Analysis
  max time kernel: 127s
  max time network: 139s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 28-04-2024 03:37
Static task
  static1

Behavioral tasks
  task          resource                sample
  behavioral1   win7-20240215-en        AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest3.exe
  behavioral2   win10v2004-20240419-en  AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest3.exe
  behavioral3   win7-20240221-en        AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest4.exe
  behavioral4   win10v2004-20240419-en  AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest4.exe
  behavioral5   win7-20240215-en        AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/usbwrite.exe
  behavioral6   win10v2004-20240426-en  AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/usbwrite.exe
  behavioral7   win7-20240221-en        AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/AntivirusDefender.exe
  behavioral8   win10v2004-20240419-en  AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/AntivirusDefender.exe
  behavioral9   win7-20240221-en        AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/defender.exe
  behavioral10  win10v2004-20240419-en  AntivirusDefender-main/AntivirusDefender/AntivirusDefender/bin/Debug/defender.exe
  behavioral11  win7-20240221-en        AntivirusDefender-main/AntivirusDefender/AntivirusDefender/obj/Debug/AntivirusDefender.exe
  behavioral12  win10v2004-20240419-en  AntivirusDefender-main/AntivirusDefender/AntivirusDefender/obj/Debug/AntivirusDefender.exe
  behavioral13  win7-20240221-en        AntivirusDefender-main/AntivirusDefender3.2.bat
  behavioral14  win10v2004-20240419-en  AntivirusDefender-main/AntivirusDefender3.2.bat
  behavioral15  win7-20240215-en        AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.exe
  behavioral16  win10v2004-20240419-en  AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.exe
  behavioral17  win7-20240221-en        AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.vshost.exe
  behavioral18  win10v2004-20240419-en  AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/bin/Release/JigsawRansomware.vshost.exe
  behavioral19  win7-20240221-en        AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/obj/Release/JigsawRansomware.exe
  behavioral20  win10v2004-20240226-en  AntivirusDefender-main/JigsawRansomware/JigsawRansomware/JigsawRansomware/obj/Release/JigsawRansomware.exe
  behavioral21  win7-20240220-en        AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/bin/Debug/antivirusfalsepositivetest3.exe
  behavioral22  win10v2004-20240419-en  AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/bin/Debug/antivirusfalsepositivetest3.exe
  behavioral23  win7-20231129-en        AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/obj/Debug/antivirusfalsepositivetest3.exe
  behavioral24  win10v2004-20240419-en  AntivirusDefender-main/antivirusfalsepositivetest3/antivirusfalsepositivetest3/obj/Debug/antivirusfalsepositivetest3.exe
  behavioral25  win7-20240215-en        AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/JigsawRansomware.exe
  behavioral26  win10v2004-20240419-en  AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/JigsawRansomware.exe
  behavioral27  win7-20240221-en        AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/blacklotus.exe
  behavioral28  win10v2004-20240419-en  AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/blacklotus.exe
  behavioral29  win7-20240220-en        AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/c.exe
  behavioral30  win10v2004-20240419-en  AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/c.exe
  behavioral31  win7-20231129-en        AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/f.exe
  behavioral32  win10v2004-20240419-en  AntivirusDefender-main/antivirusfalsepositivetest4/antivirusfalsepositivetest4/Resources/f.exe
General
  Target: AntivirusDefender-main/AntivirusDefender/AntivirusDefender/Resources/antivirusfalsepositivetest4.exe
  Size: 10.1MB
  MD5: 97f44c7df82adc19ce025cfc8958245c
  SHA1: 699fb553ea85db7c6c5fc5118ab7a1a0c3b19602
  SHA256: 0fc9a98ed6bad1f94e0357b6bb833b4eca20bea119abc0cdfa3bb4caeeddcda1
  SHA512: e2da423ba4eee8f4e836f5eeed82bfe9cf482a911200f805dcdff20d41901c73b40faf187c66ef2e32f9ec8f6d565c43f38229c026285dd0411d4c1c8c22c27e
  SSDEEP: 196608:QbxNMGrnhzvYf9EfmiAf1qkB8I9r1UhraBMBMBR:kMGr4+BAf1qC1caBMWBR
Malware Config

Signatures

Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.

Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxGuest | a.exe
  Key opened | \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxMouse | a.exe
  Key opened | \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxService | a.exe
  Key opened | \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxSF | a.exe
  Key opened | \Registry\Machine\SYSTEM\ControlSet001\Services\VBoxVideo | a.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \Registry\Machine\HARDWARE\ACPI\DSDT\VBOX__ | a.exe
  Key opened | \Registry\Machine\HARDWARE\ACPI\FADT\VBOX__ | a.exe
  Key opened | \Registry\Machine\HARDWARE\ACPI\RSDT\VBOX__ | a.exe

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \Registry\Machine\SOFTWARE\Oracle\VirtualBox Guest Additions | a.exe

Renames multiple (2133) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

Drops file in Drivers directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\drivers\RwDrv.sys | l.exe

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \Registry\Machine\SOFTWARE\VMware, Inc.\VMware Tools | a.exe

Checks BIOS information in registry (2 TTPs, 1 IoC)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | a.exe

Executes dropped EXE (9 IoCs)
  pid | Process
  2572 | thirdpartyclamavinstaller.exe
  2564 | thirdpartyclamavinstaller.exe
  2028 | jigsaw.exe
  2544 | a.exe
  1396 | c.exe
  1880 | f.exe
  812 | l.exe
  1664 | z.exe
  2060 | drpbx.exe

Loads dropped DLL (13 IoCs)
  pid | Process | events
  1752 | antivirusfalsepositivetest4.exe | 9
  1028 | WerFault.exe | 4

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 4 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe" | jigsaw.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyGigaPp = "C:\\Users\\Admin\\thirdpartyclamavinstaller0.exe" | antivirusfalsepositivetest4.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\jahrein = "C:\\Users\\Admin\\AppData\\Local\\Temp\\AntivirusDefender-main\\AntivirusDefender\\AntivirusDefender\\Resources\\rebcoana.exe" | antivirusfalsepositivetest4.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Media = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AntivirusDefender-main\\AntivirusDefender\\AntivirusDefender\\Resources\\z.exe\"" | z.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks system information in the registry (2 TTPs, 1 IoC)
  System information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  2544 | a.exe

Drops file in Program Files directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | f.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process | events
  2572 | thirdpartyclamavinstaller.exe | 64

Suspicious behavior: LoadsDriver (1 IoC)
  pid | Process
  472 | Process not Found

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2572 | thirdpartyclamavinstaller.exe
  Token: SeDebugPrivilege | 2564 | thirdpartyclamavinstaller.exe
  Token: SeDebugPrivilege | 1752 | antivirusfalsepositivetest4.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process | events
  1880 | f.exe | 2

Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | events
  PID 1752 wrote to memory of 2572 | 1752 | antivirusfalsepositivetest4.exe | 28 | 7
  PID 1752 wrote to memory of 2648 | 1752 | antivirusfalsepositivetest4.exe | 29 | 4
  PID 1752 wrote to memory of 2564 | 1752 | antivirusfalsepositivetest4.exe | 31 | 7
  PID 1752 wrote to memory of 2656 | 1752 | antivirusfalsepositivetest4.exe | 32 | 4
  PID 1752 wrote to memory of 2004 | 1752 | antivirusfalsepositivetest4.exe | 34 | 4
  PID 1752 wrote to memory of 2664 | 1752 | antivirusfalsepositivetest4.exe | 35 | 4
  PID 1752 wrote to memory of 2028 | 1752 | antivirusfalsepositivetest4.exe | 37 | 4
  PID 1752 wrote to memory of 2436 | 1752 | antivirusfalsepositivetest4.exe | 39 | 4
  PID 1752 wrote to memory of 2544 | 1752 | antivirusfalsepositivetest4.exe | 40 | 4
  PID 1752 wrote to memory of 1164 | 1752 | antivirusfalsepositivetest4.exe | 42 | 4
  PID 1752 wrote to memory of 240 | 1752 | antivirusfalsepositivetest4.exe | 43 | 4
  PID 1752 wrote to memory of 1396 | 1752 | antivirusfalsepositivetest4.exe | 45 | 4
  PID 1752 wrote to memory of 964 | 1752 | antivirusfalsepositivetest4.exe | 47 | 4
  PID 1752 wrote to memory of 1880 | 1752 | antivirusfalsepositivetest4.exe | 49 | 4
  PID 2544 wrote to memory of 1028 | 2544 | a.exe | 50 | 2
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, command line, PID and matched signatures)

[PID 1752] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\antivirusfalsepositivetest4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\antivirusfalsepositivetest4.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [PID 2572] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  [PID 2648] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller.exe" "C:\Users\Admin\thirdpartyclamavinstaller.exe" & pause

  [PID 2564] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  [PID 2656] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller.exe" "C:\Users\Admin\thirdpartyclamavinstaller.exe" & pause

  [PID 2004] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller0.exe" "C:\Users\Admin\thirdpartyclamavinstaller0.exe" & pause

  [PID 2664] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\jigsaw.exe" "C:\Users\Admin\jigsaw_backup.exe" & pause

  [PID 2028] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\jigsaw.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\jigsaw.exe"
    - Executes dropped EXE
    - Adds Run key to start application

    [PID 2060] C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe
      command line: "C:\Users\Admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\jigsaw.exe
      - Executes dropped EXE
      - Drops file in Program Files directory

  [PID 2436] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\a.exe" "C:\Users\Admin\a_backup.exe" & pause

  [PID 2544] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\a.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\a.exe"
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks system information in the registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    [PID 1028] C:\Windows\system32\WerFault.exe
      command line: C:\Windows\system32\WerFault.exe -u -p 2544 -s 16
      - Loads dropped DLL

  [PID 1164] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\b.exe" "C:\Users\Admin\b_backup.exe" & pause

  [PID 240] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\c.exe" "C:\Users\Admin\c_backup.exe" & pause

  [PID 1396] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\c.exe"
    - Executes dropped EXE

  [PID 964] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\f.exe" "C:\Users\Admin\f_backup.exe" & pause

  [PID 1880] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\f.exe"
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

  [PID 1992] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\l.exe" "C:\Users\Admin\l_backup.exe" & pause

  [PID 812] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\l.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\l.exe"
    - Drops file in Drivers directory
    - Executes dropped EXE

  [PID 764] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\m.exe" "C:\Users\Admin\m_backup.exe" & pause

  [PID 2484] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\z.exe" "C:\Users\Admin\z_backup.exe" & pause

  [PID 1664] C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\z.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\z.exe"
    - Executes dropped EXE
    - Adds Run key to start application

  [PID 2288] C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\of.exe" "C:\Users\Admin\of_backup.exe" & pause
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\b.exe
Filesize: 96KB

C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\c.exe
Filesize: 44KB

C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\l.exe
Filesize: 334KB

C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller0.exe
Filesize: 11KB

C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\z.exe
Filesize: 85KB

C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\JigsawRansomware\JigsawRansomware\packages\Newtonsoft.Json.10.0.3\lib\net45\Newtonsoft.Json.xml.fun
Filesize: 658KB

\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\a.exe
Filesize: 2.4MB

\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\f.exe
Filesize: 3.0MB

\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\jigsaw.exe
Filesize: 60KB

\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender\AntivirusDefender\Resources\thirdpartyclamavinstaller.exe
Filesize: 14KB