Analysis
-
max time kernel
729s -
max time network
440s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
12-08-2024 20:19
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Wipelock
Wipelock is an Android trojan with multiple capabilities, such as wiping data, reading and sending SMS messages without the victim's knowledge.
-
Wipelock Android payload 2 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs
Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
-
Manipulates Digital Signatures 1 TTPs 12 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Sets service image path in registry 2 TTPs 9 IoCs
-
Suspicious Office macro 1 IoCs
Office document equipped with macros.
-
Executes dropped EXE 4 IoCs
-
Impair Defenses: Safe Mode Boot 1 TTPs 20 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Declares broadcast receivers with permission to handle system events 2 IoCs
-
Declares services with permission to bind to the system 2 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
-
Requests dangerous framework permissions 23 IoCs
-
Drops file in System32 directory 41 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies Internet Explorer start page 1 TTPs 1 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 32 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 13 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeb0d73cb8,0x7ffeb0d73cc8,0x7ffeb0d73cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5876 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1704,18050127252598881616,6292619177406847043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4864 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\JoinDisable.bat1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\DataExchangeHost.exeC:\Windows\System32\DataExchangeHost.exe -Embedding1⤵
-
C:\Users\Admin\Desktop\New folder\Dharma.exe"C:\Users\Admin\Desktop\New folder\Dharma.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\New folder\ac\nc123.exe"C:\Users\Admin\Desktop\New folder\ac\nc123.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls3⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\New folder\ac\mssql.exe"C:\Users\Admin\Desktop\New folder\ac\mssql.exe"2⤵
- Sets service image path in registry
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\New folder\ac\mssql2.exe"C:\Users\Admin\Desktop\New folder\ac\mssql2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New folder\ac\Shadow.bat" "2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\New folder\ac\systembackup.bat" "2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet localgroup Administrators systembackup /add3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators systembackup /add4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" systembackup /add3⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add4⤵
- Remote Service Session Hijacking: RDP Hijacking
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet accounts /forcelogoff:no /maxpwage:unlimited3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f3⤵
- Hide Artifacts: Hidden Users
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\attrib.exeattrib C:\users\systembackup +r +a +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add portopening TCP 3389 "Remote Desktop"3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\sc.exesc config tlntsvr start=auto3⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net.exenet start Telnet3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start Telnet4⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe"C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\New folder\EternalRocks.exe"C:\Users\Admin\Desktop\New folder\EternalRocks.exe"1⤵
-
C:\Users\Admin\Desktop\New folder\Fagot.a.exe"C:\Users\Admin\Desktop\New folder\Fagot.a.exe"1⤵
- Modifies WinLogon for persistence
- Manipulates Digital Signatures
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Desktop\New folder\Fantom.exe"C:\Users\Admin\Desktop\New folder\Fantom.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\New folder\Flasher.exe"C:\Users\Admin\Desktop\New folder\Flasher.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Desktop\New folder\FlashKiller.exe"C:\Users\Admin\Desktop\New folder\FlashKiller.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 2522⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3632 -ip 36321⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa39d2055 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Account Manipulation
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Modify Registry
5Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Impair Defenses
2Disable or Modify System Firewall
1Safe Mode Boot
1Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1Discovery
Query Registry
3Peripheral Device Discovery
1System Information Discovery
4Password Policy Discovery
1Browser Information Discovery
1Permission Groups Discovery
1Local Groups
1System Location Discovery
1System Language Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54c3889d3f0d2246f800c495aec7c3f7c
SHA1dd38e6bf74617bfcf9d6cceff2f746a094114220
SHA2560a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4
SHA5122d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5c4a10f6df4922438ca68ada540730100
SHA14c7bfbe3e2358a28bf5b024c4be485fa6773629e
SHA256f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02
SHA512b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD58107fb347bc11e65085f96739a379577
SHA120beb3369f74b6c953369c0fc647d8af33daa023
SHA256197ece9a50b64500b8581d4b2e541959ca24507c4619990bfc53a3de9fbad392
SHA51274de0dc5f44c3ea55495660e557e350a499d4458a753ca8b5b5981997c7eb13a41913b9cdf07c6aeb15e6950f0eeab429ea4407c6a784d2c82f1c7f8702837b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
573B
MD5f83773a679edc3c4703652b91dd47495
SHA11bc6265839181383818c7e3862fd165fb6d0918a
SHA256dee5ecb4508cda27c1f9cc2a4c4b98b99698c322fbce2d59c7ea758ac90222f4
SHA5124b7318590553c7de646b838216fa68ce8671aa0deb9cf59c9bceed2e4553560b65b8f053e91708e70e7756411cbf7c1a37370a8def4bccdbb9b23427e1b1210e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
573B
MD594716db8a4f3d9b64b6c3234c31ab99e
SHA1212ef4fb095c5d4f3f7cf7ffb3d4bdbd175b270f
SHA25631b69e06e12f39d0cf66a18d7ae456a451f7a085d6adc5891f4268771dc2398e
SHA5121f6cacaa86694623245f1e1b70252b319c7ffac2fb554a038f780242216ff197e0ec38a6f28aad8bf142c25ed9cd05f23516dd9b5b03a811ed6eb40daf4c2d0e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5762ac6cf1c5afa793e5b3795a3023f37
SHA1204314169c9973a5034ab6862baf03664617a698
SHA2565fb74f484b7ac7c0eb558c847c9637abcef2466f8bf886cddc89f96169fd6c42
SHA5121b3e8285ea8dedc918830e70a49b18dcca7c0a50a50ce52ace19c283c07a48970527035569fc5a84f7d2be8f0e4f83adbeb4271090b4fc5668e9463e0bef5a6b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b9dba548b942827cb97560c363d56603
SHA1def78a6c9341a233272e3bedc97ce35966a824c9
SHA25638bace7d1a970b7a52fca220ea8f6c354cb9618e87d657e0f094a6cd6c38b7ee
SHA512088116f7b255ed9031ff233ecf5e877cec9e9a3a1365f559a45d827de0c3edec902ceb117b7c359503f24aaaf9dd570ded9618b8e7193f698467b435696f55aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54014b569442a9344b2f84ffe240de1c0
SHA190704788dfbb2560cf92bff05fb5e2f157b48ffd
SHA256cbf8357f9f1b873ea65c631fab89eada13abe75b77f4fa2af69da93235cb9bc1
SHA5128c1066f56a01918f38d4aaac8aaeb92a3300d1c85918d19c0a351a164b86b709263f68b9be2b364fb97e5717b0409ef1da31ec35eee97445c13bce826085d07d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD584660d1b714c0f2d75a6c7f86c28d018
SHA122831ffddcdf05bdde175b21f42b071502f5e934
SHA256bc5124e822a9ac7ba2fa759cda233b1234000b7d9c1e319a983b018c3ea40b57
SHA512aef2a524257a449569e288388d191741ffeaa4b7ee01ed9753279520ce8ec8e49fae71749909f70386c993bcb54888d03c1d437e082f813f49900d30692d86d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD576460f4e3adb16b3c77c70a49954db7f
SHA10840895feed9103f1401b386f007ca8c188b57be
SHA2565e55b7d6f66a4d12213ca4177a064b90d4a4b11f0d0a44a25fdd656d1d734e27
SHA512849030c7de292f73c78de85680e0e2331421acf19efdfee68e0ed963eb9c1157e56b57bd36cf6dad79e2504b94a76dd87050eb075dee889337314e6f1dd4eb00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD53aab5d80c9a360a0d025c470db1d7493
SHA16606063188672a83bc67398210f2a502ac004ae2
SHA256fe259cd493d90d07d44270c96d4b0e96eef28f6f2eeb24f0da612b24f15930bf
SHA51297e2d22bd80596ff3a43ec7b68b3de6424f316527a4ef1c1e58634c9b871163ad8c564f0ec41bc39abc4338d2f33455575e000361d341a60829369390055e562
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD528495c4da1e6e39db55be4459aacb430
SHA14c211ffbd54d56eda28b41ebdeeb2376aa53cf84
SHA256284a1fa26df45e1ce4299f4a8228891b2af44129515f976723e8147c25ab0f07
SHA512cf28fdd1969d2059b1af83f3f1191649bb4318efd984901c5d78b8267575b2ce1b6b54ba56b7cae23da6870f6a28dacee709486079cec4416a6ef9264145d3da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54efbea40fa27745b18612d929cd6285a
SHA1c69cc6bcbaaa3332f287854a4515d9832807cf10
SHA25647d69bfcbee5326e703f87d641bbdbaefefefea564a477209e40608a3797f0f2
SHA51283719e88edeb3f498b552987e0fb3c51189a7667e47a305e91db91db88e31a82c09556daad9dee7fbecc0b72c094e7bb0675794ee2b1e29d136af94825ee3bda
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD530bdf2444f6bad7769bf52dc94333330
SHA1cfe07b41b28aa8c044cf2a61b21be68fc61548eb
SHA2568abc9818231ea0f72467aaef1f4edade135c2bf672d9b1c28da1a174788ced3d
SHA51279fbf157766759e3c30b82bb49c11509f7efc2f9a80d68d8ec945dcbf5fce1e9836d408d47ef87ccc6d526d693cd1931bedc513cd6afb931ff896854a82a11a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f28e.TMPFilesize
866B
MD56738ca3172ec5eebd3fba0c288537f15
SHA105d10f4574e5e21933ed2f9b4bc73d1cc2306565
SHA2567bf09c5a7cd46bf1638a44ec1c262f6d5d86b6a6a1388c99a807f756b88d82df
SHA5123e569c9b969db10abf100abcc81f0915c6ffc43f03130960c084d71672ecf2175ca5fd75dec9213c98147b6cc932ad440f8c152cd5d1eb563e4b0892b20ac0e7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5aeef071f89b92439598ec6f32a6ab9d2
SHA1e4acfba9b2fb0ff787797de3a5755650c2d54d3b
SHA256e25631cce2bfe93d8da8e75e78d66537e332a2a3f5ebb648f8c51376bd144b1c
SHA5122d1910105f37950ae2df0a6f2395beb01e234e53f6bb17b956d267dee4cb923275894555a5e675dca99bd3b7e559eb3634c4861b813655eae604f2af12e93284
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5658e7eba3db9936d0f753d6c6e7dab7f
SHA117c03fb7a61e85d614e72d856fab6f5147ed8a22
SHA25604128d20dcbc66c653970fc1bc1540675302f1efb167efffd0ef4c38ee431b16
SHA512db36fd9eca7258f482cbc8d497e82500fa2c0ffd5709f9c235ec085c50848ed4763fb070c013f7bb4eeb1d9d5993cb92fbc0f3f4e7eddcd76a4503a01f1c81b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5bcc50938802d59cddba84b0da32c9cc9
SHA1c2aee7cbf2a5ffdbd0890a41eaee9904d28000e3
SHA2565c0238f4b5acdc134b2eb22dab53d19f22534da260757edbf2ce6bc206344e78
SHA5122d4a23422b23c6976af40057f8051faa1119f02edfdb4f85bf123e2cff18bc8c97c97d30f2b3eaf4c25d5deea2ddcb03f73f535e5c5869723604c641344a6202
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD50098f49eece1f7af3c1011456544514c
SHA1f6b67d135b08c2ac21ce6d14125479eccfab48df
SHA2561d110f40478518518dbfbd76a972dbb8491ee478e17689b371d57c5172e88a9f
SHA512a6dc7ab059537b886c1f1952d69792a19eb9f6094c2fca13bcbe744150df95b283db74fe5a291e778f8b2b515d8c102d06d0eb6ee40c48c569f74af1fe26cd43
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD54da4af6cbe79b68378e805c362c32c32
SHA1c8cd262b703919780caf02f4fe8d11fa6d7c6014
SHA256705a05b846884bca30c6249bc25d7a8b2a6f59759660b0ce44797df5beb2fa73
SHA512606c132e2cc1e789ec591f1913df636ea8c13c2cc2ffc5122eee6835693f9def044631a806fd7b26f101127d4a3ae8dcd0dbd455070d1082b7bdf004263b35a5
-
C:\Users\Admin\Desktop\New folder\BonziKill.txtFilesize
198B
MD5d5d9094b24ee344ca83e342175df4750
SHA1e12568dadb918e941df1a41104e67832f9011c1b
SHA256c207b0a91f8c340ea9b08f334dcfaaeb5307eecb1bfb01d68cc7b9ad994a037c
SHA51256375b35df448874cb2f8622de19d2b30cab63aec90a84a746ff6633ed37c30b9575c159306c60b78c32a0f12a92684b1f2bdba95f75e9bcd109b89c2336135d
-
C:\Users\Admin\Desktop\New folder\CobaltStrike.docFilesize
86KB
MD596ff9d4cac8d3a8e73c33fc6bf72f198
SHA117d7edf6e496dec4695d686e7d0e422081cd5cbe
SHA25696db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d
SHA51223659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46
-
C:\Users\Admin\Desktop\New folder\Grave.apkFilesize
560KB
MD561b29201190909e848107d93063726ca
SHA1f6505a3b56fdbbc54e1624793581afe45010c890
SHA25664c874d0a67387d174fbf18811ef23e9d9b0f532ed7f805e542dacdf3c9d42f9
SHA512a2e8fa752d62e77e20e6fd86b7c6de3e683e41932eef448164944bd5f5dbb91ccf4380b3c13943e5c0264b9127b7f5e471ece68753af541d408caefae1065930
-
C:\Users\Admin\Desktop\New folder\Malum.apkFilesize
2.8MB
MD528ac5460e68eb83737ae2d3cd4f1d49f
SHA197fc58ce2d7d952fe512856a0d3f52fa68329a9b
SHA256b2f3fe699dc862eeb3f471c0ee3075f5edfa7aa9f9eb3815cf34802f24112397
SHA5121ef7ed4de0157378e07380c6b493da7f53b3b7c5d419fb1d1a60d16a5403cdce38645d22bf0c0d9dc2e2ea2ceee5ccf1b9a8e8e34d88a033fa9ad1ec7a8d73b1
-
C:\Users\Admin\Desktop\New folder\Mobile_Legends_Adventure.apkFilesize
4.0MB
MD542585ccd2b7867c12052653e4d54b7cc
SHA1a9348c3aabcc0171d1e35edeb37fd2da0fff0ad4
SHA256b47bcc55ca8dc0625a145d6809cfa3ad78e9e3b4f33bc608b5bcaf7e9e1e5827
SHA512e270bd1fbbaaccf3382048e9ac2489444a735ed32fb83f7681526a1edb0b7847d6adb8d75064b065309293ef75c45e2ea85fb132a1c12afd08b3a1346caad550
-
C:\Users\Admin\Desktop\New folder\ac\EVER\SearchHost.exeFilesize
1.6MB
MD58add121fa398ebf83e8b5db8f17b45e0
SHA1c8107e5c5e20349a39d32f424668139a36e6cfd0
SHA25635c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413
SHA5128f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273
-
C:\Users\Admin\Desktop\New folder\ac\igvfpxuxmkoorey.sysFilesize
674KB
MD5b2233d1efb0b7a897ea477a66cd08227
SHA1835a198a11c9d106fc6aabe26b9b3e59f6ec68fd
SHA2565fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da
SHA5126ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37
-
C:\Users\Admin\Desktop\New folder\ac\mssql.exeFilesize
10.2MB
MD5f6a3d38aa0ae08c3294d6ed26266693f
SHA19ced15d08ffddb01db3912d8af14fb6cc91773f2
SHA256c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad
SHA512814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515
-
C:\Users\Admin\Desktop\New folder\ac\mssql2.exeFilesize
6.7MB
MD5f7d94750703f0c1ddd1edd36f6d0371d
SHA1cc9b95e5952e1c870f7be55d3c77020e56c34b57
SHA256659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d
SHA512af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa
-
C:\Users\Admin\Desktop\New folder\ac\nc123.exeFilesize
125KB
MD5597de376b1f80c06d501415dd973dcec
SHA1629c9649ced38fd815124221b80c9d9c59a85e74
SHA256f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
C:\Users\Admin\Desktop\New folder\elite.apkFilesize
533KB
MD59f01767647e2e72f446d374bbcb20c53
SHA1f6b1adcd7723b525418a05bcede5c671366d7ab3
SHA256fcee982b3d0e1601b40078d98df03503668aec7542721f921ae8248bc3cec3a1
SHA5124b9dc2dc08f015ed96a3ce30978994314d3edca84348eb62e7cb65d4d5477f179c44c80cc0a67863bc119555d0217f57681d047ce98ec405bd5eeaf2da8280ed
-
C:\Users\Admin\Desktop\New folder\mobelejen.apkFilesize
549KB
MD545be5a7857a4fa1c5eadd519e9402e8a
SHA136feb0809c1853f9a1f6d587302691abd7ce90e9
SHA2567d59e24f4bdf28a846d21e2608796f7e91389c4778bec75369d7b05e3f8449a5
SHA51246c869051e0c97b68f4388b87caecd82bf7362110a34ebb28ddc5fcd6c8a0e339eeaafbfce54d22593e245457fae7ec4c36b49a8556d3327ba7f90a40dd96a73
-
C:\Users\Admin\Desktop\New folder\vi4a.apkFilesize
37KB
MD55f616a8fb9ce44ed75834487405be446
SHA18ae9c48e6a8a21b4c8068e0b8855240978637fdf
SHA256b0ff5690c31f160808a869a14fa55f9e38c82de81cf98b895badc88c997ee45c
SHA5120ad658d53c455f7e68c3a4722f475bba65c22f17fd2c330a1ed34bff384462ceae9096c2d2e9cb4ad35168c551d579ca6b7335728432e94661dc8f65cdd14c58
