badrabbit | hxxps://mega[.]nz/file/5AV20ICB#6vywRQbH_cRm1BMKvkkSAsDwMOlsZ8GASR4D5o9QxSo

Analysis

max time kernel
321s
max time network
332s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
02/12/2023, 18:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://mega.nz/file/5AV20ICB#6vywRQbH_cRm1BMKvkkSAsDwMOlsZ8GASR4D5o9QxSo

Score

10^/10

badrabbit wannacry aspackv2 discovery evasion persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1115) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
4704	netsh.exe
4688	netsh.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000100000002a932-1234.dat	aspack_v212_v242
behavioral1/files/0x000100000002a932-1235.dat	aspack_v212_v242
behavioral1/files/0x000100000002a935-1266.dat	aspack_v212_v242
behavioral1/files/0x000100000002a935-1265.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC274.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC26D.tmp	[email protected]

Executes dropped EXE 26 IoCs

pid	Process
1580	[email protected]
3548	[email protected]
2944	Butterfly On Desktop_1.0.exe
3528	[email protected]
4824	[email protected]
3756	Fantom.exe
4592	[email protected]
2328	[email protected]
4176	weUkYQMA.exe
4548	xsAgYkcU.exe
3884	[email protected]
2324	[email protected]
1060	taskdl.exe
1360	[email protected]
3556	[email protected]
4688	[email protected]
2120	system.exe
4312	[email protected]
4292	D4C1.tmp
3984	Antivirus 2021.exe
916	A employee has shared Covid-19 report with You.doc.exe
1776	Beryllium.exe
4160	Bitmap2_GDIOnly.exe
360	bmp.exe
5184	BitBlt.exe
5264	taskdl.exe

Loads dropped DLL 37 IoCs

pid	Process
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
1304	rundll32.exe
4516	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4440	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/916-3078-0x0000000000400000-0x000000000046E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Windows\CurrentVersion\Run\weUkYQMA.exe = "C:\\Users\\Admin\\cmEwwgYA\\weUkYQMA.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsAgYkcU.exe = "C:\\ProgramData\\eOUgwUQk\\xsAgYkcU.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Windows\CurrentVersion\Run\weUkYQMA.exe = "C:\\Users\\Admin\\cmEwwgYA\\weUkYQMA.exe"	weUkYQMA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xsAgYkcU.exe = "C:\\ProgramData\\eOUgwUQk\\xsAgYkcU.exe"	xsAgYkcU.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	[email protected]

Checks for any installed AV software in registry 1 TTPs 9 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	Butterfly On Desktop_1.0.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	Butterfly On Desktop_1.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\z:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\x:	[email protected]

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	[email protected]

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\D4C1.tmp	rundll32.exe
File opened for modification	C:\WINDOWS\Web	[email protected]
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2444	SCHTASKS.exe
2172	schtasks.exe
2044	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5784	taskkill.exe

Modifies Control Panel 6 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Control Panel\International	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Control Panel\Desktop	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Control Panel\Desktop\WallpaperOriginX = "210"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Control Panel\Desktop\WallpaperOriginY = "187"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Control Panel\Desktop\MenuShowDelay = "9999"	[email protected]

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	[email protected]
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Internet Explorer\Main	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	[email protected]

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	[email protected]

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "75"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000_Classes\Local Settings	Antivirus 2021.exe
Key created	\REGISTRY\USER\S-1-5-21-3101619610-3579357151-2691346733-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
336	reg.exe
3104	reg.exe
4016	reg.exe
2640	reg.exe
4312	reg.exe
852	reg.exe
2728	reg.exe
3688	reg.exe
2680	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	Butterfly On Desktop_1.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	Butterfly On Desktop_1.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	Butterfly On Desktop_1.0.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5400	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2172	PING.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3328	msedge.exe
3328	msedge.exe
1136	msedge.exe
1136	msedge.exe
900	identity_helper.exe
900	identity_helper.exe
840	msedge.exe
840	msedge.exe
2444	msedge.exe
2444	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2944	Butterfly On Desktop_1.0.exe
2328	[email protected]
2328	[email protected]
2328	[email protected]
2328	[email protected]
2324	[email protected]
2324	[email protected]
2324	[email protected]
2324	[email protected]
1360	[email protected]
1360	[email protected]
1360	[email protected]
1360	[email protected]
1304	rundll32.exe
1304	rundll32.exe
1304	rundll32.exe
1304	rundll32.exe
4516	rundll32.exe
4516	rundll32.exe
4292	D4C1.tmp
4292	D4C1.tmp
4292	D4C1.tmp
4292	D4C1.tmp
4292	D4C1.tmp
4292	D4C1.tmp
4292	D4C1.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5184	BitBlt.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: 33	4640	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4640	AUDIODG.EXE
Token: SeRestorePrivilege	2936	7zG.exe
Token: 35	2936	7zG.exe
Token: SeSecurityPrivilege	2936	7zG.exe
Token: SeSecurityPrivilege	2936	7zG.exe
Token: SeDebugPrivilege	2944	Butterfly On Desktop_1.0.exe
Token: SeSystemtimePrivilege	4824	[email protected]
Token: SeDebugPrivilege	3756	Fantom.exe
Token: SeShutdownPrivilege	3884	[email protected]
Token: SeCreatePagefilePrivilege	3884	[email protected]
Token: SeShutdownPrivilege	1304	rundll32.exe
Token: SeDebugPrivilege	1304	rundll32.exe
Token: SeTcbPrivilege	1304	rundll32.exe
Token: SeShutdownPrivilege	4516	rundll32.exe
Token: SeDebugPrivilege	4516	rundll32.exe
Token: SeTcbPrivilege	4516	rundll32.exe
Token: SeDebugPrivilege	4292	D4C1.tmp
Token: SeShutdownPrivilege	5476	shutdown.exe
Token: SeRemoteShutdownPrivilege	5476	shutdown.exe
Token: SeDebugPrivilege	5784	taskkill.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
2936	7zG.exe
3548	[email protected]

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe
1136	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4060	MiniSearchHost.exe
2944	Butterfly On Desktop_1.0.exe
5764	PickerHost.exe
5712	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 712	1136	msedge.exe	78
PID 1136 wrote to memory of 712	1136	msedge.exe	78
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 4336	1136	msedge.exe	79
PID 1136 wrote to memory of 3328	1136	msedge.exe	80
PID 1136 wrote to memory of 3328	1136	msedge.exe	80
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81
PID 1136 wrote to memory of 3076	1136	msedge.exe	81

System policy modification 1 TTPs 37 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	[email protected]

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
996	attrib.exe
2912	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/5AV20ICB#6vywRQbH_cRm1BMKvkkSAsDwMOlsZ8GASR4D5o9QxSo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc2b303cb8,0x7ffc2b303cc8,0x7ffc2b303cd8
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2368 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,15033244842127932897,14385857131273044561,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3420 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4936

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\VirusCollection\" -spe -an -ai#7zMap27410:94:7zEvent9548
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2936

