Resubmissions
29-06-2024 07:53
240629-jrbzwatdqe 1029-06-2024 07:51
240629-jpsvlswgrn 529-06-2024 07:48
240629-jnc3rswgqk 329-06-2024 07:37
240629-jf3y8atcpa 1029-06-2024 07:36
240629-je8s3stcnd 829-06-2024 07:34
240629-jd4gzawfqq 129-06-2024 07:33
240629-jdq7mstcld 129-06-2024 07:29
240629-jbarwawfnj 7Analysis
-
max time kernel
934s -
max time network
992s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
-
submitted
29-06-2024 07:53
General
-
Target
The-MALWARE-Repo
-
Size
284KB
-
MD5
1c0a02c3390b9fd77746574def84b1d1
-
SHA1
2e62ae7936cf5b6398308f702ddbb06427091109
-
SHA256
29dc64e0ada4c711d0452801d3364b2f44cf4bd52337547aaa2f40744da97cd1
-
SHA512
4f62bc5c219a6fa412dc06653227561b10cb32d144be733e0b2e57dea24baa17683dc09b84c57237326e6909e27f42ea7e1f70032eeff455d12423364bc433a2
-
SSDEEP
6144:ibRoQ02n9dH5M2vkm0y3Cl3pId9Rj9vvZJT3CqbMrhryfQNRPaCieMjAkvCJv1VZ:qRoQ02n9dH5M2vkm0y3Cl3pId9Rj9vvC
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (592) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 3 IoCs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
-
Deletes itself 1 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 9 IoCs
-
Loads dropped DLL 14 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 47 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 9 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 36 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.934918005\301938980" -parentBuildID 20230214051806 -prefsHandle 1796 -prefMapHandle 1788 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a2f0ab8-1fd0-4388-97f6-84aba8598076} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1888 28453223758 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.1.1383736794\946188684" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b389b5c-93f8-48c4-8427-cd2d72908143} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2416 28446586058 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.2.1291002947\1857721117" -childID 1 -isForBrowser -prefsHandle 3056 -prefMapHandle 3052 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30affb93-e442-498c-9cb2-b2ee4a98d330} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3068 2845610fc58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.3.1000492465\528760318" -childID 2 -isForBrowser -prefsHandle 3584 -prefMapHandle 3580 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a10ef49-b62e-48b1-8aa3-1095def652d0} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3592 28458890158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.4.1267151407\428172120" -childID 3 -isForBrowser -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f07194c-ba10-4198-850d-a9f8ed61e1f3} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5108 2845b277658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.5.2095402685\341004309" -childID 4 -isForBrowser -prefsHandle 5236 -prefMapHandle 5244 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {22ccb69b-5413-450d-9ff7-a1072bb1bb58} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5316 2845b278258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.6.163119557\751402702" -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5508 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {977ca08b-f276-43f9-a4c2-129dae121ba5} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5436 2845b278e58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.7.1333887165\994208310" -childID 6 -isForBrowser -prefsHandle 1560 -prefMapHandle 5436 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e09142ae-ecc2-454d-bbdd-ab63bd65bd2b} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5884 2845af68358 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.8.858730122\2119042937" -childID 7 -isForBrowser -prefsHandle 5304 -prefMapHandle 5092 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {32bf1d69-a880-4058-ae09-1a0c47521905} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3844 28458b49b58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.9.618830945\594160103" -childID 8 -isForBrowser -prefsHandle 3560 -prefMapHandle 2684 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2eb372ef-7ddc-468e-aaf7-9fee54fea8c7} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 5232 28459761758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.10.1348793360\1808921121" -childID 9 -isForBrowser -prefsHandle 5092 -prefMapHandle 6544 -prefsLen 28271 -prefMapSize 235121 -jsInitHandle 984 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14048f11-27b6-43e7-ae3f-5ce2e912e3b6} 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2944 2845c0e8858 tab3⤵
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\BabylonClient12.msi"3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt1⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Trololo.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\Trololo.exe"1⤵
-
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im explorer.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\taskkill.exetaskkill.exe /f /im taskmgr.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004CC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 4563⤵
- Program crash
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\drivers\spoclsv.exeC:\Windows\system32\drivers\spoclsv.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"2⤵
- Drops startup file
- Executes dropped EXE
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 79C7608D30027FD22BD28C48BADCF576 C2⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3560 -ip 35601⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\f125598af73b439393c9b5483dc67510 /t 49300 /p 492921⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"2⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\WebsiteSourceCode\index.html.id-0354D2D0.[[email protected]].txt2⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\WebsiteSourceCode\README.md.id-0354D2D0.txt2⤵
-
C:\Windows\SysWOW64\appidtel.exe"C:\Windows\SysWOW64\appidtel.exe"2⤵
-
C:\Windows\SysWOW64\appidtel.exe"C:\Windows\SysWOW64\appidtel.exe"2⤵
-
C:\Windows\SysWOW64\AtBroker.exe"C:\Windows\SysWOW64\AtBroker.exe"2⤵
-
C:\Windows\SysWOW64\AtBroker.exe"C:\Windows\SysWOW64\AtBroker.exe"2⤵
-
C:\Windows\System32\cleanmgr.exe"C:\Windows\System32\cleanmgr.exe" /D C2⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
-
C:\Users\Admin\AppData\Local\Temp\2CDCA9C0-7ED3-420F-9F44-E68902213049\dismhost.exeC:\Users\Admin\AppData\Local\Temp\2CDCA9C0-7ED3-420F-9F44-E68902213049\dismhost.exe {F1B7E10E-C38B-4CD0-8DA5-6E2F126AD7C0}3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Microsoft Word.txt2⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Microsoft Word.txt2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc1⤵
-
C:\Windows\system32\printfilterpipelinesvc.exeC:\Windows\system32\printfilterpipelinesvc.exe -Embedding1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Accessibility Features
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-952492217-3293592999-1071733403-1000\$IMK91R8Filesize
52B
MD5101cf98a028a0ca80c789be1faab321f
SHA12220b4998991c17b49456d38b55d2b366e0e30f3
SHA256a9ea04c46d6673718e18f93d1a8b98bd528c37a50e201da26f3370a1ee8ecadf
SHA512b2f67ffedd17ce1b938e1921401e3318239fae7aa696594eae43e27a91ef74c1698d4d3f0d9fd4741b6b03a2bc13cab747a997d1206a778ca9cd3ab6def82f8b
-
C:\$Recycle.Bin\S-1-5-21-952492217-3293592999-1071733403-1000\desktop.iniFilesize
129B
MD5a526b9e7c716b3489d8cc062fbce4005
SHA12df502a944ff721241be20a9e449d2acd07e0312
SHA256e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
C:\Program Files\Common Files\System\symsrv.dllFilesize
72KB
MD5ccf7e487353602c57e2e743d047aca36
SHA199f66919152d67a882685a41b7130af5f7703888
SHA256eaf76e5f1a438478ecf7b678744da34e9d9e5038b128f0c595672ee1dbbfd914
SHA512dde0366658082b142faa6487245bfc8b8942605f0ede65d12f8c368ff3673ca18e416a4bf132c4bee5be43e94aef0531be2008746c24f1e6b2f294a63ab1486c
-
C:\Program Files\Common Files\System\symsrv.dllMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-0354D2D0.[[email protected]].ncovFilesize
2.7MB
MD5561c307ee6d9da31ef81b4fb97f01b42
SHA1aeea6f980cebbce6922f5b0673cf157005ba98c0
SHA2568d28603ebeed9df7c154627b6399b2c9cb6d647b7a32cd663222f0c4042067bb
SHA512c4fbbd6b899ef018c45239afb4e39d40a7c4f424a56ca7bbe9fc1c9b8372d0b91e7466d7372c2ccb849980f3659f944c5e49818dea01e884917c98d9647986f5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBFilesize
471B
MD5f0654c059b469b80a1a21c6b744d16e2
SHA134edf2534fdaa5adfc9c2a8f52cc0ad013270712
SHA256a4a643e74d678940c32fe6a6ca55c8cf88a6e27b37efa08d681c5606358fb0fd
SHA512685c12940cf1d8a8c56059f31377161c930e5a0c539abe8b74db99fe27b031c31f948cec911424edf38e588c8b2020190d1419d54ac08d7b3671827b20895caf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_2E76130AF11138F39D76E0D756C0740AFilesize
727B
MD55ee6ccbc7d233848a628fe046d0ce599
SHA17e6a4c74b3673e6f990fcf3485d25af6c6f76ddc
SHA256cf9f7121e90e65989ca548a9fb36cc1d55809884b9899c77353941a2df2cf643
SHA5128bddf19aca9b8f16a8c5ac2275794d8133341a4accbca41c0d17364e0afd3691358eb38b73e263c973654fdd00ff405902e0618b681b64e544b7cf6c79beefa6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Filesize
727B
MD5dad7bc23e39f06d077a9f739394e8e33
SHA17942295abaf525debc484226f4ddf9303a089b0d
SHA256a04b55710053f213a4524156034513c51c148173ae09c7da6b728315a1402387
SHA512181c56bb9904a3b655149a00d595b07285e55bffd5489f3c16aa17b1b30b13c8f515a5ae95269f7ba26dd84018077e06faa3e76def408ecf5c01d07c784c46c4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBFilesize
400B
MD57f4de0f454053cd263cd4e3166ab3dd1
SHA173e238f06b893943172b9ff8762d8b0e6be97c2c
SHA25656939d897c803c8af758031c97c0180929692e83e85e71c9c10c04ae0d928a09
SHA512617dbe3fbcddc5aa6dc812ef6828c18b393ff2c3256c5dd1dc8235b4978aeacac64f8b4911a46f1f946943ce5406b278e5cbbe486f10229028bc7a367c4bb189
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_2E76130AF11138F39D76E0D756C0740AFilesize
404B
MD5903b28c327402bdff3a94b634ac2a2ef
SHA1980e65578ae19f2c64f982fa93b22aa337bde4df
SHA256f07acc69bf3732a659fd5c2d1e0fb264b524f06bfb15b993e713abd0b1d3fa3e
SHA512345b685ef9d2ec4902e47864273958ed3b36a2574149b4d855e121d39e7ad37d1137a2707494ebe688b0cb7c5a8711177afd3a51afd10fa02dd85cdf31fad3ed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Filesize
412B
MD50d169ddd47d36bcc1acd6c5dd91ca9c5
SHA1fe51abd03acff138401e0ad9b7ed1dc90c1e9ce2
SHA256b79458e8c80089684d71c5ee0c2e9bbf0dc0b499090815fc9164c82584a77291
SHA512a3836ee6e4592ff497a5dc0f66ecfc1a3f29fb9fb3f291a4dc0945ad2ecef5f6f3b90254befaf1d22a16b380ea3ba5491c05b6a40403e91da115a12fa68ad2c7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD5ce07cad48574d860b6c13ceb34970916
SHA17426182df48ff4067880a078f756e1d230b2ee64
SHA2569b53a8d79e3c7bdfaa6e420c27fe3f5419279279920753f756cdbf1380ff2204
SHA512dd8b8b673697fe4d26d1555c6a7371e22b7ed27d112d932cee7c7e82e0338a3a22fa79977a4456b918c5f7d7ee8b88fdbcbdeaabe5f17281b58dcb5f1e5d34e2
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xde90bbv.default-release\activity-stream.discovery_stream.json.tmpFilesize
37KB
MD55ac9836a5f70b5007cddb5e7f987ef6f
SHA1692f0c41cd01d7400dc41c628ada3e73243fa95e
SHA256152e0ac1a173c39921580975e37b57d4bd132a45b3c7c17601dca82f13d858f8
SHA512a7f2ac89a4fb865de7a18589bbd5c73be93c9820e635a78c2c585620e86418427893a3e350cda197f95d934ba0e6824fbee9595f2ce3b2d444c2996495512b56
-
C:\Users\Admin\AppData\Local\Temp\MSIA3F2.tmpFilesize
421KB
MD56425466b9a37d03dafcba34f9d01685a
SHA12489ed444bce85f1cbcedcdd43e877e7217ae119
SHA25656f8ca5b2079bc97a7af9c015ed4b6163635baef0d9a287d19fc227fc330c53d
SHA51262f4c79d165282db14b662d4242a065af4c8a642f2023032ab5a059e2d6001f0b80e9a0562989013acf01a80a67491be9b671e6bd99220cf9d4fb44a17719371
-
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\BException.dllFilesize
142KB
MD5a2d4928c9836812735b3516c6950a9ec
SHA101873285eec57b208fa2d4b71d06f176486538c8
SHA25679ca108d5c51259d8fb38ed1cfcc5a70e9cf67a5954e52a4339b39ff04fa20c8
SHA512d03964a2bb597bf0fdefb787de3b462010c4cd02d286b16587a03b5228553a307d1b8f472c312e0d8bb53f21570aa5b112d85193cf42b83ef33fb7905855eba7
-
C:\Users\Admin\AppData\Local\Temp\{09EAD19A-804B-444F-B17C-15F8C5837E63}\BabyServices.dllFilesize
922KB
MD511bf30b923d096bc73918c6079a927d3
SHA1c75809bb25651e4e94a0dcdb2d124e64dd49287f
SHA25660e601066d4a203e39eefe70ac05e1aac9b45f47f532e038affa8dae4e009275
SHA5123f22b336df3a311ae707132a0451c83642683a01e1d0dd1b01f7c4f182efcd0bdec4c3effe02321d0aa619226f80853356e7e8692c443bf2f74a9ea382b3f03c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-msFilesize
1KB
MD582cc65efe9fc6e6490124e854c245dc3
SHA16820c4fa32f1082b508ea568b4e2ce1c59566aae
SHA256e2da65c41225ab3b05647b474d6869c1ab9395f8191f840566a831e6c0fdb56c
SHA512cea507635fcbc7f6a5d08b6753ba09617d133e3c7afaab8a926a020178b0ac4eb2b03b756e6eccaaab8a3eded1fa400c2bd411047e373e53c0a08e92d3763e60
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-msFilesize
5KB
MD5393a83b2f55f69eb6579c1a83cdfbb04
SHA17011333165797aedc9ca1528927325ff4544205d
SHA256d4d8ba21bbeb21ace9f46a69a1fb4944781ab3c4d057e91c77bc9d6a80da1cd3
SHA512f43c7e6f8b4f6b6e342cfbbc1ef971872e5b6d82d08dc0200ab2bfc87475a9cb0cbfb12597ac60845efb34f6bec78dd1e076ffd4c4f7f15695c00ff982d85cd7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-msFilesize
6KB
MD5356183a90995955faeb11d4afd1db475
SHA1d45a1452361cfb647782de300b6bb179f2ca555b
SHA2562760a7aedbd24004186867ae370b3c7c77b38d176fcbf704d5e8819645253e0b
SHA512de933bef95a43aea6769e246419ba4cd37721df960ea8d4e7d60d4a1c46850c747101338a8e75e795a98beb2f8b877894fcad04e1d5a5ac73ecd2d2ff0d34097
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-msFilesize
7KB
MD5415eb5567f47a966e71cf8646f60f24e
SHA1dffdf4dc4a357899a59b35dbcc2381afe0ab1406
SHA256417e7c097a3c995496e0943692b60b0755dd47f5d165b275e3701e8bcb935740
SHA512f472924568141acf6fae48c02d349d261a6c50622dfa29d6b5eed0cefc62a05dc64dee3c71c9fffe9ae3bda12dacbaff5e04448a136d7e3d1d91c7a55a2fb8af
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-msFilesize
7KB
MD5640d016070ff12099f2acef9cde48456
SHA12221f6714ed60bc4b136fcf385587a60600cc371
SHA2560dca421650fd83d0ba5ebad673aade7b944a2f163f4a486acf6a6024daf3bf8f
SHA5127c4cc5e1717db9b1fb18e41176b46e4c3eab429272f13909fbe088c210a6076398b53706f8968e23951606b4fad25c72704aee179f60064e2d51b697a297bf0e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
19KB
MD592c3161ab8adef2174573618547da695
SHA1281b2fa559ae092af81af531fea14c374f0f1497
SHA2568dd40256dae5b4bb63572a4307f450a054b9e2fefab673dec5266caf495d3bb3
SHA51264b5fc082b0816ecaa357e2262d900601c456d5186f9f5465bc19d5c7b98d56c0fef844039e3ea364c685f7ffe6c39b0a9e260c8e98f4c93c83953fcf1dd44ab
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
19KB
MD5a8e78e1dec59ed679ae22be279a37058
SHA18fb5cbef40649c1769c455f96f3854715ad51226
SHA2561f307c169fa5dc6fe1b790b1d0126237b944c130024214083ba9fca608d6cf9c
SHA512300cf5913ea8fad717df9131467fa8447057646729e9f7070c1151db24afa0c2bd02aaa8e0e593113caf58fb089e28e83cbb21ec369699ab1f4f20ef103307da
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
19KB
MD5a14f9f9e093b57dfc567c386cc129fba
SHA1dcd2a14beb5ae89f23a02b4f82dbe9cc38bce9a6
SHA256861abcf0cba1075ac9d92d5ed37100d7df47b11dd70a9f41b0c70c3921663b43
SHA512417692a8dc68d15eeb9b8253b74d1029eb6d1c7a01a5db923185da1763c7a61d11f086e9ec8b9273bde1069aab77237f443cbac317e42dfd1bc9aa201379b61e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
19KB
MD5b414911360bf08307de6ce9ba10d05ce
SHA1f545d2de122242c34789a8a55aaa1881722e82c9
SHA2567cd9ff4ce0fa4b7d3d38c5325ac19f8fb2996aa2c0b689a7543815e64844be54
SHA5122c6f776c7bb2f941779b6dd5fda1c628f34c34a4c1ceb1fbc4a9aea3556482432faceff4eeb8e9c2e1d4076f0a5e34c544d617b7cda06b9e7c816157bdbecd92
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-msFilesize
19KB
MD5aa0c6b4c5e19517f7405de04050901dc
SHA1a7b8a3204833d27ea2b4b8e460785724869b6b8b
SHA256f55bdc47de5861373cc5d77b9f31b19227e513bb13c18836cd4d1c0e2625eafa
SHA512d2a4af7e3405976b5d2ac6f9dcf4c103835685338ac4f41f273376b826f664bf2cfd7a68154613c74890f4efc773bd4778de0e15c3a015a496815e6aeaa1597a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\prefs-1.jsFilesize
6KB
MD567a6ba2fa539ba326e21b906647b1f27
SHA1c242ddb7cd75b7946e74f1078a9ddd2390f788d6
SHA256f49c4be1bd8beb7af5adac3d21ac0624719bd0ad4a07867fd3c9821584ffbff5
SHA512b905278e3c211a46d67c9ba475544be589c26ee46f4f48333dcc4e3200a04484eea89a02f1e3e297003f0c327efd87f8b19c7885f985ac7015d14fbce2f5a98a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\prefs-1.jsFilesize
7KB
MD54b1972995be78f435e51751e1f8be47c
SHA1d9d8768f83f4c0b3d863365109ea078b4673b235
SHA25630c3c87d9cb0036831066aecc342209298879959442bf619214def82c4e20d63
SHA512cabab8f5abf96f03f5bb3626711858992b005e2e975d47f2a66828917c7f4800bc68f750099774e021248ca539dacd7b9f861b4aae75ab91b88bf812e9c4c62a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4Filesize
5KB
MD519cf839a4ef8609399cb7d91e3256d28
SHA1ce9734fce80b375e0cfd17663887c17b6d1a9b04
SHA2569dd5d403261990c921189edecc1bb25ce440c4599b126416e3dfc51e9a48e5dd
SHA512c68cb4687898062ea0e5292b673216d2e5b761f4c8cc96acda3785d5f1ae73b70d514cd57dfa7633e85eecb5d0f520b4e4a9f3087c2a38f2babdde77f5273fa0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4Filesize
9KB
MD58ddc8960d8c9a3de0d16dec2a821f20c
SHA1639645a85377a6ba4cebec182062706e4ed10fde
SHA25641313de2aca4b389d16ca720807443413fb663a2d11a723b1d6402e4f119bb6f
SHA5127e058481f52edc91b0bfc81c7aa52e9824cd974b9dfabdbfcba849cb2cd3dae6faecad76950cd977c1e7167457a7e6a4caf41540a909efc37449da01428eb3c6
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD5ff53edee9d6395415a1bce0d415f5fd1
SHA1ea84b7d2285b2b5cf25a40c1c6dc08448adba4e4
SHA2566cf63dbbc530c21af60e4c6ca9fe90a09580d639a8651ffaed86dc18a05738b0
SHA512847675de72c699f6cce46483d45db4ab9c78655251ba727be40b190488fb95bd881e6030ca1455c7f7c20c3e60eeb84e1689132b1709ff4d960c5c761aa3de40
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4Filesize
7KB
MD53d5d551e8673f017110f5a9f2c896df3
SHA134b2a015874a90609b84318f199f274a608e7e0b
SHA256176cb1235a488bcec65de2cdcfda6400bb07d7cdfaa15efbef1b1cfc88871d4b
SHA5120202305ad6968d2e3487f2998203acadef2cea88bf381fbd6099241c1256bceaf487e090c31ba95c6155c445731ba3e71dc309f582ec38cfd58d60abdc2d1916
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4Filesize
9KB
MD57e51e1d437c28f37e858734bf440687d
SHA15ed89089f210af67d0318886f25515dcab51e48b
SHA2564d266a2c9c134ea415ca4e2a7520788d6ba221e96cd793cfe8d8f77cb8dba866
SHA51248378ff6341c2e0b2c9bc31a7dac47e0f9177597c02b6b5c37aee74d6d4addb135714a7c2f6fd9628d011a0f409d34d9dd7fc6bed068700a13f12a88f87490e2
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4Filesize
7KB
MD571547035d39c7454552fc0c9772fb614
SHA16d37160bd55e592487a5ce638f566154f2c84db3
SHA256a50d02f3f37e193c35482d886fe5e828968dacee329b8d8278e82f447ce6ed60
SHA51239b2a2da96ffc19463efd8ffd16b37fa5db5c9a2a71ec8aa77518e0dfbcc93238e3eda1cb2a1dca42363556fc65be6d9f45dd2a9b8ad436bd8cc35c2ee151141
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xde90bbv.default-release\sessionstore-backups\recovery.jsonlz4Filesize
9KB
MD50dfc54421daf1a5e558cd59be7f9019c
SHA1d1aacd2e4335c24d18d935e3d52403785e4e2f6c
SHA256d2faf7b756928042425f028922a8fb34df391853264659f7e0546b43f842360c
SHA512071766d12f26fa9a1fef11a83402b425c67d1b09d941023e53156439efd75abaf94779c3e3222213bde3db1dc4ecb388a345d64026d50d00eca5c5f08f0a3994
-
C:\Users\Admin\Documents\OneNote Notebooks\New shortcut.lnkFilesize
174B
MD51bdd72ec0b43b65bccd5f83544b18da3
SHA1b7b2cc10c343ed6aed494a390d86a44cad02f71d
SHA2566b4041c41866d7fee369a17f877ab6378c9eebf7ffd87b883a0129170c0fa2ff
SHA512911d51a060adc6c9422fcd5fb869f3eb22a2bb58e64e848f27b5b79d6d2316f9ed2221584e06eb43d05b49d1864166edb1f1d1d6091dddb0e19402e7e6a00ea3
-
C:\Users\Admin\Documents\OneNote Notebooks\cmd.exe.lnkFilesize
1KB
MD581f1d7a1aa02d667ea147d5fd158fea4
SHA1f4c45735bae977222ea34d0136a23df4deef0c54
SHA2563bc3fee025e2daa95e5beb50103b37bf763a2911c415887e61deefcafdf036e1
SHA5121e21a3f813d89feddf2de6a0b8d6c653bb3c265df0f31a781411a30334c66597e21d0f45fc0a96a3f138132e0ceab65e04d70e381cdcc4a41a9a6f5d2a3d120e
-
C:\Users\Admin\Downloads\BabylonClient12.M7-TZ5vn.msi.partFilesize
63KB
MD562f980610bb01233ae84715d765c9d06
SHA1b26141d0b503810d92bcc5c2cf548c4d70cc689a
SHA2563c874181841fa632cd2719d3e6958ace3b7a3882d34ef28cc971dedd79e36581
SHA51291b7e865f591f99734610aceede0e7e0979e5d53cc50ea9ecda42faf810f3c3c858c198e70b2a0b59bf902e4242f397df6e0df9c6e5718b568142b8335d8a930
-
C:\Users\Admin\Downloads\BabylonClient12.msi:Zone.IdentifierFilesize
171B
MD5a5cf33c029cda72d5ea85cdbd0437827
SHA1aac5786849a2227b44c143905ecd2eaf0f9f2271
SHA256457de0237689d6719e480ad9e790c710f20d2d46c0366d5af4aee720fbf676c6
SHA512f8d19777e801db1b03ad661757b439230a0f66ad2e94872b97645a2007f9376f10aaede78506626f3dae8240ca3556e4cd992d34ec17f56fdc117ec4a4dbc96d
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Emotet.zip:Zone.IdentifierFilesize
92B
MD5c6c7806bab4e3c932bb5acb3280b793e
SHA1a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
SHA2565ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
SHA512c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exeFilesize
414KB
MD5c850f942ccf6e45230169cc4bd9eb5c8
SHA151c647e2b150e781bd1910cac4061a2cee1daf89
SHA25686e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
SHA5122b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exeFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\DeriaLock.exeFilesize
484KB
MD50a7b70efba0aa93d4bc0857b87ac2fcb
SHA101a6c963b2f5f36ff21a1043587dcf921ae5f5cd
SHA2564f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309
SHA5122033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Floxif\Floxif.exeFilesize
532KB
MD500add4a97311b2b8b6264674335caab6
SHA13688de985909cc9f9fa6e0a4f2e43d986fe6d0ec
SHA256812af0ec9e1dfd8f48b47fd148bafe6eecb42d0a304bc0e4539750dd23820a7f
SHA512aaf5dae929e6b5809b77b6a79ab833e548b66fb628afeb20b554d678947494a6804cb3d59bf6bbcb2b14cede1a0609aa41f8e7fe8a7999d578e8b7af7144cb70
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Gnil\Gnil.exeFilesize
73KB
MD537e887b7a048ddb9013c8d2a26d5b740
SHA1713b4678c05a76dbd22e6f8d738c9ef655e70226
SHA25624c0638ff7571c7f4df5bcddd50bc478195823e934481fa3ee96eb1d1c4b4a1b
SHA51299f74eb00c6f6d1cbecb4d88e1056222e236cb85cf2a421243b63cd481939d3c4693e08edde743722d3320c27573fbcc99bf749ff72b857831e4b6667374b8af
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\Mabezat\Mabezat.exeFilesize
141KB
MD5de8d08a3018dfe8fd04ed525d30bb612
SHA1a65d97c20e777d04fb4f3c465b82e8c456edba24
SHA2562ae0c4a5f1fedf964e2f8a486bf0ee5d1816aac30c889458a9ac113d13b50ceb
SHA512cc4bbf71024732addda3a30a511ce33ce41cbed2d507dfc7391e8367ddf9a5c4906a57bf8310e3f6535646f6d365835c7e49b95584d1114faf2738dcb1eb451a
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Virus\WinNuke.98.exeFilesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
C:\Windows\Logs\DISM\dism.logFilesize
21KB
MD5434d982e31b4df51a6e108b304aff8fa
SHA156f08f89dd4fda82416de1f214863e830ae29110
SHA256098ee3dd50364f94e7831c5c770dccae91f2d1a31d91a19b49931696461c03c1
SHA512a27e4ba9d4e7e0df42475a929233d96003e302e0354cfbc1534c8000f334afebb7fb9e33aa920dd89b3a5d1345d0dc1d1ac7f5102c04214f62373ab7afce0fe4
-
memory/2080-549-0x000000001CCB0000-0x000000001CD4C000-memory.dmpFilesize
624KB
-
memory/2080-546-0x000000001C1C0000-0x000000001C266000-memory.dmpFilesize
664KB
-
memory/2080-548-0x000000001C740000-0x000000001CC0E000-memory.dmpFilesize
4.8MB
-
memory/2080-550-0x00007FFAF5720000-0x00007FFAF60C1000-memory.dmpFilesize
9.6MB
-
memory/2080-547-0x00007FFAF5720000-0x00007FFAF60C1000-memory.dmpFilesize
9.6MB
-
memory/2080-551-0x0000000001AD0000-0x0000000001AD8000-memory.dmpFilesize
32KB
-
memory/2080-552-0x000000001CEF0000-0x000000001CF3C000-memory.dmpFilesize
304KB
-
memory/2080-565-0x00007FFAF59D5000-0x00007FFAF59D6000-memory.dmpFilesize
4KB
-
memory/2080-568-0x00007FFAF5720000-0x00007FFAF60C1000-memory.dmpFilesize
9.6MB
-
memory/2080-545-0x00007FFAF59D5000-0x00007FFAF59D6000-memory.dmpFilesize
4KB
-
memory/2852-1038-0x0000000002B60000-0x0000000002B87000-memory.dmpFilesize
156KB
-
memory/3560-1091-0x0000000000CD0000-0x0000000000D45000-memory.dmpFilesize
468KB
-
memory/3560-1090-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/3560-1093-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/3668-1101-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/3668-1103-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/4200-1102-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/4200-1095-0x0000000000400000-0x0000000000444000-memory.dmpFilesize
272KB
-
memory/4272-1118-0x0000000005830000-0x0000000005DD6000-memory.dmpFilesize
5.6MB
-
memory/4272-1119-0x0000000005320000-0x00000000053B2000-memory.dmpFilesize
584KB
-
memory/4272-1117-0x00000000007C0000-0x000000000082E000-memory.dmpFilesize
440KB
-
memory/4272-1120-0x00000000052F0000-0x00000000052FA000-memory.dmpFilesize
40KB
-
memory/5316-1105-0x0000000001000000-0x0000000001026000-memory.dmpFilesize
152KB
-
memory/5628-1145-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5628-1128-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5628-17693-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5876-1131-0x0000000000AF0000-0x0000000000B72000-memory.dmpFilesize
520KB
-
memory/5876-1132-0x00000000054D0000-0x000000000556C000-memory.dmpFilesize
624KB
-
memory/5876-1133-0x0000000005860000-0x00000000058B6000-memory.dmpFilesize
344KB