Analysis
  max time kernel: 1776s
  max time network: 1522s
  platform: windows10-1703_x64
  resource: win10-20240611-en
  resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 09-07-2024 19:55
  Static task: static1
  Behavioral task: behavioral1
    Sample: Cerber 5.zip
    Resource: win10-20240611-en
General
  Target: Cerber 5.zip
  Size: 161KB
  MD5: 9b18a780ee4f0797f45151b9107ad4d7
  SHA1: d4aea66a973a0b2f9b1733af30029686d98f2d74
  SHA256: 9003d86df3dba6a8aad7f9642ace677ba53b7eeb44acd75c3159a984f0a0356b
  SHA512: a113a8be579c0b2ebe70445c0aa1107e25d17a848d9b8d0c5efd8c43c046f126a83a9819babd7e79dd3e2f4f79357dd75a3a4317b2e7d6c7e986bafa2f85c25c
  SSDEEP: 3072:ssLya4KM2bVinYjqKok8ValLPfkgLDoa3A0cK/u1Ntn4PBRC/jCpFT62aJJxnMyM:G2oq72n9dH5M2vkm0y3Cl3pId9Rd9qvB
Malware Config
  Extracted from: C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\_R_E_A_D___T_H_I_S___84V1ET_.txt
  Family: cerber
Signatures

Cerber
  Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

Contacts a large (1127) number of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Modifies Windows Firewall (2 TTPs, 2 IoCs)
  - pid 2028: netsh.exe
  - pid 1408: netsh.exe
Drops startup file (1 IoCs)
  - File opened for modification: \??\c:\users\admin\appdata\roaming\microsoft\word\startup\  ([email protected])
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
  - flow 133: camo.githubusercontent.com
  - flow 148: raw.githubusercontent.com
  - flow 130: camo.githubusercontent.com
  - flow 131: camo.githubusercontent.com
  - flow 132: camo.githubusercontent.com
  - flow 145: raw.githubusercontent.com
  - flow 146: raw.githubusercontent.com
  - flow 147: raw.githubusercontent.com
  - flow 120: camo.githubusercontent.com
Drops file in System32 directory (38 IoCs)
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp88D8.bmp"  ([email protected])
Drops file in Program Files directory (20 IoCs)
Drops file in Windows directory (64 IoCs)
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  - Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
  - Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
  - Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
  - Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  (netsh.exe)
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision  (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz  (firefox.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  (firefox.exe)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)
Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
Kills process with taskkill (1 IoCs)
  - pid 720: taskkill.exe
Modifies registry class (2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings  (firefox.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings  ([email protected])
NTFS ADS (1 IoCs)
  - File created: C:\Users\Admin\Downloads\Cerber 5.zip:Zone.Identifier  (firefox.exe)
Opens file in notepad (likely ransom note) (1 IoCs)
  - pid 1224: NOTEPAD.EXE
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - pid 3496: WINWORD.EXE
  - pid 3496: WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeShutdownPrivilege  pid 1196  [email protected]
  - Token: SeCreatePagefilePrivilege  pid 1196  [email protected]
  - Token: SeDebugPrivilege  pid 720  taskkill.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
  - Token: SeDebugPrivilege  pid 2856  firefox.exe
Suspicious use of FindShellTrayWindow (50 IoCs)
Suspicious use of SendNotifyMessage (49 IoCs)
Suspicious use of SetWindowsHookEx (10 IoCs)
  - pid 2856: firefox.exe
  - pid 2856: firefox.exe
  - pid 2856: firefox.exe
  - pid 2856: firefox.exe
  - pid 3496: WINWORD.EXE
  - pid 3496: WINWORD.EXE
  - pid 3496: WINWORD.EXE
  - pid 3496: WINWORD.EXE
