makop | 7405d8aafbe729e470d31e0cbf9badf3a99b65256d4b9aad81c9f197b9ba7886

General

Target

1.bin.exe
Size

26KB
MD5

f74616a400973b5d1a5d8c039817ff03
SHA1

2ddd74b84fa10350f4435967f7b1c7a3c82ac124
SHA256

dc9fed631827723135571dfd135b442f2cad1cfa822bd7d4edfa757e2c3790a8
SHA512

9299a16cc30e342ba1a882fcadeee118425997a808e73a994b08aa7351c38be8bacd7ea97eadbc850694bcb42b49ecfa8ff2648eafde41c565eaade42c95a5cf

Score

10^/10

makop persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "CARLOS" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: carlosrestore2020@aol.com .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

carlosrestore2020@aol.com

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

1.bin.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\TestWrite.tiff 1.bin.exe
Drops startup file 1 IoCs

Processes:

1.bin.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini 1.bin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TestWrite.tiff	1.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1.bin.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1.bin.exe\""	1.bin.exe

Drops desktop.ini file(s) 77 IoCs

Processes:

1.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1AZJ0WQ\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	1.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	1.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AT22T7OH\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1.bin.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8DDKLDOL\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F6QQJELO\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\F6O5NPVK\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	1.bin.exe
File opened for modification	C:\Program Files\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D08RECS3\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	1.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	1.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	1.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	1.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	1.bin.exe

Drops file in Program Files directory 11000 IoCs

Processes:

1.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG	1.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)notConnectedStateIcon.png	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Norfolk	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00018_.WMF	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll	1.bin.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\v8_context_snapshot.bin	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.base.nl_ja_4.4.0.v20140623020002.jar	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIMG.DLL	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml	1.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_concat_plugin.dll	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\profilerinterface.dll	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	1.bin.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	1.bin.exe
File opened for modification	C:\Program Files\PingImport.svgz	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115839.GIF	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Boise	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XPAGE3C.DLL	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft	1.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\CGMIMP32.FLT	1.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\THMBNAIL.PNG	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4F.GIF	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxerror.ico	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Juan	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar	1.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\Microsoft.Ink.dll	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240175.WMF	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO	1.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.dll	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	1.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT	1.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18231_.WMF	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02405_.WMF	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME21.CSS	1.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00132_.WMF	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18210_.WMF	1.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\mpvis.DLL	1.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\settings.js	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215710.WMF	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe	1.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Taipei	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jconsole.jar	1.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)redStateIcon.png	1.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.[4E1245B8].[carlosrestore2020@aol.com].CARLOS	1.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\hxdsui.dll	1.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.htm	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\REFEDIT.DLL	1.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	1.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	1.bin.exe
File opened for modification	C:\Program Files\Java\jre7\bin\awt.dll	1.bin.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237228.WMF	1.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF	1.bin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1.bin.exe

pid process

932 1.bin.exe

pid	process
932	1.bin.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1.bin.exe

description	pid	process	target process
PID 932 wrote to memory of 2012	932	1.bin.exe	cmd.exe
PID 932 wrote to memory of 2012	932	1.bin.exe	cmd.exe
PID 932 wrote to memory of 2012	932	1.bin.exe	cmd.exe
PID 932 wrote to memory of 2012	932	1.bin.exe	cmd.exe
PID 932 wrote to memory of 1476	932	1.bin.exe	NOTEPAD.EXE
PID 932 wrote to memory of 1476	932	1.bin.exe	NOTEPAD.EXE
PID 932 wrote to memory of 1476	932	1.bin.exe	NOTEPAD.EXE
PID 932 wrote to memory of 1476	932	1.bin.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1.bin.exe" n
2⤵
PID:1900

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2012

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
2⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1.bin.exe" n
2⤵
PID:588

C:\Users\Admin\AppData\Local\Temp\1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1.bin.exe" n
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1.bin.exe" n
2⤵
PID:1504

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3825035466-2522850611-591511364-1000\desktop.ini
MD5
f9323e99cbc9d87abbb9df804900ac00

SHA1
110a981ea91b11f686fb5829af79228e2ae5505d

SHA256
87668a04aa6960e67fdb334efa8040d0b9ad6946e72a5dfbb62fa4a9cb31dd57

SHA512
4b862cab85e751f5b3445d132105fafd75dee1dd6c8bc7f6797cddfb0780df993e1ea31f0224768db847a661330f372e0e91a7a7b2891ef1b09ad27d0c8be92e

Download Submit
C:\Users\Admin\Desktop\readme-warning.txt
MD5
a070b8e37f3a29de5c5bf7ac37641991

SHA1
bcc2f5475096250d4de73e8fce8d90bf8d6899ad

SHA256
e1712e942e5f08b5206d610cef1dc3892219fefecac8cba574df177f6972188f

SHA512
96afafa11f5c8eac46b5cbdcf2542847ec4e587defad72b8fefa59a92d991fe21c9527ccdedc96e28946be6ed75f9bac14d25b69ace6fba96ce347a5c9ff50c3

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1476-4-0x0000000000000000-mapping.dmp

Download
memory/2012-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads