Analysis
-
max time kernel
252s -
max time network
311s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
24-03-2024 17:11
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Malware Config
Extracted
F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\IQJYNXQ-MANUAL.txt
gandcrab
http://gandcrabmfe6mnef.onion/edf09d4b6206e09
Extracted
C:\g1rFryAhrVg2xrt\DECRYPT_YOUR_FILES.HTML
fantomd12@yandex.ru
fantom12@techemail.com
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
CryptoLocker
Ransomware family with multiple variants.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
-
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
-
UAC bypass 3 TTPs 2 IoCs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (438) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
-
Contacts a large (1140) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Disables RegEdit via registry modification 4 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 3 IoCs
-
Sets file execution options in registry 2 TTPs 64 IoCs
-
Sets service image path in registry 2 TTPs 12 IoCs
-
Drops startup file 6 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 13 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 47 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 6 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 3 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 32 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 25 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9523b46f8,0x7ff9523b4708,0x7ff9523b47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5596 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5588 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5396 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3020 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3314002778319645969,6737957470650844238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\$uckyLocker.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\$uckyLocker.exe"1⤵
- Sets desktop wallpaper using registry
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\7ev3n.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\7ev3n.exe"1⤵
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Annabelle.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Annabelle.exe"1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f2⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 219676972 && exit"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 219676972 && exit"4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:32:003⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:32:004⤵
- Creates scheduled task(s)
-
C:\Windows\FC0A.tmp"C:\Windows\FC0A.tmp" \\.\pipe\{6555E5E9-89B0-4C1C-9884-7038FE10327A}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Cerber5.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Cerber5.exe"1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall set allprofiles state on2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\system32\netsh.exe advfirewall reset2⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___247AS_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}2⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\CoronaVirus.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\CoronaVirus.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\CryptoLocker.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\CryptoLocker.exe"1⤵
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\CryptoLocker.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002243⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\CryptoWall.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\CryptoWall.exe"1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\syswow64\explorer.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe-k netsvcs3⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\DeriaLock.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\DeriaLock.exe"1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Dharma.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Dharma.exe"1⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\nc123.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\nc123.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql.exe"2⤵
- Sets service image path in registry
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql2.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql2.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\Shadow.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\systembackup.bat" "2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="3⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exeWMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\find.exeFind "="4⤵
-
C:\Windows\SysWOW64\net.exenet user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"4⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\EVER\SearchHost.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\EVER\SearchHost.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Fantom.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Fantom.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"2⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\GandCrab.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\GandCrab.exe"1⤵
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Krotten.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Krotten.exe"1⤵
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\NoMoreRansom.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\NoMoreRansom.exe"1⤵
- Adds Run key to start application
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___247AS_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Annabelle.exe"C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\Annabelle.exe"1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38b6855 /state1:0x41c64e6d1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
4Registry Run Keys / Startup Folder
3Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Defense Evasion
Modify Registry
9Impair Defenses
3Disable or Modify Tools
2Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Indicator Removal
2File Deletion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\IQJYNXQ-MANUAL.txtFilesize
8KB
MD546e06443bf3f5a8b2957ab2dd7fa2faf
SHA1f7ae5225ca7b79d327c33161f837474fdde2081f
SHA256d1ed436bf6a62ab86f4c2d0fed91a2644a2d2bacbb44ee1c151cf0b515fba5f7
SHA512ebadb1e588a7094a354feabe7a3666288f77a02d5ca79bc89ffbbeefe40e2d017a02f8fc7a688f42050e75d075a513713a6640274c03886f657932daedc04158
-
C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini.id-B6206E09.[coronavirus@qq.com].ncovFilesize
918B
MD595357dc79c1a435a6007d2c30060c154
SHA1de15a88392febdccd3cff7953dd5788306641267
SHA256cd92780059138256f698000666523afa2fd3ed5f4d1fdf55b83179e4bb5ac001
SHA512521faf658696382c8c24c9b54b9c59efbd708496a7bcdbada6fc615d7eb6f94d5052a593bba5f07a282836a2e0c1b138064453b38b88d648b879c43475e5f1c1
-
C:\$Recycle.Bin\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini.id-B6206E09.[coronavirus@qq.com].ncovFilesize
378B
MD50622239b1730d778b3e837dd4078e7ee
SHA167ff6889776dd7f00bca2e5b34fbb21113ddb20a
SHA2566c3e81dd9710cad0b1671ce83078ef96433633ea089ab48e4113514666ed8c07
SHA512280d723e2bcfd35a0f92e3be013d959b02dea3a674dec36fcdfe7c798560dd4ded1862ee405d89ef63c6afc37f62bc6a178311ec15f3604d6b938edd394eea09
-
C:\Program Files\7-Zip\7z.dll.id-B6206E09.[coronavirus@qq.com].ncovFilesize
2.5MB
MD55d814f60fd22216d7debd05beaa12dd2
SHA1d6d44fa523612bfabd0a2904efeb7af4d132529a
SHA256cd39b9748a9d2ba78de5c43718b5994b4b07d53247e281115a28a13315991222
SHA512d65dd3e7a59db0d35bd020a347cbffbe11326c36195e5e04f401198b3f796220d772a5daa736403ee5ec8811e7c7057bc68239e1a3154c9a08a2197fa10944e5
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\CoronaVirus.exeFilesize
768KB
MD54182878bc42374642fac7459770ef556
SHA10834be017de17c29df1be10ffd9e6e14857f87de
SHA256d2c0486fcf7fd923f904b1a9e1c51b9c74d62f1af7090799c6f47e106d22bb73
SHA51281a3d5ad4061c8953dfa27296f90ef3886fdf2edb9a66a6cc074b88cb36dd871082ca3c87a673722dc6be6b5300945ba498fdaeccc49361ec2eca3ae226427ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5fd7944a4ff1be37517983ffaf5700b11
