| 11.3.uucbfdt.720000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 0.2.file.exe.700e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 30.0.gecbfdt.700e67.2.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 11.2.uucbfdt.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 12.2.37F1.exe.4a8b076.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4a8b076.2.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x33122:$pat14: , CommandLine:
- 0x22004:$v2_1: ListOfProcesses
- 0x204ba:$v4_3: base64str
- 0x20479:$v4_4: stringKey
- 0x204c4:$v4_5: BytesToStringConverted
- 0x204af:$v4_6: FromBase64
- 0x21cc1:$v4_8: procName
- 0x1f082:$v5_1: DownloadAndExecuteUpdate
- 0x1f0aa:$v5_2: ITaskProcessor
- 0x1f070:$v5_3: CommandLineUpdate
- 0x1f09b:$v5_4: DownloadUpdate
- 0x1efe4:$v5_5: FileScanning
- 0x1f282:$v5_7: RecordHeaderField
- 0x1f1ac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 30.2.gecbfdt.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 13.2.405E.exe.810e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 12.2.37F1.exe.7290000.9.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.7290000.9.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x34f22:$pat14: , CommandLine:
- 0x23e04:$v2_1: ListOfProcesses
- 0x222ba:$v4_3: base64str
- 0x22279:$v4_4: stringKey
- 0x222c4:$v4_5: BytesToStringConverted
- 0x222af:$v4_6: FromBase64
- 0x23ac1:$v4_8: procName
- 0x20e82:$v5_1: DownloadAndExecuteUpdate
- 0x20eaa:$v5_2: ITaskProcessor
- 0x20e70:$v5_3: CommandLineUpdate
- 0x20e9b:$v5_4: DownloadUpdate
- 0x20de4:$v5_5: FileScanning
- 0x21082:$v5_7: RecordHeaderField
- 0x20fac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 30.2.gecbfdt.700e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 12.2.37F1.exe.7290000.9.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.7290000.9.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x33122:$pat14: , CommandLine:
- 0x22004:$v2_1: ListOfProcesses
- 0x204ba:$v4_3: base64str
- 0x20479:$v4_4: stringKey
- 0x204c4:$v4_5: BytesToStringConverted
- 0x204af:$v4_6: FromBase64
- 0x21cc1:$v4_8: procName
- 0x1f082:$v5_1: DownloadAndExecuteUpdate
- 0x1f0aa:$v5_2: ITaskProcessor
- 0x1f070:$v5_3: CommandLineUpdate
- 0x1f09b:$v5_4: DownloadUpdate
- 0x1efe4:$v5_5: FileScanning
- 0x1f282:$v5_7: RecordHeaderField
- 0x1f1ac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 30.0.gecbfdt.400000.3.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 12.2.37F1.exe.4b70ee8.4.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4b70ee8.4.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x34f22:$pat14: , CommandLine:
- 0x23e04:$v2_1: ListOfProcesses
- 0x222ba:$v4_3: base64str
- 0x22279:$v4_4: stringKey
- 0x222c4:$v4_5: BytesToStringConverted
- 0x222af:$v4_6: FromBase64
- 0x23ac1:$v4_8: procName
- 0x20e82:$v5_1: DownloadAndExecuteUpdate
- 0x20eaa:$v5_2: ITaskProcessor
- 0x20e70:$v5_3: CommandLineUpdate
- 0x20e9b:$v5_4: DownloadUpdate
- 0x20de4:$v5_5: FileScanning
- 0x21082:$v5_7: RecordHeaderField
- 0x20fac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 0.3.file.exe.710000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 25.0.5999.exe.400000.9.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
| 25.0.5999.exe.400000.9.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.9.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.9.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 12.2.37F1.exe.5f55530.7.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.5f55530.7.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x3400a:$pat14: , CommandLine:
- 0x22eec:$v2_1: ListOfProcesses
- 0x213a2:$v4_3: base64str
- 0x21361:$v4_4: stringKey
- 0x213ac:$v4_5: BytesToStringConverted
- 0x21397:$v4_6: FromBase64
- 0x22ba9:$v4_8: procName
- 0x1ff6a:$v5_1: DownloadAndExecuteUpdate
- 0x1ff92:$v5_2: ITaskProcessor
- 0x1ff58:$v5_3: CommandLineUpdate
- 0x1ff83:$v5_4: DownloadUpdate
- 0x1fecc:$v5_5: FileScanning
- 0x2016a:$v5_7: RecordHeaderField
- 0x20094:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 12.2.37F1.exe.5f56418.8.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.5f56418.8.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x34f22:$pat14: , CommandLine:
- 0x6ba5a:$pat14: , CommandLine:
- 0x23e04:$v2_1: ListOfProcesses
- 0x5a93c:$v2_1: ListOfProcesses
- 0x222ba:$v4_3: base64str
- 0x58df2:$v4_3: base64str
- 0x22279:$v4_4: stringKey
- 0x58db1:$v4_4: stringKey
- 0x222c4:$v4_5: BytesToStringConverted
- 0x58dfc:$v4_5: BytesToStringConverted
- 0x222af:$v4_6: FromBase64
- 0x58de7:$v4_6: FromBase64
- 0x23ac1:$v4_8: procName
- 0x5a5f9:$v4_8: procName
- 0x20e82:$v5_1: DownloadAndExecuteUpdate
- 0x579ba:$v5_1: DownloadAndExecuteUpdate
- 0x20eaa:$v5_2: ITaskProcessor
- 0x579e2:$v5_2: ITaskProcessor
- 0x20e70:$v5_3: CommandLineUpdate
- 0x579a8:$v5_3: CommandLineUpdate
- 0x20e9b:$v5_4: DownloadUpdate
|
| 12.2.37F1.exe.4a8a18e.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4a8a18e.3.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x35e0a:$pat14: , CommandLine:
- 0x24cec:$v2_1: ListOfProcesses
- 0x231a2:$v4_3: base64str
- 0x23161:$v4_4: stringKey
- 0x231ac:$v4_5: BytesToStringConverted
- 0x23197:$v4_6: FromBase64
- 0x249a9:$v4_8: procName
- 0x21d6a:$v5_1: DownloadAndExecuteUpdate
- 0x21d92:$v5_2: ITaskProcessor
- 0x21d58:$v5_3: CommandLineUpdate
- 0x21d83:$v5_4: DownloadUpdate
- 0x21ccc:$v5_5: FileScanning
- 0x21f6a:$v5_7: RecordHeaderField
- 0x21e94:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 30.0.gecbfdt.400000.1.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 12.2.37F1.exe.5f56418.8.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.5f56418.8.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x33122:$pat14: , CommandLine:
- 0x22004:$v2_1: ListOfProcesses
- 0x204ba:$v4_3: base64str
- 0x20479:$v4_4: stringKey
- 0x204c4:$v4_5: BytesToStringConverted
- 0x204af:$v4_6: FromBase64
- 0x21cc1:$v4_8: procName
- 0x1f082:$v5_1: DownloadAndExecuteUpdate
- 0x1f0aa:$v5_2: ITaskProcessor
- 0x1f070:$v5_3: CommandLineUpdate
- 0x1f09b:$v5_4: DownloadUpdate
- 0x1efe4:$v5_5: FileScanning
- 0x1f282:$v5_7: RecordHeaderField
- 0x1f1ac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 12.3.37F1.exe.2eb9e80.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.3.37F1.exe.2eb9e80.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x33122:$pat14: , CommandLine:
- 0x22004:$v2_1: ListOfProcesses
- 0x204ba:$v4_3: base64str
- 0x20479:$v4_4: stringKey
- 0x204c4:$v4_5: BytesToStringConverted
- 0x204af:$v4_6: FromBase64
- 0x21cc1:$v4_8: procName
- 0x1f082:$v5_1: DownloadAndExecuteUpdate
- 0x1f0aa:$v5_2: ITaskProcessor
- 0x1f070:$v5_3: CommandLineUpdate
- 0x1f09b:$v5_4: DownloadUpdate
- 0x1efe4:$v5_5: FileScanning
- 0x1f282:$v5_7: RecordHeaderField
- 0x1f1ac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 25.0.5999.exe.400000.8.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.0.5999.exe.400000.8.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.8.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.8.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
|
| 0.2.file.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 12.2.37F1.exe.48d0e67.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.48d0e67.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x700:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 D7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1e9d0:$s5: delete[]
- 0x1de88:$s6: constructor or from DllMain.
|
| 12.2.37F1.exe.5f8cf50.6.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.5f8cf50.6.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x34f22:$pat14: , CommandLine:
- 0x23e04:$v2_1: ListOfProcesses
- 0x222ba:$v4_3: base64str
- 0x22279:$v4_4: stringKey
- 0x222c4:$v4_5: BytesToStringConverted
- 0x222af:$v4_6: FromBase64
- 0x23ac1:$v4_8: procName
- 0x20e82:$v5_1: DownloadAndExecuteUpdate
- 0x20eaa:$v5_2: ITaskProcessor
- 0x20e70:$v5_3: CommandLineUpdate
- 0x20e9b:$v5_4: DownloadUpdate
- 0x20de4:$v5_5: FileScanning
- 0x21082:$v5_7: RecordHeaderField
- 0x20fac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 12.3.37F1.exe.4910000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.3.37F1.exe.4910000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x700:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 D7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1e9d0:$s5: delete[]
- 0x1de88:$s6: constructor or from DllMain.
|
| 19.2.5999.exe.23715a0.1.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 19.2.5999.exe.23715a0.1.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 19.2.5999.exe.23715a0.1.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 19.2.5999.exe.23715a0.1.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 25.0.5999.exe.400000.8.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
| 25.0.5999.exe.400000.8.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.8.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.8.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 25.0.5999.exe.400000.5.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 12.3.37F1.exe.2eb9e80.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.3.37F1.exe.2eb9e80.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x34f22:$pat14: , CommandLine:
- 0x23e04:$v2_1: ListOfProcesses
- 0x222ba:$v4_3: base64str
- 0x22279:$v4_4: stringKey
- 0x222c4:$v4_5: BytesToStringConverted
- 0x222af:$v4_6: FromBase64
- 0x23ac1:$v4_8: procName
- 0x20e82:$v5_1: DownloadAndExecuteUpdate
- 0x20eaa:$v5_2: ITaskProcessor
- 0x20e70:$v5_3: CommandLineUpdate
- 0x20e9b:$v5_4: DownloadUpdate
- 0x20de4:$v5_5: FileScanning
- 0x21082:$v5_7: RecordHeaderField
- 0x20fac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 25.0.5999.exe.400000.4.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.0.5999.exe.400000.4.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.4.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.4.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
|
| 12.2.37F1.exe.5f8cf50.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.5f8cf50.6.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x33122:$pat14: , CommandLine:
- 0x22004:$v2_1: ListOfProcesses
- 0x204ba:$v4_3: base64str
- 0x20479:$v4_4: stringKey
- 0x204c4:$v4_5: BytesToStringConverted
- 0x204af:$v4_6: FromBase64
- 0x21cc1:$v4_8: procName
- 0x1f082:$v5_1: DownloadAndExecuteUpdate
- 0x1f0aa:$v5_2: ITaskProcessor
- 0x1f070:$v5_3: CommandLineUpdate
- 0x1f09b:$v5_4: DownloadUpdate
- 0x1efe4:$v5_5: FileScanning
- 0x1f282:$v5_7: RecordHeaderField
- 0x1f1ac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 12.2.37F1.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x700:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 D7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1e9d0:$s5: delete[]
- 0x1de88:$s6: constructor or from DllMain.
|
| 25.0.5999.exe.400000.10.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
| 25.0.5999.exe.400000.10.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.10.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.10.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 12.2.37F1.exe.4b70000.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4b70000.5.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x3400a:$pat14: , CommandLine:
- 0x22eec:$v2_1: ListOfProcesses
- 0x213a2:$v4_3: base64str
- 0x21361:$v4_4: stringKey
- 0x213ac:$v4_5: BytesToStringConverted
- 0x21397:$v4_6: FromBase64
- 0x22ba9:$v4_8: procName
- 0x1ff6a:$v5_1: DownloadAndExecuteUpdate
- 0x1ff92:$v5_2: ITaskProcessor
- 0x1ff58:$v5_3: CommandLineUpdate
- 0x1ff83:$v5_4: DownloadUpdate
- 0x1fecc:$v5_5: FileScanning
- 0x2016a:$v5_7: RecordHeaderField
- 0x20094:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 12.2.37F1.exe.400000.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
- 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
- 0x1300:$s3: 83 EC 38 53 B0 A7 88 44 24 2B 88 44 24 2F B0 D7 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
- 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
- 0x1fdd0:$s5: delete[]
- 0x1f288:$s6: constructor or from DllMain.
|
| 11.2.uucbfdt.710e67.1.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 12.2.37F1.exe.4b70ee8.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4b70ee8.4.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x33122:$pat14: , CommandLine:
- 0x22004:$v2_1: ListOfProcesses
- 0x204ba:$v4_3: base64str
- 0x20479:$v4_4: stringKey
- 0x204c4:$v4_5: BytesToStringConverted
- 0x204af:$v4_6: FromBase64
- 0x21cc1:$v4_8: procName
- 0x1f082:$v5_1: DownloadAndExecuteUpdate
- 0x1f0aa:$v5_2: ITaskProcessor
- 0x1f070:$v5_3: CommandLineUpdate
- 0x1f09b:$v5_4: DownloadUpdate
- 0x1efe4:$v5_5: FileScanning
- 0x1f282:$v5_7: RecordHeaderField
- 0x1f1ac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 13.3.405E.exe.820000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 13.2.405E.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 19.2.5999.exe.23715a0.1.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xdf7ea:$s1: http://
- 0xfd898:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xfdf28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xfdf4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101b2b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xffa26:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xdf7ea:$f1: http://
|
| 19.2.5999.exe.23715a0.1.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 19.2.5999.exe.23715a0.1.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfd288:$x1: C:\SystemID\PersonalID.txt
- 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfd6ec:$s1: " --AutoStart
- 0xfd700:$s1: " --AutoStart
- 0x101348:$s2: --ForNetRes
- 0x101310:$s3: --Admin
- 0x101790:$s4: %username%
- 0x1018b4:$s5: ?pid=
- 0x1018c0:$s6: &first=true
- 0x1018d8:$s6: &first=false
- 0xfd7f4:$s7: delself.bat
- 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 19.2.5999.exe.23715a0.1.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 30.3.gecbfdt.710000.0.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 30.0.gecbfdt.700e67.4.raw.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security | |
| 25.0.5999.exe.400000.7.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
| 25.0.5999.exe.400000.7.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.7.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.7.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 25.0.5999.exe.400000.9.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.0.5999.exe.400000.9.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.9.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.9.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
|
| 12.2.37F1.exe.5f55530.7.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.5f55530.7.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x35e0a:$pat14: , CommandLine:
- 0x6c942:$pat14: , CommandLine:
- 0x24cec:$v2_1: ListOfProcesses
- 0x5b824:$v2_1: ListOfProcesses
- 0x231a2:$v4_3: base64str
- 0x59cda:$v4_3: base64str
- 0x23161:$v4_4: stringKey
- 0x59c99:$v4_4: stringKey
- 0x231ac:$v4_5: BytesToStringConverted
- 0x59ce4:$v4_5: BytesToStringConverted
- 0x23197:$v4_6: FromBase64
- 0x59ccf:$v4_6: FromBase64
- 0x249a9:$v4_8: procName
- 0x5b4e1:$v4_8: procName
- 0x21d6a:$v5_1: DownloadAndExecuteUpdate
- 0x588a2:$v5_1: DownloadAndExecuteUpdate
- 0x21d92:$v5_2: ITaskProcessor
- 0x588ca:$v5_2: ITaskProcessor
- 0x21d58:$v5_3: CommandLineUpdate
- 0x58890:$v5_3: CommandLineUpdate
- 0x21d83:$v5_4: DownloadUpdate
|
| 12.2.37F1.exe.4a8a18e.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4a8a18e.3.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x3400a:$pat14: , CommandLine:
- 0x22eec:$v2_1: ListOfProcesses
- 0x213a2:$v4_3: base64str
- 0x21361:$v4_4: stringKey
- 0x213ac:$v4_5: BytesToStringConverted
- 0x21397:$v4_6: FromBase64
- 0x22ba9:$v4_8: procName
- 0x1ff6a:$v5_1: DownloadAndExecuteUpdate
- 0x1ff92:$v5_2: ITaskProcessor
- 0x1ff58:$v5_3: CommandLineUpdate
- 0x1ff83:$v5_4: DownloadUpdate
- 0x1fecc:$v5_5: FileScanning
- 0x2016a:$v5_7: RecordHeaderField
- 0x20094:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 12.2.37F1.exe.4b70000.5.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4b70000.5.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x35e0a:$pat14: , CommandLine:
- 0x24cec:$v2_1: ListOfProcesses
- 0x231a2:$v4_3: base64str
- 0x23161:$v4_4: stringKey
- 0x231ac:$v4_5: BytesToStringConverted
- 0x23197:$v4_6: FromBase64
- 0x249a9:$v4_8: procName
- 0x21d6a:$v5_1: DownloadAndExecuteUpdate
- 0x21d92:$v5_2: ITaskProcessor
- 0x21d58:$v5_3: CommandLineUpdate
- 0x21d83:$v5_4: DownloadUpdate
- 0x21ccc:$v5_5: FileScanning
- 0x21f6a:$v5_7: RecordHeaderField
- 0x21e94:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 12.2.37F1.exe.4a8b076.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | |
| 12.2.37F1.exe.4a8b076.2.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | - 0x34f22:$pat14: , CommandLine:
- 0x23e04:$v2_1: ListOfProcesses
- 0x222ba:$v4_3: base64str
- 0x22279:$v4_4: stringKey
- 0x222c4:$v4_5: BytesToStringConverted
- 0x222af:$v4_6: FromBase64
- 0x23ac1:$v4_8: procName
- 0x20e82:$v5_1: DownloadAndExecuteUpdate
- 0x20eaa:$v5_2: ITaskProcessor
- 0x20e70:$v5_3: CommandLineUpdate
- 0x20e9b:$v5_4: DownloadUpdate
- 0x20de4:$v5_5: FileScanning
- 0x21082:$v5_7: RecordHeaderField
- 0x20fac:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
|
| 25.2.5999.exe.400000.0.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.2.5999.exe.400000.0.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.2.5999.exe.400000.0.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.2.5999.exe.400000.0.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 25.0.5999.exe.400000.6.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.0.5999.exe.400000.6.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.6.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.6.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
|
| 25.0.5999.exe.400000.5.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.0.5999.exe.400000.5.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.5.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.5.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
|
| 25.0.5999.exe.400000.10.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.0.5999.exe.400000.10.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.10.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.10.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
|
| 25.0.5999.exe.400000.7.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe0dea:$s1: http://
- 0xfee98:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff528:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0xff54b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10312b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x101026:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe0dea:$f1: http://
|
| 25.0.5999.exe.400000.7.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.7.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xfe888:$x1: C:\SystemID\PersonalID.txt
- 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0xfecec:$s1: " --AutoStart
- 0xfed00:$s1: " --AutoStart
- 0x102948:$s2: --ForNetRes
- 0x102910:$s3: --Admin
- 0x102d90:$s4: %username%
- 0x102eb4:$s5: ?pid=
- 0x102ec0:$s6: &first=true
- 0x102ed8:$s6: &first=false
- 0xfedf4:$s7: delself.bat
- 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.7.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
|
| 25.0.5999.exe.400000.6.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
| 25.0.5999.exe.400000.6.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.0.5999.exe.400000.6.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.0.5999.exe.400000.6.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| 25.2.5999.exe.400000.0.raw.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth | - 0xe23ea:$s1: http://
- 0x100498:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b28:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x100b4b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x10472b:$s1: \xE8\xF4\xF4\xF0\xBA\xAF\xAF
- 0x102626:$s2: \xE8\xF4\xF4\xF0\xF3\xBA\xAF\xAF
- 0xe23ea:$f1: http://
|
| 25.2.5999.exe.400000.0.raw.unpack | JoeSecurity_Djvu | Yara detected Djvu Ransomware | Joe Security | |
| 25.2.5999.exe.400000.0.raw.unpack | MALWARE_Win_STOP | Detects STOP ransomware | ditekSHen | - 0xffe88:$x1: C:\SystemID\PersonalID.txt
- 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC)
- 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\
- 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\
- 0x1002ec:$s1: " --AutoStart
- 0x100300:$s1: " --AutoStart
- 0x103f48:$s2: --ForNetRes
- 0x103f10:$s3: --Admin
- 0x104390:$s4: %username%
- 0x1044b4:$s5: ?pid=
- 0x1044c0:$s6: &first=true
- 0x1044d8:$s6: &first=false
- 0x1003f4:$s7: delself.bat
- 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
- 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1}
- 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
|
| 25.2.5999.exe.400000.0.raw.unpack | Windows_Ransomware_Stop_1e8d48ff | unknown | unknown | - 0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
- 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
|
| Click to see the 120 entries |
Edit tour
file.exe (PID: 5540 cmdline: 
explorer.exe (PID: 3452 cmdline: 
37F1.exe (PID: 1760 cmdline: 
405E.exe (PID: 3244 cmdline: 
45DE.exe (PID: 5516 cmdline: 
WerFault.exe (PID: 5348 cmdline: 
49F6.exe (PID: 1324 cmdline: 
regsvr32.exe (PID: 1276 cmdline: 
5487.exe (PID: 1272 cmdline: 
cmd.exe (PID: 5960 cmdline: 
5999.exe (PID: 1244 cmdline: 