  - pid 3496: WINWORD.EXE
  - pid 3496: WINWORD.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Windows\Explorer.exe
  Command line: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Cerber 5.zip"

C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.0.897043194\169027303" -parentBuildID 20221007134813 -prefsHandle 1732 -prefMapHandle 1720 -prefsLen 20767 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d559e689-2f89-41c9-a18c-24f0c945cc44} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 1808 20e299d9758 gpu

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.1.1695159279\1898633417" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20848 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67eaeb9a-624d-4d31-b1bd-e900b7828c52} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 2164 20e294e3558 socket

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.2.632880036\860316017" -childID 1 -isForBrowser -prefsHandle 2988 -prefMapHandle 3044 -prefsLen 20951 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5b7cb4b-f2ec-4aeb-bd51-675bb76d8995} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 3012 20e29960f58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.3.1579714695\504621238" -childID 2 -isForBrowser -prefsHandle 3508 -prefMapHandle 3504 -prefsLen 26136 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a830d348-42fd-41b8-bb92-1ae89be858ff} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 3452 20e2e52f558 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.4.1113802680\452176855" -childID 3 -isForBrowser -prefsHandle 3856 -prefMapHandle 3852 -prefsLen 26195 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc8de60f-ddd2-45a1-8bcb-9dc123fc11ec} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 3868 20e2ed28258 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.5.73091822\402880746" -childID 4 -isForBrowser -prefsHandle 4044 -prefMapHandle 4960 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac1800a2-0ae6-41ca-8bc1-b693efa73eac} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 4956 20e1e62ed58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.6.961618435\926534524" -childID 5 -isForBrowser -prefsHandle 4876 -prefMapHandle 5028 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b8aff69-4fbf-4957-bdb2-5b95cfea7835} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 1560 20e2f0d5258 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.7.1515851732\879536253" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26274 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0a4bd0f-e76b-4d6b-b6e3-230815277d0d} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 5220 20e2f0d5e58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.8.1565700835\385213657" -childID 7 -isForBrowser -prefsHandle 2732 -prefMapHandle 2820 -prefsLen 26698 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {24a17953-80cc-48be-99b8-e26befab017e} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 2844 20e2bdaa458 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.9.952090346\1216888564" -childID 8 -isForBrowser -prefsHandle 5072 -prefMapHandle 4828 -prefsLen 26873 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a36c600-b2e9-4ef6-b29e-d2ccf81ad647} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 5068 20e2bca7f58 tab

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2856.10.630349615\407224709" -childID 9 -isForBrowser -prefsHandle 3900 -prefMapHandle 3928 -prefsLen 26873 -prefMapSize 233414 -jsInitHandle 1040 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dab04256-2f15-40b5-b306-a233753432c3} 2856 "\\.\pipe\gecko-crash-server-pipe.2856" 4136 20e31c0eb58 tab
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Cerber 5\[email protected]"C:\Users\Admin\Downloads\Cerber 5\[email protected]"1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___V9W2_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Windows\SysWOW64\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___5RH4MKP_.txt2⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im "E"3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\PING.EXEping -n 1 127.0.0.13⤵
- Runs ping.exe
-
C:\Users\Admin\Downloads\Cerber 5\[email protected]
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\4d2c43894d084acd8518ba5134f0142a /t 3288 /p 2401⤵
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process: Windows Service (1)
- Event Triggered Execution: Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses: Disable or Modify System Firewall (1)
- Modify Registry (1)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\_R_E_A_D___T_H_I_S___84V1ET_.txtFilesize
1KB
MD5436f809bd3102cc780878f5bdf9ca63a
SHA106af49def04be45c7ddc4f84ca9dfad6fa9e0363
SHA25644334207cc66917ec09dfe8ba62f47ea0089715c98eb438920bc7747bff58dc7
SHA5122050b26a3830234fa9be71cd87b0662d364fbe73b3d015f5da8d235902346816cbcfc270e3e994493c53e7239aee1bb8cc972ec48701bfd947dfe8ff4cd62a5e
-
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___SKWJJT_.htaFilesize
76KB
MD5a65ebdae28ba88f199029d93e8aec3b9
SHA18aa73ba527a97d9ab5671b42d4559de66227655c
SHA25688bd9dba49b1a8da0a7d5c9f8c6faab73cb507a3d68d0f229cf0c04e9cbb8688
SHA51281d3c2ac12fd6aec6661bf3351060305d3474d2467860497a2de18d60b460633e87d60d142b9e1a518f54445b1ea50eaeb949a6b466e5e1f07bf3746517ed116
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmpFilesize
23KB
MD518d20039aec6b6623afceb861b57b956
SHA1c5cee1e3fdd842cd56b4c7dbd28e724c6357db07
SHA256b55923590368e23f13a729edd3a6d9a9ad0b36ef3df1876bda54f48d81148e3e
SHA5123f4db1b2db973319c988b85bdcf1da2c815b36fbbc87fa9de1926321c451c577916ceb6436030c62fdf0ba20902410c41df695fe26ba0e4dde8843fb65d10184
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\doomed\29470Filesize
11KB
MD5c428f406fe72c9c68c7ad52cc91c6988
SHA1926c76c413f23cca9d2ccc187bda57eba58b4540
SHA256fcab6b0783a73a965ddbbfa4c66db5d9e6d3778a33cb840a052c2ee966995f68
SHA5125bd316f27f2195742b478e5dc758ebd395f2a73f42886429f29a0146d263bd20112d23abc6358e7bf9e23f246eb41df850a88a5bf38677e07b0338081381cfd8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftlFilesize
7KB
MD5c460716b62456449360b23cf5663f275
SHA106573a83d88286153066bae7062cc9300e567d92
SHA2560ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0
SHA512476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30
-
C:\Users\Admin\AppData\Local\Temp\TCD6931.tmp\iso690.xslFilesize
263KB
MD5ff0e07eff1333cdf9fc2523d323dd654
SHA177a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA2563f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d
-
C:\Users\Admin\AppData\Local\Temp\tmpaddonFilesize
442KB
MD585430baed3398695717b0263807cf97c
SHA1fffbee923cea216f50fce5d54219a188a5100f41
SHA256a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA51206511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1
-
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1Filesize
8.0MB
MD5a01c5ecd6108350ae23d2cddf0e77c17
SHA1c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
18KB
MD527daa2685d6bca9c584252872ea9f954
SHA12e61855482f94f2393370a3e1393e8a8a3ee5f5b
SHA256f8246447402b2ae73abb292e0e526ed75473ded279e5c85586fbaf71ac2fdac1
SHA5126a4e5869d653fdf1fff0b123aa790ae665655bcc91582ba7bd3b4f7327da2840e273eb42a4f7ed2e2793bfde1b734aa253223923eabfe8b47d090a0e8050d3b2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
18KB
MD5afe0956d418b9ce6d1f7d161c5bb131a
SHA12f985e29da5d9ab82a6f69290aff39b16f6c46e6
SHA25671880f44a6dfdc88221d131dd78624ce13712173d4565ff60a4db84c03ce3858
SHA5125d0025b127586e3954677d68eaf9caeaad8c970a9253383cd4ef62588400403f60e93e7a59719e1ac0b87b167fba517f2b9c9e8bcb65623170e62f2e87f61b3b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\AlternateServices.txtFilesize
1KB
MD5435ca61203612b53abc9b3f057a94168
SHA111380938554c0c41595597147b9760ba957e7055
SHA256a74c75114cab253f32bd0bd78ba3a9812a014599425b6dac7602be220f14f124
SHA512c36331eea1d90f329272efdaee1fad85044210023c8af7a418e75ffb4b05e749cbc43d988f14aa2103cc7f856f77d9d96b44be98692e8554e1888a7cb2257450
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\SiteSecurityServiceState.txtFilesize
1KB
MD52980c7599c6ea8fcaaee658e49f22d3b
SHA16c2d622385cac6bfcd5382945e23bd72550005d5
SHA256c037d84520e6febff97daf0ae9e8dbf1fdc000b881ffa87a36788943a5b293a1
SHA5127a4a2be952ccaaa217d49a224f8c62279bab47a67363228007ff143b4bf1438525ccccb19d2345a05ed91d169f1ba7af6de4e39d607f6819e4bce867fd97977f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\bookmarkbackups\bookmarks-2024-07-09_11_f70S+BIHcjdozL1H+8sV3g==.jsonlz4Filesize
953B
MD514e152530b0003973263fd54064ea363
SHA198a18c46e4980317a1f795bb0f364f02b7524f06
SHA25698818f8d867aabab23dcf95b03d2d912fd8d6106f1bf48e1f04dc9b5af42f199
SHA51221a75ea8970d68bac8100f499d88b38fbdd904d5217e69492f10f63c9026f43f00508fc62e059f54f82d7a1bb6c16b15f14b281c87542613ddd20893029ce664
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\broadcast-listeners.jsonFilesize
204B
MD572c95709e1a3b27919e13d28bbe8e8a2
SHA100892decbee63d627057730bfc0c6a4f13099ee4
SHA2569cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa
SHA512613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD5662b42ce143750235619d872d3de59a9
SHA14fc967e169a56d7369eb89ea62207f9bc366f21e
SHA256769112fab8966228c3471cc11d08889279e11f3403f7ba4a6dc6daf6f21741be
SHA512b64738b2d4845091db01cf899b8fbc1d9a89ebb0dc5ffa6101226c9001f1b891aa3ccf906e6c2fc35d7cf9d7b7384b5b82aab010ab2fe22d63d9f41c7e1a761f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.binFilesize
2KB
MD5dacf5920904a5bc127f63b7c66e06c2c
SHA1604677e06dbc125f129c2a1c66c349439a53e4ff
SHA256d85ae7d25126b8fbbc8a623df40225ca1bfad4b785bee60e058ae71f10897591
SHA512c7e3c86390741a15ce3bb76568ad107723543fb0050e84b7b33dff8cc4b3c2e9665397afd7cce5096b6042f1e8533991d1dc2ef0bc1c4aab539d8fbe6c6ec5e8
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\120cc18c-e253-4cc2-8f53-ebdbe4c0f349Filesize
746B
MD56e9036fe188a2063b62595d0e14619db
SHA18b5b5b22472a4e250fa02f46dbee5e09dfe97cf9
SHA256826e43782d0ebc517f52b200c2371eb6aaabf05d9453131cc01a9d729182f70c
SHA5120a678afba0efe4f92d4e9eaea2adaa10072218e0759262091835af2baad2283b47f7841889e3d42d3f82b60f889c317bc2dbfb078ef9b40dcfbebb50811b013b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\83c24078-a67a-4832-8dc7-cdf6f32e49f5Filesize
10KB
MD573b0f13d5166afe90d225be48084bfba
SHA1921c567881eba73f66e837ad923b3c92f2860233
SHA256d496eaf5f2f875cecd320128ca9114ae8deda271825ae249a57032199bc905f1
SHA512124bade149472078f3d209a7e59a6c5d5811026ae227422987cf14e979bbabe27d52b7e0dea8a55c0b6e5e43c4944d4338085c12640e84899fd3c36222d8b5fa
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dllFilesize
997KB
MD5fe3355639648c417e8307c6d051e3e37
SHA1f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA2561ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA5128f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.infoFilesize
116B
MD53d33cdc0b3d281e67dd52e14435dd04f
SHA14db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txtFilesize
479B
MD549ddb419d96dceb9069018535fb2e2fc
SHA162aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA2562af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA51248386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\manifest.jsonFilesize
372B
MD58be33af717bb1b67fbd61c3f4b807e9e
SHA17cf17656d174d951957ff36810e874a134dd49e0
SHA256e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA5126125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dllFilesize
11.8MB
MD533bf7b0439480effb9fb212efce87b13
SHA1cee50f2745edc6dc291887b6075ca64d716f495a
SHA2568ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.libFilesize
1KB
MD5688bed3676d2104e7f17ae1cd2c59404
SHA1952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA25633899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA5127a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sigFilesize
1KB
MD5937326fead5fd401f6cca9118bd9ade9
SHA14526a57d4ae14ed29b37632c72aef3c408189d91
SHA25668a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.jsFilesize
6KB
MD5b7496bdce27add1595f57fdd4f403671
SHA19c20f42e2a606accefc8cc98ef0c5e717adbb639
SHA2561eaa556cd2df178f9457e4f4fc752a14c8b14b22e8909ecd3e6e569e7f5d607d
SHA5123b48305d5597aed992fd1b0fa4e5955b1e7715540ddfab89d4387446b799e1b1c34865124a1333dbad6fce9e26b5f5763ebc0d5866041cbcb42205127b97ae16
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.jsFilesize
7KB
MD5a45e1f5b2dbb63188ff7aef17ed822a4
SHA13e55bb0f307823078854957653d0e4ac2255e911
SHA2562b60004c46b992887de1be8afcfd93b0c2b1fd42a1b7e786c6ca9129529d553f
SHA512bd065ad6cef1844cfb20d36864a0ea42f522e6563ca9cb15c50123704b1951a1aff064b73c1bd2178f7f966db08317311bfc3acf6849613ea1412a1cc8423d45
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.jsFilesize
7KB
MD52efffaaae917d1155bd302739fc9db01
SHA1029d1fbb6cac0766a315030e2e224b81f4798693
SHA256f356fa3a95583c327514b62da53b1bbdde1f311534bfb7b544756e372bbc8351
SHA512ddfd3167d1c78510ba4c60544974318b1cd5ceae1bcfa948d2ccc5e7f416793f6a09a961e22c9d35614c955bf3ff570755269a426513534878f776343afde23b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.jsFilesize
6KB
MD54db81c00a55c610b120fa24fd20006d6
SHA1f0b245b1f5823441daa18266aa69c919d7cc20eb
SHA2567a1d51d92a5e6a456563c48c215d79b8a1be594473929b88dc95c0405813edb3
SHA512218a3dd73ddf2e9107f1d9262d605a83b5a68b81fe55d0e1199c8e9b1388541d7daaa3d7e2ee725b799c34a3d9f0cc763b82789c7e4deb51e2c275f3e00b6627
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.jsFilesize
6KB
MD5b20e23bb8e5ff9b462019908e2cfb626
SHA1197219614fdf7991b4b76bd8f3e6c8965c9636a5
SHA256fb75643d436b85bf7d1db247e1bed7da31e017f25fda95ccf6b53d0ba311682c
SHA5121b28b80877a48ec952f15df93d3817571ab59890cc1c60acfcd3223944448e09c6ceb63e2f50d77061f8220907c7ede3ee01609d9623743c9f578abdecccba3d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionCheckpoints.jsonFilesize
90B
MD5c4ab2ee59ca41b6d6a6ea911f35bdc00
SHA15942cd6505fc8a9daba403b082067e1cdefdfbc4
SHA25600ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2
SHA51271ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD50d86c825fa0ca56b3f5049e8cd65fabe
SHA1c199517757f8e892e89b2c77b36a75d2bc2f36f9
SHA25631d9b0f7c9f7af19d167e047f7a2e425c4aba11778b98aaacc33675cb7739660
SHA5127c0d431e37eaeef0244aa5530cdfafd02844e907ea0dc517610c2526be937aa3146625ddf079d29fd9a867a6384f85dbb9b1459a6cad0087e43fd452c4954c90
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD5decbdf0ab479424a78b6e89d3a826eb0
SHA1c4674c52594dd31513e74eb1ab358b8d2bb3f0e3
SHA256a819d0aa4f5224d2e00ee63046d01dacea1db98e6970893f2a0d98ebf3ed14ba
SHA51243df4cfb707c2b830a546046e79f9dba46a0ae0a7a7ab7f6379d40fc18f4245d7e1631a74c7b6692535c4af0dbf68e5fe6ec885a4b43b470091697d895d034dd
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4Filesize
7KB
MD55b9cd3956d8ec62164e9dfab447aa256
SHA107786bee11556775a1ad3200e17bc73ace02a79a
SHA256c6056a51206a349ca452635549e7d5c678e6d8979444dc5f08a5a4a066d4b316
SHA512df885b1e47ce3c0668f872a499cca0296881bfc1dcadf5e962e6628921389d27a2aad4a96c11c38dc5b0df64a3db0ba638656e40a37f84715386b8179f9692c7
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4Filesize
1KB
MD525d783186bbf7dbb3f816f6b2988cc5e
SHA1aef82d899eb08e9a9b4abb4268f1cf5e4f2f6bab
SHA2562915725a1d6684c881a32e7d98722a05f09f4139e6226b225aa3aff7194dec5f
SHA512d97c68c787f9810407f759c3eeb664e1e47ffdc2d157fd5e1a39ad782309ca35097e46ec1be84e94fd39f9dda9126dfec009b6214eddbe38fdffb200a31a5112
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4Filesize
4KB
MD5c79ac2507f6bfd5bb91481c813eeaa3d
SHA13ac2d2374723f532848beb6d8be8a2e9ad022dc9
SHA256eae8aa9737fdf13a76ab7626a1428b8a74d6c056a200199d736a0619cbf09695
SHA5125c561bcf97179544040cfd6c44015c55f75d70242950d9d2b44f689e093b817449ff3ab7f1d2a0b6c44493c105dff2d7437cb81ef85e46980b3edd0f6b5f6d37
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4Filesize
8KB
MD50a58a4d04fdeaff506e36d273a26e23b
SHA15199c340f3d8b72bbe0e90c318dde1e5c11e7161
SHA2566a774c75746efb53f7b90cced2ad622fa335e530bece1af7db33c8ad1e8b11ec
SHA51220d9d63e5bb7fac355cc3bd98bf67fa0410b442ad9628fdf008f425b80de2afebe9e55ae7e0dca7150bbef9f0741f6cb3f4a83da9a34f36f7ead002cbd10d2a1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4Filesize
9KB
MD5a1c3711d43f423aa32ceaa393bcfd288
SHA14ca3ab04fc5f992022676cb746ebf2d7eac0c752
SHA256a77d6f9121f7ef04dc96d02d9143486291b806a5b51f2a1edabd95539d79459d
SHA512c1d4e9f7d1c953a9904ef1f042d9c069e0f90c7ae7dc25567920bfd8bdebafc254bfd6f9301d1e44e8317e711b585c71905c600f6940b6f8775d73ebeb196639
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
192KB
MD5db9aab43ec95455c7c0b90eba65418bb
SHA14200b6d8e29decca640573dcb3f67514b4e451cb
SHA256246b0fb5f8e18b010f2929d571cdad5147cf727656a113655539cdbb26eaabf4
SHA512d7ff6f8c4dfc249bcac2ef902e527b7043dd1ce88db9621c216d8f7dbba9b93f538b94d245e83a24764ab4051c450d1ac507cba7c5f7ad9a207e05355ccb509b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\targeting.snapshot.jsonFilesize
4KB
MD5ddbd352421cb3eafcbd03bf42cc8915e
SHA13f699740d1ce85aa53d02f4ed6f6ba5f9006606b
SHA256f05f5a1fb2749a24de2ceece625f8e066a25ebe056d6afa45b801815a9172c31
SHA512c45ee4e4fa74d08052e7b82c4e76985cfb0963f8f4012b090abe3e93a74b3fb754d83853b575f32970bbd8e91193b7225395bcc4b5decfa9d6ffdbd2cb66f1cc
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\xulstore.jsonFilesize
141B
MD51995825c748914809df775643764920f
SHA155c55d77bb712d2d831996344f0a1b3e0b7ff98a
SHA25687835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776
SHA512c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c
-
C:\Users\Admin\Downloads\LF6mMyRs.zip.partFilesize
181KB
MD510d74de972a374bb9b35944901556f5f
SHA1593f11e2aa70a1508d5e58ea65bec0ae04b68d64
SHA256ab9f6ac4a669e6cbd9cfb7f7a53f8d2393cd9753cc1b1f0953f8655d80a4a1df
SHA5121755be2bd1e2c9894865492903f9bf03a460fb4c952f84b748268bf050c3ece4185b612c855804c7600549170742359f694750a46e5148e00b5604aca5020218
-
memory/1196-951-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/1196-593-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/1196-584-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/1196-977-0x0000000000400000-0x0000000000433000-memory.dmp
Filesize 204KB
-
memory/1196-978-0x0000000000440000-0x000000000044E000-memory.dmp
Filesize 56KB
-
memory/3496-992-0x00007FF899560000-0x00007FF899570000-memory.dmp
Filesize 64KB
-
memory/3496-985-0x00007FF89C630000-0x00007FF89C640000-memory.dmp
Filesize 64KB
-
memory/3496-986-0x00007FF89C630000-0x00007FF89C640000-memory.dmp
Filesize 64KB
-
memory/3496-987-0x00007FF89C630000-0x00007FF89C640000-memory.dmp
Filesize 64KB
-
memory/3496-988-0x00007FF89C630000-0x00007FF89C640000-memory.dmp
Filesize 64KB
-
memory/3496-991-0x00007FF899560000-0x00007FF899570000-memory.dmp
Filesize 64KB