Analysis

  • max time kernel
    237s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 16:11

General

  • Target

    RNSM00345.7z

  • Size

    3.0MB

  • MD5

    2936f6c721739b8fb55452e0916e6e1b

  • SHA1

    47c23c9bf2692ea1cab5a0f6f59fd47f6da642ea

  • SHA256

    49c4f9e21ec3b698c60215cb6072f73f25b6d7dd09064be86e1dfc184f50b06c

  • SHA512

    f4874e79a8b69d8bd46e6b261e8b42aa557e11ddb328e0cf1901c9dd265e8c321e1a42cb0a060a0e99400b7f0af5c85abf70348206a8659fa465fdf879bf1016

  • SSDEEP

    49152:91t6JJ+UADa5weGrqFva0dVF6xfikl/Jcjdh9vS44IVJeQz1JkRKpUg3oEaL:9LeA+GeHlL0iSqjdbvST4JR1pGEaL

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

95.141.43.202:1860

127.0.0.1:1860

Mutex

47fe2d4d-2c23-4594-9173-9c075887e2b5

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-08-26T00:46:44.118475836Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1860

  • default_group

    NOVEMBER

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    47fe2d4d-2c23-4594-9173-9c075887e2b5

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    95.141.43.202

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Nanocore family
  • Troldesh family
  • Troldesh, Shade, Encoder.858

    Troldesh is ransomware spread by malspam.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

    Adversaries may abuse Verclsid to proxy execution of malicious code.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00345.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1964
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2736
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bcffc2239f4dd8663a8244cf15911bbb5fa1f1dc98b76db17944959cc29f3832.exe
      HEUR-Trojan-Ransom.MSIL.Blocker.gen-bcffc2239f4dd8663a8244cf15911bbb5fa1f1dc98b76db17944959cc29f3832.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2136
    • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-412c928c7456959175b85a59095189010653c3870385d917878e3cab8ad8f4b6.exe
      HEUR-Trojan-Ransom.MSIL.Crypmod.gen-412c928c7456959175b85a59095189010653c3870385d917878e3cab8ad8f4b6.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy "HEUR-Trojan-Ransom.MSIL.Crypmod.gen-412c928c7456959175b85a59095189010653c3870385d917878e3cab8ad8f4b6.exe" "C:\Users\Admin\AppData\Local\StanMatt.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:408
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\StanMatt.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Users\Admin\AppData\Local\StanMatt.exe
          "C:\Users\Admin\AppData\Local\StanMatt.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Users\Admin\AppData\Local\StanMatt.exe
            "C:\Users\Admin\AppData\Local\StanMatt.exe"
            5⤵
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
    • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.Win32.Blocker.gen-927d7a1b2dfe3f79170802472a02f630ba1197be5c39b8abdfb0095384a96217.exe
      HEUR-Trojan-Ransom.Win32.Blocker.gen-927d7a1b2dfe3f79170802472a02f630ba1197be5c39b8abdfb0095384a96217.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\AppData\Local\Easy Speed Test\Easy Speed Test.exe
        "C:\Users\Admin\AppData\Local\Easy Speed Test\Easy Speed Test.exe" /firstrun
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Program Files\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.heasyspeedtest.co/s?uid=84f6a679-88f4-4c60-ba12-55e9e6f956d5&uc=20181101&source=d-lp0-bb8-sbe&i_id=speedtest_&ap=appfocus1
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2508
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:976
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:930822 /prefetch:2
            5⤵
            PID:3032
    • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.Win32.Generic-19d9ec2713d913d5325a72ce646351a2384d86efd5dcecebb354ef2bc9e801a2.exe
      HEUR-Trojan-Ransom.Win32.Generic-19d9ec2713d913d5325a72ce646351a2384d86efd5dcecebb354ef2bc9e801a2.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1712
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.Win32.Generic-19d9ec2713d913d5325a72ce646351a2384d86efd5dcecebb354ef2bc9e801a2.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 3
          4⤵
          PID:2212
    • C:\Users\Admin\Desktop\00345\Trojan-Ransom.Win32.Shade.pbt-ea06a7494932ab6c092151d25da6161eaf724f04881ff07f2f30cfc622eec33e.exe
      Trojan-Ransom.Win32.Shade.pbt-ea06a7494932ab6c092151d25da6161eaf724f04881ff07f2f30cfc622eec33e.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of UnmapMainImage
      PID:804
  • C:\Windows\system32\verclsid.exe
    "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
    1⤵
    • System Binary Proxy Execution: Verclsid
    PID:1732
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x7c
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:868
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\4D69F9E1-559C-46CF-82AC-67913DB47C55\Logs\Admin\KB_259521344.dat
    1⤵
    • Modifies registry class
    PID:2360
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\4D69F9E1-559C-46CF-82AC-67913DB47C55\Logs\Admin\KB_259521344.dat
      2⤵
      PID:2108

Network

MITRE ATT&CK Enterprise v15

Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          7e99b15ab1fcb0ae5fd050ac1c6d1ca4

          SHA1

          fd3341c652cce0de0f070c6a532deb7b7cb70b19

          SHA256

          2c9bc70fed8ca9740c4a6eb73ea38d6c6287d5c0a70cff5dcb17b49d1370a77f

          SHA512

          45a48a73e7ca9efae89d8293b74b6999278a8440677129d2acb938cca18e0c299c5cdc3b60dde5d7c68df73c29bfca3362857c035e65d0130c8961f196638914

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          2ad40c0fbf67be7f5f7e72c3fbb9b9b2

          SHA1

          af52e3df2fa83adb6037d70f50ba8cc19f276ad6

          SHA256

          2af6fb51fbcb154cd2cafd78726293abb9775ad863b2bf23969534d5bc515777

          SHA512

          f8af34034e65c30393c5eb2b23d94358024bb6285622e2ba429162028e6fef5a78faf88940bccb43720a02340bbb0cd6dc811a88e7d135a525c5dad8f4677f75

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          cf410f1aa47bef9cdc256673a17043a1

          SHA1

          18e39ea08103a568fb6b868d841f68b5d87483c2

          SHA256

          eaa25c04e20ffb877412ca860f7dee58050a48bbdea4071979a72bce6d115a1e

          SHA512

          ae162e106956fdced960f33659cf7913d67be01d79c77fc9b1eb572ec752be278a0af9bd7e118fb37370c5d4e06efb54d36ff816a66c901027f119a6167ef24a

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          506e1511209dff8d006851afe4a1c35a

          SHA1

          776118c14b8c3defcca7b00226565b6ea16cbeae

          SHA256

          f0836c2073213b7bbbbd3f1db28e23829ed7a840478afeee37307ed90c356825

          SHA512

          043f7a8c3fbf311b060e181bc5503978e2f8fa68bdc526b1910a439c19bd4aad20979cbec8ad11930fcc766dc768034aa752a0173ab965867011aa76ac622519

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          d824e549230ac7ca72009679f4ffd11b

          SHA1

          b34800626b80fdb6bc3a1fa396744e1099f26183

          SHA256

          610019b23065ca4f373b58ea8de2fb3e8ffd042cab089dcef59e4dca5f7caaf7

          SHA512

          5fecb16adc6dc46c5efa93534f7375695ac03233b4bf181c892e2fe8e9466c587b2520308ac8ac5cfb2285e8cbe1b19a316a869433fbcf34c661f1ef9f3eeb1f

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a6a41769f69f5789830b49db8a3b49e6

          SHA1

          1a95e4378892ab3e42254215046d8175b37e9266

          SHA256

          2aec307553b059e220e401f27efb426409f30349f7aaba6e191d1cf3153b3fd9

          SHA512

          d7561801a258b58c448507e8899a0a097cc23c4d34e3ed1fd8c75eff09dfaec3daa2564bed51bdbb49b82aa774f3c58f173a582a7bbbef69942759a07445d823