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]"
1⤵
- Executes dropped EXE
PID:1580

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\Butterfly On Desktop_1.0.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\Butterfly On Desktop_1.0.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]"
1⤵
- Executes dropped EXE
PID:3528

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4824

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Fantom.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Fantom.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
1⤵
- Drops startup file
- Executes dropped EXE
PID:4592
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:996
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4440
- C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 121131701540660.bat
  2⤵
  PID:1428
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:2292
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:2912
- C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5264

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:2328
- C:\Users\Admin\cmEwwgYA\weUkYQMA.exe
  "C:\Users\Admin\cmEwwgYA\weUkYQMA.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock"
  2⤵
  PID:1644
- - C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
    C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock"
      4⤵
      PID:1480
    - - C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
        
        C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Endermanch@ViraLock"
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        Modifies registry key
        
        PID:336
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        Modifies registry key
        
        PID:3104
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies registry key
        
        PID:4016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QmoUAcoQ.bat" "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]""
        6⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies registry key
      PID:852
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      Modifies registry key
      PID:3688
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      Modifies registry key
      PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zqEIkgcg.bat" "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]""
      4⤵
      PID:1516
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:8
- C:\ProgramData\eOUgwUQk\xsAgYkcU.exe
  "C:\ProgramData\eOUgwUQk\xsAgYkcU.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwoUEAcU.bat" "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]""
  2⤵
  PID:2172
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:2380
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2640
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:4312
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:2728

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3884
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  PID:4704
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  PID:4688
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
  2⤵
  PID:5612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "E"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5784
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2172

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
1⤵
- Executes dropped EXE
PID:3556
- C:\Users\Admin\AppData\Local\system.exe
  "C:\Users\Admin\AppData\Local\system.exe"
  2⤵
  - Executes dropped EXE
  PID:2120
- - C:\Windows\SysWOW64\SCHTASKS.exe
    C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
    3⤵
    PID:3340
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:4320
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
    3⤵
    PID:2728
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      PID:200
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
    3⤵
    PID:5100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      PID:2096
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:4516
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      PID:1080
- - C:\windows\SysWOW64\cmd.exe
    C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
    3⤵
    PID:3100
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
    3⤵
    PID:3560
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
    3⤵
    PID:5048
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -r -t 10 -f
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5476

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4688
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:2924
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3568
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2723248496 && exit"
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2723248496 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:29:00
    3⤵
    PID:2788
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:29:00
      4⤵
      Creates scheduled task(s)
      PID:2044
- - C:\Windows\D4C1.tmp
    "C:\Windows\D4C1.tmp" \\.\pipe\{9BBBC7B5-D81C-4A15-B35D-FFDFEEC6C3A7}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
- - C:\Windows\SysWOW64\cmd.exe
    /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
    3⤵
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN drogon
    3⤵
    PID:5516

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4312
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4516

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Antivirus 2021.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Antivirus 2021.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3984
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Antivirus.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:5752

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\A employee has shared Covid-19 report with You.doc.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\A employee has shared Covid-19 report with You.doc.exe"
1⤵
- Executes dropped EXE
PID:916
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E58A.tmp\E58B.tmp\E58C.bat "C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\A employee has shared Covid-19 report with You.doc.exe""
  2⤵
  - Modifies registry class
  PID:5192
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Covid19.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:5400

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Beryllium.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Beryllium.exe"
1⤵
- Executes dropped EXE
PID:1776

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Bitmap2_GDIOnly.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\Bitmap2_GDIOnly.exe"
1⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\bmp.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\bmp.exe"
1⤵
- Executes dropped EXE
PID:360

C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\BitBlt.exe
"C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\BitBlt.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:5184

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5764

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3949055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
936B

MD5
4011e955ba3cce63a2c1ff888d839091

SHA1
5eb4ae19e152f6108c9335f4aec23bdbe77e8893

SHA256
3b31f0970bbcbd31f11465b1a0695090d127235e1f02cfcaaef63b6f337677d9

SHA512
1b89451db3a166a700e631b22bdbf37e3fa1425816530e533c6a19d63129d1ae76c1641cd188f0e11f9e64023925e0bc37c2a7a9a88110ab0eae7c38a045f285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e126312d2ac3e6411def860af3effb5

SHA1
0bafa7fa6e6ff58c03f90e7be34f176d2fa6482d

SHA256
66d8cd3d3710122eb73a2991cd38b5b9eb0b84a7479d9a18aae674489cd4b45b

SHA512
f0770e3e4c9f0e9160aec628ba7771a76d6761119c12541775fdf4578d185b04ed3c87537e4e43a717dfd8dd152e35aa4b1ddb92ff00667aa74a56877dd21a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
fb4b886e735dc3311026796968449fbc

SHA1
fffeebcb6d4bc7a961347f558858999e5d0d8467

SHA256
49fb57f5bea8715606ce2abcd4620d4bd2f9d75ba2ff2c04816ac940d83997a7

SHA512
bd9051232d4b27bf5a8aea378ecbaf033eb16142193155280a4a0dd8e7bf0d7581e426c86b40a14a4a4573b3cdadda260fea8a4f3f8961e3402861ad502e2da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000

Filesize
4.5MB

MD5
064c693eacf7ed4a710ada56eb526f5b

SHA1
80cd53a2ae4f4ce58ec637f9d5199ea6726fe450

SHA256
229f77469eb6350c70923a7383e547fbcaf33e4513803d36e93c314dbe33ff6b

SHA512
b926760e9d4df86072fbb5730451f6932309ce3e5dbe4e8d552586fba66fdef65e7e56f48e32536e0ca45945775eb3ecf981dd7499e888ebbb8cbc472a4088a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
bc3c50b1f5a496df585860e1e5030044

SHA1
535ae8e15d301f69ffa147ddcb4285bac1a8d3a1

SHA256
2db18e1686b50c0fd1364f8f0c7180b2aa28ba83113d51121ddc5b082294bcff

SHA512
a125d5f9705a3ae8868754092c0f08ea096d4cef652a52896597b481fb6886ab9ee11608da603a5dc0c2df550d0cf73950890eab602417ad6240b7ab14376c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
99e1d0752a76d7a93fb2828700a3e62a

SHA1
c2782d7ad706e2119e59ca7b1ef6589c79c52c1a

SHA256
e3c3162ab008bba7fc6e2b0c57940a51bf9bbcb0d3c57da096590ea5deabe26d

SHA512
9ce8e3adc557c1444b871b1eb9a54dad0c4c7e7148069f70153a880db7ba7a7143ff035849c00cfc1aa489ce669be9868e164719e8604761d3cc651c622af19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
6654d41bcf0ffff09a2530d16d1c1f96

SHA1
86bb24a069be57d7910e2fd145ea0a7ef25e89ce

SHA256
126ef8c49e146a378ea199430c41e8a3372b232d5ae53674de6211dc801e8020

SHA512
c6fe867e3cc2967a63923790968eca934e59033e7d017944ba18e5b2d6287a3d52a6ac437aed7c9c2e7323415256f67ec9f38507d28d61cd8e61a0a43cb5604b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
2dd6b67845e013a976813b5834bbfa3b

SHA1
87044bf3aef81d63acc2a6e8a858908f0832f28a

SHA256
5071f0166040da8c5dd29427ef09699bcdc29cb3907954abeb933c9dc7823626

SHA512
61bbaf16f66b1e57b73f8ca40c35fab32f36b869610338c8f01fa2d7fc1895f9199ea5238e8168452972c777296642423a53416a345c9856ede01467bc648814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
2a8b2b8d6035327126f094ad1c21d53d

SHA1
e35faf4c84b5f57e95c8a4d801563bfe4400a0ee

SHA256
3ebe47fda56cf09ab161dd7a535703540f3baee3084903dd5a9b734d5802a699

SHA512
55028e3629c8806e5dc73f5cb028892328d271b2503ab0da477f533b8a3aecfcf5e3827fe115e7b8f80f46df2b25505894baa13b4c118fbf8af813c05c06fbdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
ece930b2f769242e518c72fc38c1ac4f

SHA1
99df741f93659446e52f7e3320bb9370ed9a04b4

SHA256
5a9b6ff79710ac57d8fdd13ada543bae88cf447079bb9ac94eae280c0d5a2775

SHA512
110ed872add60dbb6a25cfacc4b940e7bb3f33f108c901bf94a4cc83c2da9c6e3720a4a1d235df90b55dfeceb7e657da8196aaa9da7a48c0b1c59f11ae0ec49a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
1787cb9fb6070e127787e27a678011ba

SHA1
f5cd975173d651c045473b666a63a6f4309c67a5

SHA256
7281fdf93f6c9c6be95e7b82e7fc3d00ddfb848f5a5a0252c3d2af1b29718701

SHA512
7d4ca038545d0fc811171340b5c30b62d7665f4eac82458edb6d418b2245edef9bd0a09e73f3cdd3cd10e3e0a2016295d86ef2cee836852923b534dd3f5e175f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
482e4e43e3a9cd163a3c790afafcf3d7

SHA1
67fb3fcab4b90b7cf0fe4540e5488e85a1fd7886

SHA256
445c294ac8f4630dff285ef8b5579a3c9370f786c8648c0b33cbab90d30a5583

SHA512
b3368b0ff0c5e3dbfb17ce001591530e252b15f7d6e4bdf97e0bdd7f286ef72200603b9c7884a0a39111dafdb9e987411ee384a67f634adb2fac5790ab1a0b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
e19070f46a681afbfdae7b07d659a06e

SHA1
f625d29523461d3e103d7c61515288d05a99b2e6

SHA256
304b3fea835e984722a8eae3747bc3c655b52e215910c3842c1c42f21e669085

SHA512
38cb0cae43836f58f25d1c7458f886a7a1b8907857a43c975aa34379e4aa37abaf41e1a1eee4be29f55a6950f2a29c5a2ae7409b7c698b3e219160441e7cf9c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
fd807f8738b78d3fbd3ba13ce136924f

SHA1
d1e97e3550f3bc7ec3e0e06529305817ff3e2909

SHA256
dd352e11798e4f1628e95ee74475b49bc7167ec5a09a82be1015dee554fa62ee

SHA512
41d808055514f2f957235b5801cdfc9ff92d22a9cbc8c1ab2b7458ff2f71bb4f069340ef1ace47d5587d89d253aeab5847d8229c5b220a64e5fc2bbf9484ae1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
8af13522a956a79af0e69903f55b1fba

SHA1
3181cce322bcc38874a86b86ad2b1c3ec4462820

SHA256
e16a3abb4e70392fd0b03a259bd1f590c1f6b963517f7d9a677392ca9fab7233

SHA512
54f67a24dbbec64654ded1cab2c1a990b84bcce3265dedb82c718b2d585d348a8e38d63c245234cbf2363f9125bb34e3208752f1d6f3e046301656a810d08f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
5c1598dc30041b62fbb41384c2087ff8

SHA1
1d288c77aa134a1291020d73b9445c0eb1867c6c

SHA256
064e060ee10ef1c7bed46d393741abb0f2d797d5e8fe7581aa3285242d8ae1e4

SHA512
59e077dac8a18963536925f5d2e6d11ba9edc6d5d91991a5b3fd0db9be6c55e9318dfd3ac93cab6279051c3d64d9ca63c3034f94f8441feee69f5bfdc56402b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
1KB

MD5
d2ecb42f846c32db4e76188faf6abb01

SHA1
f81b1f687921ce7313edf737f78c49a10cad65c5

SHA256
2afe7774466c2df1887510916468179196934f1c0b2d22ebe50da20138b47dfb

SHA512
171c42c9384aad204f4cef588afdf443e5ccb809ce8a703d5f1f423b608554c8760eab70ba0fbdecf81becfcc53a7640e2d40d5cf91f8fe74019089783677492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

Filesize
2KB

MD5
bd42d28eeeafeee47b42df4d2166f5ff

SHA1
0f8f94551359802b5d1f0a5729784e595bdcf144

SHA256
f608b30b82f902108ca1e6c9112086fe61c2292f3b1e104bd9bed20f7135541b

SHA512
c4e8b8ef7234b835d57d0b3edd7bfa0cd4659beeb7fb654cfe10ca4fe4d76fb4b992ad00d26baaa9d5a04daf47dbf8414233dca42a6af437a94aa31125ac00e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe57cddf.TMP

Filesize
598B

MD5
fd3ef1bb183cc9a7580144d6b676b73c

SHA1
8106a8050ab4467584648a9280891bbbe379f1bd

SHA256
956c1e10d9571d51f84ebc41ff359dc2dea9109f04447c9c4845184ee6d51fd1

SHA512
c4e253b0fa9eb6b883e6f3188056a2466ff08e6d23ca8724bbe46e20eeb056a9687428e8ed0f607c3e05be05e45b9db99a0e7f9705dce178dd8d6cb1982a2755

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
03da8e9f1c34251a6a9fc171f9972a58

SHA1
4817ec312c6bd1ce48635f652f4ea8d70a190987

SHA256
08bfcc15479ee1cf404d6d0c9aa3a5a1eba16288f4e432b56b66861d88052451

SHA512
d8df733d82c529cf321cb5ac9db4216b32b6b6904201207600fec3fcd26c92e550520335e02ff423747d3772ab672ad95528f8bc4a15bd70abf6421d6e0ac727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9931e5552670e24b01e50bd1b82e39de

SHA1
6c80c31712a2742398a0bf8ea3193ceb7afcb1e9

SHA256
135bc71cc6a024ab8a70e1e344b0ff76afcfd5438fb3d40320718578b9f9caeb

SHA512
0498dfe778bf51e6ad4a48356694573006e92de3ca60475aaf80a43000f58ba833d970d57e9872f748b7c1e46424c704fe7b676a11ea035c24f50d865e2c1427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
36d38ba5b1697972918d3932758f799d

SHA1
5130279e272501368a3f7f1d9ce5c974df2b1f34

SHA256
c5d3ca9a793ecac8b821b81c9c6765bda0cf1ec849dc3a300ddd1c5f63b0873e

SHA512
ceffcd6a444342f41aa8d387b4223c11fbbd9891869690bf28377e195136a7830dd2a90164d454ce692fb185f20ecd4d40a2ec8749ba616fb6994c2f15468e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
182a43e7dd9dc21191aa7cd76c4f5dda

SHA1
d9a2c164ca5d754b9ac889dc06d1875404e70318

SHA256
d780e19fe090ebc48a967aab3ab82b2cad27e42cad71db753a23b7d03b89df09

SHA512
14d6904f53c76ffcbc7f5d8cf8ca573e874f2c7e803318e9e9c077487025759eaa3801327c802cdde59758d3987b086cfbc308579d4ae0f5033fe3582f1546dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ae397b084a1ed17629564d7aec31f61

SHA1
0abca5b486839f5082bef8a8b9e242963d11b6a5

SHA256
ffc3083df397a7a2ce8bd04b7768aed2fe42d88c8963e1890a3897dc82ce6463

SHA512
fea8742e0b6e7e51032a144205d0d0fdffa0185d8ad489c0279f7475d6f9051c97daded93beb95d02743ca65240bfc858424c70bb8f774e9c3c45d24c7f60a70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
590a4be82ce0e7f8c69b0a547a8ed945

SHA1
062639b7a6e192a2587e55c8463dfd1173a25c0a

SHA256
e5e00d40a7698d1436f72cfaf14a43372bfad5c71ae3737e8131e4662628dbbb

SHA512
eb91a8f98ed3ff1a7e3ff65ff94cdecead42f31aca2ba25b9edaa5dab948a83bb2566a99f3237659eba753917d283d18ee3286da4150f47d4297b99a979472f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
45d969ec6a6af1de920c16675497d16b

SHA1
305cb4bbd8eca5a0feef3ed9f728d480d4b4406c

SHA256
d8c3b020b3610692f6bfe027f449ec888aa4679868302612abb2af39d8f1b132

SHA512
55ce3524bd2016579b5453d9bc582c14164f0ead858361ffdc183fc173a4e025e282bfca835a09a3441fe0ec6bf90d9f33a6c07b756f1edebab40992f54591f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f695.TMP

Filesize
48B

MD5
26db2bb14c188bf7712cd4f6de3be178

SHA1
d1244f56b3aba760d95c7234ef0141fcadc19c58

SHA256
f43bc679a0670c69064543fb192e3b0acce0eded0a08e1ba88f62ff408451957

SHA512
6355db1f1a01fa38a2d96ef425903860606264f1eb0d0469646f366da7f4554a347955f3a7cf8dffa31ab8bbe8fc4e43ce1e103d3086f52d636525f352c2151d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e43a294e-f25f-45cc-b9e5-8245dc567be5.tmp

Filesize
5KB

MD5
9de7d8f9f1d530ce13d75dac468b246c

SHA1
56c1e98649cd04b79b3c76cd9e8ffa9ad8b66ce8

SHA256
8881c0dfa4dddff5de0156069891e46b30f8f4430c61c0919628f967104d234d

SHA512
ef361a51e80059328daf385f4de73af451b344383a2429cd4358f1d4bafb515cfad7f0c64562109f6d4cb4169e90c59ecb018df7392263b33ee9f0f811243ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1e71195086021b112553895b7e5fa872

SHA1
d5cc5ab8f2f2a25766ef207b2e9814586bc54094

SHA256
bedc4eb480c5f0923252c6be58dbf46f858ecdb86c6df489b1671169e510254c

SHA512
60d2c52561349fed6e64fdca264500f5f13368b503d586997e1d631caeb3bba1820c6cbb9118d29b4f71378e39227643ea535b8bfd8180f9d01b0596ae73eac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae6de843adaa4dacf825c81e8e1295b2

SHA1
19dca5426a72c5eb83403b99eb2e55303fec26f0

SHA256
d221f81a32638b2ab7e20d19becfe1499730e5edfc78da6dd6b6d23583a6dc05

SHA512
917fc139ce0e77cbab1b5e64a54b1b6634507f3b7ee336494e1c68690e42c3b93a98d75821e3458e03e9843ba5bf23487031e08ea266c5588641659122520110

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b14496d248a07986e0cd800e041aa514

SHA1
f0a8b6b33814d9b4491b98793ccd543fb826712d

SHA256
8818f0f6e475d86a2f6cd4ae19c6dff5eb9c7e5d7bce84136041ea6743effeca

SHA512
19a96fd12f59298b30455560995135d285f73d3d20e4ca8fe6976c27c4040bcf7f5ffb19cdf9bdfd38bc55c5b9e417a88fabf76a5aee8ae95ed2560cf3d9a073

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b07ce292c287dd50161c41e105c98ca8

SHA1
85caf49dfc198504c651f713482dce881066ed42

SHA256
c6de30a4987f6ad068caef9f96ae181eee48a95d7bff7297d512b68c80bb24e2

SHA512
5ef87c9289816e0f6982573bf6a92925b5b5119ba421691e769982570fa67f3ac2dba3f55481bc767da88a709edf7a5e1b72657fdf6eef7646f41d956efda66f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butterfly On Desktop_1.0.exe_1701540639\Resources\OfferPage.html

Filesize
1KB

MD5
bd68838ecb5211eec61b623b8d90c7b1

SHA1
468d3c8cdbbe481db7ff9ccc36ca1e0549fe8e76

SHA256
528bdb8513b87c0ab8f940c5cd2905a942511b073fb3a58754cba5fbf76d04e7

SHA512
cf92209cc21461e5e77889dd9c53d84639b2e5446cc508bec131048d93ca9c9e063da314a18c66190f52fad4517034ff544d3686651f91fed272ec00d5ffc457

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butterfly On Desktop_1.0.exe_1701540639\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmoUAcoQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OCommonResources.dll

Filesize
5.7MB

MD5
574bf4e368acda5c4d0587cef85f3265

SHA1
9145d21575bfb3e917660da0c7c17950a5ed2293

SHA256
b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703

SHA512
5544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OCommonResources.dll

Filesize
5.7MB

MD5
574bf4e368acda5c4d0587cef85f3265

SHA1
9145d21575bfb3e917660da0c7c17950a5ed2293

SHA256
b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703

SHA512
5544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OCommonResources.dll

Filesize
5.7MB

MD5
574bf4e368acda5c4d0587cef85f3265

SHA1
9145d21575bfb3e917660da0c7c17950a5ed2293

SHA256
b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703

SHA512
5544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2ODAL.dll

Filesize
17KB

MD5
d8baf69855cd6e563db75040d5c93446

SHA1
e18a423066eebe04c250b9c39df85f9f141a7511

SHA256
747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21

SHA512
2cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2ODAL.dll

Filesize
17KB

MD5
d8baf69855cd6e563db75040d5c93446

SHA1
e18a423066eebe04c250b9c39df85f9f141a7511

SHA256
747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21

SHA512
2cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2ODAL.dll

Filesize
17KB

MD5
d8baf69855cd6e563db75040d5c93446

SHA1
e18a423066eebe04c250b9c39df85f9f141a7511

SHA256
747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21

SHA512
2cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OModels.dll

Filesize
78KB

MD5
17e51e917a9571db645210bbf3346e8d

SHA1
5b3d7d918feea625613fba2442c1bd59dcea8c6c

SHA256
a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442

SHA512
bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OModels.dll

Filesize
78KB

MD5
17e51e917a9571db645210bbf3346e8d

SHA1
5b3d7d918feea625613fba2442c1bd59dcea8c6c

SHA256
a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442

SHA512
bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OModels.dll

Filesize
78KB

MD5
17e51e917a9571db645210bbf3346e8d

SHA1
5b3d7d918feea625613fba2442c1bd59dcea8c6c

SHA256
a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442

SHA512
bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OResources.dll

Filesize
20KB

MD5
c358d1550a03a629d994a6780cd71cdf

SHA1
8afa6e479d1e9deb4a02cd8756981ad68f4ef123

SHA256
a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5

SHA512
1e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OResources.dll

Filesize
20KB

MD5
c358d1550a03a629d994a6780cd71cdf

SHA1
8afa6e479d1e9deb4a02cd8756981ad68f4ef123

SHA256
a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5

SHA512
1e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OResources.dll

Filesize
20KB

MD5
c358d1550a03a629d994a6780cd71cdf

SHA1
8afa6e479d1e9deb4a02cd8756981ad68f4ef123

SHA256
a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5

SHA512
1e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OServices.dll

Filesize
166KB

MD5
d823cce48af722c77d35d6d49f75b3f6

SHA1
957ef9b96fb2de5ba00faf5d1d5e07c7a800e423

SHA256
69d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff

SHA512
2b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OServices.dll

Filesize
166KB

MD5
d823cce48af722c77d35d6d49f75b3f6

SHA1
957ef9b96fb2de5ba00faf5d1d5e07c7a800e423

SHA256
69d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff

SHA512
2b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OServices.dll

Filesize
166KB

MD5
d823cce48af722c77d35d6d49f75b3f6

SHA1
957ef9b96fb2de5ba00faf5d1d5e07c7a800e423

SHA256
69d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff

SHA512
2b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OUtilities.dll

Filesize
125KB

MD5
d1565006cd6c858e0722e828ab7d0af6

SHA1
81681d919901a3342f18cee9c9186873a297db22

SHA256
be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee

SHA512
24b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OUtilities.dll

Filesize
125KB

MD5
d1565006cd6c858e0722e828ab7d0af6

SHA1
81681d919901a3342f18cee9c9186873a297db22

SHA256
be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee

SHA512
24b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OUtilities.dll

Filesize
125KB

MD5
d1565006cd6c858e0722e828ab7d0af6

SHA1
81681d919901a3342f18cee9c9186873a297db22

SHA256
be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee

SHA512
24b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OViewModels.dll

Filesize
9KB

MD5
29c85eb8d9e8fcc08dcb6702049a3178

SHA1
faec404c9195e242b05b11fa1658f4db04db7ab0

SHA256
b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7

SHA512
728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OViewModels.dll

Filesize
9KB

MD5
29c85eb8d9e8fcc08dcb6702049a3178

SHA1
faec404c9195e242b05b11fa1658f4db04db7ab0

SHA256
b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7

SHA512
728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OViewModels.dll

Filesize
9KB

MD5
29c85eb8d9e8fcc08dcb6702049a3178

SHA1
faec404c9195e242b05b11fa1658f4db04db7ab0

SHA256
b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7

SHA512
728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\OfferSDK.dll

Filesize
173KB

MD5
96ba82404612c54c8035670384f5a768

SHA1
1bd337d88be490a2bd12b21e5dfdbf211a1235af

SHA256
368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0

SHA512
720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\OfferSDK.dll

Filesize
173KB

MD5
96ba82404612c54c8035670384f5a768

SHA1
1bd337d88be490a2bd12b21e5dfdbf211a1235af

SHA256
368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0

SHA512
720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\OfferSDK.dll

Filesize
173KB

MD5
96ba82404612c54c8035670384f5a768

SHA1
1bd337d88be490a2bd12b21e5dfdbf211a1235af

SHA256
368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0

SHA512
720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\SciterWrapper.dll

Filesize
139KB

MD5
02900ea60f5b8bca8d930315707af125

SHA1
6474108d4639b6ed5a4359e62845b521c2a281bc

SHA256
3878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33

SHA512
3aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\SciterWrapper.dll

Filesize
139KB

MD5
02900ea60f5b8bca8d930315707af125

SHA1
6474108d4639b6ed5a4359e62845b521c2a281bc

SHA256
3878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33

SHA512
3aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\SciterWrapper.dll

Filesize
139KB

MD5
02900ea60f5b8bca8d930315707af125

SHA1
6474108d4639b6ed5a4359e62845b521c2a281bc

SHA256
3878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33

SHA512
3aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.Net.dll

Filesize
101KB

MD5
5ed5560e3c4562619a5225772483064a

SHA1
6a0e59a06171225db80d0c3ca1cdd53ce4e3f02c

SHA256
27bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780

SHA512
50f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.Net.dll

Filesize
101KB

MD5
5ed5560e3c4562619a5225772483064a

SHA1
6a0e59a06171225db80d0c3ca1cdd53ce4e3f02c

SHA256
27bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780

SHA512
50f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.Net.dll

Filesize
101KB

MD5
5ed5560e3c4562619a5225772483064a

SHA1
6a0e59a06171225db80d0c3ca1cdd53ce4e3f02c

SHA256
27bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780

SHA512
50f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.Net.dll

Filesize
101KB

MD5
5ed5560e3c4562619a5225772483064a

SHA1
6a0e59a06171225db80d0c3ca1cdd53ce4e3f02c

SHA256
27bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780

SHA512
50f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.dll

Filesize
151KB

MD5
1bf73d9f025be036e5acc0cfe1928af4

SHA1
80dca2951603b3383c319a43da1a1e93b8f369d5

SHA256
5580588820f429d6d17c73c0526e032e5fdb2e2b1343071f5c4fc379c209353a

SHA512
4212e4cb5738998837a2f62ee5c326d1461c31300894f1d9380155b510ea3ba3364c543496cdab0ff97e18722ba83939426901eeb7f013e0618a26e626643fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.dll

Filesize
151KB

MD5
1bf73d9f025be036e5acc0cfe1928af4

SHA1
80dca2951603b3383c319a43da1a1e93b8f369d5

SHA256
5580588820f429d6d17c73c0526e032e5fdb2e2b1343071f5c4fc379c209353a

SHA512
4212e4cb5738998837a2f62ee5c326d1461c31300894f1d9380155b510ea3ba3364c543496cdab0ff97e18722ba83939426901eeb7f013e0618a26e626643fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\system.exe

Filesize
315KB

MD5
f74b265e5da8b9094b627b43dc330fe2

SHA1
528750e48eb39ea00ce0ad0f094d6b4d248e5155

SHA256
2f90de3c1fce18a2fc396f99f7e03bf3a3bb7cac911b194a98dda191011de0bb

SHA512
377386cfad937f803fe5fb9b1964515996a5eee47bed974c54887d0d7af92718f8c423bd0ff6546331e02b39b23a1fc3ec2cb5ea4a1b4b5e1885c0b7a99a3f0f

Download Submit
C:\Users\Admin\Downloads\VirusCollection .zip

Filesize
571.7MB

MD5
114fffa0822d7897307f8001d9bd872a

SHA1
d6ef493b79df63c48b8b798716384b5a83ec2bce

SHA256
fbd87c34ab60337f178f8f246336de88defb24dde931ca15a9d07be0371014cf

SHA512
cf2ea145f932b32fbb274fb5dba88f7d153d7d455ac9d23dbbd5dff1faad5c66ca58f7056db0a1caf09e6b5ba7cecbc0703d685d5b585e34a8c1b35e4b0a5372

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\Virus\EthicalHackingTools Setup.exe

Filesize
11.2MB

MD5
2b4de576cc897dba5c6c9b7bab273bcf

SHA1
53f9cb004413cfc277878efe0c70a261ea7cd502

SHA256
1e2796b060e7c4876df3b648ac7f55a19b0c03369eecc75616755f356753e867

SHA512
d96f721a0edecf38d50c8f4c40009769996d7a51a422c5b5d30469b06f5fa2b8b8d5e1650a15725a86c9d0cbe22e2c3732564d1c0ca2eeddfceb935a9c27df77

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\Butterfly On Desktop_1.0.exe

Filesize
6.7MB

MD5
ad3de6f0bcaaeae04496d25e1104ddb9

SHA1
37316fbaf792816268d5c181fae7eedbbc6427cb

SHA256
a84bd135f9efdf2b8edeeaaf497809f4c6ec853f2cf47c7f5b8cf36c55a40d14

SHA512
ddb5f24841e38e22be019c411772b291b5b045e9b6f4f9d7ec9e0fb38f089712cec4025112d109059e13eda1040725cb18508bed5ef9e8eeb53cc0b3b5ca2def

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\Butterfly On Desktop_1.0.exe

Filesize
6.7MB

MD5
ad3de6f0bcaaeae04496d25e1104ddb9

SHA1
37316fbaf792816268d5c181fae7eedbbc6427cb

SHA256
a84bd135f9efdf2b8edeeaaf497809f4c6ec853f2cf47c7f5b8cf36c55a40d14

SHA512
ddb5f24841e38e22be019c411772b291b5b045e9b6f4f9d7ec9e0fb38f089712cec4025112d109059e13eda1040725cb18508bed5ef9e8eeb53cc0b3b5ca2def

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]

Filesize
138KB

MD5
0b3b2dff5503cb032acd11d232a3af55

SHA1
6efc31c1d67f70cf77c319199ac39f70d5a7fa95

SHA256
ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b

SHA512
484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]

Filesize
138KB

MD5
0b3b2dff5503cb032acd11d232a3af55

SHA1
6efc31c1d67f70cf77c319199ac39f70d5a7fa95

SHA256
ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b

SHA512
484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\jokes\[email protected]

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\BsYY.exe

Filesize
651KB

MD5
a90eabed2ccdbc2ab5866246244f03bf

SHA1
6a81a1e542510029c0ebb42346c86ee6d48d835e

SHA256
678249ce1b9a5e78021a9ca6d2175d25088e11f6a337869edf28b9d1ec18a282

SHA512
dde005a834c7ed5e68d4ed8a07895221e3115e2260f98312b85d236c6130b7006a69ba5c76eb07be51455d79392ae3f4c77556aa9228aa20b05ef69c04f6256e

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\CcEK.exe

Filesize
5.2MB

MD5
fe6369e837eac69a563a92dbd38a233b

SHA1
973fee53ac01904f2b6768600dde2394a13074ae

SHA256
f682956f8b9c979cc43f16be748b1006f588f8147e8fde5c8c016f51a559d94f

SHA512
ea489939c790e1e4e1fd8d5f8a30d454b15cdfd4bbe911a505e258850517bfd1e588371ac4237bc21d61573fd237957fb669f9de9873c9689e9bd7da9e407e3e

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\DcQI.exe

Filesize
813KB

MD5
3e55a7335e8c5f58097f2d85f8d02b78

SHA1
46e92ea713fe9198417ac5ba2035cc4cd0db17b9

SHA256
1e0ea5ea2238b9ca57096f6315eac497ddafd1253d4ac67153c22f95b353ea13

SHA512
16b4501df3b203a98465ce795f7c6f815a83934fe9e300d942682088d5f3fbb6b4235c99da33e8dc3c5115bb4678699ff7b74e8d65fcdbbc8a40701efeaabec0

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]

Filesize
53KB

MD5
87ccd6f4ec0e6b706d65550f90b0e3c7

SHA1
213e6624bff6064c016b9cdc15d5365823c01f5f

SHA256
e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4

SHA512
a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\[email protected]

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\FMwY.exe

Filesize
646KB

MD5
ed155a6700b5b0450a4c8c0e4687058d

SHA1
bf63593d780750a004e0499674c32caea4664ecb

SHA256
4e4c47acede520c34a6a22c51fd001203ce7d24480db95e16b4140f0dade282f

SHA512
17031d7e704c077ccbfa4751dec3d07ffa9f68c7af6b72e1cb61d6f92c3baa43a10562ee2522193d207b224e903acc4ea0f49d13d2038007d2185cc759594e7d

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Fantom.exe

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\LMoM.exe

Filesize
816KB

MD5
cc3e3d1461cf402a39b2b880bfa630d0

SHA1
703754d4ff6e766cdbd8955f8b22636251d0af99

SHA256
46d13456de28806afde62b8a5ce301d91eb16e995a8a7decbd413fef3d95e40c

SHA512
3f36541473d0e3362b3ea356705300a35b0cb69971ec90091d37830cbce2a66b9d8152eb55ee8f529d60af21e88abe7e2ea2eefe74ad38634f11eca0d77be897

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\NEAk.exe

Filesize
782KB

MD5
e7701099913f0e042ea486dd7250a1f1

SHA1
8b5a98c8494a4d4a4b1a8e49f4d11c550123022d

SHA256
412b514563d47d6260ac397d847de147c8797082c86876f388d863ae5162e568

SHA512
346f4e3c0dccc411fb26693e9ed1eaf4d8941089720bbbf6e4a81e859789ebe76557ce85adf9e898b2b329ef0d40f7d79f714488f9e785e2df39a6e59a76f98c

