Analysis Overview
Threat Level: Known bad
The file https://mega.nz/file/knl0SZjb#rNGJxxlpLfD8fEcm1-Q-j1LLwutjtwz5GhOcuDMcmRE was found to be: Known bad.
Malicious Activity Summary
Chaos Ransomware
Chaos
Deletes shadow copies
Modifies boot configuration data using bcdedit
Deletes backup catalog
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Enumerates connected drives
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Interacts with shadow copies
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Opens file in notepad (likely ransom note)
NTFS ADS
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 15:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 15:08
Reported
2024-03-15 15:43
Platform
win10-20240221-en
Max time kernel
730s
Max time network
1822s
Command Line
Signatures
Chaos
Chaos Ransomware
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Deletes backup catalog
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_me.txt | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\صنع_فيروس_الفدية\RB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Reads user/profile data of web browsers
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-885525822-3215264538-2232956653-1000\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Enumerates connected drives
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2yd2t6oka.jpg" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | \??\c:\windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll | \??\c:\windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Downloads\صنع_فيروس_الفدية.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\صنع_فيروس_الفدية\RB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/knl0SZjb#rNGJxxlpLfD8fEcm1-Q-j1LLwutjtwz5GhOcuDMcmRE"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/knl0SZjb#rNGJxxlpLfD8fEcm1-Q-j1LLwutjtwz5GhOcuDMcmRE
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.0.1068000357\372919772" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1672 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fad707a-9472-473e-a034-41a7a69ee929} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 1760 1d4643d9958 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.1.263929173\1563484214" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cec049df-f725-423e-afc6-5a64b791841a} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 2124 1d452070558 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.2.793642368\922377185" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2904 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a4bb190-940f-44a1-81dc-ae847d174b3b} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 2712 1d4682cd858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.3.976098127\1429967361" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87674edf-730c-4f69-b3e7-1b7fa24ae9fc} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 3508 1d4694fc058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.4.1905671168\238874314" -childID 3 -isForBrowser -prefsHandle 4696 -prefMapHandle 4692 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bc36004-e70e-4100-8427-e5b7272fb5e3} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 4704 1d46aab9b58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.5.114277570\709340955" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4908 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86a08dbf-2d3d-4583-a71e-c249110514ae} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 4924 1d46aaba458 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.6.31998301\1266471970" -childID 5 -isForBrowser -prefsHandle 5040 -prefMapHandle 5044 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7054c69e-2eaf-4b23-bccd-0fbd5fec492d} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 5032 1d46aaba758 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5104.7.628604165\574470960" -childID 6 -isForBrowser -prefsHandle 5308 -prefMapHandle 5616 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {68c44ceb-8fbb-4cc5-9bea-9643752dbbfd} 5104 "\\.\pipe\gecko-crash-server-pipe.5104" 4844 1d46a77c258 tab
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f4
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\صنع_فيروس_الفدية\" -spe -an -ai#7zMap5471:94:7zEvent16357
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\صنع_فيروس_الفدية\" -spe -an -ai#7zMap15092:90:7zEvent25298
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\صنع_فيروس_الفدية\RB.exe
"C:\Users\Admin\Desktop\صنع_فيروس_الفدية\RB.exe"
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_me.txt
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
C:\Windows\System32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\CheckpointOptimize.wm
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
Network
Files
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin
| MD5 | fb0b5d5163079a938c021bb5e34f0383 |
| SHA1 | 0821621aefe69d43fb740646570cc5fe45dd8696 |
| SHA256 | 079f13726601b1440228182900999c005e86e50d772a80d622a76be73c89fd30 |
| SHA512 | 41efece8c4a5810971588314977cea031d9edba348a2586831f63658cec7d5fc2bfb974b31718c0e0a320961c0988697388397aed39f4ada1a5e18ccc90f51a3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\b79009d0-c530-4e2a-9b55-143a5ed34175
| MD5 | a28921254a52fb072f6c6648a164d7f3 |
| SHA1 | 312d3e4fb8ff1b91cb7c975967430dc2765a3cfd |
| SHA256 | 2eee9dcc4dea7fbaeaa40c864431b052b72d71829750abacddea11448d93a3d1 |
| SHA512 | 8bb5ba43ae5acce841fab7f2c109907add7b1e4890c8ddf01b5aa9c6594d937febec0426c334ba493dc082a44241598927b84e41a8f704d6918f1bf0765de026 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\pending_pings\1c6e507f-6ae2-41c4-9e08-79274220c1a9
| MD5 | 6dddd9f479cba6b716b3ddc222f7b3e6 |
| SHA1 | 340c3cef4815e3c8aef3c8e4ca70e322aefcec6f |
| SHA256 | 8c9a2098aa5c2f2c4a7e26c3805533d0a7a7c7bed2e16fdbf149cdab5d26697b |
| SHA512 | ede89fb09b9c57f85ad333d892983e90fa061726188dd9729c10830a0727a226f18d73f09e8da760593314ca6cb30bd9c8939238279b8c185d8616d758461b0f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\default\https+++mega.nz\cache\morgue\174\{831e66af-a3a3-4165-9c99-becf967bbfae}.final
| MD5 | 3efa9abd92666265dd81c4f4311a96f9 |
| SHA1 | 41b6b716d67b93555e444cd453f3c6e3f8c9522c |
| SHA256 | 5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7 |
| SHA512 | 5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | aa26f9dba313a8dba666ed5e75c08575 |
| SHA1 | 77cb10ac99e8fe1f8168ed6da72bebf13647ac32 |
| SHA256 | 125a5ec280df8299e5fc61cbd2905a67d11a38e661fc9a3a82fb7e6f59f45a9d |
| SHA512 | 97c2778b574abfd86ed801f1b1d65f552ce67c81ed6d820aed07710b605a83d21810de9ddd525fde3d6f9b798820c9548c9bdc39ac427c13fccfa27f06c919df |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\cache2\doomed\17580
| MD5 | 7e25633cdad660927a4e3c69efa5b31f |
| SHA1 | 2b199792ef9a6ec1f6289a51585228437598f629 |
| SHA256 | 150968198409db0236de8727660bab314c9f2e34d38e12d1035c0f6638e92fbd |
| SHA512 | 87e5b5f0926e074c07fb51793941da323c01d6c9cbf4b8c7c258f96dcd013e99406d232c348e3871c94d3a9c9774e6764e2e62e507ad578f380744056cb86035 |
C:\Users\Admin\Downloads\صنع_فيروس_الفدية.0bnxV_9H.zip.part
| MD5 | 98233f007b65c14ed68014fdd5575f76 |
| SHA1 | f40c76dcf6dde9667d81c1c6eac4084debe92c54 |
| SHA256 | 40b5a24c5a2dd104cdd3eecfd7ee8b2fd4ef6a2a69fd99ce208be5cfa4ba1499 |
| SHA512 | 7628fcc3913a5923dc670d028f0b5638780093bb09c4c0ec96559903ff4fc3b6cf4b6259b8bf21a98ce5ae40b47343f1820f394303d4e793d8bfa9566b168ab2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite
| MD5 | f5c2903bc8a30fec85bfb7816f532b76 |
| SHA1 | 6049ae3d501b9a004084667d8a43451c00fcb38f |
| SHA256 | c407c6a129eb61f2ca15ddef81d28d5741156bd05bd9560ab9ec9fe5fb91bf1d |
| SHA512 | de8abfc80056f685232988b2324fdd0c9168e5d5896bf65e65cdfdc17ae9a00180ab29d933a1bf62549073335b0040459faa4905d7899f2d828e7027d00d02a9 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs-1.js
| MD5 | d9b6a0b1770ec161c561b47fed675f80 |
| SHA1 | 2f09a08377f091a8e8395194b39e92b3c042531a |
| SHA256 | e93c84a654eb6bed66dd37120c757309674f0c0ea585bd06e3791de50fefb55b |
| SHA512 | 8e63566602df47061332eac86cc587f4685bf0a531ab3911747f8d3db27dcc7d37c06561958d52ed0bd7831c8e09c156a34074e818eb2bb50b79d7f8633bf921 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionstore.jsonlz4
| MD5 | b8427963ce75cfc0a6f7e775f741f0d3 |
| SHA1 | c683a1baa19d423b31426945d7561fcae5c532bf |
| SHA256 | b33191ea290b8524f4f6f0280f99bd346e928286148be6914727c4710516f319 |
| SHA512 | fa98f5dd8cb53cb3ca2cd84781d71e73a063d663f9e0df9afb450f7c01c58aedc92537a9bf08f2147e4566dd70f4df7ddca682adbdc363dbdd3aaceb78070e90 |
C:\Users\Admin\Downloads\صنع_فيروس_الفدية.zip
| MD5 | 436d850d8e07cbf4e69ce2266361ab59 |
| SHA1 | 21ca581f204b2e72c0c45fbd3e27a41c85d8e44f |
| SHA256 | 89a3e847399bc838b07e2c3615f25550fa53b2a3ee48ad31e934bfa3ebcc6346 |
| SHA512 | b96e7716533d27fbffc0e6700187c2e2d18f402bb6396188bbe80aa5072a060089e5e6f3df12812d7bec5d3dd3f3b3ce55f058fb6822f46f8f9c463ed70a8a14 |
C:\Users\Admin\Desktop\صنع_فيروس_الفدية\RB.exe
| MD5 | 501f2e157acf6ad3d59ad82b79223a42 |
| SHA1 | a004d2265926c8fbb65c23ae3d865de135da9b4c |
| SHA256 | 388f913982ddfbb3b0c578c0c176c2b25c99fea76f316085d5d2d679e754fcb2 |
| SHA512 | 9916af1275fb40abe29c80682b8d6d88d4da24c2891936ea0fd07d491fa55e57dc5ee7e327ab2077fe489fa5bace3651fd74161466efbc7e1aa02974126541c0 |
memory/3812-379-0x0000000000180000-0x00000000003CE000-memory.dmp
memory/3812-380-0x00007FFB52EC0000-0x00007FFB538AC000-memory.dmp
memory/1184-387-0x00007FFB52EC0000-0x00007FFB538AC000-memory.dmp
memory/3812-388-0x00007FFB52EC0000-0x00007FFB538AC000-memory.dmp
memory/1184-390-0x000000001BE00000-0x000000001BF00000-memory.dmp
C:\Users\Admin\Desktop\صنع_فيروس_الفدية\1234.jpg
| MD5 | 5436e23cbfbef492510cedca9feb5d39 |
| SHA1 | 2b9adad0a62292e00428b60601653e3360217a7c |
| SHA256 | bcbf8a93e65930c2e70e3d532570898f5431bd19f0cd49cec624a34f87b58d92 |
| SHA512 | ad88f324cb67b15e45b384aa57b95508a86e6689723248a79eecf1855f34b4cf07cf01860f4276cb82338b9b41c28f86f16f367a33335f68492206ea4e959e49 |
C:\Users\Admin\Desktop\صنع_فيروس_الفدية\pdf.ico
| MD5 | 7c78ecf2e2405beb63370e623a2e4cd8 |
| SHA1 | 25169fd8cb6d425168011225528be6924b62234d |
| SHA256 | 3b39ebed386a62b4aa4aab5b989aaf175429e83955ea84ac2bf8a72df662e76e |
| SHA512 | 622d35627d4cecc2636768adbb0228fde83b7a8f15aa875aed3f2b12ffa8d65df80047ac806a8724e1293106a81821f85cfc80544343f289f6180b3e62bcac45 |
C:\Users\Admin\Desktop\صنع_فيروس_الفدية\كيفية إنشاء فايروس الفدية.mp4
| MD5 | d90def1e63de81f1dadd1c3071be87a2 |
| SHA1 | 83b2dac5d38b0de01682ac4405041c2cf44b3cc7 |
| SHA256 | 07c9e64bdf03fbd6487b0b8a3648b177ad603523d7db8297feea1bb5041c9bd6 |
| SHA512 | 8e8c7c9a892ac5682f9d8bc1e5b8a7bfa77150b87864cb16a80a523adb72f465f50a04844f8390238491688933643a105636f3ce48841614587b05617f69db9f |
C:\Users\Admin\Contacts\read_me.txt
| MD5 | 9535830528649ad9f1496d286c657dc8 |
| SHA1 | e088dd5e57efb31c9140cb6f82e93ebfe5615e7c |
| SHA256 | c1f6cdee53a3659b2686c039222c1d74b62a4b7aaf39a6f6a5b1b79eedc5742c |
| SHA512 | ccc387007e4cee4d7fec624c82c231c4d189376500be6c354531bf4ba08d0b38b9794707ca61251e007a5d5615b3e1382aa1475a5d990472492d03b699f2d46e |
C:\Users\Admin\Downloads\صنع_فيروس_الفدية\1234.jpg
| MD5 | 6d35f3f3b0ea356407637370ef3d7455 |
| SHA1 | 14b2a9612a353592a9a88d4428262076c2ee25ae |
| SHA256 | 04aa9add152769073f3f639e5cf305177b5f7cde3ac11962aae63312a8473c3f |
| SHA512 | 538e82117cb818e5ad1785e05a115b610e3914d5809b1f9e8443d9fa7c3a1ec8fb291617ae8baeaed94bd042b90379de2309ca948dd582ccf83472245db1af9f |
C:\Users\Admin\Downloads\صنع_فيروس_الفدية\كيفية إنشاء فايروس الفدية.mp4
| MD5 | d86f0a91bbe5b77da2469f2c10d76b75 |
| SHA1 | 4add66b4ba73dd333ebdc848d062a5706008ec90 |
| SHA256 | 0fa549a10b37d8a811861deb439ed7f7fc4c37fc7fc10eccc77a36e346374d81 |
| SHA512 | 69fd0547874ac1043548dfc3e1a9b04eacb996831a8408c85102763e521c33eebc66459865eb0db881140e3335d998157f814890e0c26677c8c7d151bfa3368b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\cert9.db
| MD5 | b132f7417e06071e37f58477cff8c5b1 |
| SHA1 | fdf49efdc3d05d89c63752ab2723a3a658c32fcb |
| SHA256 | ead945107e143e2a5314f68f1aafeb0514e6b142c7605768934ac48b7aa63879 |
| SHA512 | 5602465d43aa59bf43585d522d59aef9c9fc989b85a390d61dbfff1e4b51d6d182807c6e21f2d52d65bc26da0ae9c1415822e1edb82eb6183e092c3819e3b30e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\prefs.js
| MD5 | ccdd674a571b2c70118f53ef529fdf75 |
| SHA1 | 2bfd21323fef4f8fb3f98096049bc41aadbc7125 |
| SHA256 | 4b8e053d7b4e008db5666e11e4dab6f19fea7bb6a2037a658d09ae57116ba015 |
| SHA512 | 247cfc088a1634cb9b84ed960a51bce3ebe7c42ca230acd6a7de7984c9a4d26d4d2c1534c6900e67f2cdf8fbe110c6f0598267908c98f2c4f9676917a0582681 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\serviceworker.txt
| MD5 | b2e94d93f2107dcf323bae4d7a0cc1ab |
| SHA1 | cd1bce65240669a4cbcc85fcde01db903c49b6c7 |
| SHA256 | 6200a140035803de4e31e56e8adfab50659899ea087294b24c0fee7919febd85 |
| SHA512 | 8128c4f0ee1f5f0b834d8ac5db8713b9c7815b57d15a489b18b1763c7f6f29ab1e4a3f697d92cdec216a2bfbf4b8834e9eb794f27fcfce9ae5010a1b915f0893 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\sessionCheckpoints.json
| MD5 | 6b77a9f779399e95d1cee931a2c8f8ff |
| SHA1 | 826efd4feb0d50fcce5696111af7c811b81adcd9 |
| SHA256 | 3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3 |
| SHA512 | ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\SiteSecurityServiceState.txt
| MD5 | da152e388c13805448e7473a9e05ecf9 |
| SHA1 | d9643f75079d816642b7d9eed87e4f70c87c337e |
| SHA256 | 7338fd4811520ee521c660b0c4676eaa41b962e0b616614077612b8d6c4a33d6 |
| SHA512 | 9375eb5915ef40dd50a2cb276908f4b08fd325b5e4a846ef21a7a8480cecb48bc435e128fa061978e79c5f4946e54a31e160cd9eda8ac56e08043bff55dea1c3 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\targeting.snapshot.json
| MD5 | 986f7085325f792b2543b6d822ef3001 |
| SHA1 | 5d289f48d355a28db992a4fb8cedada2f81e42af |
| SHA256 | a0fb20869e898b44eba18c8e3b039f3cdab87170c0017e874ecad7d65c086669 |
| SHA512 | fff605abef3bbabfa13b139adfb1515f1acb37064aac4e3b981a4b716f70ecc08e078b9f9be09541d95ab6d8383fba69d7eee8caa319d3a0b42fe5fc6fca8e26 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\xulstore.json
| MD5 | 05e1ddb4298be4c948c3ae839859c3e9 |
| SHA1 | ea9195602eeed8d06644026809e07b3ad29335e5 |
| SHA256 | 1c2c5d5211674c3c8473e0589085499471399e53e9a85d7dd3b075fef6cbb6be |
| SHA512 | 3177b48cd0c877821419d7e5eb247a4c899bc37258994f22257ceaafefb316e6f5959faae02e380e432d7752f0218d45d56d6878c1e751d201d9fdb3ff98612e |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\j1lgjc9k.default-release\datareporting\glean\db\data.safe.bin
| MD5 | 02442bef6c12ef01c2743d7cec17c91a |
| SHA1 | 87093e38f570d8e61e12023d23b4bea3e85802be |
| SHA256 | 9fe3474815439eac6fa93006ba4015ca91a63135d79475d0a82ed526e14fe9df |
| SHA512 | f56281bf7be05d79107e340288782efe0ec55f3e2e11f95b777ffbcf45709a900913566a9ab4e34ca7370e7c77511ed3285c6add65f1def72dd7a4d1beddaa26 |
memory/1184-903-0x00007FFB52EC0000-0x00007FFB538AC000-memory.dmp
memory/1184-904-0x000000001BE00000-0x000000001BF00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
| MD5 | 8af94ae980ded23c9e47f23aea73f24e |
| SHA1 | 095e8d3c6f8f04f815f45e1579e88d08a2cecb56 |
| SHA256 | 86f6f6d8f1d2a380d6fed800ea63a11f80ed804ca661bd0b0d929384e080e5df |
| SHA512 | 5b54b64df21dcfcf615db75e685178712bfa7a39461254df90c8c9b2980b59bb826a398ef6430c551b5a3e2d48366bc8e2a6a33101ac73ef653a39104f7472e1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 98df921f667bf303621c789390ed9f2e |
| SHA1 | d9c82e51534cf1c2eb5a255286de6a09ca364d1a |
| SHA256 | 8b8497d37fa9ddd44e275aa7631d7c7173c384a501d11e73e3d4401513c4bbe3 |
| SHA512 | 58e896295763c2729c5a19986356e7cc7706265bbda5cd9cec98201ec9ce86c4b68a3e388c86aba198870ca4b8ab1a7876f2d8e1fff7437216dd2789b3ed3796 |
C:\Users\Admin\AppData\Local\Temp\tmp40078.WMC\allservices.xml
| MD5 | df03e65b8e082f24dab09c57bc9c6241 |
| SHA1 | 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf |
| SHA256 | 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba |
| SHA512 | ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99 |
C:\Users\Admin\AppData\Local\Temp\tmp42062.WMC\serviceinfo.xml
| MD5 | d58da90d6dc51f97cb84dfbffe2b2300 |
| SHA1 | 5f86b06b992a3146cb698a99932ead57a5ec4666 |
| SHA256 | 93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad |
| SHA512 | 7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636 |
memory/2416-960-0x0000000007780000-0x0000000007790000-memory.dmp
memory/2416-961-0x0000000007780000-0x0000000007790000-memory.dmp
memory/2416-962-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-963-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-965-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-964-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-966-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-968-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-970-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-971-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-972-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-967-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-973-0x000000000A570000-0x000000000A580000-memory.dmp
memory/2416-974-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-975-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-976-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
memory/2416-977-0x000000000A4E0000-0x000000000A4F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | 74aec598db28dd3ee7722b4bae2d2a65 |
| SHA1 | 0420f05190f6f3ab846828b403f45cd69b849e6f |
| SHA256 | ec20b5dc0454697a646622c8030a832a433bacff662511a9dc5d70a8fb921e1c |
| SHA512 | 1ef9f1955de855793b30406836ba101288729c9c1d499e17e51791a39115a7a296357aee18dbfaf673659ce7af2e78692cd91abbbd1769ebf218b27e236b0731 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | b7723a71818725fabd1650a4f67d67d3 |
| SHA1 | 7b3aa32385c6a3fdd4916522b6e54f553c1a8bba |
| SHA256 | afb038fc4f44bebf01863610188d8ceb6665a6b5a2f14a6d9684041b00bbc7b8 |
| SHA512 | e6a2f6df12a41ef1a8ee4cd7f9b5985a11f8001ae3cb55961e2323f96efcc984e51af30471632c33cc5ec6ba5dc2102397ba86ce6b2a64cfa9e7ba492e667fa1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
| MD5 | e91e1d26112ef5614db396e3669dee9f |
| SHA1 | bcdbb66557098243aeec2483767997b96570ca38 |
| SHA256 | 0d323e08e9fa18948957116e8a44b257c18755a235bd2d2b2b5c57d681b2062d |
| SHA512 | 97eb6bb4885a70a6f699b6e78f965fa232401af28abcbd5948b9a84cc42f3374e13fc95e3405ea96cb2971ad32dcbfba1e4de7a83adaeb693f05bbe5f5a3ed74 |