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          58eaeff52926a4268c43fb14570783a5

          SHA1

          7514eedd91752036323b2fac0bee85f23052fdcd

          SHA256

          e63e10654f74437d5318178a2a4b10fd13bb072be3fb9f89efbc3523ef36a99e

          SHA512

          5a579b1702cb5d6b20dc19c567bbb09b8a16257a039abe8762003436f81db4165e462a3257b56442fc32c2a8eb745c113b7a5bd359f5ff986917fab554c3fbab

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          7e19766d25f151192a91b15308360238

          SHA1

          747a14dac60fd99dc41af847e3222606242f5a8b

          SHA256

          dc516e5df5d9d6147485f565bc7b5fbaf1dea0e7ca00d44eac329cf3e1df4567

          SHA512

          fc452649534826dfbf725aec524019ece3d9a576bdea8b43cb65b9f2b713892e0f0f90567193aee5c93c2e942d6501f23c67b732c3c46facd244939d71cffb25

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          a53fa8da1660fb7940aef5fd28683e02

          SHA1

          dc6f0d7631eac739db38f180a991ff4c6eb0f535

          SHA256

          34300f14ea037c050f816695d66327de5f04b1425d62fe6742129c2d3db4c49d

          SHA512

          3d036320ca2c93dae55df530a44e45091a9a3044ac28833208d0d0297bf5aa13b38d51296d622cfe413472c58b979349ba084c26ea662eab1c5ff71d0a3f4c49

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          c3d52b9a7184727c4400be85310c6e47

          SHA1

          ce4c97700b783588d857f17384e6212f47ef7019

          SHA256

          82b30395fecfc591825f2e1d4cf70cb17811398ad5e9dd75b762e87e6a162745

          SHA512

          ddaec4064e1913b28c7cae2d60834a212e57105c24bd01cfc7b81fbceb9d9a54feb86647111ab2251e47d12005d22bf70739f0c0cdf4980a7afa8e7afedee19b

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

          Filesize

          342B

          MD5

          6037c508e77c158b79fed7e729082dd3

          SHA1

          f0a9cf2bc7596462f8e668ad2a6596a0aecddc64

          SHA256

          3d516ee1e12c431594dc8890ca9ae5e8ce1600d9ca97bf5feaf683121e3a91db

          SHA512

          81942a50d5ee1a1916f659bfed4d1e9637ca56c50a3fa075131367f1b49e6e220449754b632878ebeec89677b55868f6e2f9850394806c988aa4a2349fb9471f

        • C:\Users\Admin\AppData\Local\Temp\Cab5572.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • C:\Users\Admin\AppData\Local\Temp\Tar55D3.tmp

          Filesize

          181KB

          MD5

          4ea6026cf93ec6338144661bf1202cd1

          SHA1

          a1dec9044f750ad887935a01430bf49322fbdcb7

          SHA256

          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

          SHA512

          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

        • C:\Users\Admin\AppData\Roaming\4D69F9E1-559C-46CF-82AC-67913DB47C55\Logs\Admin\KB_259521344.dat

          Filesize

          44B

          MD5

          e77b98c53c8c9bd1a97363740a3e2b76

          SHA1

          614216feb4c3d9f4c9d617c3af7ccd74d12870ca

          SHA256

          c9b4fa1a75b4d279fc62a4f8a6a6bab379cb5da2636940786dc888618a8d5710

          SHA512

          fadcc1d0fbee0243b9553643572cafebd7233e8afa450269d83ad320d8567672f338b881f48635cc4ed936f024248abc081d4e84aead3a79624bbaa7392e60e4

        • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.MSIL.Blocker.gen-bcffc2239f4dd8663a8244cf15911bbb5fa1f1dc98b76db17944959cc29f3832.exe

          Filesize

          209KB

          MD5

          9b977c56b49865fc900226514ba0ec5a

          SHA1

          aa3318226f15e56f570c8da76f4432e204492911

          SHA256

          bcffc2239f4dd8663a8244cf15911bbb5fa1f1dc98b76db17944959cc29f3832

          SHA512

          0c6b527b0a26aa6ca25676ae2b62ccdda135a97260183a28757ddf82efd1fef739bfbc56ea7ccd9875601081284a02a9b3c8980efd1cccc7ef7ec928ebfb2e3c

        • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.MSIL.Crypmod.gen-412c928c7456959175b85a59095189010653c3870385d917878e3cab8ad8f4b6.exe

          Filesize

          584KB

          MD5

          943b3c4bb05f14a97baf7e2d42c699e6

          SHA1

          809523d91479ce1d7797e86499987b5a3546ee33

          SHA256

          412c928c7456959175b85a59095189010653c3870385d917878e3cab8ad8f4b6

          SHA512

          dd3dca0524d1f83f85a8ebcfce950e12f2a4b0aab5adc3361027fb959ca91878562c38a09d1ecb6d35fad961cc59bfa2fad1edc731d8ba3d0f7b7cdbf13731a8

        • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.Win32.Blocker.gen-927d7a1b2dfe3f79170802472a02f630ba1197be5c39b8abdfb0095384a96217.exe

          Filesize

          1.5MB

          MD5

          f4df21de4567021dff918303db49eaf6

          SHA1

          88e4accf304f039e3d249fc9af34d8a099c595dd

          SHA256

          927d7a1b2dfe3f79170802472a02f630ba1197be5c39b8abdfb0095384a96217

          SHA512

          ecf4d5bfe512629bbe2e25dc68a41c4b2a1e70729e8538f2783d38cd36c5909bd9f3474ee9593d8eea52a1f7dfa73582fb5b22c9925cf116af43b39bc6d997ea

        • C:\Users\Admin\Desktop\00345\HEUR-Trojan-Ransom.Win32.Generic-19d9ec2713d913d5325a72ce646351a2384d86efd5dcecebb354ef2bc9e801a2.exe

          Filesize

          276KB

          MD5

          61e69b6ecf176fc74179fffab0fc4292

          SHA1

          1d1b849a27f48671f96b34a1e3c86840721a7277

          SHA256

          19d9ec2713d913d5325a72ce646351a2384d86efd5dcecebb354ef2bc9e801a2

          SHA512

          5c6722fbe227fd76e2ad968975ead2f543d8f492d96cea1bda5b62660d7026eb25c5b9318a979fd28c8ba674fef3f54b087e00a673250a7b73cf1f814f5ecae6

        • C:\Users\Admin\Desktop\00345\Trojan-Ransom.Win32.Shade.pbt-ea06a7494932ab6c092151d25da6161eaf724f04881ff07f2f30cfc622eec33e.exe

          Filesize

          1.3MB

          MD5

          c90cf61a0eaa05c312f7b77a09127bc9

          SHA1

          cb63424ccc3f5606ba789cf69b57356c35e89f15

          SHA256

          ea06a7494932ab6c092151d25da6161eaf724f04881ff07f2f30cfc622eec33e

          SHA512

          9db8e3533122e8f0cdd3b097dc56236d27bee5daf42f8d5eb912db52293e4a4b2357a6c97816e527caab791f920538b133b3432dbcb65331d5bf2b197733a937

        • \Users\Admin\AppData\Local\Easy Speed Test\Easy Speed Test.exe

          Filesize

          2.7MB

          MD5

          8052003e500e26d2c4c0659cf06fc246

          SHA1

          25a98e3553be7cfade033c504d9a2068517a229e

          SHA256

          2908a84aa26483bcaccb06f6f2c8f9c97a70ed45927df43dd48f04caa16f6dd0

          SHA512

          349a58b2bff78b8385c8623fedce1d909297c2bec4568f87035891c9020c13bd052a296c48754a1a1b20fa2021330f697ef60c82376ab5d5a388c539e4fb3404

        • \Users\Admin\AppData\Local\Temp\nsy2B56.tmp\System.dll

          Filesize

          11KB

          MD5

          a4dd044bcd94e9b3370ccf095b31f896

          SHA1

          17c78201323ab2095bc53184aa8267c9187d5173

          SHA256

          2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc

          SHA512

          87335a43b9ca13e1300c7c23e702e87c669e2bcf4f6065f0c684fc53165e9c1f091cc4d79a3eca3910f0518d3b647120ac0be1a68eaade2e75eaa64adfc92c5a

        • \Users\Admin\AppData\Local\Temp\nsy2B56.tmp\npHelper.dll

          Filesize

          330KB

          MD5

          04b6fbef6c229230313beda281aa422d

          SHA1

          9b23da2fb50ca31938ad5312ae7f174b291fc19f

          SHA256

          b0457bc4367bbb67b9b995af5368cd7806c8ee67526318dc9cb82eea29415ea0

          SHA512

          f342263f7eddc9ec68854ea78d91cd80f16462bb33028d986179cd761ed657650a500b7b3ba59a5d253de091b8c20fefacfed9646d88e09469f371f8ceba65d4

        • \Users\Admin\AppData\Local\Temp\nsy2B56.tmp\nsDialogs.dll

          Filesize

          9KB

          MD5

          0d45588070cf728359055f776af16ec4

          SHA1

          c4375ceb2883dee74632e81addbfa4e8b0c6d84a

          SHA256

          067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a

          SHA512

          751ebf4c43f100b41f799d0fbf8db118ea8751df029c1f4c4b0daeb0fef200ddf2e41c1c9c55c2dc94f2c841cf6acb7df355e98a2e5877a7797f0f1d41a7e415

        • memory/804-55-0x0000000000400000-0x0000000000607000-memory.dmp

          Filesize

          2.0MB

        • memory/804-50-0x0000000000400000-0x0000000000607000-memory.dmp

          Filesize

          2.0MB

        • memory/804-51-0x0000000000400000-0x0000000000607000-memory.dmp

          Filesize

          2.0MB

        • memory/804-693-0x0000000000400000-0x0000000000607000-memory.dmp

          Filesize

          2.0MB

        • memory/804-56-0x0000000000400000-0x0000000000607000-memory.dmp

          Filesize

          2.0MB

        • memory/804-52-0x0000000000400000-0x0000000000607000-memory.dmp

          Filesize

          2.0MB

        • memory/804-53-0x0000000000400000-0x0000000000607000-memory.dmp

          Filesize

          2.0MB

        • memory/1512-698-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/1512-700-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/1512-705-0x00000000004E0000-0x00000000004EA000-memory.dmp

          Filesize

          40KB

        • memory/1512-704-0x00000000003E0000-0x00000000003FE000-memory.dmp

          Filesize

          120KB

        • memory/1512-703-0x00000000003D0000-0x00000000003DA000-memory.dmp

          Filesize

          40KB

        • memory/1512-701-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

        • memory/1712-82-0x0000000000150000-0x0000000000156000-memory.dmp

          Filesize

          24KB

        • memory/1712-62-0x00000000005E0000-0x000000000063A000-memory.dmp

          Filesize

          360KB

        • memory/1712-48-0x0000000000220000-0x000000000026A000-memory.dmp

          Filesize

          296KB

        • memory/1712-59-0x0000000000140000-0x0000000000146000-memory.dmp

          Filesize

          24KB

        • memory/2196-692-0x0000000000CF0000-0x0000000000D88000-memory.dmp

          Filesize

          608KB

        • memory/2300-60-0x0000000000380000-0x00000000003A0000-memory.dmp

          Filesize

          128KB

        • memory/2300-29-0x0000000001140000-0x00000000011D8000-memory.dmp

          Filesize

          608KB

        • memory/2736-12-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2736-10-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB

        • memory/2736-11-0x0000000140000000-0x00000001405E8000-memory.dmp

          Filesize

          5.9MB