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Ogww.exe

Filesize
637KB

MD5
a223ef8ce5a9a0584c1cbd57970af530

SHA1
28f437f1ac3159778ae513aea23684486f54305b

SHA256
5f156b072ef1b4620eb8ff13aa57c49fe4245fa20c4487cd1e37ddc96f2eb846

SHA512
208db885df2746765a1b14975cfce33dfab25d0e97ae79fb38ad3ef98550dddc46523146919cfeb0024cccf86f01cf66d01a3f9ebf8fa6786dfd837b357ead08

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\RUYU.exe

Filesize
185KB

MD5
53bce98811b82b0e8303e457c00182d1

SHA1
91d7ec2e5660c46ffe6e876e0300f0eae03fdc6c

SHA256
07b9acbc9b6a4575de3658049ffeebe759965eca3603a517ba52a0d32a726974

SHA512
14811207b7714d04c1fc16d8b81e9cb58a873c90ecfd9bf339b29b15695529d82a2917d10e9e5ff7e21cf9dc1926152658f46645355f682e2e00d043e815f008

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\Towg.exe

Filesize
238KB

MD5
fda81a737103807ad90ffcc7cb4b7a4a

SHA1
3297a7ae3f4ebf93f542183e4fc7dddd7718373c

SHA256
67e1d3fa79440f56daf566502b64de236ac98b507c835cb72a073cdeeeb0f73b

SHA512
d075ea885cda14b7988bf37a05e4f210a4cf75966f1fca59b75064fc0fe43def12e8a27e192c2282f51dd9360868d1c7744f5ea70297ba95ba633c6a3cbc27a4

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\VQQE.exe

Filesize
206KB

MD5
d21c94f93d89b251b867e1eacfa1123a

SHA1
426de861fb0f4597e38c012b29d7d61f4be6c03b

SHA256
76f91dcde9e03fbef23508ef64fda9c54b63dea5d155222d96dce36e51ab18d3

SHA512
be62d7a4e8d20620b6534622a4317be83af4f9b676948c0914dd95e8925dd60b2414ed9d144048b908f06a1b3aa84655ab3a4a37df31ad868fe026805418c238

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\WEUG.exe

Filesize
427KB

MD5
0e1c43cbe49826e1b658df09b040568f

SHA1
75aec9d9212e42d1992dfea60d7fd5c5f77bda82

SHA256
447dfb75a6b3089dbd36c52df466e7c4880a6f5ebb62f1f3cf617764c476e583

SHA512
b9315a6b3b8f859c04c930fe00df015b103fabe715fc86ee8ab53f12d256a924b20c960e33eba9028e7b44dc398cab5c6b3cd7dee6a6d4054c1d96d7f7f27bfd

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\aQMO.exe

Filesize
824KB

MD5
f0a75161c3f502d542c06744a065c3d2

SHA1
2896f33a33405f832c29a586f27c6275c14dbfa6

SHA256
cc95fc60decb56cdd500b9c62ef0a5c7d114500d5773d9dee6dabeb8b7855417

SHA512
ace3f2d4b5fab95a08f012158bf0d98e7a68733d344aaf45aeb7c81bdd1aa347fee456810b548a88d18a96f59d885923143a471a371dcdbbafa5fff524049ee2

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\bEsS.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\hwgs.exe

Filesize
315KB

MD5
791568593c7dcf9976527b66362f72c6

SHA1
549c2dca308797a5ee3b488e9bae80b518d2990f

SHA256
79ecb2928f23e937ba5abb0f3d0b9cc6ce975ad51525a2c78ae5a4ba5e75d227

SHA512
5b710c2b7cd9446a5c2d508c3718e3227cf19b98989513ad053f8222448daf00505a47b7e1f43fb3ce213ca0aee63176daaf14fb44f8663004f61cf52244ab29

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\jEse.exe

Filesize
776KB

MD5
da4d45730d40d76a3a94b16520ce05fc

SHA1
d430d02ee4f3b535c025faabb2784bce9c439e11

SHA256
837e1a21bb456e8e521b4bb61a64e3f0d65e48371714406806d971f2716bf841

SHA512
0425bb70288c0fabdfde85667761c08fc2d4500cd519827b3f9fbd7c257dccc6cb317aaede8536c28e3390fc4cdf61dbc9a729b7e781355bed0c1f2c46406e45

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\jsAw.exe

Filesize
640KB

MD5
f48ace0cb224d5c92fe79d1d892ede3d

SHA1
3d22c4ff7f5df863891e07395ec9d72613160aef

SHA256
409b2bbaa0c8eaa0c2ec47a3825566f479d6c9a3bc199f93b7fdf1ea97e14e07

SHA512
b6e29da74e52ee08140894b0c982e8aa00a401f1eef44bc0ecc011d2686c241f7c3cfb6d9e9d05cb12be0a8b241cffc6e68c98f693b811ccd82a084401b9265f

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\lQgy.exe

Filesize
239KB

MD5
9014d5ea58dc4bdb1bcbc7334eafc48a

SHA1
4107ffdc026d54868523b4e5fcb3e19ad69d63de

SHA256
5ee1b24086a05168fd0a026109988e759e4702194a3bc58d5958d7b23ed4297d

SHA512
dbe8831fb42b6d81a633fe472218ca68e3881c2d7698f297e1ecacf382f7bab484a41fbb1f338d79133d278cf901cbcfd0218323506bf67c0fe63de8f8c972f5

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\pMMC.exe

Filesize
816KB

MD5
8a58167ba01afbe36d08709da532f969

SHA1
65638cbcf4ade8290539951f532229336ef43bd0

SHA256
b1dc8c7fd77008132cf960d1e32a3fc94b104fe233022f5f91267fa8e7850043

SHA512
f3cdb5682c37c8b0e8c4a78c90f05ba9b53f582534a40cab745dfdc10b70854af9e146217701e496db69b759fb681023701fea1d933375f0ba1194a02a4f1bc9

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\pcoO.exe

Filesize
657KB

MD5
1ce6af49b1a990278cf7b8f3f6cb6be6

SHA1
e57db922bc2cfeabc7d67a0adf52e29ebc5fe7e9

SHA256
45dc5868526830e01e4e746f6000bbdc94316c3d9679c838a1e6de7c5146e4c8

SHA512
8f8b09d079651623aef74d65f3eb9403f493fca71713fb1457c0a06d3351ce12ae5c96585b95e7a74ec6c9c5cbd63722fe75bf3572ab701ecd06a410e166aeee

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\qMEq.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\qoYS.exe

Filesize
208KB

MD5
143bee1c08224d6e2eda976273eb3a29

SHA1
acf781342f5122f5fd9a09f84f63155e145e7984

SHA256
f16cfc74f6c4be0bfdb0aade4359e7cf19f5c273edd43fae470333f459fef911

SHA512
25a49f69ac9e86d152d8843b3eab76e805221a612ae9dcc448ccd323e646b31c59144696b30dd939448475a79439e2a3671b214f40683fb039407f142fed0606