SHA1c4287796d78e00969af85b7e16a2d04230961240
SHA256b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
SHA51228c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a774512b00820b61a51258335097b2c9
SHA138c28d1ea3907a1af6c0443255ab610dd9285095
SHA25601946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
SHA512ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000fFilesize
69KB
MD5a127a49f49671771565e01d883a5e4fa
SHA109ec098e238b34c09406628c6bee1b81472fc003
SHA2563f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6
SHA51261b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010Filesize
34KB
MD502214b097305a8302b21e630fa201576
SHA190c2a31521803b73e847f7a3e0cfceec84df9fa5
SHA2561d98076cfae6a0a8f0b0b1c654270b900de83e633cc01d98ef63e6a8e485a3f4
SHA512553c81eb51880f83b9918aef766ff0f41170895b1cda2589f0b69c3d1362de8e8decf14a413f6b5df1fb7ce07fc939211407b29046188b37c290133c9d5e1cd4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015Filesize
1.1MB
MD5fcb3b79b4ee2a97d69020a59b8d5caee
SHA14c8c8dc00b8c71694cdadbfd1fe70358d34a0883
SHA25636b4ec7a0ae8d3b2f907b88735287ffc68c0c35e472b3c8cc30f49f4387c9f8b
SHA5127874b3e78d0c0ef2f1f2e417a989550208c20aab398ef9ec800104dc047ec3866863dbbeab379fdbda7643210b03e20d7305a5fb776df88bef72ad89023cb558
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5c3f7695ca23729d3455e2c466b6106eb
SHA1b2326a8ec4c41cff2939df7a1b39cc6e3235764d
SHA2563351a1a16890df6268341b300655f4e0834a6b80b7ad5603d71d7939954bcc6e
SHA51203eae3a30eb04db4ee6c00d91c1e748393123be018536423a6462f89f99a97ca553a588033d346f8e8fb08e87f131e2d2eae77126e0645033494536000f3e919
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD5c81fc61e1f82fcc0cc9795f58bab61a6
SHA1da62cd221c7b1aeba59c4f7ed8cd34fce21ff966
SHA256c50dc353e57d15c12b61e1583f42918513258c8c14543cb1a5dcd937984dceca
SHA512e6cf8c74f30675cc45803eb5305b04998b1db76878a2264968481384ca9854958e87757f6c8a70f64546174bd5f151c7cdbca96c8002126e9942760f04cae9ec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD5cef9ecbd2023d1725a6eb7fdc899803a
SHA133bd455625478d6e420c71f7d860cef9c352d172
SHA256e8485b5a16c9d0541c40ac3378031df2fbc9a4cc1269282f6bd82e476e07d238
SHA5121499fad65a4f6feebfafed19dc549f55a32a3cf91d79ab60ae3acd6a5615f2e2c9463668e416d9a3f1e2b016eec400db6d19080582ed0bc3a160bf6d2dc9c4ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD593a257b03f5a8a84d3459b77d54b4ad5
SHA16ac239107b619d4c62da698342fdb6c2152897c6
SHA2568620b9334698471ca0e8c0ebf913c39ec184bbe4df50f64848f5f483a1448e78
SHA512bf6f482fe3f23b039f55a01ada9d53985d080f8853b6590c9505a46543a893d21aaec6b0fe28c6a483bfcd905b43081691f442d9f17baf7c83395f3290bfce4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5185265d12bb4adaf0ee2ccd440d79b65
SHA10f5b6142d9cb3259fa30607c153766b3f42b0d97
SHA256f2b549efe4d56813640919208b1ce350917f95fcf426e605afd753d41f04e186
SHA5129d7727b88d44ee6136dad73f5ed05b017e7b48d30f381596caeb8211d6540e28f4f8209517089f1be54d596381c0b060503622a832142be054fcaf14aa2f2051
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD58e95d9297ab01755538e83bafcfb2344
SHA1a0c380ecc1d641230da02bd4aaf3b146f65e47d1
SHA256f49adaa5e0b1db0386eb6280b77f993aab11d3db37d261bc0c42c31866f0a0ab
SHA5126c380289e5a0ab8d8132483c7248dba6ef53ae5612b6102c7ae4e2c2cf0eeebee7f700aa4010ea46f4d0f10ea5db01d37e386fa29af96c40735f0e1bd57038fc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5160afd473bfa0fb56e15f066de57981d
SHA1533f8b5269583083f2e7aa5c4311669be9e90881
SHA256b041bbbbd6d3eb29aae58c7c90f0eb005ed4c4c60af8e4124322b90ac8c22622
SHA512614d362a762bd07caca29401c31bc59c0301fca8d9268ab1b10ea40ef0ecdad1f6ec65366108c4ebddd6f7d49f1bf5cf7d3c2e950db715834945355a136d0506
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58ec0a7f9a9f62819ed082a7607554a9c
SHA1daded61df7a810962f7f0c89376035d8a680f201
SHA256316a09959fe2461cf3d43e233027647121f43a3c89e6217971a117fd10b9f0f1
SHA512a0d4d78cc1dca5b8cfce0e9b9d9cc519631146f5a7e9933ed0a3069a909a1b5b7fa760e385acc2c92bac3fc95c7d35f0f3309f9291c18c77bafd69473b656eba
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD568fccbaa149533dccfd99d32f0cac358
SHA1eb4a566b80389b7b55eac4f7e0c7c56cf146cbe8
SHA2564b19b88a7934d33cf9abf180b1260bd4c4e3eb4be58f181ffca906443e53ae0e
SHA51259be60f52f99e2cb4098e53255cfac82e40e62e2e7b508755cc58fc39af3901541cba9d1dc41a6127c6e402712c8e656323a8bf63560eebc8bc7cc39ff8750c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD55f28d40b68a4e278b06b7508b3dbc6c6
SHA18c431dbd443490c45b808e6d604340e5ffd71069
SHA256274372dbc83a28a95776b59f84e68544d95ad27b560e64beeed9ec31a1eae149
SHA512b053558d04077d5e5a831075bf3e6444a05fad8baf49849c800c5187bdfb571e6a0972f904dff91d77c6b003590660c8eb9356be5ad245f39e802a4fc1105322
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD59d31be68b46732e18ad42359152ad172
SHA1c3d5f5a7cf0dac577e35b3e445e49ca8d3b574cb
SHA2564a88dad99bfe0dd2783010bed9fe5e1076591291d3040ad59bebffdba28bb2c5
SHA512ba8bf055ae816d5d35443ad097cda7425e525145b1de3ad2d476c20abbf5fb76f64a5d02eefe0cc1f3cd78d4945428f4bec3ed5dbebb5367a2a2f76ad218e47f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD549684b5c5beed9f9f04d0dc0b3cac6c5
SHA16b43661d9b276adc777983a6422477b7de431c62
SHA2564e1fbb407d73ff2d4d98984096d700d6ceac58e0d4f12f658c8e2024787afe36
SHA512d7d10e722d7c898b778fa4c5982f2756eeba9ca114e2be9992c410dd3848b655797cd7addf30804bea2e8254c5198f47cd569bf320d79bc877eba561f8dcd143
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5cf4773ad60737be35b03a8ecebcd096b
SHA1736f57dd20e5d70fa40a4023366045a9788c745d
SHA256d97c6a0196b304022ab01a7c4d44f048d17feb96da705fb42a2e66ac78fc341d
SHA512aa42dfda15b8f2bf4e6dc87755d3665f44bc8c85d2cc9a87559092e7b6d311320fb8e3ad9eb4396fcc897314aeb0b90752a907f74fd3f41afa3ea4b360eb399e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c7d4.TMPFilesize
874B
MD53ff1d64f2057d92d043b0fd0c9f22f88
SHA1742bc58c6116adefe9823bd352a1592f8f8023ab
SHA2560b8bb929e2bf8e5bdbe921c20950089dad64685210d826d1eb9fe8a39f2d99c9
SHA512801a14cec6d86e89db163da93bea7eb44c4712c43f8ef64145fc53db7073922712effc5796d421724989336b6f1fbca86dad32eea2becd1eabc253b7dfaac917
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\da8b5aad-0ddc-4ba0-a66f-b284617d7da5.tmpFilesize
6KB
MD537535f735c60190078a6cba1042dcd1a
SHA17d46954120372bd1a455558d0eda342fd744cf1a
SHA2567000c043e38bd1421a3f4c8e70227ac9daa147f59623af3ee4eb55b5b25b116e
SHA5122880996295b1dc4847823fb56b3c6f1f93a1253b84955f3c6670ad6b09b541d61f42459410586edd7e0970974131d5cfd009effa0c1e0f2043a4ef0e2acdcb70
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD543bf60aaf34380b0af24dfa9fae226f1
SHA1dbf11f96d340b4b382328f038974180c4b13ee30
SHA256d50cb0b68b070b2f1829031baccca9c1d6caaca8297872a610a7e5668a1c9e9d
SHA5120642933c600b3632df9daed21a6a964d365a26e47f6999de96799786c4a81b3d300cc8559c314efcf1c3a3f748a3ebc3fbea0123d95886f7a0d35ef0fdf0875c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD59b2dd6f5a1042d8db326a5a8ff897cc8
SHA1b2478a35478eb6ba65df5b7c9de8e9375bc7cc6b
SHA2562ec179d4c1be0741dffef20430fcdb6f93e7df8958c3aa903b31532e1af01f02
SHA51248bb5f381e18752ab60a2e476bee490213740cd0d2d0f2b6531b11e3ac3fcca38a44c41d046de40ba5c93fb346ff0a4b7f6da6ddea9a1b9c9181d37bb982b281
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5963ad36bd8ddd1398585bd56f98fd18c
SHA1a4d0733c9014de1609d277418d2809fb4cfdc8a1
SHA2567281d230bfe54c5e12b651501c69244a5a33fac0b7a38b7ada4e0647a732ee00
SHA512513e89bcb265a78cd07eb2083702a89dec699120e469090b64af7ffb609c77e0c1cc5d41fb4982370c4a5ad42aceb13bdefaf9c342f149cd5d6c60993cbb5142
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5b62032ad9968beed61b6908df4a32214
SHA15dcb1eb1376fe3f3902ffa7093f5630b09fa5cb0
SHA2567e968e2bd47d495a6768f37ffcd71fac1d233a4097fde4d5d3bfe0576cb0f5f9
SHA5127c7d2b113cc8f672f070832a79c22b25cd7376641cb34a685bfd1d0122bd41f3825dee77eb284be21f8a79c43c929d8c2d1f3e9a678942d068d4ac6033f7095b
-
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exeFilesize
21KB
MD5fec89e9d2784b4c015fed6f5ae558e08
SHA1581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2
SHA256489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065
SHA512e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24
-
C:\Users\Admin\AppData\Local\del.batFilesize
100B
MD53f0bf833cda75ba13ee3999eddeff836
SHA17e581b7641c3081fcecf2ea8cb1ba262ec5e68c3
SHA256feaa47953b7def5dc66a3d978745010c980d889aba42b963095ca5ff4e8d45d3
SHA512f390de0cc40cf8e94078c9e50bbfa35463697c33ad5a2af0dd3abb44f5ef8ed16718719aa0cf79092bc634286c0576daf8de287e26296c0fe067126f64409f82
-
C:\Users\Admin\AppData\Local\system.exeFilesize
315KB
MD568c8e18a1887eedc3da23719a34f6329
SHA1682a53bb3b8006219f0cfde25f7866db755c0a19
SHA256b3d38fd9bc60f5610c262392e8dcce0ad05b6a7ebc4e4b7232578ed80ff0270d
SHA5122733065fe4e2ee1749bfb78d5541cdb5204f291ceec4711da856e4e8f2d80eed51169c5434afbcc493434862787267f878de619847f03113c078a24d8f177c07
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dicFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\139b50ea.exeFilesize
132KB
MD5919034c8efb9678f96b47a20fa6199f2
SHA1747070c74d0400cffeb28fbea17b64297f14cfbd
SHA256e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734
SHA512745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exeFilesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
C:\Users\Admin\Desktop\READ_IT.txtFilesize
124B
MD554ba0db9b8701f99a46ae533da6fe630
SHA12bd5aea2aceea62deb7ba06969ff6108f3381929
SHA256bb1455630e747e00b60910f9eadf47641ecc46e917034d08530430569d8eaeac
SHA51227fa4e43cf1a1b79a597cfb28aa29457aa096d8c485f84d7b2754268148bfa7430e53abdee4897f911af51aabbae3942ff57cbae02765bbea27e1c181bfecc1a
-
C:\Users\Admin\Documents\1.R5AFilesize
11KB
MD585906469a37c5e037e574ffc6d2a436e
SHA1c2e970a86d308e8db9ce4d76a0bfd299efd1e910
SHA256ae8df427066b4ce856dea93cdcd08b5948ef1b1c98f3d2f6d3e8db2346dfac45
SHA5128587b53191efb3275b5d67e1a3253f5839f76462697ecaa5c2eb22da5f5cb3bc4540ca9146a3bf3f287075bfc9498a9c7c139668a894907d446a8e9ed01c1582
-
C:\Users\Admin\Documents\2.R5AFilesize
192KB
MD5b2a96a37c649341f5ac543789d9e2670
SHA13c15ba177b819deff50aac4609c4e75872241998
SHA256c735cbabb1db46b060b7b53e61ac724416660838824723d6cb3ae37914d5a9ef
SHA5123598545661c619ca945feb058aea2f8ce2a3b491c50be726719a241b98e5b16bd47524fdca4fa9eed3bbfda032ce0e81085cf56d9c0d08d16f7ad20733afb855
-
C:\Users\Admin\Documents\3.R5AFilesize
11KB
MD5f5c5a2e944d361943376cc7756f16c9e
SHA11d712c715071eec4621686e74d003619ab4d1f03
SHA256388cebed4a66ddf9818a495d9743172084e70df49b10fdf8e5736c24f43dadeb
SHA512436925c4afc31e25bce735a3855817bf328a2ccb03cd09a5661b4f301fc82f95e07ec13ac412df8fdae5c7b0d189c69d60689e90136a6121a97f31a04c821b5e
-
C:\Users\Admin\Documents\4.R5AFilesize
1024KB
MD571e22542560f18f212e591455acf443a
SHA1355a578e357a904423b087c5fd42008d11c3e7e9
SHA2564eea37a8b633b4631d848e509a48d5b16a96bf4c1b00f5d1356043068891f2a3
SHA5128e4590e864c8f57dc1ee296e5daa64c90abf83f0ce3c1234a3d5119d8a41c6eaaaba631254eb73ed08d74e367dbcb1587a6eed48b26ce89dcd7540be89230e0c
-
C:\Users\Admin\Documents\5.R5AFilesize
11KB
MD5839ac0a19fd745643b458e1342782a3a
SHA11a83389328b895b6117b44f9f23872e5266f1e16
SHA2566b36efba19f4d5a07fc3069b78b32d607f07a661b79a3586bd15e501ff1dc2dc
SHA5124b66624ceb656876c7301b93ae0d6f92be5bb3a26f2c311384d33e2335a115605b00b5493c7760822805909f4ac403371ef7e6b699b4e715499c14b65e245471
-
C:\Users\Admin\Documents\6.R5AFilesize
11KB
MD569c03cb2d835b3ec618f6ba833e1f11e
SHA112f2797e4c93e4fd4d4f5aeb2faf1e35e50aedac
SHA2564efdd6865206156a535a7c129346808d4f3424d0e06754e7cbc5417a91498b9f
SHA512ea2e5f847863866b429f017d4364ae283a7b46bdf1c33b382a61a9b1a350a6347408f5505396d728c313b6dc27a794e28111e6bec8a1e568e9c4d2d774d52458
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware.zipFilesize
24.6MB
MD52b9d7761bdf21c76a2a422bfcc4cdf0e
SHA100d312e6a42c4d93a8b18509c6b620c9f8ee8a00
SHA2566dd95bde11d22564b5e4136909698bbc6460d08b8f55362dcefcb3d962976ac8
SHA5124a4d90b7fd5cf2c5d185e0b9f4c5462b2ed3a648ce4b7b52f3bfa28bcbba08239f2ec71ccfd41287acaec3bd3a78af4e1c67dc98716f47a2c8306e7f5fd6143e
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware.zipFilesize
320KB
MD588f24c916520ef85928a387131af660e
SHA16d681acd49bd3ce0624225b6290b8cc8b5d4dc7f
SHA2563e30c98a540c216457b087095590cd960239ad8bdecf1934fe1f1313dceddad6
SHA512b1627a1f42d9be0b42f067d6ae6fd18f3061d801794f9e85136a5b7417a5e043154399ddae2ab270450b96941fed734b7fe54439b71a0453847967f8fdc546e0
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\EVER\Everything.iniFilesize
19KB
MD55531bbb8be242dfc9950f2c2c8aa0058
SHA1b08aadba390b98055c947dce8821e9e00b7d01ee
SHA2564f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7
SHA5123ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\EVER\SearchHost.exeFilesize
128KB
MD50111d35eb62fac0447e6bdfa71f58aa5
SHA14f9573252d1f8974e7106305b13af3565add6558
SHA25644aa0efb7bbd5521aeb0ea8e952ae313153a7d9fc0f9eaf3a8ea6724732f88d4
SHA5122c532b55a4aab1e57a1564267f0770257dcadced4a1c96d60a38386283e39cb0cd47effe7a815807d489ab0298170cd74da14e616cc8c587d5b7f52d54092207
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\EVER\SearchHost.exeFilesize
561KB
MD586ec260012457305e1d88f06f8373b9a
SHA1daa580b28279a95e2589a019b0ce16808154f0d6
SHA25698862f81c502c6114438c7bce5e82fa8661672ad866d9b2ab2deade00e7139b1
SHA51275885241784798c25797ad65c082b76a563c94a2a4b9cd078d40b6cecdbb2abc83faa48fa7d9e5324bab770d2c37087d2536d57a9ce5c9beee77a1ab03371f6b
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\EVER\SearchHost.exeFilesize
192KB
MD531fe79797fa856ce5983c6c399bbe9b7
SHA18647c40987c5f6ceb87632c8dabbc4124118d91c
SHA2560d52b5ccf4e5dd922aa13dbcec284215bb1e5464f377117127e5835507602dc4
SHA5120102e238d21efa240db6028ee64276b5ee9b48a9efcbf297618a04632ed4ca06a2c6800b69fcd95a7296c96c74ae803a175fd231c2a60aacaa6cf4d36a59786b
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\Shadow.batFilesize
28B
MD5df8394082a4e5b362bdcb17390f6676d
SHA15750248ff490ceec03d17ee9811ac70176f46614
SHA256da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878
SHA5128ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql.exeFilesize
64KB
MD515051f741f8ff82f2fbcb0dc07e4ee65
SHA146bb91a94064571eba22456dbdcf45b47c1df05b
SHA2565629a0c1d79354cee94381b3883c8821ba70e21b3544d252ea415f6738ed3138
SHA5123f0358d661acb0284ab54333322c4b8821a7d743796b2bc21d5d8d84a6ce1eb41e98323eca34569a6e859e7e20d551057e441ccad4d5c9bf1dac0bbe2b188827
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql.exeFilesize
448KB
MD52a4221b9647d7ea0e20a2d3cfc0c16ad
SHA1058e5c9aa97cb609563345a949665f4c56668cc9
SHA256a16e1f037ff07be02f9b494ed4b7ccd74992a42f6e3f22fde4e3eb13232362e2
SHA51255fd47e79a77fe976161455f20dd194679474b87bb83b86346af67d8f35aca639e92a3697bf5e282bee59e7f4969c9fcb2f4c7d4ec24a7e98d95542c424f1cb6
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql.exeFilesize
384KB
MD563b78997c235fa734a3a374feb2a59e3
SHA19c93acd13aa9608bc5e3f00e2b893318c290c69e
SHA256a04955be8274c62bab0ce1b6a48e2c7a92d1bbce12bf05e1a9c55465febc044b
SHA5121cd80a500c7d1ce5fb43e5a06ec401e540fd156e7fd6d4aac6b25f38ba48f006b10787e861729cd1bc4cd6644ead9038b807ffda6dc334b00daab0d2a5391687
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql2.exeFilesize
576KB
MD512e48f0aac1698e199c6c7cab02e075b
SHA12be6ab05139137b5bbf44f35f9e325c1fc1a7c90
SHA2564cc4d2cc23f67d38fc437e61f167641741ffa391d07555985608249216ecaacc
SHA512185dbf28e9aa1b568a4b06e78cb20e82643edec39377a72880033a084c29a859055e9637aff38a2ee85a2a9b5417cd873e4e4ad30fddae05ee60246773bdf414
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql2.exeFilesize
128KB
MD56dd11e3db0cbfa9024be702df5396089
SHA18660820f7752526e66efc98013543210ff710409
SHA25625d62f336e7ca7307cebd0b4e9f8b26855c3451b81487b618d8efa438ecf10b3
SHA51240c3b621c68dd7c9c5c301237704b8357b146b0af824a9289b7de0fc6600121e6bb106a9130f5a1487f91f6dffc03a76fb4dff262f7c84305f831dcd45e2889e
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\mssql2.exeFilesize
384KB
MD5cf45f5d2222389a15b189651640397ab
SHA1863b0134848cbaef4ff8c70c9693294b04eb9357
SHA2569079c24e1b428392e89f578945730b3eb79b971a44446b115077a2cfcb597572
SHA5129618519f59f716ebd61b8ce34a70a7291efe5e38001c56e8b84c3252c384bdef24570bd9de2185a0d2a6b04ee62192a2e18ffd247d66d19e1c071cef7d22cfbc
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\nc123.exeFilesize
125KB
MD5597de376b1f80c06d501415dd973dcec
SHA1629c9649ced38fd815124221b80c9d9c59a85e74
SHA256f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
SHA512072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\systembackup.batFilesize
1KB
MD5b4b2f1a6c7a905781be7d877487fc665
SHA17ee27672d89940e96bcb7616560a4bef8d8af76c
SHA2566246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f
SHA512f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6
-
C:\Users\Admin\Downloads\Da2dalus The-MALWARE-Repo master Ransomware\ac\thwskdtkuszmoe.sysFilesize
674KB
MD5b2233d1efb0b7a897ea477a66cd08227
SHA1835a198a11c9d106fc6aabe26b9b3e59f6ec68fd
SHA2565fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da
SHA5126ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37
-
C:\Windows\FC0A.tmpFilesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
C:\Windows\infpub.datFilesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
C:\g1rFryAhrVg2xrt\DECRYPT_YOUR_FILES.HTMLFilesize
1KB
MD5b537e33b09334f4cc80fb3edc2050281
SHA1c0c9836b7024ef3885de9eeb0cbef87b5f4f7f8e
SHA256eb2b99579c6eb3b90a8f72e464fc75f346f2f16488fc2abd75bc72070996dea1
SHA512e75fbc6bddc2ebd01a331212328d1dc2bfe04574b3893bdab208af594a71943b7ab613396f1d664c47f8cf24660e2ad0bc1b14ee8ff79e206bb7ada8dc7f3403
-
F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\IQJYNXQ-MANUAL.txtFilesize
8KB
MD59785f38785585849073f247ba0054eff
SHA1d4b81015f8c934f4b1c18213ed7b7efe3f0fd3a9
SHA25618e26f4b7ab68b42460690ebc9a56dcecac5e5a4a6d24bcb837b464f348bb57d
SHA5127e90a077c6130a189b5deffacf2c45886456b6d382345fe9764a18043ff96424a43b33bc5b6a54f462350e78ef3f5d3c13910137fc93fe77348d6cf96590e358
-
F:\$RECYCLE.BIN\S-1-5-21-557049126-2506969350-2798870634-1000\desktop.ini.id-B6206E09.[coronavirus@qq.com].ncovFilesize
918B
MD59b48db019c33b7761426d588f650ed00
SHA175a5213f23ed270cc88039d9ac96d88d266d498c
SHA2567cf682b77ff37dcfff728f1fea499ecee3b79a0cbaa4fb44cbe88967fa0e54d9
SHA512de0fa4f9bc3fe220f1830efcc241b90d8d38b5572fc95204069afbcc09136f0a24a98ad1942106c62447092f98cfab2d9334575ec84dbb056581e3b0e48b1411
-
\??\pipe\LOCAL\crashpad_504_IIADOWSNIYKBBKRBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1516-856-0x0000000002840000-0x00000000028A8000-memory.dmpFilesize
416KB
-
memory/1516-864-0x0000000002840000-0x00000000028A8000-memory.dmpFilesize
416KB
-
memory/1516-906-0x0000000002840000-0x00000000028A8000-memory.dmpFilesize
416KB
-
memory/2268-26722-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/2268-5576-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1024-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1034-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1036-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1038-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1040-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-27709-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2268-1046-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1059-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-27708-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2268-27746-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/2268-1012-0x0000000002280000-0x00000000022B2000-memory.dmpFilesize
200KB
-
memory/2268-1066-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1015-0x00000000049A0000-0x00000000049D2000-memory.dmpFilesize
200KB
-
memory/2268-1026-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1016-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/2268-1017-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2268-2782-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1021-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2268-2786-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-26701-0x0000000000560000-0x000000000056E000-memory.dmpFilesize
56KB
-
memory/2268-2788-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1032-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-2791-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-1022-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2268-2798-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-2806-0x00000000049A0000-0x00000000049CB000-memory.dmpFilesize
172KB
-
memory/2268-20850-0x0000000002410000-0x0000000002411000-memory.dmpFilesize
4KB
-
memory/2268-20181-0x0000000004990000-0x00000000049A0000-memory.dmpFilesize
64KB
-
memory/2296-874-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2296-2796-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2296-27372-0x0000000000400000-0x0000000000433000-memory.dmpFilesize
204KB
-
memory/2296-873-0x0000000003D70000-0x0000000003DA1000-memory.dmpFilesize
196KB
-
memory/2492-825-0x0000000005C20000-0x0000000005C30000-memory.dmpFilesize
64KB
-
memory/2492-1023-0x0000000005C20000-0x0000000005C30000-memory.dmpFilesize
64KB
-
memory/2492-27747-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/2492-822-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/2492-823-0x0000000005F50000-0x00000000064F4000-memory.dmpFilesize
5.6MB
-
memory/2492-826-0x00000000059D0000-0x00000000059DA000-memory.dmpFilesize
40KB
-
memory/2492-2784-0x0000000005C20000-0x0000000005C30000-memory.dmpFilesize
64KB
-
memory/2492-821-0x0000000000F60000-0x0000000000FCE000-memory.dmpFilesize
440KB
-
memory/2492-831-0x0000000005C20000-0x0000000005C30000-memory.dmpFilesize
64KB
-
memory/2492-1014-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/2492-824-0x0000000005A40000-0x0000000005AD2000-memory.dmpFilesize
584KB
-
memory/3172-1065-0x00000000053F0000-0x00000000054F0000-memory.dmpFilesize
1024KB
-
memory/3744-27634-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/3744-979-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/3744-26715-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/3744-1000-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/3744-968-0x0000000004D20000-0x0000000004DBC000-memory.dmpFilesize
624KB
-
memory/3744-26719-0x0000000004FB0000-0x0000000004FC0000-memory.dmpFilesize
64KB
-
memory/3744-981-0x0000000005110000-0x0000000005166000-memory.dmpFilesize
344KB
-
memory/3744-26706-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/3744-960-0x0000000074500000-0x0000000074CB0000-memory.dmpFilesize
7.7MB
-
memory/3744-961-0x0000000000420000-0x00000000004A2000-memory.dmpFilesize
520KB
-
memory/3884-954-0x0000000001290000-0x00000000012B5000-memory.dmpFilesize
148KB
-
memory/3884-958-0x0000000001290000-0x00000000012B5000-memory.dmpFilesize
148KB
-
memory/4016-1062-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/4016-1061-0x000000000ADC0000-0x000000000ADF4000-memory.dmpFilesize
208KB
-
memory/4016-893-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/4016-2779-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/5104-27754-0x00007FF93D580000-0x00007FF93E041000-memory.dmpFilesize
10.8MB
-
memory/5104-6090-0x000001FC99410000-0x000001FC9A99E000-memory.dmpFilesize
21.6MB
-
memory/5104-830-0x000001FCFD6A0000-0x000001FCFE694000-memory.dmpFilesize
16.0MB
-
memory/5104-829-0x00007FF93D580000-0x00007FF93E041000-memory.dmpFilesize
10.8MB
-
memory/5104-18857-0x000001FCFEFF0000-0x000001FCFF000000-memory.dmpFilesize
64KB
-
memory/5104-1058-0x00007FF93D580000-0x00007FF93E041000-memory.dmpFilesize
10.8MB
-
memory/5944-1013-0x0000000000E10000-0x0000000000E35000-memory.dmpFilesize
148KB
-
memory/5944-1025-0x0000000000E10000-0x0000000000E35000-memory.dmpFilesize
148KB
-
memory/5944-27744-0x0000000000E10000-0x0000000000E35000-memory.dmpFilesize
148KB
-
memory/12400-2807-0x0000000000400000-0x0000000000B02000-memory.dmpFilesize
7.0MB
-
memory/12400-22251-0x0000000000400000-0x0000000000B02000-memory.dmpFilesize
7.0MB
-
memory/12400-22197-0x0000000076040000-0x0000000076130000-memory.dmpFilesize
960KB
-
memory/12484-6197-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/12484-27749-0x0000000000400000-0x00000000005DE000-memory.dmpFilesize
1.9MB
-
memory/12484-26176-0x0000000002230000-0x00000000022FE000-memory.dmpFilesize
824KB
-
memory/21012-26716-0x0000000000B70000-0x0000000000B7C000-memory.dmpFilesize
48KB
-
memory/21012-27748-0x00007FF93D580000-0x00007FF93E041000-memory.dmpFilesize
10.8MB
-
memory/21012-26724-0x000000001B6F0000-0x000000001B700000-memory.dmpFilesize
64KB
-
memory/21012-26717-0x00007FF93D580000-0x00007FF93E041000-memory.dmpFilesize
10.8MB
-
memory/24288-26703-0x00007FF93D580000-0x00007FF93E041000-memory.dmpFilesize
10.8MB
-
memory/24288-27764-0x00007FF93D580000-0x00007FF93E041000-memory.dmpFilesize
10.8MB