-
C:\Users\Admin\Downloads\AddDeny.rtfFilesize
742KB
MD564300d46de17a787c47ddc1f187117d4
SHA122ee46f6c069bbad90cffc32de3546ef5e9fe1bf
SHA2569e390a38e70228ab26b66de0fe2f96af723d7830feabb4a827fb139aa2e674dc
SHA5120a236698b5771a152d46548b311c7512137211fde19e8d6b87de82fe7ed6d374d693de0f12008fcfcd1cb6cd426316c8c6b23d440171f01b61badb490ffc40dd
-
C:\Users\Admin\Downloads\AddEnable.wmvFilesize
799KB
MD59bd8efde468dcfd829d6cb7c1ae8924f
SHA1ef6abcc8554157653059650eefbc71ecdf38647d
SHA2569d7e3db8512361210b0f73c1e053c652a1d656bf568399ae1b3c424752e1c3f4
SHA512722dafe327068a8d754d272df93725ddca97cc8b5e1c7b3b8a6b6a1b21a28e35ce916ff7c877c1ca6555cb15ae7b0c7f2e08df5ff9ab206418d80b5f32158819
-
C:\Users\Admin\Downloads\AssertRestore.vssmFilesize
535KB
MD52209c620eeff3e0369c7c7fca2d45c29
SHA18fbb4925d263a9f11ea3f8a9d3360f8f9f78965e
SHA256e8cc0620935c89eb7bccdfc7c55048cbd27f3d1881c739bd743e5be918587f0c
SHA51260f627080dda63dcdd9173c8e81ee6a72d4983cc2f6a6bc048eee2327b0a8376fac613abb1e14b1669f84c41e4e357010ba9ae1691ddd22677afe2ceeb179bed
-
C:\Users\Admin\Downloads\BackupComplete.htmlFilesize
611KB
MD5f1568478b8009331f4ec65c25be053ce
SHA11d8e54db33e577e912fd787db1a4ed3efde64882
SHA2560ac6896fce40785116171c5944a7cf72fd3b85f3e64bbcb9c8832d797dc0fb8a
SHA51207ead582aa0131e623f2f65cda23e54d09d4f47bcd5607a04d9a86aff9bf05bffca991d122c263cde88d1c41d645d77e2dc61182f91f7526d3d8c0d9f4592335
-
C:\Users\Admin\Downloads\BackupProtect.edrwxFilesize
855KB
MD59970b4e5f589c916aac6be805b8af621
SHA1aae25b0863494678566c0d3537741c566b2a92fb
SHA2569fc0b373055d5ece4f79c934f68cddb8df5b1c7fa6b673215624de0689ac79e3
SHA5123a428787eef3c283aad857dca18a1110b6a8195c5ae1d46cfb3e4f501a1452c1b53f8d74a5d2ce4f29c6d562f9b56a6dedb36cca77949a98446e4a8373ab0df4
-
C:\Users\Admin\Downloads\CopyEnable.tiffFilesize
347KB
MD5d9ece229a42606e686041a0258f59668
SHA127c39776f724aed7ed5e6bea537d71d3dfef6480
SHA256279a4b071e2ae0741b7be51cb751fa95984aba61d14f767177a4813ba08b5735
SHA512c8773af25e6edefbd60564f1b3dfd06807f3064b103d1f01216a0ff56bfc7e76c85d518d49a0a4a6e445f5dfcd13c3874c3cd4b8e8b1c6a2ccf074897b0d380d
-
C:\Users\Admin\Downloads\EnableSearch.zipFilesize
874KB
MD5cbd220e2052c6b9561b1660483011250
SHA1da4180caae45dec6664eefde791d4b0e149636db
SHA2569879f60bc46ab9e1e9ff3431d2251a7f695bceb119d83ec8ac3d14ad08287b3d
SHA51276df74d60dd4707743d3243b32bcd2ce460fe11a9604731a99b76c3476febcc2432c6f9440eb28e0ac30072adcd2fb81dd97db14b0d9623ef6be4a598f15598f
-
C:\Users\Admin\Downloads\EnableUpdate.m1vFilesize
460KB
MD510618610024b07664b3bdc337bde4864
SHA1308faf6c10dfddc2afe4852c3cf8e59e5faa970e
SHA256c9ae85b855290eae77c00cc5e48725108e2f104304b1901c5789ce4079612226
SHA512e10b2650239737b145b3b8a2478a2572c4906deb8e905b7635f3dfa4a5c4088f11acfff9d560020b0c3843518e67f3ab53ecf2adf80a3cc2a2bbfc1a3bb6f31e
-
C:\Users\Admin\Downloads\EnterCompress.mhtFilesize
310KB
MD51806f5d375c401256b1256f9556fed2a
SHA10e67044ff4cf18afbcecdcf58a6627e693021f4d
SHA256e005459b637e2adbfcad3256f17c79231625f3b2300a80b8e4a540ecc9adc8f9
SHA51281a072557b2032708d50d8f6f7609ae6d082dc59c7c897f91fb291d50a03487964e14e636ed25e6df9b446f3584be6fc0fb8db1df31c9fdddcc6e4577a272cd3
-
C:\Users\Admin\Downloads\ExitLock.pcxFilesize
705KB
MD54d12854ab8440439930f202b7526b1c5
SHA19bcdc87f9b14170c946a3a45e47b82d4b1863657
SHA256ec6a59eab50853fece701fece9dac8709821f9c3aca4efca9cf470b7cd084b2c
SHA512fdb6169e6277a670f007c4309bed2cd1e520b7584c49765a1ce25c1e0fd2700b952e24c49b162de6ba8523c714d4754ca27597a1123c16b1411da6c124a2ceea
-
C:\Users\Admin\Downloads\ExitSync.potxFilesize
686KB
MD5ebbc5bb705d5878504f217cbf85f803d
SHA13cded51b8d006125142914496eeed16225266d2e
SHA256a8a195c1bffdb3d6d3c6b7a2f754f1f9875b6a7b0ef351903a97578450b8f6c2
SHA5126d086f2542fc027e76bbbb724e25e3271a328ef681217eeb314e82bef30afe118e804021351b57499a1f1bc7b577b054c52d18b55f3945395948c35d546bfca1
-
C:\Users\Admin\Downloads\GetAdd.xpsFilesize
404KB
MD54e081e0e99361179965b40f49a861e86
SHA119357c5335ee2641132d0bc9a2a2a3b896274f36
SHA256720fd7fea8feb02b6877096018421dc79141c46647260e860d083f3ea7bb9f2a
SHA5126ea863d232d73653d77ecb8751be8240a5ea5393e4858f76561e1766022936868966137d52b43892945b437a32e551ab1891e6710c5c148958ab95a609655962
-
C:\Users\Admin\Downloads\GroupUnregister.wdpFilesize
818KB
MD56484f37b255cb70280aaad811e5a7100
SHA16d7aaad63d20b1fcd56297bb2a03cc29c3fa17dd
SHA256affb5a49ea724ee6a32affd933361a481c02e4fa77eae2efbc416fc6dc4d85df
SHA51268e797f0f81c0151411348e4b3d66ca4057b3879d5f01e65d175d1adc0cb5a75d77e245cff255c350ad60bc42add9994256251d8556032113412e7a60cf9ed5c
-
C:\Users\Admin\Downloads\JoinDisable.batFilesize
554KB
MD59f6ce15b306724624088a791aac95c9a
SHA17b620c0fe920960715bb25530f21364e0cecf5f7
SHA256abe3fd7e9cfbb403c75bf3a7d0a8323558d52c1ad0fc3c63fcc30dc352f2fe6c
SHA5128604290725f5b837505b0de2cecc1ab9dd7331399913a0fec8c4529933c5c9b44c81a0a52b96bba41f2baa1a2c9e0d12a3859c01117d5757607a6c9f53c440f7
-
C:\Users\Admin\Downloads\MountClear.7zFilesize
517KB
MD5c0db01bbea2f5ea196a7a2e8bebe7f18
SHA1ec9f705114e5bc4190fb1fec2f5e023ef5eb638e
SHA25624a9a313deab618616a3d872e526bb8f78fb7f18edecaa655065fe69b8d9fad1
SHA512cf09166fb7127abeba519906065ebfe7473343ba0f36e56add9337a1791f70e9387afc21233f42885836ef507dcc3b2ea6a0b3f7877f8ccfef71e970c80c7d21
-
C:\Users\Admin\Downloads\MountRepair.rtfFilesize
329KB
MD535a44dab39c06ac36b1abe4bb982314a
SHA162c2dbad0eb378ef50c88c1e84f3da089ed1a36b
SHA25603422f402390addbecf3da5116faf063ad590a1d105a3d8237833d83ab5f6f53
SHA5121221fcb6fa483546832ea6e62673e227d2c45e37420578b3468c3f0f4da1c67d8ab5577dd90ff53bee463ec3afef48afad0291675151b6feaafc8132082dbcf6
-
C:\Users\Admin\Downloads\MovePop.sysFilesize
630KB
MD5a4f4d0028d575480e2305c083cde584f
SHA1c806f61380a865470e78abb7ef312df403cbc7b6
SHA2560b8bc0d1467d6963bb5696f1b8b9da22ad51d1940cbb7d05f57687259ddd95e0
SHA51239ba2e7af5e95d7cdde5f2193924e66ed7e5e6f995417d779dae0d60e0c4afff4f82a4971f62c7192a2b18faeed9ad1188a6daa198d6e9cc83dd3d65a7c31622
-
C:\Users\Admin\Downloads\PingSkip.mhtmlFilesize
761KB
MD5492f0417b5a08625dd05bcbe66b7e0db
SHA16c4beb385a0b891889de3bc7e0e52b4d63e04deb
SHA25647f7c59905fa37449e2723ab16152ee4228e1560e424aa47a39b2fe33eac5416
SHA512ac3cbf0efcb54b322bf08a89176a77f7921307974ed4c0798288b789e0bbcd7641eab43aacdf88d091aec296a67af75eeca661845d68ab9e19800407295eab65
-
C:\Users\Admin\Downloads\PopRedo.kixFilesize
498KB
MD589e63783be67d5879ee3366ab4407e00
SHA12dae8991faa4c8eb31fd67e941aedcbdd35ea37b
SHA256e7c007d7a7812951df8462a5ef454909a0ededc845fdde9f5bf0390030f118cc
SHA512c9c388af69afc62803a49114215ba4fe3d7a844a1e1a18565babb2e1f274fea47ed2a9e332ac37172915e14d79205455af68eaa0cbcefc4a3820fe4e89ac7a44
-
C:\Users\Admin\Downloads\PublishMove.odsFilesize
573KB
MD5b9ddc3527db393a9255a5e713ae569ca
SHA12416c0aa8fdab4847ed4929d489dde54e1d74735
SHA256c80fbbc731b72d729ec3a5d3ac62333f4381e3c0651d48c38e1f7d7c4e13d9a4
SHA512ea327343ed481341e73f37116ea031cc32cd31215f4a6d6bfd5ef2adbcf76db73862f8509ba035fac0fff0a65583b99ce20c5ebc6ce421d64733a7791f5010f9
-
C:\Users\Admin\Downloads\ReceiveSet.jpeFilesize
385KB
MD5bfb4fbb056c28683f4da70f83b48c996
SHA1368ebeac5d1b145f9f6a08120c11d68945e4bc8c
SHA256b1853e491ec7a58f81166242d1add8e08099d9381642a70894678851c1857983
SHA51226735acb804b83eebd642b84237c936694a63ee6eb873fbce100bb717fc2662cd2a2ce3788ef18f476c33a12269c5dcfa7b4d18b40585c70cfc14b4cbd65a9d0
-
C:\Users\Admin\Downloads\RedoRegister.htmFilesize
366KB
MD582a3f6484cdb7d313c586d487ad40db2
SHA1df87e443b04e1d5a2330abfe40b0f918bfbe06c1
SHA2561a4dc8de1c61b99d3d12a658dddbc06808ba16f2132685ee296895902aa35677
SHA512e631d03b3caea1066b4c0b175abb2e23dbf6ed3bfc1d765a17b3a4e9ec5163c936f6d494450b336726f0686a654092345a0e8a1d1e3a5d51059db3c9b73177b8
-
C:\Users\Admin\Downloads\ResetRemove.dwgFilesize
724KB
MD50d0d3c6d630ca6f1e1e8ecef1bbe63c9
SHA1ef5678555c8516fea9c9f6d1217ae780f4f06d22
SHA256879d4e933379a79dbc1b7213e1cf88e80346878018c67c42dad780c3775c8e4b
SHA512c3da347d2b6e64831123c1a192d548968bbed85fb89eba65d375b9f3f65ea17b2a8d6f70ed14bea4f1d6b5e2e3fb079b4d70e8bd88cb55c5b10b2431553211b5
-
C:\Users\Admin\Downloads\ResetSend.scfFilesize
423KB
MD50efee0e0df223c0801ad7265516a3d13
SHA17ce2f3510017b12552c89e89d4b3e6b84567fd50
SHA256b9dfecb788422103d61294f1f92e6a91a8495a32f59bc3de755ace4673f1d7a9
SHA512da9188e8dcc5e0c3e91ab00c751584f6e1ec2e09e680731564a3f17be26be4f8476b258796a0557761bcd8801cf3b6c5b9fcae4fdd4c522a8f0f7290f6b6cce6
-
C:\Users\Admin\Downloads\ResizeConvert.ppsmFilesize
441KB
MD50b6d81cd0a5fed8543af5edcfdb2a04f
SHA1a507909a619199ca0771cd62fe5fd7473cd90ca6
SHA256dd09f25735e0a9a8040dbd2824c5bbbfe85d784551f3e68fb72d99f44d50c5e2
SHA512477b7fc3efd5439bab993f3d663b8f17ce44e36d9883409151cfcf3d60aa4a6246118f2aae8e7dc077e07cc700e7f5c2f7578098b4de2f8cd8040bec63a6171b
-
C:\Users\Admin\Downloads\RestartResize.jfifFilesize
836KB
MD51fd2ef4d89ac42219915aca364338918
SHA1deb7b4607acd2c1fceb5b912824be023cc558ae7
SHA2568e708f4c9207b84dd67fa030039c2b87abc2dc41836a16db224ef50320b1fb16
SHA512dff2374e10581e8ed03b0f6e04db3e0183e327dea351c7c9d08e26dc77699b2e898fe20cb9711c845699d0ef88551e571581f5052d84ea4ca1d355301e41e7e3
-
C:\Users\Admin\Downloads\RestoreNew.pngFilesize
667KB
MD520ce18592ee42e6a84a3bf5904c624d5
SHA19d00426a19f6cb327f3918e3a8df94077570a912
SHA256672647d7f5a8a687881852da86693acf640bdbeda3ccdfff4d6d9ce90502b495
SHA512f68cdd50ba4512a9b5666838e3fa48fc66b0b46a9e2e319be4a7ab6e3f3d37e4147ff066e7e26a963a39df4ee189a46c0092ec9c5d5bbe4fd08035c5506bce62
-
C:\Users\Admin\Downloads\ResumeWatch.xlaFilesize
1.2MB
MD595a1b15f6324bd539334e34e73f99905
SHA1c1e298476117e7739212b11c7194da5220cee030
SHA256d2d82500fcf05b58a20a7e0396da356788f896689bce1feea34a256ee92c6705
SHA512c55b1bdb231483fb86f7e17422c0d73a2db97acd8fe2e93016bf1736b86ad9238fe94675d11764b1924eba203815978d358a29ab26716d50f17ac6827263fcdc
-
C:\Users\Admin\Downloads\StepMerge.dwfxFilesize
592KB
MD5173a287b856215928c09ea7ea5b05e65
SHA1465f7afe58db371d0b0051237caebd2e1f39c58b
SHA2567944aedbd84fad922184dbd0fa727bb805bab3ca31784c812c72c3dbc2e0327a
SHA512a7307785dea8de0fe1988e62aa91593598b1b6a6c11471f15a9b4c0b944f2648fe09ca430807eaa0eff68fa8bd6f8c39efeaabf7abaf84a4501118ac22059a41
-
C:\Users\Admin\Downloads\StepUnpublish.otfFilesize
893KB
MD5ceb8708e8b5bf7f9ad5d173590f5fcac
SHA16c6e87c5df7df4b78a82c80ca80793b3021592a3
SHA2561b8b65ad583dc5ceb04e0a8d85629e0bd1acecb6f05d6e604bf58739b80cd6f1
SHA51235abd42ac932ced28468f964b2561dd58ac2df2953e3f8ec20c208ca1d3d48e5d2f2c08cc0a5a0968569bc40281dc280b84dfc692a774ef35f7177b17058868b
-
C:\Users\Admin\Downloads\SuspendRegister.sqlFilesize
479KB
MD58a8e39dfb4c5432b91be774a3586edd7
SHA1cae1c6a5afa0fcee31ebb3fcce17eb88f0afcc39
SHA25680d32a2ecf99b3f0d949af2305269a4a959c221d03d62b11aec8f7c20d6f76ce
SHA51249838ef437e1c43b0999f1bbbbecfeca531b2df6cc8c7029ec7aa1c4743ec780993d174008e861a0a221afaf0fb5174c2475c1e2127a74dde1efd7e38bed6c17
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Spyware\Kakwa.docFilesize
72KB
MD59a039302b3f3109607dfa7c12cfbd886
SHA19056556d0d63734e0c851ab549b05ccd28cf4abf
SHA25631ca294ddd253e4258a948cf4d4b7aaaa3e0aa1457556e0e62ee53c22b4eb6f0
SHA5128a174536b266b017962406076fe54ec3f4b625517b522875f233cd0415d5d7642a1f8ff980fb42d14dab1f623e3f91a735adefa2b9276d1622fa48e76952d83c
-
C:\Users\Admin\Downloads\UndoClose.mpaFilesize
780KB
MD5ff4c585bbfc94139d9e69d7aad3d5e9c
SHA1ee2118fcd8d8a6006107cb10b8c29406afd0fcf8
SHA25610a6865388451a4d431ab7acf4733db545f360e4db4356cc66203349898b5fc1
SHA512466d4769d2a75b01ef90b4679a0285c7c0838511ea9c4ed2507d34fbbb86d6524069587e96e15b0234dcd536176068810338162eabbfeefccf1445876b9246a7
-
C:\Users\Admin\Downloads\WaitGroup.ps1Filesize
648KB
MD55499ce469f6908c797da028fc6b12072
SHA11c9ea18d896c01d6a37ae4f664141dfe12856ab7
SHA256fed1c3da02ad0a69e52a59ee0b78e79702b54fca99e3c10d133e4f0833e83e82
SHA51281f758453c69c1fc7eab3662a18f9a9f3403daf185bde8d24d0a781f36fb1b98e256b454312e22f52549cb7a1a426902acde49bfd2a6e4d9a398a694b12d9035
-
C:\Windows\SysWOW64\ntkrnlpa.exeFilesize
373KB
MD530cdab5cf1d607ee7b34f44ab38e9190
SHA1d4823f90d14eba0801653e8c970f47d54f655d36
SHA2561517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
SHA512b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
C:\Windows\SysWOW64\ntkrnlpa.exe:Zone.IdentifierFilesize
92B
MD5c6c7806bab4e3c932bb5acb3280b793e
SHA1a2a90b8008e5b27bdc53a15dc345be1d8bd5386b
SHA2565ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a
SHA512c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93
-
\??\pipe\LOCAL\crashpad_1640_RFFVFYFQOMVLDGMGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2372-713-0x0000000140000000-0x0000000140ACB000-memory.dmpFilesize
10.8MB
-
memory/2484-952-0x000000001D710000-0x000000001DC20000-memory.dmpFilesize
5.1MB
-
memory/2484-715-0x000000001BA10000-0x000000001BE3E000-memory.dmpFilesize
4.2MB
-
memory/2484-720-0x000000001C510000-0x000000001C9DE000-memory.dmpFilesize
4.8MB
-
memory/2484-956-0x00000000013F0000-0x00000000013F8000-memory.dmpFilesize
32KB
-
memory/2484-953-0x000000001DCC0000-0x000000001DD5C000-memory.dmpFilesize
624KB
-
memory/3632-955-0x0000000000400000-0x0000000000404000-memory.dmpFilesize
16KB
-
memory/3852-714-0x0000000000400000-0x0000000000B02000-memory.dmpFilesize
7.0MB
-
memory/3852-957-0x0000000000400000-0x0000000000B02000-memory.dmpFilesize
7.0MB
-
memory/3852-701-0x0000000000400000-0x0000000000B02000-memory.dmpFilesize
7.0MB
-
memory/3908-828-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-796-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-830-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-834-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-826-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-824-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-822-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-820-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-818-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-816-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-814-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-812-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-810-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-808-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-806-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-804-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-802-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-800-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-798-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-832-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-794-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-792-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-790-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-788-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-784-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-782-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-780-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-779-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-836-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-838-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-840-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-787-0x0000000002650000-0x000000000267B000-memory.dmpFilesize
172KB
-
memory/3908-947-0x0000000004D70000-0x0000000004D7A000-memory.dmpFilesize
40KB
-
memory/3908-907-0x0000000004C30000-0x0000000004CC2000-memory.dmpFilesize
584KB
-
memory/3908-905-0x0000000004DA0000-0x0000000005346000-memory.dmpFilesize
5.6MB
-
memory/3908-740-0x0000000002650000-0x0000000002682000-memory.dmpFilesize
200KB
-
memory/3908-731-0x0000000002500000-0x0000000002532000-memory.dmpFilesize
200KB
