Source | Rule | Description | Author | Strings
26.2.D86C.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
31.2.rundll32.exe.4d00000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | - 0x53366:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
|
31.2.rundll32.exe.4d00000.0.unpack | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security | |
31.2.rundll32.exe.4d00000.0.unpack | MALWARE_Win_Fabookie | Detects Fabookie / ElysiumStealer | ditekSHen | - 0x4c6e6:$s1: rwinssyslog
- 0x4caec:$s2: _kasssperskdy
- 0x4ca88:$s3: [Title:%s]
- 0x4cbfc:$s4: [Execute]
- 0x4cc10:$s5: [Snapshot]
- 0x4d484:$s6: Mozilla/4.0 (compatible)
- 0x4de3c:$s9: CUdpClient::Start
|
31.2.rundll32.exe.4d00000.0.unpack | MALWARE_Win_Chebka | Detects Chebka | ditekSHen | - 0x4dcf4:$s1: -k netsvcs
- 0x4d484:$s3: Mozilla/4.0 (compatible)
- 0x4caec:$s4: _kasssperskdy
- 0x4c6e8:$s5: winssyslog
- 0x4da4c:$s6: LoaderDll%d
- 0x4c4c8:$s7: cmd.exe /c rundll32.exe shell32.dll,
- 0x4c110:$s8: cmd.exe /c start chrome.exe
- 0x4c270:$s8: cmd.exe /c start msedge.exe
- 0x4c440:$s8: cmd.exe /c start firefox.exe
- 0x54f08:$f1: .?AVCHVncManager@@
- 0x55204:$f2: .?AVCNetstatManager@@
- 0x5525c:$f3: .?AVCTcpAgentListener@@
- 0x54ffc:$f4: .?AVIUdpClientListener@@
- 0x5541c:$f5: .?AVCShellManager@@
- 0x553e0:$f6: .?AVCScreenSpy@@
|
31.2.rundll32.exe.4d00000.0.unpack | Windows_Trojan_Generic_a681f24a | unknown | unknown | - 0x4caec:$a: _kasssperskdy
- 0x4d6ae:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
|
15.0.87B9.exe.400000.3.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.9.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.0.87B9.exe.400000.9.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.9.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.9.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.8.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
15.0.87B9.exe.400000.8.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.8.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.8.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
14.2.87B9.exe.26f15a0.1.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xdf7ea:$s1: http://
- 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xdf7ea:$f1: http://
|
14.2.87B9.exe.26f15a0.1.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
14.2.87B9.exe.26f15a0.1.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfd288:$x1: C:\SystemID\PersonalID.txt
- 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfd6ec:$s1: " --AutoStart
- 0xfd700:$s1: " --AutoStart
- 0x101348:$s2: --ForNetRes
- 0x101310:$s3: --Admin
- 0x101790:$s4: %username%
- 0x1018b4:$s5: ?pid=
- 0x1018c0:$s6: &first=true
- 0x1018d8:$s6: &first=false
- 0xfd7f4:$s7: delself.bat
- 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
14.2.87B9.exe.26f15a0.1.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.6.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.0.87B9.exe.400000.6.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.6.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.6.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.7.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.0.87B9.exe.400000.7.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.7.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.7.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.5.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.0.87B9.exe.400000.5.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.5.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.5.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.9.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
15.0.87B9.exe.400000.9.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.9.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.9.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
26.3.D86C.exe.b10000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
15.0.87B9.exe.400000.8.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.0.87B9.exe.400000.8.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.8.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.8.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.10.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.0.87B9.exe.400000.10.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.10.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.10.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
39.3.C39A.exe.940000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
26.2.D86C.exe.b00e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
15.2.87B9.exe.400000.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
15.2.87B9.exe.400000.0.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.2.87B9.exe.400000.0.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.2.87B9.exe.400000.0.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
14.2.87B9.exe.26f15a0.1.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
14.2.87B9.exe.26f15a0.1.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
14.2.87B9.exe.26f15a0.1.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
14.2.87B9.exe.26f15a0.1.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
39.2.C39A.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
15.0.87B9.exe.400000.2.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
27.2.E9D3.exe.9dab40.2.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth | - 0x31a58:$s2: The Magic Word!
- 0x3db98:$s2: The Magic Word!
- 0x31db8:$s3: Software\Oracle\VirtualBox
- 0x31a47:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
|
27.2.E9D3.exe.9d86a0.3.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth | - 0x33ef8:$s2: The Magic Word!
- 0x40038:$s2: The Magic Word!
- 0x34258:$s3: Software\Oracle\VirtualBox
- 0x33ee7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
|
27.2.E9D3.exe.9d2d00.0.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth | - 0x39898:$s2: The Magic Word!
- 0x459d8:$s2: The Magic Word!
- 0x39bf8:$s3: Software\Oracle\VirtualBox
- 0x39887:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
|
27.3.E9D3.exe.3e36ca0.1.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth | - 0x33ef8:$s2: The Magic Word!
- 0x40038:$s2: The Magic Word!
- 0x34258:$s3: Software\Oracle\VirtualBox
- 0x33ee7:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
|
15.0.87B9.exe.400000.0.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
27.3.E9D3.exe.3e31300.3.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth | - 0x39898:$s2: The Magic Word!
- 0x459d8:$s2: The Magic Word!
- 0x39bf8:$s3: Software\Oracle\VirtualBox
- 0x39887:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
|
15.0.87B9.exe.400000.6.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
15.0.87B9.exe.400000.6.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.6.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.6.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
36.0.svchost.exe.2f31bfb0000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | - 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
|
36.0.svchost.exe.2f31bfb0000.0.unpack | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security | |
36.0.svchost.exe.2f31bfb0000.0.unpack | MALWARE_Win_Chebka | Detects Chebka | ditekSHen | - 0x58c08:$s1: -k netsvcs
- 0x583c8:$s3: Mozilla/4.0 (compatible)
- 0x576f0:$s4: _kasssperskdy
- 0x56d88:$s5: winssyslog
- 0x58950:$s6: LoaderDll%d
- 0x56c60:$s7: cmd.exe /c rundll32.exe shell32.dll,
- 0x56890:$s8: cmd.exe /c start chrome.exe
- 0x569f0:$s8: cmd.exe /c start msedge.exe
- 0x56bd0:$s8: cmd.exe /c start firefox.exe
- 0x66ef0:$f1: .?AVCHVncManager@@
- 0x672d8:$f2: .?AVCNetstatManager@@
- 0x67348:$f3: .?AVCTcpAgentListener@@
- 0x671c8:$f4: .?AVIUdpClientListener@@
- 0x67578:$f5: .?AVCShellManager@@
- 0x67528:$f6: .?AVCScreenSpy@@
|
36.0.svchost.exe.2f31bfb0000.0.unpack | Windows_Trojan_Generic_a681f24a | unknown | unknown | - 0x576f0:$a: _kasssperskdy
- 0x5861e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
|
15.0.87B9.exe.400000.1.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
39.2.C39A.exe.930e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
15.0.87B9.exe.400000.7.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
15.0.87B9.exe.400000.7.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.7.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.7.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.4.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.0.87B9.exe.400000.4.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.4.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.4.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.2.87B9.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
15.2.87B9.exe.400000.0.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.2.87B9.exe.400000.0.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.2.87B9.exe.400000.0.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
27.3.E9D3.exe.3e39140.2.raw.unpack | MAL_ME_RawDisk_Agent_Jan20_2 | Detects suspicious malware using ElRawDisk | Florian Roth | - 0x31a58:$s2: The Magic Word!
- 0x3db98:$s2: The Magic Word!
- 0x31db8:$s3: Software\Oracle\VirtualBox
- 0x31a47:$sc1: 00 5C 00 5C 00 2E 00 5C 00 25 00 73
|
15.0.87B9.exe.400000.10.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
15.0.87B9.exe.400000.10.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
15.0.87B9.exe.400000.10.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
15.0.87B9.exe.400000.10.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
15.0.87B9.exe.400000.5.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
43.0.svchost.exe.156b6b50000.0.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | - 0x6506e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
|
43.0.svchost.exe.156b6b50000.0.unpack | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security | |
43.0.svchost.exe.156b6b50000.0.unpack | MALWARE_Win_Chebka | Detects Chebka | ditekSHen | - 0x58c08:$s1: -k netsvcs
- 0x583c8:$s3: Mozilla/4.0 (compatible)
- 0x576f0:$s4: _kasssperskdy
- 0x56d88:$s5: winssyslog
- 0x58950:$s6: LoaderDll%d
- 0x56c60:$s7: cmd.exe /c rundll32.exe shell32.dll,
- 0x56890:$s8: cmd.exe /c start chrome.exe
- 0x569f0:$s8: cmd.exe /c start msedge.exe
- 0x56bd0:$s8: cmd.exe /c start firefox.exe
- 0x66ef0:$f1: .?AVCHVncManager@@
- 0x672d8:$f2: .?AVCNetstatManager@@
- 0x67348:$f3: .?AVCTcpAgentListener@@
- 0x671c8:$f4: .?AVIUdpClientListener@@
- 0x67578:$f5: .?AVCShellManager@@
- 0x67528:$f6: .?AVCScreenSpy@@
|
43.0.svchost.exe.156b6b50000.0.unpack | Windows_Trojan_Generic_a681f24a | unknown | unknown | - 0x576f0:$a: _kasssperskdy
- 0x5861e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
|
36.0.svchost.exe.2f31bfb0000.0.raw.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | - 0x6646e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
|
36.0.svchost.exe.2f31bfb0000.0.raw.unpack | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security | |
36.0.svchost.exe.2f31bfb0000.0.raw.unpack | MALWARE_Win_Chebka | Detects Chebka | ditekSHen | - 0x59e08:$s1: -k netsvcs
- 0x595c8:$s3: Mozilla/4.0 (compatible)
- 0x588f0:$s4: _kasssperskdy
- 0x57f88:$s5: winssyslog
- 0x59b50:$s6: LoaderDll%d
- 0x57e60:$s7: cmd.exe /c rundll32.exe shell32.dll,
- 0x57a90:$s8: cmd.exe /c start chrome.exe
- 0x57bf0:$s8: cmd.exe /c start msedge.exe
- 0x57dd0:$s8: cmd.exe /c start firefox.exe
- 0x682f0:$f1: .?AVCHVncManager@@
- 0x686d8:$f2: .?AVCNetstatManager@@
- 0x68748:$f3: .?AVCTcpAgentListener@@
- 0x685c8:$f4: .?AVIUdpClientListener@@
- 0x68978:$f5: .?AVCShellManager@@
- 0x68928:$f6: .?AVCScreenSpy@@
|
36.0.svchost.exe.2f31bfb0000.0.raw.unpack | Windows_Trojan_Generic_a681f24a | unknown | unknown | - 0x588f0:$a: _kasssperskdy
- 0x5981e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
|
43.0.svchost.exe.156b6b50000.0.raw.unpack | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | - 0x6646e:$xo1: \x19%$>m=?"*?, m.,##"9m/(m?8#m$#m\x09\x02\x1Em ")(
|
43.0.svchost.exe.156b6b50000.0.raw.unpack | JoeSecurity_ManusCrypt | Yara detected ManusCrypt | Joe Security | |
43.0.svchost.exe.156b6b50000.0.raw.unpack | MALWARE_Win_Chebka | Detects Chebka | ditekSHen | - 0x59e08:$s1: -k netsvcs
- 0x595c8:$s3: Mozilla/4.0 (compatible)
- 0x588f0:$s4: _kasssperskdy
- 0x57f88:$s5: winssyslog
- 0x59b50:$s6: LoaderDll%d
- 0x57e60:$s7: cmd.exe /c rundll32.exe shell32.dll,
- 0x57a90:$s8: cmd.exe /c start chrome.exe
- 0x57bf0:$s8: cmd.exe /c start msedge.exe
- 0x57dd0:$s8: cmd.exe /c start firefox.exe
- 0x682f0:$f1: .?AVCHVncManager@@
- 0x686d8:$f2: .?AVCNetstatManager@@
- 0x68748:$f3: .?AVCTcpAgentListener@@
- 0x685c8:$f4: .?AVIUdpClientListener@@
- 0x68978:$f5: .?AVCShellManager@@
- 0x68928:$f6: .?AVCScreenSpy@@
|
43.0.svchost.exe.156b6b50000.0.raw.unpack | Windows_Trojan_Generic_a681f24a | unknown | unknown | - 0x588f0:$a: _kasssperskdy
- 0x5981e:$c: {SDTB8HQ9-96HV-S78H-Z3GI-J7UCTY784HHC}
|
27.3.E9D3.exe.3860000.0.raw.unpack | SUSP_PE_Discord_Attachment_Oct21_1 | Detects suspicious executable with reference to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth | - 0x36d645:$x1: https://cdn.discordapp.com/attachments/
- 0x36e115:$x1: https://cdn.discordapp.com/attachments/
|