Analysis
max time kernel: 730s
max time network: 1822s
platform: windows10-1703_x64
resource: win10-20240221-en
resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15/03/2024, 15:08
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/knl0SZjb#rNGJxxlpLfD8fEcm1-Q-j1LLwutjtwz5GhOcuDMcmRE
Resource: win10-20240221-en
General
Target: https://mega.nz/file/knl0SZjb#rNGJxxlpLfD8fEcm1-Q-j1LLwutjtwz5GhOcuDMcmRE
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware 2 IoCs
resource behavioral1/files/0x000900000001ac3e-377.dat (yara_rule family_chaos)
resource behavioral1/memory/3812-379-0x0000000000180000-0x00000000003CE000-memory.dmp (yara_rule family_chaos)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid 5024 bcdedit.exe
pid 4288 bcdedit.exe
Deletes backup catalog
pid 3788 wbadmin.exe
Drops startup file 3 IoCs
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (svchost.exe)
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt (svchost.exe)
Executes dropped EXE 2 IoCs
pid 3812 RB.exe
pid 1184 svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) 35 IoCs
File opened for modification C:\Users\Admin\Favorites\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Desktop\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Music\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini (svchost.exe)
File opened for modification C:\Users\Public\Documents\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Pictures\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini (svchost.exe)
File opened for modification C:\Users\Public\Videos\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini (svchost.exe)
File opened for modification C:\Users\Public\Music\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Saved Games\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini (svchost.exe)
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-885525822-3215264538-2232956653-1000\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Videos\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Documents\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Downloads\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\OneDrive\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Searches\desktop.ini (svchost.exe)
File opened for modification C:\Users\Public\Pictures\desktop.ini (svchost.exe)
File opened for modification C:\Users\Public\Desktop\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Contacts\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\Links\desktop.ini (svchost.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini (svchost.exe)
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) \??\G: (wmplayer.exe)
File opened (read-only) \??\T: (wmplayer.exe)
File opened (read-only) \??\B: (unregmp2.exe)
File opened (read-only) \??\G: (unregmp2.exe)
File opened (read-only) \??\V: (unregmp2.exe)
File opened (read-only) \??\X: (unregmp2.exe)
File opened (read-only) \??\A: (wmplayer.exe)
File opened (read-only) \??\R: (wmplayer.exe)
File opened (read-only) \??\A: (unregmp2.exe)
File opened (read-only) \??\M: (unregmp2.exe)
File opened (read-only) \??\W: (unregmp2.exe)
File opened (read-only) \??\P: (wmplayer.exe)
File opened (read-only) \??\Q: (wmplayer.exe)
File opened (read-only) \??\H: (unregmp2.exe)
File opened (read-only) \??\P: (unregmp2.exe)
File opened (read-only) \??\Q: (unregmp2.exe)
File opened (read-only) \??\S: (unregmp2.exe)
File opened (read-only) \??\H: (wmplayer.exe)
File opened (read-only) \??\I: (wmplayer.exe)
File opened (read-only) \??\L: (wmplayer.exe)
File opened (read-only) \??\M: (wmplayer.exe)
File opened (read-only) \??\E: (unregmp2.exe)
File opened (read-only) \??\O: (unregmp2.exe)
File opened (read-only) \??\T: (unregmp2.exe)
File opened (read-only) \??\U: (unregmp2.exe)
File opened (read-only) \??\Y: (unregmp2.exe)
File opened (read-only) \??\N: (wmplayer.exe)
File opened (read-only) \??\I: (unregmp2.exe)
File opened (read-only) \??\R: (unregmp2.exe)
File opened (read-only) \??\Z: (unregmp2.exe)
File opened (read-only) \??\V: (wmplayer.exe)
File opened (read-only) \??\E: (wmplayer.exe)
File opened (read-only) \??\K: (wmplayer.exe)
File opened (read-only) \??\U: (wmplayer.exe)
File opened (read-only) \??\Z: (wmplayer.exe)
File opened (read-only) \??\J: (unregmp2.exe)
File opened (read-only) \??\L: (unregmp2.exe)
File opened (read-only) \??\N: (unregmp2.exe)
File opened (read-only) \??\J: (wmplayer.exe)
File opened (read-only) \??\O: (wmplayer.exe)
File opened (read-only) \??\Y: (wmplayer.exe)
File opened (read-only) \??\K: (unregmp2.exe)
File opened (read-only) \??\B: (wmplayer.exe)
File opened (read-only) \??\S: (wmplayer.exe)
File opened (read-only) \??\W: (wmplayer.exe)
File opened (read-only) \??\X: (wmplayer.exe)
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2yd2t6oka.jpg" (svchost.exe)
Drops file in Windows directory 4 IoCs
File created C:\Windows\rescache\_merged\4183903823\810424605.pri (taskmgr.exe)
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri (taskmgr.exe)
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll (svchost.exe)
File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll (svchost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (firefox.exe)
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (firefox.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (firefox.exe)
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 4660 vssadmin.exe
Modifies registry class 3 IoCs
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings (firefox.exe)
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings (svchost.exe)
Key created \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings (OpenWith.exe)
NTFS ADS 1 IoCs
File created C:\Users\Admin\Downloads\صنع_فيروس_الفدية.zip:Zone.Identifier (firefox.exe)
Opens file in notepad (likely ransom note) 1 IoCs
pid 200 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid 1184 svchost.exe
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid Process 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 3812 RB.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe 1184 svchost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid 3188 OpenWith.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token: SeDebugPrivilege 5104 firefox.exe
Token: SeDebugPrivilege 5104 firefox.exe
Token: 33 2096 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2096 AUDIODG.EXE
Token: SeDebugPrivilege 5104 firefox.exe
Token: SeDebugPrivilege 1948 taskmgr.exe
Token: SeSystemProfilePrivilege 1948 taskmgr.exe
Token: SeCreateGlobalPrivilege 1948 taskmgr.exe
Token: 33 1948 taskmgr.exe
Token: SeIncBasePriorityPrivilege 1948 taskmgr.exe
Token: SeRestorePrivilege 2840 7zG.exe
Token: 35 2840 7zG.exe
Token: SeSecurityPrivilege 2840 7zG.exe
Token: SeSecurityPrivilege 2840 7zG.exe
Token: SeRestorePrivilege 4052 7zG.exe
Token: 35 4052 7zG.exe
Token: SeSecurityPrivilege 4052 7zG.exe
Token: SeSecurityPrivilege 4052 7zG.exe
Token: SeDebugPrivilege 3812 RB.exe
Token: SeDebugPrivilege 1184 svchost.exe
Token: SeBackupPrivilege 4076 vssvc.exe
Token: SeRestorePrivilege 4076 vssvc.exe
Token: SeAuditPrivilege 4076 vssvc.exe
Token: SeIncreaseQuotaPrivilege 4084 WMIC.exe
Token: SeSecurityPrivilege 4084 WMIC.exe
Token: SeTakeOwnershipPrivilege 4084 WMIC.exe
Token: SeLoadDriverPrivilege 4084 WMIC.exe
Token: SeSystemProfilePrivilege 4084 WMIC.exe
Token: SeSystemtimePrivilege 4084 WMIC.exe
Token: SeProfSingleProcessPrivilege 4084 WMIC.exe
Token: SeIncBasePriorityPrivilege 4084 WMIC.exe
Token: SeCreatePagefilePrivilege 4084 WMIC.exe
Token: SeBackupPrivilege 4084 WMIC.exe
Token: SeRestorePrivilege 4084 WMIC.exe
Token: SeShutdownPrivilege 4084 WMIC.exe
Token: SeDebugPrivilege 4084 WMIC.exe
Token: SeSystemEnvironmentPrivilege 4084 WMIC.exe
Token: SeRemoteShutdownPrivilege 4084 WMIC.exe
Token: SeUndockPrivilege 4084 WMIC.exe
Token: SeManageVolumePrivilege 4084 WMIC.exe
Token: 33 4084 WMIC.exe
Token: 34 4084 WMIC.exe
Token: 35 4084 WMIC.exe
Token: 36 4084 WMIC.exe
Token: SeIncreaseQuotaPrivilege 4084 WMIC.exe
Token: SeSecurityPrivilege 4084 WMIC.exe
Token: SeTakeOwnershipPrivilege 4084 WMIC.exe
Token: SeLoadDriverPrivilege 4084 WMIC.exe
Token: SeSystemProfilePrivilege 4084 WMIC.exe
Token: SeSystemtimePrivilege 4084 WMIC.exe
Token: SeProfSingleProcessPrivilege 4084 WMIC.exe
Token: SeIncBasePriorityPrivilege 4084 WMIC.exe
Token: SeCreatePagefilePrivilege 4084 WMIC.exe
Token: SeBackupPrivilege 4084 WMIC.exe
Token: SeRestorePrivilege 4084 WMIC.exe
Token: SeShutdownPrivilege 4084 WMIC.exe
Token: SeDebugPrivilege 4084 WMIC.exe
Token: SeSystemEnvironmentPrivilege 4084 WMIC.exe
Token: SeRemoteShutdownPrivilege 4084 WMIC.exe
Token: SeUndockPrivilege 4084 WMIC.exe
Token: SeManageVolumePrivilege 4084 WMIC.exe
Token: 33 4084 WMIC.exe
Token: 34 4084 WMIC.exe
Token: 35 4084 WMIC.exe
Suspicious use of FindShellTrayWindow 59 IoCs
pid Process 5104 firefox.exe 5104 firefox.exe 5104 firefox.exe 5104 firefox.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 2840 7zG.exe 4052 7zG.exe 2416 wmplayer.exe -
Suspicious use of SendNotifyMessage 54 IoCs
pid Process 5104 firefox.exe 5104 firefox.exe 5104 firefox.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe 1948 taskmgr.exe -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 5104 firefox.exe 5104 firefox.exe 5104 firefox.exe 5104 firefox.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe 3188 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 4640 wrote to memory of 5104 (4640 firefox.exe, procid_target 72)
PID 5104 wrote to memory of 932 (5104 firefox.exe, procid_target 73)
PID 5104 wrote to memory of 932 (5104 firefox.exe, procid_target 73)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 772 (5104 firefox.exe, procid_target 74)
PID 5104 wrote to memory of 1196 (5104 firefox.exe, procid_target 75)
PID 5104 wrote to memory of 1196 (5104 firefox.exe, procid_target 75)
PID 5104 wrote to memory of 1196 (5104 firefox.exe, procid_target 75)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Program Files\Mozilla Firefox\firefox.exe (PID 4640)
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/knl0SZjb#rNGJxxlpLfD8fEcm1-Q-j1LLwutjtwz5GhOcuDMcmRE"
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Mozilla Firefox\firefox.exe (PID 5104)
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/knl0SZjb#rNGJxxlpLfD8fEcm1-Q-j1LLwutjtwz5GhOcuDMcmRE
      - Checks processor information in registry
      - Modifies registry class
      - NTFS ADS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 932)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.0.1068000357\372919772" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fad707a-9472-473e-a034-41a7a69ee929} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 1760 1d4643d9958 gpu
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 772)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.1.263929173\1563484214" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cec049df-f725-423e-afc6-5a64b791841a} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 2124 1d452070558 socket
          - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1196)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.2.793642368\922377185" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2904 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a4bb190-940f-44a1-81dc-ae847d174b3b} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 2712 1d4682cd858 tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 1488)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.3.976098127\1429967361" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87674edf-730c-4f69-b3e7-1b7fa24ae9fc} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 3508 1d4694fc058 tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4616)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.4.1905671168\238874314" -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 4692 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bc36004-e70e-4100-8427-e5b7272fb5e3} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 4704 1d46aab9b58 tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 4880)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.5.114277570\709340955" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86a08dbf-2d3d-4583-a71e-c249110514ae} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 4924 1d46aaba458 tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 428)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.6.31998301\1266471970" -childID 5 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7054c69e-2eaf-4b23-bccd-0fbd5fec492d} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 5032 1d46aaba758 tab
        C:\Program Files\Mozilla Firefox\firefox.exe (PID 64)
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.7.628604165\574470960" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5616 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c44ceb-8fbb-4cc5-9bea-9643752dbbfd} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 4844 1d46a77c258 tab
C:\Windows\system32\AUDIODG.EXE (PID 2096)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x3f4
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskmgr.exe (PID 1948)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Program Files\7-Zip\7zG.exe (PID 2840)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\صنع_فيروس_الفدية\" -spe -an -ai#7zMap5471:94:7zEvent16357
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Program Files\7-Zip\7zG.exe (PID 4052)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\صنع_فيروس_الفدية\" -spe -an -ai#7zMap15092:90:7zEvent25298
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\System32\rundll32.exe (PID 4232)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\صنع_فيروس_الفدية\RB.exe (PID 3812)
  Command line: "C:\Users\Admin\Desktop\صنع_فيروس_الفدية\RB.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\svchost.exe (PID 1184)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Modifies registry class
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe (PID 4960)
          Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            C:\Windows\system32\vssadmin.exe (PID 4660)
              Command line: vssadmin delete shadows /all /quiet
              - Interacts with shadow copies
            C:\Windows\System32\Wbem\WMIC.exe (PID 4084)
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe (PID 4460)
          Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            C:\Windows\system32\bcdedit.exe (PID 5024)
              Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
              - Modifies boot configuration data using bcdedit
            C:\Windows\system32\bcdedit.exe (PID 4288)
              Command line: bcdedit /set {default} recoveryenabled no
              - Modifies boot configuration data using bcdedit
        C:\Windows\System32\cmd.exe (PID 4292)
          Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            C:\Windows\system32\wbadmin.exe (PID 3788)
              Command line: wbadmin delete catalog -quiet
              - Deletes backup catalog
        C:\Windows\system32\NOTEPAD.EXE (PID 200)
          Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
          - Opens file in notepad (likely ransom note)
C:\Windows\system32\vssvc.exe (PID 4076)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbengine.exe (PID 3912)
  Command line: "C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe (PID 216)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe (PID 4648)
  Command line: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
C:\Windows\system32\OpenWith.exe (PID 3188)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 4372)
  Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
    C:\Program Files (x86)\Windows Media Player\setup_wm.exe (PID 308)
      Command line: "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
        C:\Program Files (x86)\Windows Media Player\wmplayer.exe (PID 2416)
          Command line: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\CheckpointOptimize.wm
          - Enumerates connected drives
          - Suspicious use of FindShellTrayWindow
    C:\Windows\SysWOW64\unregmp2.exe (PID 5048)
      Command line: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        C:\Windows\System32\unregmp2.exe (PID 4796)
          Command line: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
          - Enumerates connected drives
\??\c:\windows\system32\svchost.exe (PID 284)
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
  - Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Downloads
SHA256079f13726601b1440228182900999c005e86e50d772a80d622a76be73c89fd30
SHA51241efece8c4a5810971588314977cea031d9edba348a2586831f63658cec7d5fc2bfb974b31718c0e0a320961c0988697388397aed39f4ada1a5e18ccc90f51a3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin
Filesize12KB
MD502442bef6c12ef01c2743d7cec17c91a
SHA187093e38f570d8e61e12023d23b4bea3e85802be
SHA2569fe3474815439eac6fa93006ba4015ca91a63135d79475d0a82ed526e14fe9df
SHA512f56281bf7be05d79107e340288782efe0ec55f3e2e11f95b777ffbcf45709a900913566a9ab4e34ca7370e7c77511ed3285c6add65f1def72dd7a4d1beddaa26
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\1c6e507f-6ae2-41c4-9e08-79274220c1a9
Filesize10KB
MD56dddd9f479cba6b716b3ddc222f7b3e6
SHA1340c3cef4815e3c8aef3c8e4ca70e322aefcec6f
SHA2568c9a2098aa5c2f2c4a7e26c3805533d0a7a7c7bed2e16fdbf149cdab5d26697b
SHA512ede89fb09b9c57f85ad333d892983e90fa061726188dd9729c10830a0727a226f18d73f09e8da760593314ca6cb30bd9c8939238279b8c185d8616d758461b0f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\b79009d0-c530-4e2a-9b55-143a5ed34175
Filesize746B
MD5a28921254a52fb072f6c6648a164d7f3
SHA1312d3e4fb8ff1b91cb7c975967430dc2765a3cfd
SHA2562eee9dcc4dea7fbaeaa40c864431b052b72d71829750abacddea11448d93a3d1
SHA5128bb5ba43ae5acce841fab7f2c109907add7b1e4890c8ddf01b5aa9c6594d937febec0426c334ba493dc082a44241598927b84e41a8f704d6918f1bf0765de026
-
Filesize
6KB
MD5d9b6a0b1770ec161c561b47fed675f80
SHA12f09a08377f091a8e8395194b39e92b3c042531a
SHA256e93c84a654eb6bed66dd37120c757309674f0c0ea585bd06e3791de50fefb55b
SHA5128e63566602df47061332eac86cc587f4685bf0a531ab3911747f8d3db27dcc7d37c06561958d52ed0bd7831c8e09c156a34074e818eb2bb50b79d7f8633bf921
-
Filesize
6KB
MD5ccdd674a571b2c70118f53ef529fdf75
SHA12bfd21323fef4f8fb3f98096049bc41aadbc7125
SHA2564b8e053d7b4e008db5666e11e4dab6f19fea7bb6a2037a658d09ae57116ba015
SHA512247cfc088a1634cb9b84ed960a51bce3ebe7c42ca230acd6a7de7984c9a4d26d4d2c1534c6900e67f2cdf8fbe110c6f0598267908c98f2c4f9676917a0582681
-
Filesize
153B
MD5b2e94d93f2107dcf323bae4d7a0cc1ab
SHA1cd1bce65240669a4cbcc85fcde01db903c49b6c7
SHA2566200a140035803de4e31e56e8adfab50659899ea087294b24c0fee7919febd85
SHA5128128c4f0ee1f5f0b834d8ac5db8713b9c7815b57d15a489b18b1763c7f6f29ab1e4a3f697d92cdec216a2bfbf4b8834e9eb794f27fcfce9ae5010a1b915f0893
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionCheckpoints.json
Filesize288B
MD56b77a9f779399e95d1cee931a2c8f8ff
SHA1826efd4feb0d50fcce5696111af7c811b81adcd9
SHA2563a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3
SHA512ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4
Filesize5KB
MD5aa26f9dba313a8dba666ed5e75c08575
SHA177cb10ac99e8fe1f8168ed6da72bebf13647ac32
SHA256125a5ec280df8299e5fc61cbd2905a67d11a38e661fc9a3a82fb7e6f59f45a9d
SHA51297c2778b574abfd86ed801f1b1d65f552ce67c81ed6d820aed07710b605a83d21810de9ddd525fde3d6f9b798820c9548c9bdc39ac427c13fccfa27f06c919df
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore.jsonlz4
Filesize5KB
MD5b8427963ce75cfc0a6f7e775f741f0d3
SHA1c683a1baa19d423b31426945d7561fcae5c532bf
SHA256b33191ea290b8524f4f6f0280f99bd346e928286148be6914727c4710516f319
SHA512fa98f5dd8cb53cb3ca2cd84781d71e73a063d663f9e0df9afb450f7c01c58aedc92537a9bf08f2147e4566dd70f4df7ddca682adbdc363dbdd3aaceb78070e90
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\default\https+++mega.nz\cache\morgue\174\{831e66af-a3a3-4165-9c99-becf967bbfae}.final
Filesize1KB
MD53efa9abd92666265dd81c4f4311a96f9
SHA141b6b716d67b93555e444cd453f3c6e3f8c9522c
SHA2565066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7
SHA5125961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite
Filesize48KB
MD5f5c2903bc8a30fec85bfb7816f532b76
SHA16049ae3d501b9a004084667d8a43451c00fcb38f
SHA256c407c6a129eb61f2ca15ddef81d28d5741156bd05bd9560ab9ec9fe5fb91bf1d
SHA512de8abfc80056f685232988b2324fdd0c9168e5d5896bf65e65cdfdc17ae9a00180ab29d933a1bf62549073335b0040459faa4905d7899f2d828e7027d00d02a9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\targeting.snapshot.json
Filesize3KB
MD5986f7085325f792b2543b6d822ef3001
SHA15d289f48d355a28db992a4fb8cedada2f81e42af
SHA256a0fb20869e898b44eba18c8e3b039f3cdab87170c0017e874ecad7d65c086669
SHA512fff605abef3bbabfa13b139adfb1515f1acb37064aac4e3b981a4b716f70ecc08e078b9f9be09541d95ab6d8383fba69d7eee8caa319d3a0b42fe5fc6fca8e26
-
Filesize
120B
MD505e1ddb4298be4c948c3ae839859c3e9
SHA1ea9195602eeed8d06644026809e07b3ad29335e5
SHA2561c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be
SHA5123177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e
-
Filesize
332B
MD59535830528649ad9f1496d286c657dc8
SHA1e088dd5e57efb31c9140cb6f82e93ebfe5615e7c
SHA256c1f6cdee53a3659b2686c039222c1d74b62a4b7aaf39a6f6a5b1b79eedc5742c
SHA512ccc387007e4cee4d7fec624c82c231c4d189376500be6c354531bf4ba08d0b38b9794707ca61251e007a5d5615b3e1382aa1475a5d990472492d03b699f2d46e
-
Filesize
82KB
MD55436e23cbfbef492510cedca9feb5d39
SHA12b9adad0a62292e00428b60601653e3360217a7c
SHA256bcbf8a93e65930c2e70e3d532570898f5431bd19f0cd49cec624a34f87b58d92
SHA512ad88f324cb67b15e45b384aa57b95508a86e6689723248a79eecf1855f34b4cf07cf01860f4276cb82338b9b41c28f86f16f367a33335f68492206ea4e959e49
-
Filesize
2.3MB
MD5501f2e157acf6ad3d59ad82b79223a42
SHA1a004d2265926c8fbb65c23ae3d865de135da9b4c
SHA256388f913982ddfbb3b0c578c0c176c2b25c99fea76f316085d5d2d679e754fcb2
SHA5129916af1275fb40abe29c80682b8d6d88d4da24c2891936ea0fd07d491fa55e57dc5ee7e327ab2077fe489fa5bace3651fd74161466efbc7e1aa02974126541c0
-
Filesize
6KB
MD57c78ecf2e2405beb63370e623a2e4cd8
SHA125169fd8cb6d425168011225528be6924b62234d
SHA2563b39ebed386a62b4aa4aab5b989aaf175429e83955ea84ac2bf8a72df662e76e
SHA512622d35627d4cecc2636768adbb0228fde83b7a8f15aa875aed3f2b12ffa8d65df80047ac806a8724e1293106a81821f85cfc80544343f289f6180b3e62bcac45
-
Filesize
2.3MB
MD5d90def1e63de81f1dadd1c3071be87a2
SHA183b2dac5d38b0de01682ac4405041c2cf44b3cc7
SHA25607c9e64bdf03fbd6487b0b8a3648b177ad603523d7db8297feea1bb5041c9bd6
SHA5128e8c7c9a892ac5682f9d8bc1e5b8a7bfa77150b87864cb16a80a523adb72f465f50a04844f8390238491688933643a105636f3ce48841614587b05617f69db9f
-
Filesize
10.4MB
MD598233f007b65c14ed68014fdd5575f76
SHA1f40c76dcf6dde9667d81c1c6eac4084debe92c54
SHA25640b5a24c5a2dd104cdd3eecfd7ee8b2fd4ef6a2a69fd99ce208be5cfa4ba1499
SHA5127628fcc3913a5923dc670d028f0b5638780093bb09c4c0ec96559903ff4fc3b6cf4b6259b8bf21a98ce5ae40b47343f1820f394303d4e793d8bfa9566b168ab2
-
Filesize
4.5MB
MD5436d850d8e07cbf4e69ce2266361ab59
SHA121ca581f204b2e72c0c45fbd3e27a41c85d8e44f
SHA25689a3e847399bc838b07e2c3615f25550fa53b2a3ee48ad31e934bfa3ebcc6346
SHA512b96e7716533d27fbffc0e6700187c2e2d18f402bb6396188bbe80aa5072a060089e5e6f3df12812d7bec5d3dd3f3b3ce55f058fb6822f46f8f9c463ed70a8a14
-
Filesize
110KB
MD56d35f3f3b0ea356407637370ef3d7455
SHA114b2a9612a353592a9a88d4428262076c2ee25ae
SHA25604aa9add152769073f3f639e5cf305177b5f7cde3ac11962aae63312a8473c3f
SHA512538e82117cb818e5ad1785e05a115b610e3914d5809b1f9e8443d9fa7c3a1ec8fb291617ae8baeaed94bd042b90379de2309ca948dd582ccf83472245db1af9f
-
Filesize
3.3MB
MD5d86f0a91bbe5b77da2469f2c10d76b75
SHA14add66b4ba73dd333ebdc848d062a5706008ec90
SHA2560fa549a10b37d8a811861deb439ed7f7fc4c37fc7fc10eccc77a36e346374d81
SHA51269fd0547874ac1043548dfc3e1a9b04eacb996831a8408c85102763e521c33eebc66459865eb0db881140e3335d998157f814890e0c26677c8c7d151bfa3368b