# VirusTotal & hash lists

If you run UAC (Unix-like Artifacts Collector) with a suitable profile (such as full or ir\_triage), the collection includes hashes of the executables that were running at the time of acquisition. You'll find them in the process folder under live\_response, as hash\_running\_process.md5 and hash\_running\_process.sha1.

Edit those files and strip the non-hash column so that only the hashes remain. In Notepad++ you can open the file, hold Alt + Shift while selecting the column with the arrow keys (column mode), and delete it. Save the result as a new file called process.md5; keep the original listing, because you need it to identify each process and map it back to pstree/cmd.

1. Download VirusTotal search from Didier Stevens' website (<https://blog.didierstevens.com/programs/virustotal-tools/>)
2. Fetch an API key from VirusTotal (free for small volume queries)
3. Make sure you have Python 2.7 installed
4. Run the following command

```shell
$ python2.7 virustotal-search.py -k APIKEY process.md5
```

This prints the results to the console and also saves them to a CSV file.
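A small helper for the two manual steps above (reducing the listing to unique hashes, then mapping verdicts back to the process path), as an added Python 3 example rather than code from UAC or from Didier Stevens' tools. It assumes the md5sum-style "hash  path" line layout and uses a constructed sample listing.

```python
"""Prepare hash_running_process.md5 for virustotal-search.py and map results back.

Added example, not part of UAC or the virustotal-tools. Assumes md5sum-style
lines: "<hash>  <path>"; check the layout against your own listing first.
"""
import re
import sys
from collections import OrderedDict

# Constructed sample mirroring the md5sum-style layout (not real UAC output).
SAMPLE_LISTING = """\
d41d8cd98f00b204e9800998ecf8427e  /usr/sbin/sshd
9e107d9d372bb6826bd81d3542a419d6  /usr/bin/bash
9e107d9d372bb6826bd81d3542a419d6  /usr/bin/bash
not-a-hash  /tmp/garbage
"""

MD5_RE = re.compile(r"^([0-9a-fA-F]{32})\s+(.+?)\s*$")


def parse_listing(text):
    """Return an ordered {hash: [paths]} map, skipping malformed lines."""
    by_hash = OrderedDict()
    for line in text.splitlines():
        m = MD5_RE.match(line)
        if not m:
            continue  # malformed or header line: keep it out of the query set
        digest, path = m.group(1).lower(), m.group(2)
        by_hash.setdefault(digest, [])
        if path not in by_hash[digest]:
            by_hash[digest].append(path)
    return by_hash


def hash_only_lines(text):
    """Unique hashes, one per line: the content of process.md5."""
    return list(parse_listing(text).keys())


def map_results(text, verdicts):
    """Join a {hash: positives} dict (built from the CSV) back to process paths."""
    return [(digest, paths, verdicts.get(digest))
            for digest, paths in parse_listing(text).items()]


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    with open("process.md5", "w") as out:
        out.write("\n".join(hash_only_lines(src)) + "\n")
    for digest, paths in parse_listing(src).items():
        print(digest, ", ".join(paths))
```

Run it with the path to your hash\_running\_process.md5 to write process.md5; duplicate hashes (several processes sharing one binary) are queried only once, which saves API quota.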

![](https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FHJ5Ym2DeyIQnfcyA8k2M%2Fimage.png?alt=media\&token=e4a58399-acd9-424e-9faf-a391d1ffa822)