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\uEQs.exe

Filesize
188KB

MD5
0f62c57fb8457b4be6602ac5eb9c5671

SHA1
0ef8b1ef83958061036eb3b5fd5980eb85684c14

SHA256
14db2c57577c00cd5057dd35ab4f186686ebbee8bc6cea11adb91b7e15f98750

SHA512
4964e99c9a5bdcddd8f91126629de49fad0892238699f33252e7390f75b0adceb3795fdc5c5185fefe530b2109c5f6f872c14f64467d8750ce033b9c5e5e3671

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\wUAa.exe

Filesize
230KB

MD5
a98b1613b7e4188e3fd1af3dfecbacad

SHA1
e203191625e2ccc8f9cc24753057d880f5aabdcf

SHA256
c5fdb306156c1902f97e81d3b540ac50b3885da38cd6fc68704be25cfdfa5cce

SHA512
a70814d88b05caa5fdef281265d1e18a3039cf4a0c2c373e649178c30fd1b7b7c29731acc8489986a256f9ac68ee4a2f14b97a2190efe94640f978ecbd116f0a

Download Submit
C:\Users\Admin\Downloads\VirusCollection\VirusCollection_\ransomwares\xwAK.exe

Filesize
323KB

MD5
f3dc72ef094e0b218422636bf97f33f0

SHA1
b0cb4d4f6a346d679348d00e9ef4337a590db9aa

SHA256
ce4769fdff89f43e7f4d8d14233ada3379d5db1b51c326c0a9bed6530abcc069

SHA512
338652df85fbe38a1872bd25702958b4ef99ee27a90b5c7b50622cab25554aa35f16e7d80e940809a5dd641a7f83b7c8700f19d9b1cdbf7a091b3a384161e404

Download Submit
memory/360-3092-0x000000001C740000-0x000000001CC0E000-memory.dmp

Filesize
4.8MB

Download
memory/360-3158-0x00007FFC165D0000-0x00007FFC16F71000-memory.dmp

Filesize
9.6MB

Download
memory/360-3160-0x0000000002030000-0x0000000002040000-memory.dmp

Filesize
64KB

Download
memory/360-3203-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/916-3078-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1360-1778-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1360-1714-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1580-1394-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1580-1232-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1580-1233-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1580-1451-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/2324-1656-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2324-1670-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2328-1652-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2328-1633-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2944-1412-0x00000000080A0000-0x0000000008132000-memory.dmp

Filesize
584KB

Download
memory/2944-1383-0x0000000007020000-0x0000000007042000-memory.dmp

Filesize
136KB

Download
memory/2944-1239-0x0000000000C50000-0x0000000001300000-memory.dmp

Filesize
6.7MB

Download
memory/2944-1275-0x00000000062F0000-0x0000000006322000-memory.dmp

Filesize
200KB

Download
memory/2944-1283-0x00000000062D0000-0x00000000062EA000-memory.dmp

Filesize
104KB

Download
memory/2944-1291-0x0000000006360000-0x0000000006390000-memory.dmp

Filesize
192KB

Download
memory/2944-1299-0x0000000006390000-0x00000000063B6000-memory.dmp

Filesize
152KB

Download
memory/2944-1307-0x0000000006330000-0x000000000633A000-memory.dmp

Filesize
40KB

Download
memory/2944-1315-0x00000000063E0000-0x00000000063E8000-memory.dmp

Filesize
32KB

Download
memory/2944-1323-0x0000000006440000-0x000000000646A000-memory.dmp

Filesize
168KB

Download
memory/2944-1331-0x00000000064A0000-0x00000000064CC000-memory.dmp

Filesize
176KB

Download
memory/2944-1341-0x0000000006470000-0x000000000648D000-memory.dmp

Filesize
116KB

Download
memory/2944-1358-0x00000000069F0000-0x0000000006A02000-memory.dmp

Filesize
72KB

Download
memory/2944-1377-0x00000000070B0000-0x000000000713C000-memory.dmp

Filesize
560KB

Download
memory/2944-1382-0x00000000066E0000-0x00000000066EA000-memory.dmp

Filesize
40KB

Download
memory/2944-1264-0x0000000005D80000-0x0000000005DA8000-memory.dmp

Filesize
160KB

Download
memory/2944-1384-0x00000000072E0000-0x0000000007637000-memory.dmp

Filesize
3.3MB

Download
memory/2944-1390-0x00000000079D0000-0x00000000079DC000-memory.dmp

Filesize
48KB

Download
memory/2944-1393-0x00000000083B0000-0x0000000008956000-memory.dmp

Filesize
5.6MB

Download
memory/2944-1400-0x0000000009F20000-0x000000000A4D4000-memory.dmp

Filesize
5.7MB

Download
memory/2944-1242-0x0000000005DC0000-0x0000000005DD0000-memory.dmp

Filesize
64KB

Download
memory/2944-1431-0x0000000007970000-0x000000000799E000-memory.dmp

Filesize
184KB

Download
memory/2944-1632-0x0000000005DC0000-0x0000000005DD0000-memory.dmp

Filesize
64KB

Download
memory/2944-1240-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/2944-1457-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/2944-1241-0x0000000005DD0000-0x00000000061B4000-memory.dmp

Filesize
3.9MB

Download
memory/3528-1447-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3528-1269-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3528-1644-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3548-1442-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3548-1236-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/3756-1506-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1490-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1463-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3756-1466-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1468-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1459-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3756-1456-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1712-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/3756-1455-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1454-0x00000000746D0000-0x0000000074E81000-memory.dmp

Filesize
7.7MB

Download
memory/3756-1453-0x0000000004A10000-0x0000000004A42000-memory.dmp

Filesize
200KB

Download
memory/3756-1452-0x00000000049E0000-0x0000000004A12000-memory.dmp

Filesize
200KB

Download
memory/3756-1460-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1585-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/3756-2572-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3756-3042-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3756-1584-0x0000000004A70000-0x0000000004A71000-memory.dmp

Filesize
4KB

Download
memory/3756-1583-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3756-1470-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1472-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1516-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1514-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1512-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1474-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1476-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1480-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1510-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1478-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1508-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1464-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1504-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1502-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1500-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1498-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1496-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1494-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1492-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1482-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1488-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1486-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3756-1484-0x0000000004A10000-0x0000000004A3B000-memory.dmp

Filesize
172KB

Download
memory/3884-1660-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-1658-0x0000000003E70000-0x0000000003EA1000-memory.dmp

Filesize
196KB

Download
memory/4160-3202-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/4160-3170-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/4160-3165-0x00007FFC165D0000-0x00007FFC16F71000-memory.dmp

Filesize
9.6MB

Download
memory/4160-3161-0x0000000001540000-0x0000000001550000-memory.dmp

Filesize
64KB

Download
memory/4160-3100-0x00007FFC165D0000-0x00007FFC16F71000-memory.dmp

Filesize
9.6MB

Download
memory/4160-3094-0x000000001C530000-0x000000001C5CC000-memory.dmp

Filesize
624KB

Download
memory/4176-1645-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4548-1648-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads