Analysis
-
max time kernel
739s -
max time network
762s -
platform
windows10-1703_x64 -
resource
win10-20220901-en -
resource tags
-
submitted
19-02-2023 02:17
General
-
Target
https://github.com/Endermanch/MalwareDatabase/archive/refs/heads/master.zip
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
mimikatz is an open source tool to dump credentials on Windows 2 IoCs
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
-
ASPack v2.12-2.42 2 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Modifies WinLogon 2 TTPs 2 IoCs
-
Drops file in System32 directory 7 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 9 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Control Panel 6 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 53 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 20 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 40 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 37 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Endermanch/MalwareDatabase/archive/refs/heads/master.zip1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_Antivirus.zip\[email protected]"1⤵
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet stop wscsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop wscsvc3⤵
-
C:\Windows\SysWOW64\net.exenet stop winmgmt /y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop winmgmt /y3⤵
-
C:\Windows\SysWOW64\net.exenet start winmgmt2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start winmgmt3⤵
-
C:\Windows\SysWOW64\net.exenet start wscsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start wscsvc3⤵
-
C:\Windows\SysWOW64\Wbem\mofcomp.exemofcomp C:\Users\Admin\AppData\Local\Temp\4otjesjty.mof2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\0ddacc4687794bdfa1a714b56b2ebdbb /t 3872 /p 26521⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\jokes\" -an -ai#7zMap4033:3090:7zEvent25021⤵
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\jokes\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\jokes\[email protected]"1⤵
- Executes dropped EXE
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\" -an -ai#7zMap2592:3116:7zEvent299051⤵
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Modifies extensions of user files
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 30461194 && exit"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 30461194 && exit"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:43:003⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:43:004⤵
- Creates scheduled task(s)
-
C:\Windows\FA12.tmp"C:\Windows\FA12.tmp" \\.\pipe\{D21EBEA9-3191-4A8C-A60A-A91F3CC69147}3⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- System policy modification
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\enderware\ProgramOverflow\" -ad -an -ai#7zMap30658:204:7zEvent141581⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\trojans\MEMZ\" -ad -an -ai#7zMap18095:178:7zEvent15771⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3452.0.69510508\731119022" -parentBuildID 20200403170909 -prefsHandle 1528 -prefMapHandle 1520 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3452 "\\.\pipe\gecko-crash-server-pipe.3452" 1612 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3452.3.206995669\1322219960" -childID 1 -isForBrowser -prefsHandle 1436 -prefMapHandle 2068 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3452 "\\.\pipe\gecko-crash-server-pipe.3452" 2192 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3452.13.842559836\813366702" -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 6938 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3452 "\\.\pipe\gecko-crash-server-pipe.3452" 3448 tab3⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]"C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]" /watchdog2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_MEMZ.zip\[email protected]
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD544473f7895457ecbfa77d0f7777575a4
SHA11898765e10279b7229c23700c249678d29e69c65
SHA25628a71b0ac973f73d9d3dd86470061e41411b4ad7586632d15af318429b34cfb4
SHA512374c14c92ed49f20381067b9e1ec5fb084dc59b272fe2b5d5213e674a1496c1548a934d3f0b0b917b80f6a0edd00c8aa78bb28595ea7970ed0d918f031717099
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
434B
MD56d61c92f4d18906616d101324c69a7a2
SHA17964f73f41f8723b83885571fb40c49c83e45d8f
SHA2568e4f9f1ba18744257880084a61d9a05a61efaaffb399ba14b297ccac16f599e5
SHA5128fa5ec3c006c5d8d89a77e4c374fc8e692c70dc503ea111d18af9490a13b2ab08aec464272a01561efa5fc6d2f83d2191e091c2c09e47c9262268555f4c3a306
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1X3N6AOC.cookieFilesize
614B
MD5f7de0ac97fe09296302292ae10cd2c82
SHA1b2b862b99a68aae33487fe6466d4b26a91a3cbb6
SHA256be2941ec78d77d1436ba384d4f8b0f1b5f4b2a7163fcde3b2a563ef02bf77717
SHA512f90e2ab61d02754a529d1a3d750c7ee4eba6c3340ccb868cc9ac498d033cc1c1ae6fe348dd8433b5b16dc29bc612289db6da6365a3ab46f07f6272351e3a9713
-
C:\Users\Admin\AppData\Local\Temp\4otjesjty.mofFilesize
443B
MD57fad92afda308dca8acfc6ff45c80c24
SHA1a7fa35e7f90f772fc943c2e940737a48b654c295
SHA25676e19416eb826a27bdcf626c3877cf7812bbe9b62cc2ccc5c2f65461d644246f
SHA51249eed1e1197401cb856064bf7fdbd9f3bc57f3c864d47f509346d44eed3b54757d8c6cdb6254990d21291065f0762d2a1588d09e43c5728f77a420f6a8dcd6ea
-
C:\Users\Admin\AppData\Local\del.batFilesize
125B
MD58d42da5a66e7e78ed9b2175a2acce9be
SHA1a23ee736e0455efdca1de4b5fa2aedd4ed9be456
SHA256c3d7cdb2a6ad0648c30f25fe3f1e1b899817712cca7fdcc580a1f5a0a543d2ff
SHA51281a86553c948f0e3b6ba2e9bc74050c4fff7cb9141943deaf922e60f4b35db0c585c6cc3e911c5a583c40bb95343f2bdf5ddd47819ceeeaa0ab448d4f0824ff0
-
C:\Users\Admin\AppData\Local\system.exeFilesize
315KB
MD55426b16d62b6d518ee2531b48de73720
SHA18558e3319aa827ba674d3aafa9e9b90f5babf00c
SHA256b10929e99b33bcbc896d5a159b9f99d945f4d2f09cc9748801eb002d31f7ebea
SHA51205540e01237748500bb4fcf6a3303694d2113092f0da3b3cd90bd7124b5c2b857ecfd6ffa015140d81903881d264f9bbb9cc0d372c7ca262a461f65ec5fc0763
-
C:\Users\Admin\AppData\Local\system.exeFilesize
315KB
MD55426b16d62b6d518ee2531b48de73720
SHA18558e3319aa827ba674d3aafa9e9b90f5babf00c
SHA256b10929e99b33bcbc896d5a159b9f99d945f4d2f09cc9748801eb002d31f7ebea
SHA51205540e01237748500bb4fcf6a3303694d2113092f0da3b3cd90bd7124b5c2b857ecfd6ffa015140d81903881d264f9bbb9cc0d372c7ca262a461f65ec5fc0763
-
C:\Users\Admin\Downloads\MalwareDatabase-master.zip.9jiu1ww.partialFilesize
211.4MB
MD51c09e575bd55fbc5c18969bb20922ae4
SHA109632b90d9551c769572ae7322d7313c33884474
SHA256b3628770aaf2246a1fcedfae7e8b7523e962ca49340f6bb881562c0673a4a446
SHA5128ddcc055357a4695826bf7c4a4f397d6949f74e99ff912fd7697c86826ea9da87383bb76443818e30b1816be64c7e3bc879908dbef3f214fc8b4c42144849d7c
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\jokes\[email protected]Filesize
373KB
MD59c3e9e30d51489a891513e8a14d931e4
SHA14e5a5898389eef8f464dee04a74f3b5c217b7176
SHA256f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8
SHA512bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\jokes\[email protected]Filesize
373KB
MD59c3e9e30d51489a891513e8a14d931e4
SHA14e5a5898389eef8f464dee04a74f3b5c217b7176
SHA256f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8
SHA512bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
315KB
MD59f8bc96c96d43ecb69f883388d228754
SHA161ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA2567d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
315KB
MD59f8bc96c96d43ecb69f883388d228754
SHA161ed25a706afa2f6684bb4d64f69c5fb29d20953
SHA2567d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
SHA512550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
211KB
MD5b805db8f6a84475ef76b795b0d1ed6ae
SHA17711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA51262a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Users\Admin\Downloads\MalwareDatabase-master\MalwareDatabase-master\ransomwares\[email protected]Filesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
C:\Windows\FA12.tmpFilesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
C:\Windows\FA12.tmpFilesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
C:\Windows\infpub.datFilesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
memory/208-1041-0x0000000000000000-mapping.dmp
-
memory/320-611-0x0000000000000000-mapping.dmp
-
memory/696-860-0x0000000000000000-mapping.dmp
-
memory/1056-1097-0x0000000000000000-mapping.dmp
-
memory/1120-1102-0x0000000000000000-mapping.dmp
-
memory/1144-864-0x0000000000000000-mapping.dmp
-
memory/1168-779-0x0000000000000000-mapping.dmp
-
memory/1188-590-0x0000000000000000-mapping.dmp
-
memory/1208-210-0x0000000000000000-mapping.dmp
-
memory/1236-315-0x0000000000000000-mapping.dmp
-
memory/1460-1106-0x0000000000000000-mapping.dmp
-
memory/1624-899-0x0000000000000000-mapping.dmp
-
memory/1796-1098-0x0000000000000000-mapping.dmp
-
memory/1964-309-0x0000000000000000-mapping.dmp
-
memory/1968-214-0x0000000000000000-mapping.dmp
-
memory/2180-207-0x0000000000000000-mapping.dmp
-
memory/2412-584-0x0000000000000000-mapping.dmp
-
memory/2444-911-0x0000000000000000-mapping.dmp
-
memory/2448-816-0x0000000000000000-mapping.dmp
-
memory/2456-608-0x0000000000000000-mapping.dmp
-
memory/2520-203-0x0000000000000000-mapping.dmp
-
memory/2548-629-0x0000000000000000-mapping.dmp
-
memory/2652-155-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-151-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-166-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-167-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-168-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-170-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-171-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-169-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-172-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-173-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-174-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-175-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-176-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-177-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-178-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-179-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-181-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-182-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-183-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-180-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-184-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-185-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-186-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-187-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-188-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-158-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-125-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-159-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-161-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-164-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-163-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-126-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-127-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-162-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-160-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-156-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-157-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-147-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-149-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-128-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-154-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-153-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-152-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-165-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-150-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-129-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-148-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-143-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-130-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-146-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-145-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-144-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-142-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-141-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-140-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-139-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-138-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-131-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-137-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-136-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-132-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-133-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-134-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/2652-135-0x00000000774F0000-0x000000007767E000-memory.dmpFilesize
1.6MB
-
memory/3040-913-0x0000000000000000-mapping.dmp
-
memory/3136-204-0x0000000000000000-mapping.dmp
-
memory/3164-1149-0x0000000000000000-mapping.dmp
-
memory/3528-818-0x0000000000000000-mapping.dmp
-
memory/3552-852-0x0000000000000000-mapping.dmp
-
memory/3600-630-0x0000000000000000-mapping.dmp
-
memory/3604-907-0x0000000000000000-mapping.dmp
-
memory/3700-897-0x0000000000000000-mapping.dmp
-
memory/4004-484-0x0000000000000000-mapping.dmp
-
memory/4008-935-0x0000000000000000-mapping.dmp
-
memory/4032-856-0x0000000000000000-mapping.dmp
-
memory/4384-312-0x0000000000000000-mapping.dmp
-
memory/4436-311-0x0000000000000000-mapping.dmp
-
memory/4636-850-0x0000000000000000-mapping.dmp
-
memory/4728-1014-0x0000000000FB0000-0x0000000000FEC000-memory.dmpFilesize
240KB
-
memory/4728-1036-0x0000000005B10000-0x0000000005B66000-memory.dmpFilesize
344KB
-
memory/4728-1035-0x00000000058B0000-0x00000000058BA000-memory.dmpFilesize
40KB
-
memory/4728-1020-0x0000000005940000-0x00000000059D2000-memory.dmpFilesize
584KB
-
memory/4728-1018-0x0000000005DA0000-0x000000000629E000-memory.dmpFilesize
5.0MB
-
memory/4728-1015-0x0000000005800000-0x000000000589C000-memory.dmpFilesize
624KB
-
memory/4760-1095-0x0000000000000000-mapping.dmp
-
memory/4948-849-0x0000000000000000-mapping.dmp
-
memory/5064-614-0x0000000000000000-mapping.dmp