Overview

Tasks (sample, platform, score):
- Static: score 10
- eeeeeeeeee...00.exe (windows7-x64): score 3
- eeeeeeeeee...um.exe (windows7-x64)
- eeeeeeeeee...ug.exe (windows7-x64): score 10
- eeeeeeeeee...le.exe (windows7-x64): score 6
- eeeeeeeeee...er.exe (windows7-x64): score 3
- eeeeeeeeee...us.exe (windows7-x64): score 7
- MEMZ 3.0/MEMZ.bat (windows7-x64): score 3
- MEMZ 3.0/MEMZ.exe (windows7-x64): score 7
- eeeeeeeeee...MZ.bat (windows7-x64): score 6
- eeeeeeeeee...MZ.exe (windows7-x64): score 7
- eeeeeeeeee...ld.exe (windows7-x64): score 6
- eeeeeeeeee....A.exe (windows7-x64): score 3
- eeeeeeeeee...al.exe (windows7-x64): score 6
- eeeeeeeeee...15.exe (windows7-x64): score 7
- eeeeeeeeee...al.exe (windows7-x64): score 3
- eeeeeeeeee...0r.exe (windows7-x64): score 7
- eeeeeeeeee...ro.exe (windows7-x64): score 10
- eeeeeeeeee...od.exe (windows7-x64)
- eeeeeeeeee...ts.dll (windows7-x64): score 10
- eeeeeeeeee...ts.dll (windows7-x64): score 1
- eeeeeeeeee...ot.exe (windows7-x64): score 3
Resubmissions (submitted, task id, score):
- 15-09-2024 23:12, 240915-27aqvsxhjq, score 8
- 15-09-2024 23:02, 240915-21efgaxake, score 8
- 15-09-2024 22:58, 240915-2xypyaxdkj, score 3
- 15-09-2024 22:56, 240915-2wn44sxcpk, score 3
- 15-09-2024 22:43, 240915-2np2fawhpr, score 3
- 15-09-2024 22:42, 240915-2m3k5swhmk, score 10
- 15-09-2024 22:33, 240915-2gqdmawbja, score 8
- 15-09-2024 22:27, 240915-2de4gswekk, score 7
- 15-09-2024 22:15, 240915-16esravenh, score 10

Analysis
- max time kernel: 1559s
- max time network: 1561s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 15-09-2024 22:42
Tasks (task, sample, resource):
- static1 (static task)
- behavioral1: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/000/[email protected] (win7-20240708-en)
- behavioral2: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Antivirus Platinum/[email protected] (win7-20240903-en)
- behavioral3: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/ColorBug/[email protected] (win7-20240704-en)
- behavioral4: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/DesktopPuzzle/[email protected] (win7-20240903-en)
- behavioral5: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/FakeActivation/[email protected] (win7-20240729-en)
- behavioral6: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Happy Antivirus/[email protected] (win7-20240903-en)
- behavioral7: MEMZ 3.0/MEMZ.bat (win7-20240903-en)
- behavioral8: MEMZ 3.0/MEMZ.exe (win7-20240903-en)
- behavioral9: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.bat (win7-20240708-en)
- behavioral10: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/MEMZ 3.0 (1)/MEMZ 3.0/MEMZ.exe (win7-20240903-en)
- behavioral11: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/NavaShield/[email protected] (win7-20240903-en)
- behavioral12: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Petya.A/[email protected] (win7-20240708-en)
- behavioral13: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Central/[email protected] (win7-20240903-en)
- behavioral14: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Security Defender 2015/[email protected] (win7-20240903-en)
- behavioral15: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/VineMEMZ-Original.exe (win7-20240704-en)
- behavioral16: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/WannaCrypt0r/[email protected] (win7-20240708-en)
- behavioral17: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Windows Accelerator Pro/[email protected] (win7-20240903-en)
- behavioral18: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected] (win7-20240903-en)
- behavioral19: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/AxInterop.ShockwaveFlashObjects.dll (win7-20240903-en)
- behavioral20: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/Interop.ShockwaveFlashObjects.dll (win7-20240729-en)
- behavioral21: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/YouAreAnIdiot/YouAreAnIdiot.exe (win7-20240903-en)
General
- Target: eeeeeeeeeeeeee/Malware_pack_2/Malware_pack_2/Winlocker.VB6.Blacksod/[email protected]
- Size: 2.4MB
- MD5: dbfbf254cfb84d991ac3860105d66fc6
- SHA1: 893110d8c8451565caa591ddfccf92869f96c242
- SHA256: 68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
- SHA512: 5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
- SSDEEP: 49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe" | msiexec.exe
Executes dropped EXE (1 IoC)
Processes (pid | process):
- 2456 | fatalerror.exe
Loads dropped DLL (15 IoCs)
Processes (pid | process):
- 2644 | [email protected]
- 2644 | [email protected]
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 2768 | MsiExec.exe
- 692 | MsiExec.exe
- 2768 | MsiExec.exe
- 2644 | [email protected]
- 2768 | MsiExec.exe
Blocklisted process makes network request (1 IoC)
Processes (flow | pid | process):
- 4 | 2768 | MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
- File opened (read-only) | \??\P: | [email protected]
- File opened (read-only) | \??\Y: | [email protected]
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\J: | [email protected]
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\S: | [email protected]
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\H: | [email protected]
- File opened (read-only) | \??\V: | [email protected]
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\K: | [email protected]
- File opened (read-only) | \??\R: | [email protected]
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\G: | [email protected]
- File opened (read-only) | \??\L: | [email protected]
- File opened (read-only) | \??\N: | [email protected]
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\B: | [email protected]
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\M: | [email protected]
- File opened (read-only) | \??\T: | [email protected]
- File opened (read-only) | \??\Z: | [email protected]
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\E: | [email protected]
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\I: | [email protected]
- File opened (read-only) | \??\O: | [email protected]
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\Q: | [email protected]
- File opened (read-only) | \??\W: | [email protected]
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\U: | [email protected]
- File opened (read-only) | \??\X: | [email protected]
- File opened (read-only) | \??\J: | msiexec.exe
Drops file in Program Files directory (2 IoCs)
Processes (description | ioc | process):
- File created | C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe | msiexec.exe
- File created | C:\Program Files (x86)\Windows\Error file remover\Windows Logoff Sound.wav | msiexec.exe
Drops file in Windows directory (19 IoCs)
Processes (description | ioc | process):
- File created | C:\Windows\Installer\f76fca7.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIFCE5.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI36.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI57.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSID5.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\f76fca7.msi | msiexec.exe
- File created | C:\Windows\Installer\f76fcaa.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI163.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\f76fcaa.ipi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIFD63.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIFDE2.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI1D1.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIFDC2.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIFE12.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSIFE32.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI37.tmp | msiexec.exe
- File created | C:\Windows\Tasks\sys.job | MsiExec.exe
- File opened for modification | C:\Windows\Installer\MSI221.tmp | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fatalerror.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | [email protected]
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Modifies Internet Explorer settings (3 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | fatalerror.exe
- Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | fatalerror.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | fatalerror.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes (description | ioc | process):
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | msiexec.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
- 2784 | msiexec.exe
- 2784 | msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description | pid | process):
- Token: SeRestorePrivilege | 2784 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 2784 | msiexec.exe
- Token: SeSecurityPrivilege | 2784 | msiexec.exe
- Token: SeCreateTokenPrivilege | 2644 | [email protected]
- Token: SeAssignPrimaryTokenPrivilege | 2644 | [email protected]
- Token: SeLockMemoryPrivilege | 2644 | [email protected]
- Token: SeIncreaseQuotaPrivilege | 2644 | [email protected]
- Token: SeMachineAccountPrivilege | 2644 | [email protected]
- Token: SeTcbPrivilege | 2644 | [email protected]
- Token: SeSecurityPrivilege | 2644 | [email protected]
- Token: SeTakeOwnershipPrivilege | 2644 | [email protected]
- Token: SeLoadDriverPrivilege | 2644 | [email protected]
- Token: SeSystemProfilePrivilege | 2644 | [email protected]
- Token: SeSystemtimePrivilege | 2644 | [email protected]
- Token: SeProfSingleProcessPrivilege | 2644 | [email protected]
- Token: SeIncBasePriorityPrivilege | 2644 | [email protected]
- Token: SeCreatePagefilePrivilege | 2644 | [email protected]
- Token: SeCreatePermanentPrivilege | 2644 | [email protected]
- Token: SeBackupPrivilege | 2644 | [email protected]
- Token: SeRestorePrivilege | 2644 | [email protected]
- Token: SeShutdownPrivilege | 2644 | [email protected]
- Token: SeDebugPrivilege | 2644 | [email protected]
- Token: SeAuditPrivilege | 2644 | [email protected]
- Token: SeSystemEnvironmentPrivilege | 2644 | [email protected]
- Token: SeChangeNotifyPrivilege | 2644 | [email protected]
- Token: SeRemoteShutdownPrivilege | 2644 | [email protected]
- Token: SeUndockPrivilege | 2644 | [email protected]
- Token: SeSyncAgentPrivilege | 2644 | [email protected]
- Token: SeEnableDelegationPrivilege | 2644 | [email protected]
- Token: SeManageVolumePrivilege | 2644 | [email protected]
- Token: SeImpersonatePrivilege | 2644 | [email protected]
- Token: SeCreateGlobalPrivilege | 2644 | [email protected]
- Token: SeShutdownPrivilege | 2804 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 2804 | msiexec.exe
- Token: SeCreateTokenPrivilege | 2804 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 2804 | msiexec.exe
- Token: SeLockMemoryPrivilege | 2804 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 2804 | msiexec.exe
- Token: SeMachineAccountPrivilege | 2804 | msiexec.exe
- Token: SeTcbPrivilege | 2804 | msiexec.exe
- Token: SeSecurityPrivilege | 2804 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 2804 | msiexec.exe
- Token: SeLoadDriverPrivilege | 2804 | msiexec.exe
- Token: SeSystemProfilePrivilege | 2804 | msiexec.exe
- Token: SeSystemtimePrivilege | 2804 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 2804 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 2804 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 2804 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 2804 | msiexec.exe
- Token: SeBackupPrivilege | 2804 | msiexec.exe
- Token: SeRestorePrivilege | 2804 | msiexec.exe
- Token: SeShutdownPrivilege | 2804 | msiexec.exe
- Token: SeDebugPrivilege | 2804 | msiexec.exe
- Token: SeAuditPrivilege | 2804 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 2804 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 2804 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 2804 | msiexec.exe
- Token: SeUndockPrivilege | 2804 | msiexec.exe
- Token: SeSyncAgentPrivilege | 2804 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 2804 | msiexec.exe
- Token: SeManageVolumePrivilege | 2804 | msiexec.exe
- Token: SeImpersonatePrivilege | 2804 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 2804 | msiexec.exe
- Token: SeRestorePrivilege | 2784 | msiexec.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes (pid | process):
- 2804 | msiexec.exe
- 2804 | msiexec.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
Processes (pid | process):
- 2456 | fatalerror.exe
- 2456 | fatalerror.exe
- 2456 | fatalerror.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes (description | pid | process | target process):
- PID 2644 wrote to memory of 2804 | 2644 | [email protected] | msiexec.exe
- PID 2644 wrote to memory of 2804 | 2644 | [email protected] | msiexec.exe
- PID 2644 wrote to memory of 2804 | 2644 | [email protected] | msiexec.exe
- PID 2644 wrote to memory of 2804 | 2644 | [email protected] | msiexec.exe
- PID 2644 wrote to memory of 2804 | 2644 | [email protected] | msiexec.exe
- PID 2644 wrote to memory of 2804 | 2644 | [email protected] | msiexec.exe
- PID 2644 wrote to memory of 2804 | 2644 | [email protected] | msiexec.exe
- PID 2784 wrote to memory of 2768 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 2768 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 2768 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 2768 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 2768 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 2768 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 2768 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 692 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 692 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 692 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 692 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 692 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 692 | 2784 | msiexec.exe | MsiExec.exe
- PID 2784 wrote to memory of 692 | 2784 | msiexec.exe | MsiExec.exe
- PID 2696 wrote to memory of 2456 | 2696 | taskeng.exe | fatalerror.exe
- PID 2696 wrote to memory of 2456 | 2696 | taskeng.exe | fatalerror.exe
- PID 2696 wrote to memory of 2456 | 2696 | taskeng.exe | fatalerror.exe
- PID 2696 wrote to memory of 2456 | 2696 | taskeng.exe | fatalerror.exe
Processes (process tree; children indented under their parent)

- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected] (PID 2644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected]"
  Signatures: Loads dropped DLL; Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 2804)
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\[email protected] SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeee\Malware_pack_2\Malware_pack_2\Winlocker.VB6.Blacksod\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
    Signatures: Enumerates connected drives; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 2784)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Modifies WinLogon for persistence; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 2768)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D0ADDC51D0899FE9996EA8BBB28C32E3
    Signatures: Loads dropped DLL; Blocklisted process makes network request; System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 692)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C4EA71171746CF9FFCC1A7DEC3965FC9 M Global\MSI0000
    Signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery

- C:\Windows\system32\taskeng.exe (PID 2696)
  Command line: taskeng.exe {6E15069F-3F24-4E92-99BC-5BCB75BA2561} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe (PID 2456)
    Command line: "C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx

- C:\Windows\system32\AUDIODG.EXE (PID 2520)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2e8
Network
MITRE ATT&CK Enterprise v15
Downloads