faa366e925d7c4e550e25e529f

SHA512
de0c38daac2e02db761ec44a4c66098fb0cf8ec3a9acd353adb821712da4e6c2496d876996049e66b2c72b6158294bf50b2451cde4397ee71e17662266498ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
eedc228c240a9cb830dde4cb92a03f89

SHA1
f6fc18afdd508dcdf58e3cd4cee1d4d0148a0c23

SHA256
5204f53b36bd3eabb7ae6f60bd9ca7c8dc835d8e04bc9d5d5c4667009b44b459

SHA512
4de3e5e140e92af90faf528c172e8b52abd82e5a5e67f3b2147861c770446c66df1b4583799cdc7518076c8a56b6c6c57b48cf0183f463392268856cadbd86c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
12KB

MD5
ef34b5893779b6f106c187e2df231ff3

SHA1
80a9d2bbed22ab530c6d0068cb4662ae32a914f4

SHA256
6ff0a019e535eb75c87868fbc1d81f60db5aee3ef46ccb16f5942d87f0d3f0b3

SHA512
eefb84509c5074da4c718ac8776b30e4d6ec1f052cfaad67e19e1360da499672cc4ab50884b948298fff9d941eb745056e9815bab1121596d5c04ef1a02a806a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
962e9aa2e063b646fff7cc28260615e4

SHA1
1759e12502e870f439ab96419087c754edfa8973

SHA256
82d81e9aa2a3c36143f8ac47c6467bf3ffa102e063b10e36b70e6b8370b36bed

SHA512
2e101d32ea03a12523f6979b1750fa719b7292c4547c06da9d97df5ef4406829ad678e268d0d91bac34e010eeeae19c4f7db71d47c4aef9c1bf6b62cce02f737

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
1fcc5311215e3b511e1e0944aff6ca58

SHA1
df5708d600e2a0c06b4745dba23054ed4fbb95ba

SHA256
d09043313cb06c62f0bb690b7f803e10cc9e82884453ae87ebc2cb984906db9b

SHA512
0acf386130d0566a00afe3fb8ce657d2e3b486971a0bb4a52309580dfa2310d2974c780517086d8ad1753719c7bf63bffe448d3048759f6dd0f9e906595c7de0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
a974faf79b31cace379ae35f3dd00303

SHA1
8ff1a7e158f1c37f8b35fe8d3aeacf7202ee001b

SHA256
211a21b3dcae68cb1e3a448229b2012ab098ab6271e72f0f2c4f822ab7b2f7e1

SHA512
03cfb46ef35b28cb52d69f470f594b4680df3613db9ef7df1e18b5fda9b9454df6b2dc8e669f6ae2e2d83efa153debd67ee08e88de216769a76f86ed41041377

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
ab79774a26ba46810fe2e7acf48313c2

SHA1
b2f8b922b156fe801bdf0876f8476281073f9bca

SHA256
5b172cc3543693bd5bb2991321cdb8fd05dbf18d692002fed37d4180121087f3

SHA512
039bb16e899de581ec921596eb896042c6b9c097ad4205101061e917f96cf1d1de7f88cf86bb0fe0e63d7ce53d37060c46df1bd0c01a44fa35b85e2ceaddf894

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
b2c12bcbda597c10b9eed812fdf1b651

SHA1
788c56ddf9d4c344c6ec025a4c7b1daf1e2cd350

SHA256
84fb3d63b44a05cad805bf149d79430f21eb339647d5f38927010d70c53d235f

SHA512
0ce70704d0d45f32b1eeb79a6ecd9bd810cce5dc55323864f0578e8c64a1dcdc8a85006741865726a0621421f5af9197b8e6e27f8d4ad088dfcf0e20b23317f2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
453cb25193dc97bf626ebaec1e4a0a71

SHA1
89c45bccb8b29e494f50a161e25fdcb8e159d41c

SHA256
5397e812efc2da8aa43f43fc90b9bed7bde4513af3a6739b87b2a403d321f3bc

SHA512
f6257c50ecf6a9747e4714e32aece416fcfb761e991ae15a4efe639847165129ea9b94115549b3d3dfb08fe676e9809284f8739bd7228b9301ece6c604113a45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
62dd389d36dfd2acec07bc6fd7b0e5a1

SHA1
da8bb865ab89a6c4d06ea69feedb1dec5c62e952

SHA256
71a3894d9edad8a711e954cce654f2fd7d622170b68d0026f18c2ae3f73a37c7

SHA512
d0b78c2b613e6017dd630ad198e20f1e4fad587262304209572a2f1e25edc04deb5e7a9d142b61df7e801e94a0d8fa653bf34677adddba9b3311daebd6d31886

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\sessionstore-backups\recovery.baklz4

Filesize
28KB

MD5
7de062be514fcc4661d2fc7e09488d64

SHA1
3cf7020e922e78c95db1b2f449c030670d81ad4a

SHA256
4caf6c009128de6f1b4cfdf43995ac2529e0bbe29f0965f6a13e894d4e1c918e

SHA512
566d7e57d8c75a2368b4f93df5711f780ecff2f37be61a1af2336de9a11cef8c916fc2fa3d6c7c09bfd27412dc7abacebab9919735183c468ce706049674c9f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++github.com\ls\usage

Filesize
12B

MD5
9e89f8d581f7c22679122e5e61ada809

SHA1
19667207e15b1d36dc50c4a72ce3163342b7862f

SHA256
421d4cbb4c59f5e94dcb376548fca28bde43197ecbae6fa1887b512b498919da

SHA512
14f5611a9a0f9c5060377765c08c205f63b06a06bcc36ea4d1e837734906a56ed887a1efa9101b0b168ff9d22a16583f02393841ad26c090f2a0e57c9ce0f899

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++tagging.wetransfer.com\cache\morgue\228\{f7379c8b-7ccf-43ad-854e-ebb34490efe4}.final

Filesize
3KB

MD5
f9411804882741478b92612440fb9579

SHA1
9815df832521ef33a687e9405c26b6966ec1362f

SHA256
eeee3599ecdf16220af8b4f6e44747853d8185a91be0d4099be0bed09204d4f8

SHA512
dc50f3c1d4f1386c6e78a43ecbb5267fd1eb84821eefc701485be29c6fefce231d14f83f77b33bbad3753d16fbc54b914c33049c67a2e61412a475a919b65b64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++wetransfer.com\cache\morgue\250\{28cd60e1-c19f-467f-9d87-dbbb010c3dfa}.final

Filesize
13KB

MD5
ada5e1b3ad236cd53a4e24a0d5b497af

SHA1
f75bddf945615c8cd2e6ed5a946599ae03ce92dd

SHA256
1e755574dc239dc6bff09b57646b2f7ac903e3153281fd8c9b67f62bb6cbe0a4

SHA512
b8db6fa95421823a4f744248c9cf3e6b454a2cbc2c7159d2e77f9d936b08e44172e86e8c9ceb2fc39d3e4814588bb414215c2a813d43df98b8f56f6f0101902e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++wetransfer.com\cache\morgue\77\{dda29c45-9747-449e-9f82-a016e6e64c4d}.tmp

Filesize
5KB

MD5
e07501b6896066e33a64fef024f77880

SHA1
cd2da770500637e333b23b3a18adbb6578c5189f

SHA256
ee9649d1a16e103522110f32f5c6f3a5a35d0c71596d2e22c643f21392b5d44e

SHA512
c057f783a64d3fd2d574052abef473d1885a47589cf5ae3b800a659ac2ee10d763367566f756c08b9d65aa850293f8c6d072d2f17066f68fe95fdc7de431e3ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++wetransfer.com\cache\morgue\79\{0a196c91-4d6f-4a72-8af2-994ce6c6604f}.final

Filesize
975B

MD5
190c864007ed3b4f011debcc29cf600a

SHA1
0b637352ab59f294fec69d28f52363c3f530ea09

SHA256
b4911aa66e06fc6d9ebf29e4b9cb0d39930a38974a51bdbf0054579e2d3497b3

SHA512
50d0b1e0a90eaf8ff14e254994dc5fe03bb8a786b32cabed8b6edd7475732555dab38c04ea0c4c77e39e247364f90468e0b05c425398435ee2f985d3adc73757

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++wetransfer.com\cache\morgue\79\{198fd19c-aedd-4e51-8939-a02bd3d49f4f}.final

Filesize
4KB

MD5
427a18e3c9a85a984f49d427a78610c5

SHA1
6d0e5b1f5a640311910021fc2a78f39b5d4a0039

SHA256
c262de87bf91692d2ec5f56abc1e052db6562eeb8424e3607c47e68663325b6d

SHA512
c5264b11c3aece8319642818d94930b85578fcdaced3af25f8c72ed971b5d805c9f0a5af9cb1711bdc0b5d81154fc4a59f41c8bedcf0062cf666df8346bc90a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++wetransfer.com\idb\3865057905o3rVino.sqlite

Filesize
64KB

MD5
c3c435ef05c595ff865c4d6a2c3f1da3

SHA1
428f3de0b3a72c9da7f352d743c92cdbc379f456

SHA256
4ecf5bc5aaa401f27056f4915a8960a04266649729aa94ab65c9517cc31a343f

SHA512
0137db58718d914e22d34baa1e4922ce3fd2cf162b407d188896390e20e04ccb53b4348c1a04f11d4e589c0be712a992490f55ab3b3f61218c23b170d56a4a8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++wetransfer.com\ls\usage

Filesize
12B

MD5
2331647eca20168544649d0fbabe1829

SHA1
3f9efc7ff010a8589196ad860b22a37cbe059380

SHA256
7a8da7637147a36b2bacbeefe97c8da466fc64667d4f2bbb166652da33cefc74

SHA512
447ff9615cd237bf21d07afad595fb45f390d43f04306514732a2fc77a245c1cf2d2708545bd8d161c36c21985d71ca5f1ba268f371c28cc4937dc7c63d07695

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\default\https+++wetransfer.com\ls\usage

Filesize
12B

MD5
e38c74fbb5f30abad2071e88380b024e

SHA1
a9fd956a2ded1e6d431b6ad0decd227399881643

SHA256
825494158fc319de49762b6907453c8e00ff8342c3304713f10af869f85949d2

SHA512
4f7b07b8c5bc3054c320eb7b64e34c86d0a7546137237788f7d9c6fa4d7bef872ec723d441956fbf7e7528a23680f8bbac3a24657c46066898b2bf9f6bbc6234

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
3cb199571925d936100cd8a170f2bc70

SHA1
9f230d74d311efdbf246d3f8ebebbd7994d8aeec

SHA256
c0ca87b95504fee5c779973ab52dacfc9bef1928d1e3c0ce391c7c41204dbfc1

SHA512
53893a5d8f2c97353e43b893a0dad9f8fe513d7576ed0d27cbdf3cb3d9efeb2d3d6bee5fc9e62e7c1ca2d7c7b4310e2181016a9ee1fe68d989d26677989d7d64

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1).KAjETlxq.zip.part

Filesize
534KB

MD5
059062c1f6a2a6230c5ed4ade5543a9a

SHA1
c408cff20f56d8af0c863dd1d575fefe39a5a692

SHA256
b60bbb742dcfa20bf2244ee4193996edbd45225e2e9a2ce54b9d10f0cbf7bcc4

SHA512
6d46761b79f667f8c9ffeb619558dfc8dfc22346a2eb39e6d66c73a34e427ade1a3be40732a7833e7d2f4e6933c7b19ebff89e279ea96ce84d832da49c85ee1b

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!WannaDecryptor!.exe.lnk

Filesize
800B

MD5
eeb9ca4380883d77158e35b3bd164415

SHA1
85e518967acba5067c777f079e208607808b652c

SHA256
30f19bc46af7ae31efdfa5335bda1d930022cd67a90aae48a62f92513a16c3d6

SHA512
a545f1b9d1bacc1d86c127feef6c6855d4533ad67f6d0087f5facd240701690704bd740ce2442606cc31e4f35b13dc2e6d742afaa908d50b8ce25af720b83d38

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\00000000.res

Filesize
136B

MD5
397f5fb280d066b63a53b47420e17b20

SHA1
8fcbc333fc2836de09bea11434c3935d70ab5f56

SHA256
1b540802ef35cee020cff76a3c9d9d031492575fc478187b07ce5b7a26222735

SHA512
c4a2d6b4824ae0161bc25d75974e58d77383e507caf560b9bfcd8ed1b0c78613a12dab11a724dd578f5eb067f3a499e1de857dfcecbbc26b4a137021066cb5c0

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\00000000.res

Filesize
136B

MD5
69ec6f88d4c2794df938c2f558c751d8

SHA1
9824413194f4f476f4088834eecb0cb20d923833

SHA256
843e3e3b0ea35cf4e8a199863e8befbecd132fa22778ecd0389ac337f8c3b9c2

SHA512
093526188a3ea1e7d49683cc436a9ab402d387048443c409ca109aa2df37ea0c10990265f2dc617172570fae380159d6a93d10c66e4c232b7a4b490c50411d72

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\00000000.res

Filesize
136B

MD5
1038566738a315fdd9aaca7c51e66dfe

SHA1
32d6cf408fb67a8b43cee91158e833e530fb862d

SHA256
8e53b7d0b7104a18877c725c26ca781b645465cbc7ae0e25d698768de386eab4

SHA512
13cc15004c268bf398e64e2a7b96c8f764a2cc300fe1c45097dd8eef932de2fb67bf88964767dfa1de53e741ce62c52f2a4b7bb8348a4d2eab429c4a884ca643

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\298021742757704.bat

Filesize
362B

MD5
e3a5cc429246c9933bfeb9594f9b1562

SHA1
2dbff1ad55dcd2978d8f8ccbd95c045b0346bc6a

SHA256
1ec9eb6f807d4b67abcc26b16e34a134aab77590ca15dd015d659e67e18a69b9

SHA512
0c73d012dbdf793af77f9dee6d22be074116f0efe89641dcddaee28d27bcf26455c7074fb28ce8ec644de2811bf09d8bb5d076e64e41f9a5e9038dfd72a1ce3b

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\c.vbs

Filesize
245B

MD5
eb9580367dd177dfe849584821e78782

SHA1
97dc8cbe7aa5402e6a57246661b8065010ee4cc5

SHA256
f3f2487e44b6807695525f5815a8acdd459f53acdd56cad75a217084b7dc5299

SHA512
52baa426ac00aae01d0a4dca72d284424ac90e528dd183ef4e76b8077373b7cf368b245051ce8acd2e2cb0a111e026d77ef0bbfcc14dfbdf0f28f71226ad38f6

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\c.wry

Filesize
628B

MD5
8ddb8ee6296a493f3e7445d9367e2cc2

SHA1
5526967c472c65e76dad32098af81d613c30d78f

SHA256
b082104008939a4e404b80bb0c648f2ce4239af8f32c5217743da37b8d0d68de

SHA512
cbdb01cd3bb85822de23146715f8b5802838fcca46bc4ba4da3de5a8f7c576abc4d00df67bd39987e974c3985154c505b2c4455bad61e7a0115cd378088f8930

Download Submit
C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\Fagot.95mi5IqO.a.exe.part

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
C:\Users\Admin\Downloads\IconDance.exe

Filesize
301KB

MD5
7ad8c84dea7bd1e9cbb888734db28961

SHA1
58e047c7abecdd31d4e3c937b0ee89c98ab06c6a

SHA256
a4b6e53453d1874a6f78f0d7aa14dfafba778062f4b85b42b4c1001e1fc17095

SHA512
d34b087f7c6dd224e9bfe7a24364f878fc55c5368ce7395349ca063a7fd9ac555baed8431bfa13c331d7e58108b34e0f9d84482ce2e133f623dd086f14345adb

Download Submit
C:\Users\Admin\Downloads\WannaCry.Eb6bjdeN.exe.part

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
memory/1648-4278-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1648-4279-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1648-3391-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/4496-4806-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/4536-3398-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download