cerber | d01912af7edc66bb1e9f135ae5e4804f8e4b09713239c07850c987d7a1362906

Analysis

max time kernel
225s
max time network
228s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
14-02-2025 22:00

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

spam.ps1
Size

751B
MD5

8b0e2d190f955bf1704000f1ff0e728c
SHA1

d22e5aeaedf9b18f237cf1ad475c522478aad47a
SHA256

d01912af7edc66bb1e9f135ae5e4804f8e4b09713239c07850c987d7a1362906
SHA512

a0802f01e3670b1b5003dc1dc2bde8059fff200cc1090919bf54dab2b6eebba4a717b68aee21f4b8d3034707333cd0a0a86d0ba01d477321954d253f26ca5e03

Score

10^/10

cerber defense_evasion discovery execution persistence privilege_escalation ransomware trojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___8KSUH4PG_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/A277-1178-4133-0098-BEFC Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/A277-1178-4133-0098-BEFC 2. http://xpcx6erilkjced3j.19kdeh.top/A277-1178-4133-0098-BEFC 3. http://xpcx6erilkjced3j.1mpsnr.top/A277-1178-4133-0098-BEFC 4. http://xpcx6erilkjced3j.18ey8e.top/A277-1178-4133-0098-BEFC 5. http://xpcx6erilkjced3j.17gcun.top/A277-1178-4133-0098-BEFC ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/A277-1178-4133-0098-BEFC

http://xpcx6erilkjced3j.1n5mod.top/A277-1178-4133-0098-BEFC

http://xpcx6erilkjced3j.19kdeh.top/A277-1178-4133-0098-BEFC

http://xpcx6erilkjced3j.1mpsnr.top/A277-1178-4133-0098-BEFC

http://xpcx6erilkjced3j.18ey8e.top/A277-1178-4133-0098-BEFC

http://xpcx6erilkjced3j.17gcun.top/A277-1178-4133-0098-BEFC

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Contacts a large (1124) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Downloads MZ/PE file 2 IoCs

flow	pid	Process
46	5692	Process not Found
46	5692	Process not Found

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3276	netsh.exe
5492	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	[email protected]

Executes dropped EXE 1 IoCs

pid	Process
3952	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\x:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
131	raw.githubusercontent.com
135	raw.githubusercontent.com
136	raw.githubusercontent.com
139	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	[email protected]

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp8CF4.bmp"	[email protected]

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\onenote	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\word	[email protected]
File opened for modification	\??\c:\program files (x86)\office	[email protected]
File opened for modification	\??\c:\program files (x86)\	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\office	[email protected]
File opened for modification	\??\c:\program files (x86)\steam	[email protected]
File opened for modification	\??\c:\program files (x86)\the bat!	[email protected]
File opened for modification	\??\c:\program files (x86)\thunderbird	[email protected]
File opened for modification	\??\c:\program files (x86)\word	[email protected]
File opened for modification	\??\c:\program files\	[email protected]
File opened for modification	\??\c:\program files (x86)\bitcoin	[email protected]
File opened for modification	\??\c:\program files (x86)\outlook	[email protected]
File opened for modification	\??\c:\program files (x86)\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	[email protected]

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	[email protected]

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
460	PING.EXE
1216	MicrosoftEdgeUpdate.exe
5068	cmd.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1336	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "8"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000_Classes\Local Settings	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-724944841-4155109997-405633879-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Cerber 5.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7ev3n.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\system.exe\:Zone.Identifier:$DATA	[email protected]

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6128	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
460	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3192	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2324	powershell.exe
2324	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeShutdownPrivilege	984	[email protected]
Token: SeCreatePagefilePrivilege	984	[email protected]
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	4168	firefox.exe
Token: SeShutdownPrivilege	5332	shutdown.exe
Token: SeRemoteShutdownPrivilege	5332	shutdown.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4168	firefox.exe
2484	MiniSearchHost.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
4168	firefox.exe
6112	PickerHost.exe
912	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 2196 wrote to memory of 4168	2196	firefox.exe	96
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 1120	4168	firefox.exe	97
PID 4168 wrote to memory of 652	4168	firefox.exe	98
PID 4168 wrote to memory of 652	4168	firefox.exe	98
PID 4168 wrote to memory of 652	4168	firefox.exe	98
PID 4168 wrote to memory of 652	4168	firefox.exe	98
PID 4168 wrote to memory of 652	4168	firefox.exe	98
PID 4168 wrote to memory of 652	4168	firefox.exe	98
PID 4168 wrote to memory of 652	4168	firefox.exe	98
PID 4168 wrote to memory of 652	4168	firefox.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\spam.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HideCompress.bat" "
1⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HideCompress.bat" "
1⤵
PID:1608

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTg1MEM1RDctNURFNy00M0QxLThENDAtNjRBMkUzNzc5RUFBfSIgdXNlcmlkPSJ7OEM4MTJCMDgtN0Y4Ri00NzkyLUJCNjctNEVBRjgwM0Y1MEI3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTcyRkE5MDUtOEIwNC00RTc3LTlENTEtOEFGQzg0QzEzRTdFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTE4NDU5MiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NTYwNDg1MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4NTI2NzExNzkiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1876 -prefsLen 27120 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eee42eb-a50a-4916-888f-6822a30e88f6} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" gpu
    3⤵
    PID:1120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 26998 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df3bae4d-19bc-4aa8-a87b-9c601840bda9} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" socket
    3⤵
    PID:652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 2944 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d191e68e-5d87-4ea9-9904-2b4f6fce4211} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:2108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 32372 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc7ae4f3-b573-4f92-b157-8854473c795c} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:1152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4640 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4768 -prefMapHandle 4764 -prefsLen 32372 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3575982e-c40d-40d2-a6bd-631afca95f93} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" utility
    3⤵
    - Checks processor information in registry
    PID:3816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5420 -childID 3 -isForBrowser -prefsHandle 5452 -prefMapHandle 5448 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e120a6bb-436c-4d3a-8399-5dca2ca0091d} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:5848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5380 -childID 4 -isForBrowser -prefsHandle 5556 -prefMapHandle 5560 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0bffa324-15df-41c7-9e2d-ff0a51079f84} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5712 -prefMapHandle 5280 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34d5e503-9c0d-48b4-a47a-c2076603e68e} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:5872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4508 -childID 6 -isForBrowser -prefsHandle 4500 -prefMapHandle 4224 -prefsLen 27257 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4adad3a5-b055-4855-bac4-a3dfd60b63c0} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:4668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6116 -childID 7 -isForBrowser -prefsHandle 5568 -prefMapHandle 5976 -prefsLen 27612 -prefMapSize 244628 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {edbb4465-0d69-4b8d-9b12-77ce789e6b01} 4168 "\\.\pipe\gecko-crash-server-pipe.4168" tab
    3⤵
    PID:2424

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3496

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:984
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3276
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:5492
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___9Y9AHI_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4776
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___Q4NDXMD_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:6128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5068
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "E"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:460

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8cbfd35900204d8eb0eae5b1390ade86 /t 1196 /p 4776
1⤵
PID:5432

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:3044
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4204
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3192
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Modifies WinLogon for persistence
      System Location Discovery: System Language Discovery
      PID:3204
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:5568
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4392
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:1336
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4744
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4220
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5680
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:5992
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3352
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3404
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1208
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5332

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39aa055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___7NUZD_.hta

Filesize
76KB

MD5
a67e7243dca219c2e8b811e948015bec

SHA1
da91a941ce762b69efcced1eacbeccebdef5d9a2

SHA256
2462ff17b11c462b2d1f421fb1fe95ef358e5f08c512200212018a9b6dab796b

SHA512
b72cbee26964217482b43e2175511c70f042a71b3ff35390c97fe4557d983f9877f87482e0a79db3d901c1a8a2669c03ca4a4543dd65d70ac2de93096f17eafa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___8KSUH4PG_.txt

Filesize
1KB

MD5
3d47e64d60e0a5216eecde2ca40369e5

SHA1
8c52fc009a23f13e478f0d97c500db418a62d6ee

SHA256
6fab2af5c23a43289cf8e161b11cfffc85e749845b31f9f9157b61dbac0f5659

SHA512
266fd47c9da8b6b94f640ff49c08d6d0996e87fc0b95161d24d2e8f135a616819e7f27112b1e173fc654d5702244cc2992dc0f420c10814bf86a05ba1780faa5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y39468od.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
e9c8e125ff5e869437c9ee9c31f7c6e8

SHA1
c6bc26a132930691090a7a71fd9c1ab33efe1ad3

SHA256
1932f105c499cf1b4f0ced55f2cb382302b7d881f4f52af1b4a906ba515d45cd

SHA512
8ca998dc9c0955654122d6338b20d1a62dfda137d3590fde6e66a5e4abd515691c85d7551a720fbb0a9cb62850708fad01e254bcb68901f946fa1638fcac90b3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y39468od.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
0dc8e6ccbf992b2fcfed8bb0da3c234b

SHA1
9391bcaac4d890f11d04488d2dd1fead875e081b

SHA256
381a27eb0b8b4beb940cccb27aee5912980a2be01e6e3015d73d75a50dbd5f71

SHA512
f498f04737cceb4fab861004179e4b688f9640d62fd5434a1091c03e99971b22702f95436e95146af826e4c8c51b473d13075341c890cce3c66e6dec990d0659

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
25KB

MD5
dd9932c6c6f9fb1ad1888f7da5b57a9a

SHA1
4fa25fb0c986475e89e73de8adc2ac0c70da771c

SHA256
0f0245cca278d5f78f877803d26684326de5cb53a403e7bb2211b161be9ed4bd

SHA512
337701cf572c333ff0190ec10c9b7ee4c94d00068466f8d85f540b1f670306762b5b4019462e3ed8943fcc8fbcf07f1bbb862a040b4e06b62f70ce8b017c8f70

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
25KB

MD5
6666d97517c44214f1ec69d5babf198d

SHA1
349e1ed74280b4cb2421bc333605fff00a948203

SHA256
8f81b5486a25dcba712802f8a278b3bfe1ef17c91ecc864ac2090d062fdb4858

SHA512
47266d99aacedf56eaf3db2c7da0c0fbbe21adb56ffe916c2930455c7838ae2b9f4ff4c8d585da9ea80b9e30a8e09796e93f459cc70050cbea4c3b52c6ae0edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fajh05j3.c5x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\del.bat

Filesize
65B

MD5
5be54536acf6854d3d0217fee5092ce3

SHA1
823d25753559795f3b5a53de6b019b8815abc834

SHA256
076a50ec803f409306be46309faf35ddca3f7a41f6a884a0e0ce55497c10cb62

SHA512
b92ff21c43b6fa1a9711e7422a328583bf304bf7e2020c466825ce9172e6a31c4b04ce4adaf14a0e72a3eab364493dbfccbfb64586deab687c900ebbe541c681

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
09462667691119ac2bb72353285245c6

SHA1
9f90aea7e218bd196e52f39ef4ac6773248cd845

SHA256
d100a1ffbb866ff15cd3120fa9a832bccf1cf3dbcf279e938349baffc57a9c3e

SHA512
65bca6082edc8ece149c95dd54b5d40e89a16f15f137a6e21a8725a757d4bea139975d928f1e6abad116192a75ee4ed55c163711354767f742dcb952ba7c6426

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\AlternateServices.bin

Filesize
8KB

MD5
500c3852ce5380eff548f7d8f210e525

SHA1
a11d9af7ff87fa69bc781d225991b655cef36b68

SHA256
b8168c05d642cf17158e7301a2db30a47cf4869d0871e9d2a2f200f69c515b71

SHA512
7f34ae42829ef3ab90a6252c1f1837dc216b0f44566ef75a44dbde01518c2f2f23a94b9617265a7285f55cc1364c456bbabf1e81437635a71f4f86671eb0feca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
92fdb97283dd1006b4d053d2d6f25ebf

SHA1
a29924a097bcd325d81dded9bebdd3b42fceb0a7

SHA256
94cb49880229b8c2d56fd10c722ffe6843ba54f51fc6053a49d67a6218ceecdb

SHA512
20f7a829b8b63f6fe13946c4fdde80c0c8b14bf81665e144903791653045410ebf63e748cb9b1c6eb8957286d1ff455b440514c2491e78ab1ea28d5355383780

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e16a726a2a03baa0cc92306dd4f181f8

SHA1
6dedec439dcb408e5d65f72da0628fefa25de81d

SHA256
22fe9157641e19ce6df0f438a51128bbce15aaa34c39929a089237c4cc5b21e2

SHA512
fa39f65ddfb470e7b0d920f719ca5e66dd65ee8ac22af047d4e2312e4b26385dee346bff9a5ecb3d0613e8dbd2f14a5a452d82b8879daaba6c5a7509cfe647af

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\db\data.safe.tmp

Filesize
43KB

MD5
73be64d9b10d9a0cd6451b3c328774a1

SHA1
4f4c0153b21841bb1a87e9bf04e200351e601bd1

SHA256
08bdbd7e20051eba14dca63680d93d4347c1576be2b560d04d54c114f1fe7018

SHA512
7f2ba23d72f142df2ccaad2edff82fe37b85d5387f82efac0eda409a55c6f8771ad9fc11fa03093bc7bdd4ae8354008690deba3fdba27f350e2aea617652c9eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
a84d3d0ee64a1854600d43c554d41f1b

SHA1
637eccab7778ea48f32f5d8758e0f6b7c8e61d53

SHA256
d9738bca53712fb9fd7c5887ab3367d68b5be67028811351d13fa50ca33dd4ea

SHA512
73c1956e6ed07ed61ac95b438893b7750c11570a5dbd933fac210d191a6894134c63ab09a0533c6eb4d01d668ac5ebcf24245f33e7ae96738d021797c99e24a6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
9f04b1bd33c868552b6c73c5a99a0b6e

SHA1
a5063ee26d61347efdc0418180eb417cf4962af3

SHA256
c6af63834f59aa2e8b44450e77457609cd99f88ac721ebd665f3f2dbf282ade4

SHA512
88bc74b912761afff835588d438298048f3611c0bb7fc49942f84f49a82cdf140b109307f2dd7aeae6a17ad86713f2f9a492242a798217922c6284554cca4758

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\pending_pings\10f9890f-b90b-4f7c-a664-56722180f3d9

Filesize
27KB

MD5
c31cf97993996f22b4e5a94e28ff1c8a

SHA1
96ca1855f41e860a554c76954414d71c9c2c25f9

SHA256
82b4cb3d83387d43ec7b4e03e2105370e1759877166c0ebf3267b8fa60813dba

SHA512
2427579dd40a9dca5b8c61ee15fe06b38cdecebdd202bc39691f215d39da29f6f9c2edcb8c23673ccc77b78792b651d5305eb138051cc88adae2ed4f3ca1dde5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\pending_pings\262808e5-3e0d-4a73-8f26-049f206c14d7

Filesize
982B

MD5
c67bb0139823c4e3c87ade6a522fae02

SHA1
ed0eae016702ed30036909279adccf58ee342808

SHA256
4f1be3020307890f4daf2c940e5f71dc0e7fea3ffbbc39f3bc2389f89a78bb5a

SHA512
5089e348a749482b14c0fd46f768b96385ce7b70df65dfba7ba3a3d3239555329e263ca10eebb3001697ddfe0b2e3f09cfc5f32284f54ac2435e40c2ea2a0dfa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\datareporting\glean\pending_pings\46325d4a-c04e-4d82-9469-7e48f59854f5

Filesize
671B

MD5
84052fbfbbafbf700d4788748e88c361

SHA1
037846125b8e7d0f6c5f4695b200d701abdf721c

SHA256
74300ed2f53aec83c6e7af3a8d5baa32adc4719da11d8aa8977f539c771e864e

SHA512
78dd5297744ed7de4851814a8867fc45340dc88adac17d5c9d72e84364336b57229dcb3b7046956a20b78587b3d579d833d3f5d7303065e5795fc2ac815b3337

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\prefs-1.js

Filesize
10KB

MD5
574514781b6b9b8d54c26c048d3a6bc0

SHA1
aca6f0b4afdbdfaf6461e232f5f2b384b83792b4

SHA256
158982939be15a0d338c4fce7889884e831dbd87408b57c59c8d540dec7bc20a

SHA512
b5bc020db092e8a1e52fa1889f5713e2f01c8324bb8eef33c0dbe96abb4d0a6114a875e3237a712ed0bb6fd31714c5b9a5bf46f87aad258db45a1a4e5d6dc056

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\prefs-1.js

Filesize
9KB

MD5
04d11c1c3ec02ae886b7dd23011dfbbd

SHA1
21c476a7ecf58b782d4cd6feb1ce15af802f4f25

SHA256
263ebd947472290c88ecb624ad8e5f199d4a16b9aacdd32373aa9d54750f4cf1

SHA512
34d3f55fedf9ac40fd517b378a981ea49edfd2dd2fe68c2dd566fbbb9fc4fd90cabf70d85fc94525013ab57e16b04c8e1ae2d48ef68146b4f4ca7068fb8fcc66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\prefs-1.js

Filesize
11KB

MD5
27e8cf6d7476f9c415ed82d8dfe11779

SHA1
3291e65bc3dc88e22b4523c294704bcc562f194b

SHA256
b2601f63561be2c8b63a96f127ee5e10aaec1a797197aae0addc2c8cc44d5b1f

SHA512
d295a967fe367fe2ead19f8272057f16a35b83956e22c7986693ae37c56dd2f6fa9004374695166fee602659beff0fe2c4d5c08a4105ba9794ad5908017670f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\prefs.js

Filesize
9KB

MD5
f43c7dd235410785e3a49dd4a12f4936

SHA1
58b07883f95eabaff6d6ecd7e5b36e1d97807610

SHA256
2b57bd5aeb2984a75e4d9692322d2837160880e4acd2cae6c8236e4974653b22

SHA512
21f35aefd1321fe8088875a9adfde134a97cfb7b2bc803597ae4501d7f495f0d4e23ffae86e8e57a9218e20b2f5b27625ecda189c4f7cecb1b5863d0f4275220

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\prefs.js

Filesize
9KB

MD5
1e8dc4601bb1fbada7ae72ad1663b460

SHA1
6e9f01264e867347ee469570194bc07fee42ad79

SHA256
343ea5f43335b2700add018dfecb851e8dc8a11c3033a3683fbff3206493643b

SHA512
d92ff38fda832af1de6fe9cd446c5761d8878fee1df4008fcde60379cab1c21b32d66ccac84829e949d719678ea8ef1e8b3cca0eb5ad356ce59c4d5c7430430e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\prefs.js

Filesize
11KB

MD5
c9284554d2557dacbeb97a4ae816cd05

SHA1
7dec2e37a1a0cf02d1590ee161257e41ad7363ec

SHA256
9a820d8927f3a2dbab2070785f982d8cc71ea6bdc5fc41c2d992e0ae93eee350

SHA512
0764de43f15e890d248e8e9e6eb7d6d7f5c51dd4f698635fee10753393eb6701e7d3c91c927751418f02b9c3d3ddbdc1a6c2e5498368828d9aafee49102ad0d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
a65c16951a7b35d94d51cf291029e685

SHA1
89eba3f9bb559c8ececf1faa51aecf9a00f3141e

SHA256
7735a6cf092e7d42a7db67f0aae8e2a5f65bd7b678b59a92f07836ec417af200

SHA512
e6d2535e7525173134378dc17afdc4915e73657089f6bf4073a363e9d30c6e66ba7f2b0fcba136b9b6a8bdc4cf73521a155d1851781cbb6bd669daf07b3c6633

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
55d102a5acde466d3559567cbe0ae427

SHA1
2bcb7d0161800273776e8fbfd3065fa9942dcad3

SHA256
41d410aa6a2f07e52b9986e1dd7efdf7ed586741b39c272a19be3340b8f2b59c

SHA512
8e7baa7b4619b842bb8b3c659dc1970e5d101410751e43a0f941505bea767003acca6e6d9f882b648f8ddb94d6407e099263e99b218d60f7139827ed2c205dc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
19KB

MD5
d143774b4786d5a2a9b69295b39c5f8d

SHA1
4fe61e3bca5a9383e70ddd45d25377babe3e31cc

SHA256
97aea7d6e694a19981a7f9369d7e112977fa0a0be7e2a17eec5e4f4bbb03210d

SHA512
c92e786ae26a1c984ef7646c7679edcfd686a9fcf9338551deb8809878f25dcf2424f3d9e13b715351f414f502028c71f7fc9681e39cd0519c01d6df70cb9bb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
c3c52913b856779bfbdf427f96271f26

SHA1
70e9341f8a6b34104aaf744fb0c71a71f396ade8

SHA256
45dac07e142fdbb6305adcf0004e81cf2c6e61454e4a5f617d7e4bb02c25ff82

SHA512
aa27bcf1719dbe3c1793ba3b1f7edb9ac4cfe2c6e29809cf22eb311b8cfc9f1b2311fe1722f8698fa20d2e3fd940903bd7d738adc0fd45c02b89f96dc705dc63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
579e17dedc3a2d59b74faecab2e77653

SHA1
e07cde33fec50d7c925a215bf046a3a25918a1eb

SHA256
0a310d4a7023311938bea783fa1a3f29546a0edeec67e32630c1e5c8524289a2

SHA512
1d7b9be248efcec9139def38eadd26ebfb183d35ba374391a41a6f559a960d2e56ce25bb5e4c974d8fd5ecdf72ab3cde4a5957429da197435c8cd9ba66d6445c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
ab9b5ab77c3a0c42c4d74a3bb4c15ac3

SHA1
7d2b22654fbfc0066f75732bb06804a8e8d9549e

SHA256
572f4cfaa50953635fe85a19166c1f84a2c3a23afabb05efa254e30036d7c82a

SHA512
96d126896dd61281949cc99f15c60b155ede386d49e8c98c3eaddfc5330fa9084d71f21170b8b51a9e54d759a0b578a026f437eafa09ff72222a291898abdea8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
19KB

MD5
8d448e8a825318904c0b16a439c5a7d9

SHA1
043bab48793b468bde8a7146c9663713454fee22

SHA256
ca33a74147d4faeb4ec2fd96942b6724cf106595967a4c22b35b17252ec8d87e

SHA512
07903da28c31bec31174c6c4578407020ecd189f8c8c4d9240a93a2016196c77157185cca3b8ff1ae333f8f8ec706a656be34a4ea92ee36f57c2ec0acc20c22a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
19KB

MD5
d7241be7f8516cd4172573a3fd37f962

SHA1
e63a2a2e8b53b4f9c2081646e527e56d586e068d

SHA256
95463fc514fa64ee2e53792c58344434eace7d0dd61ad68f35b89f7f76b49245

SHA512
d071f5a823bdd959718946d3735e2ef79eb9966ccee9f2d619366421dabf6f7e4efa9c7b4fd66c6d5aa4c43031cb2711496136d6239c76d622b3ebebc311269e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y39468od.default-release\sessionstore-backups\recovery.baklz4

Filesize
20KB

MD5
44dc19be70203f2115b582853178ded2

SHA1
ffe9a05b444541f20e288c536accdc26bd275843

SHA256
64b29f2d529c576f3e3b3020ee127de51246328b59a0912f933bed662d9212bd

SHA512
452c01a6f70d4ae6a9e2baeedb8f9d16c6f499cbdc7b09509a2da2611b1ec409a56b240a8d0282339e11fe6c1e86cb19ffb0074f8f5bec86346aca1f95a75b99

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\_R_E_A_D___T_H_I_S___OFG9ZXX_.txt

Filesize
1KB

MD5
7dff5ed9dd081a41e1c0777ab98516b5

SHA1
af766651b8c625e373dfb827fcaf2cd399e4bcd5

SHA256
7fedcc4ac7204d63a11676de515ca8366e487e40a915a89b3822ea7401bfbf9b

SHA512
f2fca98571597282b22c9494c0ed0d9215e687c14533f725adcb2c47aa6c9a99f7852e15c47d64d1e93893ceb6db67cdfa67b9fc67f99f6c01a5c3d64e915f05

Download Submit
C:\Users\Admin\Documents\OneNote Notebooks\_R_E_A_D___T_H_I_S___WSBP_.txt

Filesize
1KB

MD5
5bef903fb8ee4a8200d4a3f8ac123ada

SHA1
3a20636d965e002a6d943d14232ca4f3e07088dc

SHA256
8dfb66c1313fe073abb8580e5e4c59f8af8db3fa14730eeb56d7ae55e7b480e3

SHA512
dc87512529be46dce92cb59a99509a052c1749badc590e24264863cf8e5fb57e3a55c833be1ad455a778abbc48ae27525226b13c14e1444b99bcf1c3a7f737ca

Download Submit
C:\Users\Admin\Documents\_R_E_A_D___T_H_I_S___3E0VKXTW_.txt

Filesize
1KB

MD5
71b7431e0d8aa1c7f2a5fae92a1aa464

SHA1
0e3edd03e692ed38e402675625228e86bf650b21

SHA256
ca053be956166c15906fb36cdbf464b03b94c2ee1df9d8d5edf5f47393e0c046

SHA512
949383df4019f6604f4fbd1509dc608bffce56e4b777349c42399c5633b67bd2caf50472958cc9cddfcc0147ed553ccf1323d2bf6a19a2873b8d0a8bf94ad167

Download Submit
C:\Users\Admin\Downloads\7ev3n.FwMz7Te9.zip.part

Filesize
139KB

MD5
c6f3d62c4fb57212172d358231e027bc

SHA1
11276d7a49093a51f04667975e718bb15bc1289b

SHA256
ea60123ec363610c8cfcd0ad5f0ab2832934af69a3c715020a09e6d907691d4c

SHA512
0f58acac541e6dece45949f4bee300e5bbb15ff1e60defe6b854ff4fb57579b18718b313bce425999d3f24319cfb3034cd05ebff0ecbd4c55ce42c7f59169b44

Download Submit
C:\Users\Admin\Downloads\7ev3n.zip

Filesize
139KB

MD5
85a5c7b6d0e7b7451295278a9bb40eb0

SHA1
77a258417a7294cc354bc4d883f0537de8dea579

SHA256
be1fd9cb06b2083b60f4878a1c6de0ae41e22b25daa2478634f9d6d8df9f92ca

SHA512
3db3c96fbcacf33c75ba9dd3b2f8fb3218031d10da4acb844fe10a8115488fffbedff6c42dc15a643d07f5ce630d4c16babc0ade3bbd3d1ce94fb319e432df8c

Download Submit
C:\Users\Admin\Downloads\Cerber 5.32jP5TFX.zip.part

Filesize
181KB

MD5
10d74de972a374bb9b35944901556f5f

SHA1
593f11e2aa70a1508d5e58ea65bec0ae04b68d64

SHA256
ab9f6ac4a669e6cbd9cfb7f7a53f8d2393cd9753cc1b1f0953f8655d80a4a1df

SHA512
1755be2bd1e2c9894865492903f9bf03a460fb4c952f84b748268bf050c3ece4185b612c855804c7600549170742359f694750a46e5148e00b5604aca5020218

Download Submit
memory/984-891-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-1285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-877-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-1323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/984-1324-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2324-13-0x00007FFB33420000-0x00007FFB33EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2324-10-0x00007FFB33420000-0x00007FFB33EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2324-11-0x00007FFB33420000-0x00007FFB33EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2324-9-0x000002417E250000-0x000002417E272000-memory.dmp

Filesize
136KB

Download
memory/2324-12-0x00007FFB33420000-0x00007FFB33EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2324-16-0x00007FFB33420000-0x00007FFB33EE2000-memory.dmp

Filesize
10.8MB

Download
memory/2324-0-0x00007FFB33423000-0x00007FFB33425000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads