cerber | f255227fd45316c4681085f39e6da2f509af851f8cc2d2a84ea99c06b935ffe6

Resubmissions

22-08-2024 18:43

240822-xc563asamh 10

21-08-2024 17:16

30-06-2024 00:59

20-06-2024 02:02

20-06-2024 01:44

19-06-2024 01:10

18-06-2024 20:40

18-06-2024 13:45

Analysis

max time kernel
668s
max time network
670s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-08-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documents/Ransomware.Cerber/cerber.exe
Size

604KB
MD5

8b6bc16fd137c09a08b02bbe1bb7d670
SHA1

c69a0f6c6f809c01db92ca658fcf1b643391a2b7
SHA256

e67834d1e8b38ec5864cfa101b140aeaba8f1900a6e269e6a94c90fcbfe56678
SHA512

b53d2cc0fe5fa52262ace9f6e6ea3f5ce84935009822a3394bfe49c4d15dfeaa96bfe10ce77ffa93dbf81e5428122aa739a94bc709f203bc346597004fd75a24
SSDEEP

6144:yYghlI5/u8f1mr+4RJ99MpDa52RX5wRDhOOU0qsR:yYKlYmDXEpDHRXP01

Score

10^/10

cerber defense_evasion discovery evasion persistence privilege_escalation ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___576K1U4_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="1cK0HRaC" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yokcu find the necessary files? Is the cuQH7ydJmontent of your files not readable? It is normal beFFbcause the files' names and the data in your files have been encrypwz7Q7LAgXted by "CeUZy7PEnS1Erber Ransomware". It me9xw6nans your files are NOT damage8B4MUd! Your files are modified only. This modification is reversible. Fikrom now it is not posslXible to use your files until they will be decrypted. The only way to decGrypt your files safely is to buy the special decryption software "CrBbMbWlserber Decryptor". Any attempts to restYS2ore your files with the thirrqKqhjd-party software will be fatal for your files! <hr> You can procwnc7v0ML6eed with purchasing of the decryption softwOiAkgzare at your personal page: PlefiloQXase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/16E1-D854-E841-0446-9660</a> If tPknvk0bbNIhis page cannot be opened  cligck here  to get a new addrqRLqQyp18ess of your personal page. If the addrevss of your personal page is the same as befov17rgcX2re after you tried to get a new one, you ccutrrGrGan try to get a new address in one hour. At thN3Q5is page you will receive the complete instriWMuB8uctions how to buy the decryptibh9uon software for restoring all your files. Also at this page you will be able to rese9J9tore any one file for free to be sure "CerbeClhXj2u1Thr Decryptor" will help you. <hr> If your pereCnsonal page is not availaG9ble for a long period there is another way to open your personal page - instaOutlfvsGKllation and use of Tor Browser: <ol> <li>run your Inte3Kqsrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entfer or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadalfxJ2ing;</li> <li>on the site you will be offered to doXbBewnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ru25s3n Tor Browser;</li> <li>connect with the butt12Wm17sBwon "Connect" (if you use the English version);</li> <li>a normal Internet broYe4btxGrQwser window will be opened after the initialization;</li> <li>type or copy the addr9gjpEress http://p27dokhpz2n7nvgr.onion/16E1-D854-E841-0446-9660 in this browser address bar;</li> <li>pregD5nxnss ENTER;</li> <li>the site sho7ov0uld be loaded; if for some reason the site is not lohading wait for a moment and try again.</li> </ol> If you have any prpKFSJCWOToblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searcKBkgOjMxtxh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditUFional information: You will figraeWWnd the instrurt6bOzIcctions ("*_READ_THIS_FILE_*.hta") for reY5iOglstoring your files in any f1UT7CY23rnolder with your encE7KGrypted files. The instr1gRI7xfHPeuctions "*_READ_THIS_FILE_*.hta" in the fjardkYrolderBAuTtTss with your encryXBs0khSpted files are not virjjMuses! The instrucERiRPOFbations "*_READ_THIS_FILE_*.hta" will heklp you to decxS6asrypt your files. RemembeWJpyFJMZr! The worst siBkel1ytuation already happ5ened and now the future of your files deoPJiXBhXpends on your determNtZiKkbhination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/16E1-D854-E841-0446-9660</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/16E1-D854-E841-0446-9660" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/16E1-D854-E841-0446-9660</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/16E1-D854-E841-0446-9660 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضEAd451nOrافية: سbEQwrوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشtادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موqamKk3xveJقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只�

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___YMO2DD9_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/16E1-D854-E841-0446-9660 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/16E1-D854-E841-0446-9660 2. http://p27dokhpz2n7nvgr.14ewqv.top/16E1-D854-E841-0446-9660 3. http://p27dokhpz2n7nvgr.14vvrc.top/16E1-D854-E841-0446-9660 4. http://p27dokhpz2n7nvgr.129p1t.top/16E1-D854-E841-0446-9660 5. http://p27dokhpz2n7nvgr.1apgrn.top/16E1-D854-E841-0446-9660 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/16E1-D854-E841-0446-9660

http://p27dokhpz2n7nvgr.12hygy.top/16E1-D854-E841-0446-9660

http://p27dokhpz2n7nvgr.14ewqv.top/16E1-D854-E841-0446-9660

http://p27dokhpz2n7nvgr.14vvrc.top/16E1-D854-E841-0446-9660

http://p27dokhpz2n7nvgr.129p1t.top/16E1-D854-E841-0446-9660

http://p27dokhpz2n7nvgr.1apgrn.top/16E1-D854-E841-0446-9660

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Contacts a large (1110) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3012	netsh.exe
1616	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.5.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	firefox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	firefox.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Executes dropped EXE 20 IoCs

pid	Process
2900	tor-browser-windows-x86_64-portable-13.5.2.exe
5088	firefox.exe
1004	firefox.exe
3400	firefox.exe
2148	firefox.exe
3572	firefox.exe
4404	tor.exe
4472	firefox.exe
5680	firefox.exe
5924	firefox.exe
6036	firefox.exe
6072	firefox.exe
6016	firefox.exe
5872	firefox.exe
6648	firefox.exe
5880	firefox.exe
6220	firefox.exe
5452	firefox.exe
6764	firefox.exe
5912	firefox.exe

Loads dropped DLL 64 IoCs

pid	Process
2900	tor-browser-windows-x86_64-portable-13.5.2.exe
2900	tor-browser-windows-x86_64-portable-13.5.2.exe
2900	tor-browser-windows-x86_64-portable-13.5.2.exe
5088	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
3400	firefox.exe
3400	firefox.exe
3400	firefox.exe
3400	firefox.exe
2148	firefox.exe
2148	firefox.exe
2148	firefox.exe
2148	firefox.exe
3572	firefox.exe
3572	firefox.exe
3572	firefox.exe
3572	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
4472	firefox.exe
3572	firefox.exe
3572	firefox.exe
2148	firefox.exe
2148	firefox.exe
5680	firefox.exe
5680	firefox.exe
5680	firefox.exe
5680	firefox.exe
4472	firefox.exe
4472	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5924	firefox.exe
5680	firefox.exe
5680	firefox.exe
6036	firefox.exe
6036	firefox.exe
6036	firefox.exe
6036	firefox.exe
6072	firefox.exe
6072	firefox.exe
6072	firefox.exe
6072	firefox.exe
6036	firefox.exe
6036	firefox.exe
5924	firefox.exe
5924	firefox.exe
6072	firefox.exe
6072	firefox.exe
6016	firefox.exe
6016	firefox.exe
6016	firefox.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpC033.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.2.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
308	PING.EXE

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2488	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	tor-browser-windows-x86_64-portable-13.5.2.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.2.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1020	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
308	PING.EXE

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeShutdownPrivilege	164	cerber.exe
Token: SeCreatePagefilePrivilege	164	cerber.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2900	tor-browser-windows-x86_64-portable-13.5.2.exe
Token: SeDebugPrivilege	2900	tor-browser-windows-x86_64-portable-13.5.2.exe
Token: SeDebugPrivilege	2900	tor-browser-windows-x86_64-portable-13.5.2.exe
Token: SeDebugPrivilege	2900	tor-browser-windows-x86_64-portable-13.5.2.exe
Token: SeDebugPrivilege	2900	tor-browser-windows-x86_64-portable-13.5.2.exe
Token: SeDebugPrivilege	2900	tor-browser-windows-x86_64-portable-13.5.2.exe
Token: SeDebugPrivilege	2900	tor-browser-windows-x86_64-portable-13.5.2.exe
Token: SeDebugPrivilege	1004	firefox.exe
Token: SeDebugPrivilege	1004	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe
Token: SeDebugPrivilege	2028	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe
1004	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe
2028	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe
1004	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 164 wrote to memory of 3012	164	cerber.exe	73
PID 164 wrote to memory of 3012	164	cerber.exe	73
PID 164 wrote to memory of 3012	164	cerber.exe	73
PID 164 wrote to memory of 1616	164	cerber.exe	75
PID 164 wrote to memory of 1616	164	cerber.exe	75
PID 164 wrote to memory of 1616	164	cerber.exe	75
PID 164 wrote to memory of 4112	164	cerber.exe	78
PID 164 wrote to memory of 4112	164	cerber.exe	78
PID 164 wrote to memory of 4112	164	cerber.exe	78
PID 164 wrote to memory of 1020	164	cerber.exe	79
PID 164 wrote to memory of 1020	164	cerber.exe	79
PID 164 wrote to memory of 1020	164	cerber.exe	79
PID 164 wrote to memory of 4816	164	cerber.exe	80
PID 164 wrote to memory of 4816	164	cerber.exe	80
PID 164 wrote to memory of 4816	164	cerber.exe	80
PID 4816 wrote to memory of 2488	4816	cmd.exe	82
PID 4816 wrote to memory of 2488	4816	cmd.exe	82
PID 4816 wrote to memory of 2488	4816	cmd.exe	82
PID 4816 wrote to memory of 308	4816	cmd.exe	84
PID 4816 wrote to memory of 308	4816	cmd.exe	84
PID 4816 wrote to memory of 308	4816	cmd.exe	84
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2844 wrote to memory of 2028	2844	firefox.exe	87
PID 2028 wrote to memory of 2972	2028	firefox.exe	88
PID 2028 wrote to memory of 2972	2028	firefox.exe	88
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89
PID 2028 wrote to memory of 2372	2028	firefox.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\Documents\Ransomware.Cerber\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:164
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1616
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___6QDMVXVA_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4112
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___EPJ3CA_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:1020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.0.1242248391\1661999536" -parentBuildID 20221007134813 -prefsHandle 1688 -prefMapHandle 1488 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e093f9a2-142a-41f5-ae70-ae118d11ef3a} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 1808 178350d7658 gpu
    3⤵
    PID:2972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.1.1754040876\1307394301" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2508d679-9e88-48d5-80e0-af1e353766b7} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 2164 1782a071c58 socket
    3⤵
    - Checks processor information in registry
    PID:2372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.2.470965253\1251615644" -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2880 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {729e5d97-8df0-4d1e-a3e9-ef3c46670422} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 2744 1783919f858 tab
    3⤵
    PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.3.51442434\2082213860" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c39c6d3d-a4d4-4e5f-a3c0-1187e75f6651} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 3428 1782a062b58 tab
    3⤵
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.4.1180517050\959316418" -childID 3 -isForBrowser -prefsHandle 3872 -prefMapHandle 3868 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f43c0afe-688f-4a6a-a9df-379be9d0e71f} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 3884 1783a49ab58 tab
    3⤵
    PID:1780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.5.2121338529\1631948299" -childID 4 -isForBrowser -prefsHandle 2612 -prefMapHandle 4552 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {532959ee-788d-4e9d-b6f4-6e3baf09939a} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 4816 1783b6c6358 tab
    3⤵
    PID:208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.6.404365250\1595076732" -childID 5 -isForBrowser -prefsHandle 4992 -prefMapHandle 4996 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8e03a37-c782-4410-8b90-dc90097111fc} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 4984 1783b6c5458 tab
    3⤵
    PID:3848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.7.1796399194\1848167093" -childID 6 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {478c6ae3-2f53-4fa9-9efd-9bee462cf847} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 5172 1783b6c6658 tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.8.18421018\742549460" -childID 7 -isForBrowser -prefsHandle 5636 -prefMapHandle 5632 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18eacb91-890d-4cb1-80a6-b9e9d9046e35} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 5644 1783cabf358 tab
    3⤵
    PID:4108
- - C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.2.exe
    "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.5.2.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5088
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Checks processor information in registry
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1004
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.0.503494050\2086792868" -parentBuildID 20240805090000 -prefsHandle 1660 -prefMapHandle 1724 -prefsLen 19245 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {4f86b8a8-423f-41bf-a2d4-af169f653c7b} 1004 gpu
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3400
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.1.442631262\670636332" -childID 1 -isForBrowser -prefsHandle 2556 -prefMapHandle 2552 -prefsLen 20126 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1a4e9148-2884-4b65-b976-446fa8892f51} 1004 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2148
      - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:8a336ac9106936826074389fbace43d38cbcfde1213dc913320d16ca61 +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 1004 DisableNetwork 1
        6⤵
        Executes dropped EXE
        
        PID:4404
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.2.1914293259\1980534155" -childID 2 -isForBrowser -prefsHandle 3028 -prefMapHandle 2760 -prefsLen 20940 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {35badaf1-4f1f-42c4-aa47-4052bac9462d} 1004 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3572
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.3.9993851\2119660663" -childID 3 -isForBrowser -prefsHandle 3056 -prefMapHandle 3284 -prefsLen 21017 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9fbbfb3a-3b6e-4bc9-a749-8ee0270e6641} 1004 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4472
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.4.58838920\140129851" -parentBuildID 20240805090000 -prefsHandle 3536 -prefMapHandle 3540 -prefsLen 24052 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {e591e758-1de3-4e27-a280-857b1c6b3462} 1004 rdd
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5680
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.5.1912531920\195937147" -childID 4 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {85e0a61a-8404-4c4f-a006-2fb119468054} 1004 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5924
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.6.645363389\139030982" -childID 5 -isForBrowser -prefsHandle 4012 -prefMapHandle 4016 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {006ffa93-0008-472c-8606-bc9e4c614be8} 1004 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6036
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.7.364113408\1440278441" -childID 6 -isForBrowser -prefsHandle 4200 -prefMapHandle 4204 -prefsLen 22309 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {40786ca9-070d-4657-97b9-22d2ede25075} 1004 tab
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6072
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.8.2134881160\1298230919" -childID 7 -isForBrowser -prefsHandle 3284 -prefMapHandle 1656 -prefsLen 23158 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {6aa285e4-c788-4644-80fa-633f43e8b275} 1004 tab
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6016
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.9.1466301598\2143329589" -childID 8 -isForBrowser -prefsHandle 4164 -prefMapHandle 4088 -prefsLen 25159 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8c15a3d4-6a26-4264-9741-5a33b94ddca3} 1004 tab
        6⤵
        Executes dropped EXE
        
        PID:5872
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.10.282766484\372539284" -childID 9 -isForBrowser -prefsHandle 3064 -prefMapHandle 3972 -prefsLen 23195 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c126f4fe-1625-4078-8afe-643bf5f5a746} 1004 tab
        6⤵
        Executes dropped EXE
        
        PID:6648
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.11.1256247525\885605142" -childID 10 -isForBrowser -prefsHandle 3820 -prefMapHandle 3828 -prefsLen 23274 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {3b7d17fd-fbe0-4fc1-bc98-3972cf8a1bf8} 1004 tab
        6⤵
        Executes dropped EXE
        
        PID:5880
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.12.1817196760\1527071585" -childID 11 -isForBrowser -prefsHandle 4380 -prefMapHandle 3976 -prefsLen 23274 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {9b7f9d2b-46d4-4d73-9fe2-ca92139f3671} 1004 tab
        6⤵
        Executes dropped EXE
        
        PID:6220
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.13.1956753283\1127638438" -childID 12 -isForBrowser -prefsHandle 4348 -prefMapHandle 5112 -prefsLen 23274 -prefMapSize 240456 -jsInitHandle 1128 -jsInitLen 240916 -parentBuildID 20240805090000 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {a3968727-5f0c-4634-866c-5ef92bee678c} 1004 tab
        6⤵
        Executes dropped EXE
        
        PID:5452
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.14.463184900\433070911" -parentBuildID 20240805090000 -sandboxingKind 1 -prefsHandle 4732 -prefMapHandle 1020 -prefsLen 25680 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {c87cc819-ecdf-4474-a9cf-dbdb6e60e189} 1004 utility
        6⤵
        Executes dropped EXE
        
        PID:6764
      - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1004.15.1790351432\1970255084" -parentBuildID 20240805090000 -sandboxingKind 0 -prefsHandle 1476 -prefMapHandle 4788 -prefsLen 25680 -prefMapSize 240456 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {450b4d92-5ab2-4923-b31f-2cf6864f695b} 1004 utility
        6⤵
        Executes dropped EXE
        
        PID:5912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.9.767274187\548413159" -childID 8 -isForBrowser -prefsHandle 5004 -prefMapHandle 4132 -prefsLen 29716 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {30523ade-0076-452b-9f6f-b3673bf35315} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 5072 1783a49c658 tab
    3⤵
    PID:6148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.10.1486038854\397407103" -childID 9 -isForBrowser -prefsHandle 4460 -prefMapHandle 4988 -prefsLen 29716 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58098bba-1639-451a-af18-1e1a610f5652} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 6728 1783a49c358 tab
    3⤵
    PID:6176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2028.11.1458418949\1131942281" -childID 10 -isForBrowser -prefsHandle 4336 -prefMapHandle 6308 -prefsLen 29716 -prefMapSize 233444 -jsInitHandle 1292 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd5cc0df-4bf8-4f48-a04e-71e399cc4d65} 2028 "\\.\pipe\gecko-crash-server-pipe.2028" 6560 1782a02fc58 tab
    3⤵
    PID:6632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___YMO2DD9_.txt

Filesize
1KB

MD5
76c9daccd322ee7f56372b1100f18568

SHA1
a2a0652dcc1c9628ae114e245be1af248a6288ca

SHA256
edb5534afca35053798fdd44755e73597c3e202e9e1accfa51bc1d95b87e773d

SHA512
e6b7bc9a2f087c6d4e9a6d447b556a168e1156c17b9dc97dba61c98ffa20eadffda00a6af4b74ee636d79f43a6731c53e91cf38db45a6a479b99b2fa86aeec27

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

Filesize
13KB

MD5
b115637bb2fd08e7cc2dc5c8352ed718

SHA1
af63a0c182adca741142883687eb6432c7280038

SHA256
222307ba0595e07ac8eb90a5cf61360f2ce2be383ff8d46b700abb6fe85ab9ee

SHA512
266bb3a870990039d839fab1b7cd9e97c8946eed41c00101b3ced3402bf687fd5ce599666f4f3909125e9ab525a78a69f44f354096ce731e0f11f525b225bf02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-u0x.xpi

Filesize
932KB

MD5
3cbd8ce0bc99ca33c5025304b4f1aa1e

SHA1
b3e5dcb7e35577e3071a0f2eba3f897edee87dcc

SHA256
e538163118e8e9dcabd6306b8a9abb3fccb556b7d87b68e18aa0997d121ba00a

SHA512
8275da573d382741a59e9322e589f42f07f01c5adf1927016843ed57414e4da4f25a9726ab4a1c7b749fe0b5e99f7aeb22fab1b658a0a593686c2651acd50710

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___576K1U4_.hta

Filesize
75KB

MD5
51e088690d10c9e78b70759638f911a7

SHA1
49650c5af8d95aaa534a66d320dd9a14e3acd671

SHA256
263a22caab9f437e3f56caa1583ccd91cdbdac009f9589e93238127d28324ddb

SHA512
bb52c6b9fe2ad0b57b76672b4e5fcc08d5ecd473049a12dc41331cde308351994503bc720a6bad6abfda66dc74f9b18b318bd4488c3ad2e65be0962b0d88b1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
12KB

MD5
627e16670dff42aee8a1e090c1a12202

SHA1
73eadc0744293084ea1439356b21add3039403d7

SHA256
2897cd668b9ca3e48e48a70b416986c497409cb79c124c8d7f8cb34132c33daa

SHA512
9ef7998cf991357ae456606ee63ebea5d677d2742995e44208683dcd1f12a069d08766d8196de2dc7a09be3517d6bebfcf80b56e74417e6e6cac87f9bc81d97e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\SiteSecurityServiceState.txt

Filesize
555B

MD5
717e65775a43ccfda7683391ad69a599

SHA1
58a372ce767068f6ff448d2d46ff0077024e84eb

SHA256
89b91e4abd1bde31aee7e86e6a932c71b10a7f57fdf13e93f81536665cbdca64

SHA512
65046d6145d426474610f30841dc8d738f3aa4fa9676c55f01fd93c1c2f56f565bacdec9733851fda331551a0243bc0cf60a57ffbd4452612b7ce4c2e1e8af74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\bookmarkbackups\bookmarks-2024-08-22_11_ynjabA+xcPNHPZU1gEyrew==.jsonlz4

Filesize
946B

MD5
bc3030c50bf86982219a2ef0685a4342

SHA1
f5959d9850ba5f1b0e7ac71cfa35550c0dfb6c85

SHA256
5e38cdcb2dda5e8038815eb31f05ec6bf9d4db0718af6443aa4247fb70d888d6

SHA512
7970c02c7a335c3b1ae73f9363fd3282f495ddb8238947af59828eca4c52345e5ed2801e2b766b86d13f1fd784629ea86dba711711cc0760fcd579e11c0dae8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\broadcast-listeners.json

Filesize
216B

MD5
9a2963f9161937b59241702739e40320

SHA1
184a85379ca008d37b89dcf65b8f7c23df5223aa

SHA256
e7bdcee5f8dd56fb313c91dff7e1515e9efe122e89d9cd0d216896dd00ddbfde

SHA512
772bdcfd610b112b0063e8641b4041c2b8388265e264b3340b3cedb51de687987c14a0e8cee3748ad70a263560c19f3ec68ba03310e5deccce84f960743da723

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0b99ed2f513498af5f9a2b7dbd5de14a

SHA1
898319ae947fd60def1605db4572fa6e767b06b2

SHA256
b4bea9100d5c091e585e45087dc2c3d6904e63cd46c69a735817cef731c442b9

SHA512
cf2322bcf4727549f5f8dc0989be776666fd9f8266975d2353b578ade6fe0f69fd69fdba1f0e09b6baeeab9c2cf102b39c8d4b8bb7f92e4ebbeec31a55cd0ae5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\546b086b-415d-45a8-ae2d-196654e6791b

Filesize
9KB

MD5
40972f00b4e523fd3b26b766b81fdea6

SHA1
804c82a440ce14e4c6b642dee6a0172dd5753e51

SHA256
e71febe8102f733278692a2a355bb9e340346aba014e4edc523753c554dad424

SHA512
3d4c1be66b236a7627c280e061ce88d0f2f5ea6c946027aedaa469c1e324bacf49d55a184287839d8c8994fda47c8cd7f299cdd35c4095acf8d24fd2e4149634

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\695e989c-1291-4dd2-97b4-9d3582ec9617

Filesize
746B

MD5
7386018e4ba2e0a664d065b746c8e50b

SHA1
369f87160c99e16fef60e26e6f56e2564f5c9dee

SHA256
42ba23b47ebf75da394bec02892430762d0a72f4941e1f3f55dfbabc21004107

SHA512
64203165f0f84b99034dc79bfb8489dcd74547c0164935c1a2e20c5296ab7d477eee7890cc45164c02e831cdc3fb901e829d8e670dbcb7a38934a433eef02e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\favicons.sqlite-wal

Filesize
320KB

MD5
5b7f1baf980ee20d04ae560fdd7b8027

SHA1
b2f0e0f9e7f5f10dab13407c8ec9a5b56e25edab

SHA256
006b62eb6cc80183f50d480a30aae0782d63f23fab56f2cd8704390a2641a96d

SHA512
a35d65136161aa4ae3973c793f137bc3fc378ed0c67b0af0cbd6791b2c3d06d8d751b6a1df9481cf3752f16f40378303592f56cc5a4ba2fb9db9f08f7cf78a69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\places.sqlite

Filesize
5.0MB

MD5
e2db73f6d80571988295f61167e97ea6

SHA1
aba7af95b64652debab0e76367182c5688fb9290

SHA256
d7c2533bd6e0cb0ca7fc65ccdb80a485999020e371cdad2075a7a6fe1fa5a621

SHA512
daa873f8b303da48a679a65704e1a83576e21389c6abada493819fdb91124365960842656fe0ebce3c38677b0da2e75592d911d7cc6c58f739553ba86d9845b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
81198b3274bce8c37890996b50147282

SHA1
d7ede4c729b439e86385aee77ecc4c01d873eba3

SHA256
680b70d43ebdb233ada095683f49f58d8fa3008344d63f62ae7b46f928a05c30

SHA512
bbd42f7bcb8fb11b89b9a815f2ecb3b569819de5ed043f34ca5a78701e6c930466f612b82caf93f3220b2e57db6ad9e0ce57879cad15cf0598c32bbef92fe652

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
7KB

MD5
18c176e90533c66a17f228de305bbef4

SHA1
5ec2d2b639a5f8c271b0c74191a8258bce109785

SHA256
d47b32ca035e09c2d16da06e7315100d9598e25af028703ca2b0c9468b83c897

SHA512
7b86d798b6716f42af409dea49cd951f47787eb0a5a79ead37cda4d3e9b42af96016b07049478b09efb78f110e86b535fc8a82ce3e8db4b53e490dd4edc87934

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
10KB

MD5
784f933ad75a16d8ab8d56334bd55789

SHA1
53d7bc52105024753d697541c842cc6986c30234

SHA256
c93cea0e632a87a23713b43c7557d81df9bc1d3ce43ac1b72f84b1e920466a5b

SHA512
509cd98891777100fc82b0adb57facf254f1e6240399a87b8f99eda8a740a387bd8bb0ac2f66fc08a541fe0af6278b1e5abbe0933685626cd904056c1110a5e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
9KB

MD5
48d07f0c53d22a3febd9a025a0951be3

SHA1
897e48714cfe881ac96e881eed7ef4f5628c4319

SHA256
ef37cd4d3b7e18097958311cb0c1bf499453dad0645dc5cc27b8ae147de2c471

SHA512
5fa481100c6a334b42825281534e8ebed2d30e0983696e34230fbbcac0f1e9f780ff7199bae1c584dde9ad4b955225cbc18a66c8f59e398ced611f86eedd6b22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
bee2b507d661701edce7926559bffff4

SHA1
efdeb6023b4d48c7723993985f12369d5a29b34c

SHA256
c3037d8f93626c73d3d7b965384a5d4a257f7321c7dff3a192e0401ede4a86d4

SHA512
713af36eaf4d5c48988d01764a7e7396fba82fd9f74d979b92f48745a94decec97ee7a7a2b1bbe849ccc9a15c5c46454669132c735e1d7d1e03222ec7eba5f90

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js

Filesize
6KB

MD5
dca75cccf0fd91d70d6b706aa8c91de0

SHA1
fb94d75986610b2be752f3a12171e935340890eb

SHA256
7fee93766725a136fd2c0d0044ad34fe79fd766a4a9335c2b48ddc108f4fdf44

SHA512
ba5588ae9413ea34553ee1cbe364ce2f07b5488eb3b9619abe449e7ca176c587c7166a87033adea8422331c2501f030184a84cff54ff474892acbe12dfc69e80

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs.js

Filesize
6KB

MD5
97309eaa0ea36c0d9a9b9c9786dc34e8

SHA1
b39fa882330fbcb626e8ecfc0edb365c32bed8f8

SHA256
94946e039ded1d3e3ee4a5003fa73ffaa80f2a8620cb6614d267bf579ea93ac2

SHA512
35eda972e57b8104618036ee8ab1267b64809e4298a4097b9057b42947b8fe85beeb84860c19f4aef138145b59f8af9e7372d7e0a56e9ec2c18ff577bc6df5f8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json

Filesize
146B

MD5
65690c43c42921410ec8043e34f09079

SHA1
362add4dbd0c978ae222a354a4e8d35563da14b4

SHA256
7343d5a46e2fca762305a4f85c45484a49c1607ede8e8c4bd12bedd2327edb8d

SHA512
c0208d51cf1586e75f22764b82c48ecbb42c1ff54aa412a85af13d686e0119b4e49e98450d25c70e3792d3b9c2cda0c5ab0c6931ebaf548693bb970a35ae62b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6377704cd45a115b71b9d49134aa52b8

SHA1
9bf4a9962831adcf00695a79ce55dd0ab2e2adca

SHA256
4a0c2236b17ef7e65415adf400dde3201e891aaa801396ee1b86754bcd04d605

SHA512
6bdf72c3f1cbfc5ac03d28f8479f8347298eeab95abc13fbbfd4ee61ffbfe58576dd150690eca507acf2f8ac71acafe0c19421ad1da41f666261716936968083

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
58f6105b44b5f314631d029d36b6942b

SHA1
08d98b995434a91d35fd5a2ca5274cc2cc8c3ddb

SHA256
158466d4862241d9fde67dcb7a6c82b45bee2719aaaf86ec5d34d64a1a91f700

SHA512
0d0a467151e8d21e0231194e822ff5e34156a2eaf746e7fa908f8d6ce171bb9fa2d939e197f23eb32f3e6b53517c3de9583d762e1549e7afa855ed8e0defac1d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
bb72a1376807d70151a299e86c9f1180

SHA1
af40bf9126ed8c0c85dc71ab1dafc71c31f03bd2

SHA256
9dcac913df7a1929c558d88beb35f67120f90cb14d7605827e0cb51a39887798

SHA512
efaddc7ebcb55c2dca79581a0b01b534c8c0e077b41d454210ed124e7020fc5626450153733e695d270578f4e33b1ac31081dd2f766f3512b8a2db105370701c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
17799db3c0e1c334ba3b68e03b25180e

SHA1
2cb8151069f70e48c0131b11ccffbb57564dc11c

SHA256
69b51123b8f29b97016693112107c9b8f6cfbe035a70e5d880e3247742908c6c

SHA512
e8364db9e2b0ec40227b0b688d8ffd898f2f0b640d77603a47b20f62fabb442e8e76a451898241f0b4fa92f7472ea3df63375a39a0c4cf70c1fd20cc70d1614a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
47fde592c473d708f5255ce2aa416b43

SHA1
be302c5ecfd518ae77802c87cb4de7d4b242f97b

SHA256
cd30135e9be8f1be6812bc1b79544af42845d06e60563d451b439a22b152992f

SHA512
a41ae61a58e3592d3a94f8cf68cee9954b96659e8d15f20afa322696e23e849653112300aaa7d372cf14b113864686f7cac43ff04accdae7faa91128b0d84862

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
7a19ba5c09582f006e69e917a763ce5e

SHA1
07aa6024f148b2940d1add484ea5e477b566acdb

SHA256
e8ae9ac034b60181471cc990d6c57d52ff8584c5bf4457b0961f18f31aad5c82

SHA512
8b50d5c8130985dbc3ea3ee6cc221fe6411f47e9d3b245ed99925a5361d034131c5a9ebe38ab6d22f4c9293b278f364a32bc47dc22eaee76921c3d4d470be9cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4

Filesize
3KB

MD5
8fb1ec301a0222254149a0d0a95448a7

SHA1
363089ca6ce914e03d885b0746a4f9ca83eba61e

SHA256
bf9f0a2d06c7d873a455cf2589ea458d3c4e94b42b4d745befbe2d8ed215db0a

SHA512
8dad9e83013f8060949a95dd0c9fded72edceb5b99a171ebfabe40aa0ed089637f7980438b79ad6b820d81d8b58bb4c510976118024fd2d1855b3d261d2c6517

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
7.9MB

MD5
77da1ad4d219fef29b39a83afcfdccb1

SHA1
5a90443381959bae1b2b58f823927f69336dd615

SHA256
45c44bb23f7b0b8c98b4ebad929d32bc2b71349629eb8e50ab2f2b13ea2629c3

SHA512
e9cd5d5d99557b7bb7d7d13b692219096058f5000b48b4e61ec293bbe97bd613d6513e16e1af37770e25c9e90ac7e6382feb43ecae0c0ce7b66c9f060c05a229

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
0d0013d9708d9fef539adc917f5b87f6

SHA1
5e071e6b4d8abf007c8bb78ee948caf5bb0439e1

SHA256
f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b

SHA512
851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\targeting.snapshot.json

Filesize
3KB

MD5
84fdccd6d3b7f468863dd91bb575fc81

SHA1
8b42afb287192f9c17d2caee521258c0f559bf84

SHA256
ff49d4d745000c56ac06c4cf373dfb4e03ea1a0b1942b53ec4dc63109ad0da40

SHA512
c562e442086b8f17e78a4e34e07cecd46292c044d6963771c874dd7fb93683841336475b00946dbc64941d9c4e7f16125ae7555dd41ac80c0099d19f1da68fd0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\bookmarkbackups\bookmarks-2024-08-22_15_2DqpkHbXxq6tOo26dPkxVw==.jsonlz4

Filesize
1KB

MD5
c807ef64bfc24af84533b94907b9b730

SHA1
2ce302550e79c7bb67c5f17d559c837ca41a5d1c

SHA256
36dc6fb07e1018952539f7821fd4d1438ec4ffa147cc88d5932b159d42296e13

SHA512
7345e1ed6cae9e5f4041afa0f38549b053b661f6d5c0ea0aa9606d084c635107d14ca0e713af2e51c99ae5700ce90542defb02c6c42766b15bea6ed589a50c06

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
27KB

MD5
2393ddb1cf812324336f58f021457dc5

SHA1
5cc5b62e877c5cf3e2d1348710272e8ddc19ceed

SHA256
0b8bfe9f65b87094e6631ca3cd70b7361adf7ebd6de31adbe14d51a6bdb2ef1c

SHA512
6096c9f3cdcd05c4b3416fc4131f9921a517e4d004d57635e9014a3ed686cbc93ab8061560c11e7c9ccdba8910cdab02a5ba1fa0a735656696b74db5af7686c8

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\favicons.sqlite

Filesize
5.0MB

MD5
f1523f113604d2b6871cf4cf26048a8c

SHA1
ffc23f145392dd06883788be97ed8f54578bd512

SHA256
7d112b7fae17f17d1f54a9af9188bfdcabf2272c4d05e54a8263e9454e2f33c4

SHA512
0ff3bf5cc7fcbf25f8cd3610756599e5e5cc1d43cc2a42c3eb6a77a3b68a7b89a4d63c998a6858d77e1da01a56fb9538c7876c95ead9aabf47500d3237bba300

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\favicons.sqlite-wal

Filesize
1.4MB

MD5
78284f10e216bac734ecc2e77e6c16df

SHA1
501b07b67c7151e928734b1c87586492fc45e014

SHA256
1c00197732d9365ea71b23806b36645fe049f424b27ffe1acb0b8449ae0b8aa7

SHA512
331d7b347a18681c10e06f1f57d48c44fe7dee63c2081f85c5539c700154d989a14fc0a8553245aa3edf73a49acb371a01763968ad0caeea56d238f9655c5012

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\places.sqlite-wal

Filesize
2.1MB

MD5
ddef0672e3a1dfa7f656e6550fb42229

SHA1
91e32145875b243f1d5b35cb565f0520300c482b

SHA256
3f21cd5515ae14f57d147e2274485bbbcb792a987b36300c0839c61ef89e39eb

SHA512
03f4f2d25fb78c254a8580f17e5f2719151d9f029465767be7b582bfa134d8fd59f321a315251e52e48dd749204d1f65b0bdd5e11530f522e86dc906b3c227a0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
48b18beb6dacb0d541c7eaa610fb97fa

SHA1
579703338b4e025c295f29b78ea959620c87009a

SHA256
1ebce4d3e0be79e1210f5a9d9f88a17d8ecfb78607ec9db7ab8d068a3485de70

SHA512
703fff354bb6cb245bf03cc7c58d1f4c0ced54df37aebd1ce78c2a01bcf7f11dcb976b6ba60bc7b075438d5dadbdedc46b0ee454f2cfee0cac3dac057a5f82eb

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
8abeffa51c33f7c99e6aa0e0eebccff2

SHA1
ec76d041ceaf8efcbac87267889ac56b952223fd

SHA256
b670f62baca5ad48aaf4231f821bf241397ebbccc3a0d0f2a964fc4a3f6bd644

SHA512
52ddd897735c255f374962f3395c6d52257da8a4cdfe2178aa1388807dd05214b5e0911f48e587c97963f74708360dcd23dd7cc3ad3ea17c5eabec58f23b7f21

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
f0d6cb40a8b53b966159c819d5eea314

SHA1
8d7742d91a99980b898ea312b2d5484dff34cb5b

SHA256
1f081130a8779cf3c3d11ea1575178e6433c932572851670833a4a616cb14ee4

SHA512
3987f3a01bf824453b75b26667aef208c9a411f65e885b00da6e3350e3fe7a77a3343b9457e2f0e5dd212af61c834429888b9c94f2421860244c3a3bbc253aee

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
6KB

MD5
9abad763cc7ab16096123ee8d9e428f5

SHA1
cb5b80b21c2b6100aa2084060ea828ad2b10c3d8

SHA256
29922702835562cc8a12a32e8f19a9efdfc3e89f6f8f70d957018332c6f80829

SHA512
a6d2d2e77344215da4ccd1f5a75c8bddb0e7f3d643753aaab898742b50c49916dfe6f74c6db52afa8ef69ebd55b91b0f9c0b9a7f5685adce2c6e5a874b99fc61

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
2KB

MD5
932160db145ea0c695c93fb25752c030

SHA1
08a4178624960914c100ea0bdece6dd7bcdcdd6b

SHA256
213a28ea7b88a80d2e760156c9b4a4575f728141ffcff4bc5c5d233d8fd7e2b8

SHA512
2787da5a09f615a0e9fadb4507850809c05b4d8ed574b879dfea2290fcef69febbf130ad6432764f2cd6147f27d789372601ff4a6956da4e6d57ed30de78f128

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
5KB

MD5
af42efefbb45c30a824f77b11a659a03

SHA1
57951fdc888c0a37808364fd6db76b069231afdc

SHA256
f90538b50f3cf97f7264cf69715d0788683348056b6bffcb512f80c7cd985897

SHA512
8eb8a00eac1846b1e8114f583da42569b880affb07ce7a1be14c496c03e5a983426677bc0292514c33c51198571137fbd5ce9ede83ecb119b9028b2b151dbe75

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
867B

MD5
bfa4ce46454987198132c8bf0d7cadb5

SHA1
dafeeddc34b5c5a9a55ba379ca3b7c13267062fa

SHA256
1b95186e6ebab38f293b4d3688297db061afa831860266412ba92093fde2e1d1

SHA512
9a31d99759039cb757b90758d1ca511617bfd6a4ed36880186d67636ed9fdd37338c9f1cbca220d2b8efeb347b0e39fe7e11c85c0d88e7f1bc73844de0483a12

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
112KB

MD5
5896ac8f160627d802c975538a7f39ce

SHA1
b59b16d32166e32c5a3d83162026010512aaed57

SHA256
b28103cd1045dccee3f64f8f74aa7c8ba8257f0435332abe66f04d2efe3f5ddf

SHA512
1edf248df4dbfb45c2f3fff1214248d40bccab21989eecba1fbfb4f37d81cfd69bea3522e6fadefa6da34e7f3e9d371fa1c2a7481de31acb5054ed3032f7b47d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

Filesize
2.6MB

MD5
0ba70169e76e33daa61f4dd2d9ea1993

SHA1
2c6d9b143ece4b801dd1b15502ba45d7f3177738

SHA256
75ddca59403c136dd4d0d9078ddc31dbce5be0c1a86127b5680e13bbbd92ff89

SHA512
48cbbbb31eb8f0cc64954f717894877f0f4aaabdfc300b10d4764e819ca77c82da358c92d4b65da760954b6d8f66850c2512b5acf1ebfa20bff5d8b4fd8a1377

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
8.0MB

MD5
7d1c5b073d7c70f7a602f9ced072a3be

SHA1
8f3c9245491dc8f6ceeb544a09700f8deb27093a

SHA256
a56585381513c9bcfdd7c27610696088e32ca60307072d694eab9bb5a5b4b46a

SHA512
ee36ae69e4f258a20f290ca66c68e359a0f8bdf3ac675c9ae0e31ccbadc922da7a965f1da1b670dea95c48e8163c5cf316aa67087081d0a91fd870ee8a4dbafa

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
24.9MB

MD5
2e0e8a91aa8f5b77908aa4106228038a

SHA1
1ba47b82c05bd6b47b467a74bafdfc2faf551ae7

SHA256
7f4ffcbf99d93db5b9c900220b7282945b489ab76a2d2731b4f9e12ba31d3b03

SHA512
df505edf0e1336d5068352283c2da7b8026d56b6df5f03abe7d4b02406e86553e5aea5f0e070315c2fb67696c03abeaac27b2f65f752e37296ce6118cb6f50dd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
932KB

MD5
251150b67c4a694555ecd4a6bdcf5993

SHA1
92b571569aa6c265a6dcf715c04de50bacf712a4

SHA256
b22c007534471a8fb74378e970ba79a536a44f88d81ad3852273b82a466d10c7

SHA512
c525dde844ac84a92ee4098369a8e8c958e475cc785fe1a6c514618a59dd48a1d75ed30523ae20b044909527d0d29102fd644e5e7853568b584663c0a0221d09

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.8MB

MD5
48df39f022d853929c0df59630a45ede

SHA1
fed259e241d064c9141e2b70d075922de410e428

SHA256
52b3be893f46a3fb2e0668a5e548a2e04501073824f59313b0f9d4265be684fd

SHA512
7251c08a8e2375c5437060ed52ac3d57c94a9f14d08ae7c6af40a2a5a327a83470cd66dca0263910a0875fcc2acb7100ef4d3a3577034b5553636f0d551c5ee8

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\000_README.txt

Filesize
297B

MD5
793eae5fb25086c0e169081b6034a053

SHA1
3c7cc102c8fcaf3dcbe48c3f8b17ec0f45dcc475

SHA256
14e396a360e5f9c5833dc71131d0b909f7b24c902b74f31a7a3d78d5aa0fa980

SHA512
5e949be232df14bf7bfb679986a16f4a613439f5b5e71271abbfbf74296b43c977510fd6403702139ffd77dd3369e054dbe086e0188fff4f436f3505654e1f70

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoNaskhArabic-Regular.ttf

Filesize
225KB

MD5
27dfbbe8ee4015763e3c51d73474e94a

SHA1
4328cdc9a3f9c6b7df0624c81afbd3459f213e40

SHA256
b4fe7b745c5b40e5d6294a883afcb8b4264b88d331fd0b4620050441479f391e

SHA512
42cc921fee7bad58ee1fac12eb8153b580b5d9d6ed510d5df4bd4be754ef1b017c987051385d828b70de050340f9629be7b385d0338c9db6e0f9f51543387375

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSans-Regular.ttf

Filesize
589KB

MD5
e782457ebb0389715abdf5a9e20b3234

SHA1
e0d9ad78d1972d056d015452ed8dee529e8bb24b

SHA256
0e90d375cdb64f088a6a676eb560b755afa184e523fefbb9c33fdda4d7dd8461

SHA512
3ec030fdaa18f90bd8060466276c9ec49fd9233746e603d61a4f65a9a53e97e7b3382f8f913da17c48ffefc8adcf2be25f7e1c51f16555068b8f344a4e6dd961

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansAdlam-Regular.ttf

Filesize
91KB

MD5
ac01114123630edca1bd86dc859c65e7

SHA1
f7e68b5f5e52814121077d40a845a90214b29d41

SHA256
1b7b86711479fbfd060ed38abe1258246b4be2826760e6827287958218bb3f5c

SHA512
1c9ac878ba12f3de207aa9a7eb8c0239f769f9ae7475fec998e998192aa6900fe146039ac982612c6c0b7e5363355f2803d8f62e4787c0908c883ac3796e2a9b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBalinese-Regular.ttf

Filesize
128KB

MD5
12764d72c2cee67144991a62e8e0d1c5

SHA1
f61be58fea99ad23ef720fbc189673a6e3fd6a64

SHA256
194e110cb1e3f1938def209e152a8007fe5a8b0db5b7ce46a2de6e346667e43d

SHA512
fb670a7dbb57465d6384cd5c3a35356e94bf54ac4cb7578e67c8729ff982943b99c95b57f6059443e3e8b56d8c8d2cfc6e81ae3a1cf07306f91c3a96e4883906

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBamum-Regular.ttf

Filesize
224KB

MD5
f0b22427c3ddce97435c84ce50239878

SHA1
a4a61de819c79dc743df4c5b152382f7e2e7168d

SHA256
0282610e6923d06a4d120cff3824e829b4535a8c4c57c07e11dbe73475541084

SHA512
ff2b22e58597d0ba19562c36f03cf83b5f327eee27f979c9ff84fe35a21b1fc9234f21fdb35fb95f933c79b9cf7760328d29b31480153da59a6576cf5f7f544e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBassaVah-Regular.ttf

Filesize
7KB

MD5
778376d22591a4a98bf83ac555ddf413

SHA1
608172ca18450b4cc61ff6cc155f66cff55c5bf9

SHA256
8218239377452e05634a91ee8a4338daf0aa96a15673a437533a098eb9c06f53

SHA512
e895a03374a3d3da04554cd048191722652ed4f1f7cc91639354843138ce26aea6c7f2da0ecda47eb76bcdd61a0315cc2e35e080a5953c24d82f4e94ce4aa260

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBatak-Regular.ttf

Filesize
21KB

MD5
9390ee64243e5335b79e33e5e8311341

SHA1
c8d4b3ab79f6b12311eb4e4da29e709e583b5870

SHA256
cff9f0e51e7f1d95934cac31d9ad43ba453ee308c7b46a27803dc7e2e6c3adef

SHA512
ad7b23dab247c5c71298c5023bc58bd1d00160145558d86ab75dd37de1f1017540bac544cd9bf1cb2802d19d2973c0cf189d05a980777de886ffb552ae923bc0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBengali-Regular.ttf

Filesize
198KB

MD5
7b5138efef2c02dda9cfae9917cd913f

SHA1
b44b58f354c4a68e119df226f01ad763b2d1025c

SHA256
9f8b4dd091f19b111d24ea18daae81bea8684cc67de17ea1acd797e144bf20ba

SHA512
47e4cfd2218c91080fc4ccc3ac13dabe9efb7c96b981d53577177fb062973b9fad0052edcf2b0c663ff3b7a1d9e38e96586c93cb72618d64344b96e3df13204c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuginese-Regular.ttf

Filesize
7KB

MD5
bd4c30081a164037311e8712423c5bf2

SHA1
2a13bc7987ca34644b075c1fe197ba293b4ca527

SHA256
bc19f17d7f6e8f280c2cc95ef6d1b67fac25becfe98722f482039a4d84f3c9ba

SHA512
2a20d113b73cbca311d08dba40dcb7f8ab9d5383f7590b61b785070f77204db9ab163557a420c6c96ede815643f82ffdf75bc59b5802284779ff237616734c66

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuhid-Regular.ttf

Filesize
5KB

MD5
34699ac8824cdb6593b4dbef605dd6b2

SHA1
22ff82e35cbb1ac9053f767f404ee351786fe0c2

SHA256
328d80e11e7f65f9b6e4bac12de32b7ce42154301c2a14ba92155e32e05939d6

SHA512
fe714d5d44c6c2f4f96b4349bff301a67749bcb084ade3a0270723f1fa6bd6061193c4d782cb663d63e2c32cc809f33a8114e2e0bc6915de2b04efc82b5de673

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCanadianAboriginal-Regular.ttf

Filesize
111KB

MD5
fc6ec655d6a00c567119522854e24172

SHA1
b72baef2dc0aca98cf7d3458cc027f4b0622db08

SHA256
0d188756c9c282bf31738af5373f2363cc8007bbbc8d5560fae5821ed4937611

SHA512
0a0eb23751b5df39becbbb308b6b36e324ea6ec469d2167a795cc10fb3bc38cb7b3187a3a63566e280470b09a080c000280e3b9a01681a68f8a3f35c7a2f139a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansChakma-Regular.ttf

Filesize
80KB

MD5
82f2c632a76dc9922cd85630d0c97db9

SHA1
4558e69543903a058b3d5a7b8f50a6dea8ea50f9

SHA256
60ce1d029e35b432dd68cc9f6c94f69bd84d8c97f28f06130186606dd2c3325d

SHA512
cbfe37179fa4bd8618eade5e5168dcfab9d784586319014692bcfc7f767187e4beee24b3afb471abdd9adde747eaf51648926ed1a790e9f8458152c283fb34e0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCham-Regular.ttf

Filesize
31KB

MD5
bf95af30d1db0fdb374cf646dc81b461

SHA1
6bf52ccaba21c23a9b461af8cfb7574bad6bee3e

SHA256
74cbbe944f25c64f0fd2f158716a648b970e3df714f8ca2644d56f65f5eeee4e

SHA512
52c5fc608d9e771cffc6de8ffcb953240cd445e77c4d65582dba198eec33c247891bed32de7b88c22f177e07c094716210623d1381c4cbb68fc5ad048cc24e3b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCherokee-Regular.ttf

Filesize
92KB

MD5
fd393a7c5b16eba60e38b72b5fa3a2dd

SHA1
d074eb1baea8caf869ba6aba69b9cc9b2fc4568f

SHA256
c052352137ae8d283840a0e2991a675d47859d8fdbae5726d373d4f0d97a8c87

SHA512
30d5c5f5069580186ded817621ad2c6eca338216680c288b249972d420f009fe94f77ef44b106355223a80ade7f9d851a6e6fe6417d2bbbb35b9f0182a1c9180

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansCoptic-Regular.ttf

Filesize
47KB

MD5
bc7e07463581535f8cf124dbfda9bb5f

SHA1
4d59c125be1263685c909b8f1b202194a0087e70

SHA256
e3d5915c74797a084d8525cc5fb8da08d0c1256b7ea75f6687fee3f28d2c58df

SHA512
ccf8477dfc771c00a5a0e3b3cc0bbce06291679f077f24858b1547de4ac21fd21805c1a1ef6ae8a0215b8b956562a349ee32a956ca5750ff8923c6c19335474a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansDeseret-Regular.ttf

Filesize
19KB

MD5
c0d20faa4acd8b886197e897a6ddc7d4

SHA1
64355303ac0b639f0135bb51325b8aee780b11e4

SHA256
9f384e8a75a059b8efcbead73ef5aa3b504ac3e9d218be5368a20b19bfccdeec

SHA512
c7062651d7fdaae6168f65887f1a6d07b95b721efbe3d756f5a1fad58641f2b5fd1a3d732ae4225ee3228454ed1982c7258be70abb41ab9d8ed867915337192f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansDevanagari-Regular.ttf

Filesize
229KB

MD5
2358cc51bd1271c89f2c173e684876fa

SHA1
7c30d7317d34ce0503bfd3b24900bd0fa4c6a69b

SHA256
dc0eb899c5852c819bfb30482e6f2ee1e44a4c8cd28f6622a2d4561bf1e3e444

SHA512
873696739807520826aa7c6b825701dc36786d020902eedb6ec7438d9aee71efcf1c6dbedf7bd4dea7604de73e1506f66961f7b5f5c80b7a9e71c73bb3aab264

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansElbasan-Regular.ttf

Filesize
18KB

MD5
1c7297bc694bdb5baba7c1d39f333c63

SHA1
4de6449e4f8d315c91109a741ced09b86c3302c9

SHA256
6d52707e91a77e23f389f42b5da65d7047205e7833041fe0b2cd7ff280e14749

SHA512
91ba1203c4057c930ef08470395c91b03c2618f5decb9bbedd9b37f858a29c63e537c658bcae73fc32fa7e9e11911bba6d0fc540b16e180936c8082ef00f15ca

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansEthiopic-Regular.ttf

Filesize
367KB

MD5
de7cf6c6fa2fbc854dcf6d2e2716f1d1

SHA1
f07c1412adb1cc2d742546a25eb66ba63ee3c840

SHA256
f6f7fc379db9438959a2b0527e7a2cf36ea9c84626d56ec444fff37fc24c3c10

SHA512
ee98dc59d2fe843fbcad6eb2009ef865016478ef655dd2f873b4bc45c4e67908aac4b776c5846514d3f80aa4843d1426b797f2c385e7d3ce814d7d96386049b2

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansGeorgian-Regular.ttf

Filesize
51KB

MD5
61f5441fdfe5be8a1b933ef1ef674ec4

SHA1
07a3c3cbd0f7d2cfef5e74e1c28d5b2ccbca35eb

SHA256
a14c27d89ef15d7855dcf03c6524cd2d98ce7d4374dcd7643b7d07d7ba0f13a5

SHA512
2dc8136cb7f4bb57ae2c7bab7b775c317f6f46e76eeeca93bbb0d9edcde3f35e9420601bf3d6e1043511d02d7447e2b64214a89f02f5b32e30ee347236bfcd78

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansGrantha-Regular.ttf

Filesize
350KB

MD5
a3d0e9dded672781968f021d6f869ae5

SHA1
98af88c343c9b761b0a0b03859fcb1ace7851a40

SHA256
98a079a902bcd5f298cdcf59eeb21bbc8565b4f361e75faba300aac376b842cf

SHA512
e60d5ceb0b82dcb1f58969487a3075bed673881219c082ee78e6102c4cf17122e8537c8b6e58d2f9b8097b5a1902711b743e9e4cbc455dcf3dbb4bac796d8b28

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
18.3MB

MD5
0f840da5ccad4a9abab2249d34107d0a

SHA1
2f6e522d8317a7fa20f973c2e21e5e4cb445813b

SHA256
b6c49b0adc15c9c63a97d47801ba6434336781572dbd985c58cce9ab505b2715

SHA512
33453061fd3b1fa360b0413a3f6de82449bcfc3d2bbd50e6b8a358ccffef11a583060a3c604547e8426fa2ce14894cb7cd5674d98795078499cb565bb61dbde7

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Tor Browser.lnk

Filesize
829B

MD5
aa96f2923f698ef8ea1e80ec8c39a577

SHA1
42531db3e58c58f068cccacaf727dc8cfae80d93

SHA256
97991d5b18ca04fba3b62f348eb2b8a96437d5114b728c6689829e4da021103a

SHA512
bffd346773081efd38fd1616dfb0c4359619bafeeed989161b3899c513b42fe4f3cc1c633b97efc1c5785822c576d514a8dc61681cf6afc8f1b8270134eae643

Download Submit
C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.8afceeLQ.5.2.exe.part

Filesize
7KB

MD5
e08cee58d70afc00a449ad7bd83eb956

SHA1
03ea377ff7a90429809c0659e0fff816d439256e

SHA256
7642cd82cd2b34dd7c6f68871c5ee0aba52bb938e47a6cfff9a604d9bbc347f8

SHA512
78f22a292afe84f2093b734944e37638626fc44166c74bec6fb9650ecc23690224dc03043548dc18ef75e59f248832a664f063bf410debaf4b5dba9d7cb96728

Download Submit
\Users\Admin\AppData\Local\Temp\nswFB64.tmp\LangDLL.dll

Filesize
7KB

MD5
d02e216c527f97b5cd320770cbe03a0d

SHA1
76a0bea3650c393341e240231cf999d11a3d8eb8

SHA256
cda679d62e2852d900f412239e7c01a64a928db6c0cc03b8fa0c1eabdfe815c4

SHA512
39d99ea0045e332f197f0d6430a71adaeaccd1c8e1028ad997ffa5527e5a0fe5dbdda62e02329ae1824abad43eedd64dbfb05a1e8e19010745bfe8d53e83d990

Download Submit
\Users\Admin\AppData\Local\Temp\nswFB64.tmp\System.dll

Filesize
24KB

MD5
62a6f7756aabaeafe2eaa8a1b19eeb99

SHA1
24b7ec2cf0712f03911fad6b7ccf933e0879fe5b

SHA256
4c4d8324fc74a61ed5477b6602fecd1f404f524e6c17c6d7a0b682f8521a29d7

SHA512
7d30a35811f4dc5e3c4714224ac2b143d17f6a1de744db230b3a74409c6705233831e340b13d468c612b9e924cf69a62a15164e601e62609c98a46cf4ec0562f

Download Submit
\Users\Admin\AppData\Local\Temp\nswFB64.tmp\nsDialogs.dll

Filesize
13KB

MD5
6cac9c4cbadc065beeebe16e57279a9a

SHA1
26bcac80ab11c56d8d9de74a85ef2314044f96ca

SHA256
f33b3bfbb97fedfe2d77ebb894c7db5c32b8905bedab6c58248108021cf96bdb

SHA512
854b505ca4d17127fafabc8e4d903e097b6e77d4adcb2873185333a7fac68d6e903b2e8f3ce0df639ec3c44feb3666489405ee74d49f512700ab86cec4bc9e44

Download Submit
\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll

Filesize
690KB

MD5
4bff42570c44d1af9d31718d1165e9e9

SHA1
22bd9336f5a47fa322a108841a8f9ffcfd1a0788

SHA256
b81a3fc9c56686e138427cb297d22bab3b27a6697088f0762782f66c981eb798

SHA512
1cc932dcde4e37b149c6a0282c0d82bd696c7e9c041b57a6b518e059bd15deaca4daff45d1772ea99f81e89ae7648a95a5a7c3dcbe1eb22a19e5a85f347b62d5

Download Submit
\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
43KB

MD5
a500c0cd26048eaf8cc92ae8d6d7808c

SHA1
41d8b76e4dcaa288b55f4e67958297f06d8e3e19

SHA256
2b947a58c76d2e25420b0b77c23dcb3c97577468d453768738bc3a4837acbcb6

SHA512
146d65c4d94db2c941fdb9c0d9e0060cb05922287206dc89c66def220bcd009610bdb43e7696ff76621f807ecb45e58d89d304de1ab0c19aa826ee5d5876b7c1

Download Submit
\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
dc623edf731063dc825836006dcefdf9

SHA1
846ac453e16d69fa75cc260df67b31c1aafabdfb

SHA256
f36e7753915836440df27721789828217eecaa0f9d8d3eb0d14a05db28d55d77

SHA512
8f0c6c038e0603ab7db63a3e1a8f0c62d291b70398e1559f85d5418ec2def039877067c63a10787faa8f680624403edc5515dd9b87eb2d9258888fc77d6ded6f

Download Submit
\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.5MB

MD5
b44887d937a99c7f61e3dabfd3655772

SHA1
7ad09d9029b6c50dcd5d6ee4901e7aaf2b7fe396

SHA256
e011f0ebcd5cffbc9040a17896d02f41a0f56d2f3b6a51ec50a48d97393f88e8

SHA512
e23fd3c56fb2544535e28e50d23cf95224e35f5e632be7265de4a3a232eae53d79ecc628c2d73fd028f5fff8d140b37fd87a017b3047a5443d5974cd02af5199

Download Submit
\Users\Admin\Desktop\Tor Browser\Browser\nssckbi.dll

Filesize
472KB

MD5
b645b4ffc1cd57216f997c6009bd2682

SHA1
8363aa4d4eec139cf447ffe63ea5f09a5656a577

SHA256
50ba3748e14401e25c5306256fda4df94dd87cabc2b4719708595c7eb49c54ea

SHA512
25a117f181e6bb18652c8e13fdd48ba086df450d40227853f2c14ba77febbcb8cddd119eed0ba598e848f7409ff21fc24629d2e2a2646fe18379b79988bae4ed

Download Submit
\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll

Filesize
288KB

MD5
ad248c672a16769f43536ac65a93626b

SHA1
b6c148374c230af9f4938427d82d9b9a734106bc

SHA256
a66fa6697d038de866dad879e91d66fa3307b1b7d1faf46df7af8b13b8e10271

SHA512
18df48ca3760a322b3acdc242c236c86f007b85d575e4e2ce842acd9ef2c46ee4de564f7c3ef714f8f5a96e64da4e7a2b8b5d8941e1435a7446fcb3b36ac0f92

Download Submit
memory/164-416-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/164-0-0x00000000006E0000-0x0000000000711000-memory.dmp

Filesize
196KB

Download
memory/164-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/164-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/164-390-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/164-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/164-3-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/164-2-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/164-1-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1004-3235-0x0000023DFBB10000-0x0000023DFBB20000-memory.dmp

Filesize
64KB

Download
memory/1004-3334-0x0000023DF09E0000-0x0000023DF0B50000-memory.dmp

Filesize
1.4MB

Download
memory/1004-3156-0x0000023DF77E0000-0x0000023DF77F0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads