hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n[.]zip

Resubmissions

19/02/2025, 03:42

250219-d9pqsswnbp 8

19/02/2025, 03:32

250219-d3vy8swmbn 10

Analysis

max time kernel
44s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19/02/2025, 03:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip

Score

8^/10

defense_evasion discovery ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
defense_evasion

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\X:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\B:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\A:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\Desktop\Wallpaper	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
704	taskkill.exe
3824	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133844101770962833"	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	[email protected]
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-100612193-3312047696-905266872-1000\{0CDEB99C-756F-4C64-99DF-F394D6169241}	[email protected]

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2504	[email protected]
2504	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1784	1948	chrome.exe	86
PID 1948 wrote to memory of 1784	1948	chrome.exe	86
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 2472	1948	chrome.exe	87
PID 1948 wrote to memory of 4336	1948	chrome.exe	88
PID 1948 wrote to memory of 4336	1948	chrome.exe	88
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89
PID 1948 wrote to memory of 3808	1948	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/7ev3n.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbdb37cc40,0x7ffbdb37cc4c,0x7ffbdb37cc58
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,9828566581433746855,1576419994294939242,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,9828566581433746855,1576419994294939242,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,9828566581433746855,1576419994294939242,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2344 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,9828566581433746855,1576419994294939242,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,9828566581433746855,1576419994294939242,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4348,i,9828566581433746855,1576419994294939242,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,9828566581433746855,1576419994294939242,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3236

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2500

C:\Users\Admin\Downloads\000\[email protected]
"C:\Users\Admin\Downloads\000\[email protected]"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im taskmgr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3824
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' set FullName='UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic useraccount where name='Admin' rename 'UR NEXT'
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /f /r /t 0
    3⤵
    PID:3976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3977055 /state1:0x41c64e6d
1⤵
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
717fde09efe9509602dd14fa38422c70

SHA1
14bed16bd5690fccd5eb30e446cc0af211daff23

SHA256
d581ef26ddcc06222e0f7bb9cdd13225c2128ea78c85ba390f43741c63c4ce59

SHA512
8e19acbd98f89e739e12eac54fac055911e7a71611274fc88ce8cf7632aaad66e03d3cbb15c0827b69dc6487e726cc69e1111277d6a54d59582dd04e2bbd62b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
4e774449e235aa2d4b057fc7f1590f1a

SHA1
c2773a710a11941ac9cd4ef5afcbd95f03a465e5

SHA256
d2214379857b37a93f5e127d3b6fcf94e895a8819dc28eace623e6249144e032

SHA512
c1634697418543fc79c5cf567311476ca7544bc9d2df8a5c8c33c2ae22e67f95cb304c34b2e4a86710b3e11b1edda2dfd53b3d891808786e493e84a70a7ec809

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1c46dea5245b925382aabd36ade91230

SHA1
3be0f11c18ee36d86650ff46b7108effdba8e948

SHA256
eda4230418f7382388ca00bbc1e393c97f30481b9d4d3720967453247c1c67ae

SHA512
aca375cc50df0d1aeec306e7ffca7fdb23b3583ad142bd07f35c20a297c17cbfcbc2fe87cf9ad314c750d686097ec4c4bc86396c9666445d48462e0fa41ca446

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b1547053036f4915c4ea505aeecfccf6

SHA1
1edec537077c5b5a385486fc87fbcbc5ba726afc

SHA256
f598ff5fa6eb4693c4f313ffe959cffac8136299cf46c430c89cd9d8888c09de

SHA512
5e6f59a5d30ca5034807a75d7fe7ff8c05565a8387c7d86aa019f1a887418d44373ec8c300ac83de8bf997584120e2c3c0a8badd022d9ed299b448e1ef1de64f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47b14346568cbd428316c15619bc2cb8

SHA1
f11a813c0d2d2554078ef9a1e767115651e897ac

SHA256
fb02c6b2d3e39f02a174fd1440a69fc8a1b571bcf72c3dd693f54887020ba3b9

SHA512
382af95b3beb81791b4ac011715fe69f6381052b0716daf47aa2ca92b5a185d75a0648c09834a39caad6cc0ab83b728ddcfd3240a9c7fc3bcb438daad6284f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
52bb328dafefbe7da7fa3423a0790077

SHA1
9ef7b3bc975b39ba7635541565f1545d21a6bbae

SHA256
1ac935a75b0095affe5a7612261d02668a69ddeb1a12830a0894df52f390f4d0

SHA512
75a4b473836b62753e282e75ec323cd043542ce300c0b11d83d21e248f7e0cbdf6f47671e898dcfbb65e155f9263dc2d330a31ec434161b153a2d0e11b2cde1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d94a20d9d6b7bb5b20bbc0eb59dc5958

SHA1
facccd043c401c22603c40b1ef03da90186562bd

SHA256
2b16f8e945f1206f7f336caf07fa767ec85f46d12d12ea7344aad75f947322a1

SHA512
3d6a77f5ac02d9c5b077151fee0a6f9a0833a55285ab3fecf9bac706c3bdc364090132a7e535e20955b4794f3d7e6fbca365b1d069019d6b4347e4e92d971e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c3028a8290319f2f820305509148d93

SHA1
0bf2ac3ef83cad41d8e6f935aa5d422fa835b895

SHA256
1e8c7c7837811683844893809ffb109afae8da134830fefdb053903ef64cd5e6

SHA512
ff7334af5381868828d4c5709c988b9c98e200a8988009742e68d0cb1680990d632093c7a8b3c1be6908f6d254cc17f386dd52b80f1c6d27cd27a8c8f99143ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
d34a8d7d0b742a0ee4021fefb1f6d465

SHA1
eaf9a4fcdcf8ba4553aef628a6a82d8b161d5a5a

SHA256
d5d5d522fbd301f0a77e209871521fa91e1b878b8419ef36dd0aa52757e65dfd

SHA512
8c2927d8f201e3fbdb701f6220d462f3ff6e502fc01d86c268143c3569994fa0ce28cd674e388f52ee60a5f3ba339e42f24ca346ff1a73ed58a5bc4d40ec8ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
b7471b802e1b294a968a19d84a17b319

SHA1
b315611ee80703a64a11b8e04980c9d6ca32380f

SHA256
3324db8ffa75fdf08289ba6a9d992f8fd34f50219a8c8a3dfc1e7a81ba6e020b

SHA512
f0bf4bee90894f996e7fb468e2c08d9a9075d2ff9085f3ff28dff806fc509cb5da652419b0e3f286da56bcc1c80591dc72196958f605bf5dda2b43d53e136d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
ebb0bd48308bdd43e1d5e19618b9f5e4

SHA1
5a56b888d51d9bd99efc6099f67efd677b404dbf

SHA256
a9707a4c8ae053bc1a14826ab0fca2fc3bf1a811b2c9e29edc25039cf3f0dda3

SHA512
d79c86f4b7a1e1ca4238adffe5ab23c7ceec963328004180ea103791cb2aa59b7d27a10027222d77e8ddbed596d2db3ac9aad983f6f7f38b56d9912296440800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
b099e505704b4876a949e970020f128f

SHA1
cba06e0a2d0371a9b718eb1cc615d99b1ec7dea8

SHA256
b18aa54ed363d964d43e669f3809c228ec2fe9b74a9c3b10fb2f5bd0fede543e

SHA512
eab046bedb29a6cb3f7a398c1651b924e96c08f6a936a12ce9ffe5ce5c2ace90c8bcca9c359305ff4fc322ea309ab249c718056a0a20916541fe95721b45a261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\text.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Downloads\000.zip.crdownload

Filesize
119KB

MD5
d113bd83e59586dd8f1843bdb9b98ee0

SHA1
6c203d91d5184dade63dbab8aecbdfaa8a5402ab

SHA256
9d3fe04d88c401178165f7fbdf307ac0fb690cc5fef8b70ee7f380307d4748f8

SHA512
0e763ff972068d2d9946a2659968e0f78945e9bf9a73090ec81f2a6f96ac9b43a240544455068d41afa327035b20b0509bb1ad79a28147b6375ed0c0cf3efec5

Download Submit
memory/2504-241-0x000000000B9B0000-0x000000000B9BE000-memory.dmp

Filesize
56KB

Download
memory/2504-247-0x000000000BA50000-0x000000000BA60000-memory.dmp

Filesize
64KB

Download
memory/2504-248-0x000000000BA50000-0x000000000BA60000-memory.dmp

Filesize
64KB

Download
memory/2504-250-0x000000000BA50000-0x000000000BA60000-memory.dmp

Filesize
64KB

Download
memory/2504-249-0x000000000BA50000-0x000000000BA60000-memory.dmp

Filesize
64KB

Download
memory/2504-251-0x000000000BB10000-0x000000000BB20000-memory.dmp

Filesize
64KB

Download
memory/2504-252-0x000000000BB10000-0x000000000BB20000-memory.dmp

Filesize
64KB

Download
memory/2504-254-0x000000000BA50000-0x000000000BA60000-memory.dmp

Filesize
64KB

Download
memory/2504-253-0x000000000BA50000-0x000000000BA60000-memory.dmp

Filesize
64KB

Download
memory/2504-255-0x000000000BB10000-0x000000000BB20000-memory.dmp

Filesize
64KB

Download
memory/2504-240-0x000000000B9E0000-0x000000000BA18000-memory.dmp

Filesize
224KB

Download
memory/2504-222-0x0000000005FE0000-0x0000000006584000-memory.dmp

Filesize
5.6MB

Download
memory/2504-221-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/2504-220-0x00000000008F0000-0x0000000000F9E000-memory.dmp

Filesize
6.7MB

Download
memory/2504-201-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/2504-1097-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads