troldesh | 455a080282959c3fc4af1e52ba883f3d724e2b61ea9d4fdb5fc9407f059e9111

Analysis

max time kernel
70s
max time network
65s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-11-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00340.7z
Size

3.1MB
MD5

aac03184203913f26f08ad45d715ba23
SHA1

c3263e9d6da37be63cc30f8767b952ef83dc9fea
SHA256

455a080282959c3fc4af1e52ba883f3d724e2b61ea9d4fdb5fc9407f059e9111
SHA512

f392221a6d846104a6f84a470b65df4d6c13fabfb63dc23f7562f61d151cc2555ecb8d93a824ab551375c7ae405269bb1aca4c3c52ebb18d1683df193ade5180
SSDEEP

49152:d1UMyUYbDLnhpHHshGB9e8le81V6uaVieuJm95PHVPG7R11QAwvwwX9+LZtgoeh:OUYjDssBIED1JMis5Y7hDO19+3gbh

Score

10^/10

troldesh discovery persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Renames multiple (146) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 6 IoCs

pid	Process
2556	Trojan-Ransom.MSIL.Rensen.a-7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a.exe
2600	Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe
2992	Trojan-Ransom.Win32.GandCrypt.frh-2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074.exe
2164	Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe
2588	Trojan-Ransom.Win32.Gen.irn-ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e.exe
1376	chrst.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2164-240-0x0000000000400000-0x000000000061A000-memory.dmp	upx
behavioral1/memory/2164-289-0x0000000000400000-0x000000000061A000-memory.dmp	upx
behavioral1/memory/2164-290-0x0000000000400000-0x000000000061A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.frh-2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Gen.irn-ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chrst.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

pid	Process
2600	Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe
2992	Trojan-Ransom.Win32.GandCrypt.frh-2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074.exe
2588	Trojan-Ransom.Win32.Gen.irn-ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e.exe
2164	Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe
1376	chrst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe
1376	chrst.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2488	7zFM.exe
Token: 35	2488	7zFM.exe
Token: SeSecurityPrivilege	2488	7zFM.exe
Token: SeDebugPrivilege	2544	taskmgr.exe
Token: SeDebugPrivilege	1376	chrst.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2488	7zFM.exe
2488	7zFM.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

pid	Process
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe
2544	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2992	Trojan-Ransom.Win32.GandCrypt.frh-2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074.exe
2164	Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe
2164	Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe
2164	Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2556	2580	cmd.exe	36
PID 2580 wrote to memory of 2556	2580	cmd.exe	36
PID 2580 wrote to memory of 2556	2580	cmd.exe	36
PID 2580 wrote to memory of 2600	2580	cmd.exe	37
PID 2580 wrote to memory of 2600	2580	cmd.exe	37
PID 2580 wrote to memory of 2600	2580	cmd.exe	37
PID 2580 wrote to memory of 2600	2580	cmd.exe	37
PID 2580 wrote to memory of 2992	2580	cmd.exe	38
PID 2580 wrote to memory of 2992	2580	cmd.exe	38
PID 2580 wrote to memory of 2992	2580	cmd.exe	38
PID 2580 wrote to memory of 2992	2580	cmd.exe	38
PID 2580 wrote to memory of 2588	2580	cmd.exe	39
PID 2580 wrote to memory of 2588	2580	cmd.exe	39
PID 2580 wrote to memory of 2588	2580	cmd.exe	39
PID 2580 wrote to memory of 2588	2580	cmd.exe	39
PID 2580 wrote to memory of 2164	2580	cmd.exe	40
PID 2580 wrote to memory of 2164	2580	cmd.exe	40
PID 2580 wrote to memory of 2164	2580	cmd.exe	40
PID 2580 wrote to memory of 2164	2580	cmd.exe	40
PID 2600 wrote to memory of 1304	2600	Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe	41
PID 2600 wrote to memory of 1304	2600	Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe	41
PID 2600 wrote to memory of 1304	2600	Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe	41
PID 2600 wrote to memory of 1304	2600	Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe	41
PID 1304 wrote to memory of 2624	1304	cmd.exe	43
PID 1304 wrote to memory of 2624	1304	cmd.exe	43
PID 1304 wrote to memory of 2624	1304	cmd.exe	43
PID 1304 wrote to memory of 1376	1304	cmd.exe	44
PID 1304 wrote to memory of 1376	1304	cmd.exe	44
PID 1304 wrote to memory of 1376	1304	cmd.exe	44
PID 1304 wrote to memory of 1376	1304	cmd.exe	44
PID 2556 wrote to memory of 2576	2556	Trojan-Ransom.MSIL.Rensen.a-7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a.exe	45
PID 2556 wrote to memory of 2576	2556	Trojan-Ransom.MSIL.Rensen.a-7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a.exe	45
PID 2556 wrote to memory of 2576	2556	Trojan-Ransom.MSIL.Rensen.a-7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a.exe	45

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00340.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\Desktop\00340\Trojan-Ransom.MSIL.Rensen.a-7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a.exe
  Trojan-Ransom.MSIL.Rensen.a-7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 404
    3⤵
    PID:2576
- C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe
  Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8A55.tmp\ExtraTools.bat Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8A55.tmp\ErOne.vbs"
      4⤵
      PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\8A55.tmp\chrst.exe
      chrst.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1376
- C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.GandCrypt.frh-2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074.exe
  Trojan-Ransom.Win32.GandCrypt.frh-2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2992
- C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.Gen.irn-ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e.exe
  Trojan-Ransom.Win32.Gen.irn-ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2588
- C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe
  Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of SetWindowsHookEx
  PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8A55.tmp\ErOne.vbs

Filesize
59B

MD5
a764fe63c6cc48c851f0d2a8ba73c2b7

SHA1
e16351bd38ebcac7e182905767f9b36e078fb5d5

SHA256
8c4d90a5343cea107fad96e842404522aadfc416e7cf84adc58fe2ba72bbc919

SHA512
b0a93898c66c2ff97f9d8cb1f75364a6c4a0ad5cf3158815f94ffb900796065c8e0d384b392d59bf2b01419adb8c65d2dc846ddebaaea971d64c3300edc63571

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A55.tmp\ExtraTools.bat

Filesize
817B

MD5
8f07fa594d84c6e234b336def0b47cdc

SHA1
34b88980635c3f2367af03caedc01d50b5e4624a

SHA256
dd79d7a80a9087e1fced76ade08394843eab01a8ce263dc2306f46435b451f77

SHA512
c33fd26b5399771f4bf9877d717bb730a8101b9f6bd24847084c50b066db7f6e43d56cbf44792eedc94d117c50a988f5d4a46127a34a2115c50fbb4a67ed2047

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A55.tmp\chrst.exe

Filesize
130KB

MD5
c657daf595b5d535ccc757ad837eebe8

SHA1
894e953e86e54a830a14fac94e57569d184a9c09

SHA256
a02565ec78fa1221433e720bd57b044938345b8c65a73143bd9ff73529767526

SHA512
21a26bc146dd2a915c17b268b13edc565e9a582d11c1714d89741f4156a880dfe35415d4920a6326d164519f4b28b6371ef9c7bfdb5e19080448bd77b4a20a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A55.tmp\firefox32.exe

Filesize
62KB

MD5
866604f3adb9207e29505012215f203f

SHA1
718b342c3bc42f3e73c4014c2b105c4d467b0ba6

SHA256
978ed9b9c86653e8f10feb9e7f93eb32f2dadeec42ccce498403e96b7bb3e3c9

SHA512
cdcdd94e2a4c550a819a28085fe543ed944da298da1409ed111380fbde89f6976a4c7d040750307579b007b4551aa86182d453408436bd7aef35423c49b60f79

Download Submit
C:\Users\Admin\Desktop\00340\Trojan-Ransom.MSIL.Rensen.a-7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a.exe

Filesize
96KB

MD5
60335edf459643a87168da8ed74c2b60

SHA1
61f3e01174a6557f9c0bfc89ae682d37a7e91e2e

SHA256
7bf5623f0a10dfa148a35bebd899b7758612f1693d2a9910f716cf15a921a76a

SHA512
b4e5e4d4f0b4a52243d6756c66b4fe6f4b39e64df7790072046e8a3dadad3a1be30b8689a1bab8257cc35cb4df652888ddf62b4e1fccb33e1bbf1f5416d73efb

Download Submit
C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.Encoder.jdx-06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f.exe

Filesize
280KB

MD5
0210d88f1a9c5a5a7eff5c44cf4f7fbc

SHA1
83bff855966cf72a2dd85acae7187caeab556abf

SHA256
06c8e0f6fa2616f4fa92c610a1faea23887ac31db8fa78cede49b6b8c80ec22f

SHA512
42445a8d1a3662e16ee1f5129b8792a47c8b17992940e1ba97a96c11d038d0d5088ca00719c6031e204adefbb18672c58113ac5de66b016a63e330b672fde132

Download Submit
C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.GandCrypt.frh-2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074.exe

Filesize
1.3MB

MD5
2eecbe16892ecae0e09ddc9cf9d84657

SHA1
91b8d87d844fe0fc9f2e3175d485168c8a100593

SHA256
2e7ddeea92385b0acef13e1167926fbb9fb90e15ce2d30da6b397515587f3074

SHA512
014b43f234f8187bb4c65633aa957abdf44acafbf8b539700a8a08703e67c7bceae7db7e8086978ec56cc250d5e783b5816b37d5bb6ddaa2e8cfb9b7a9a242f5

Download Submit
C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.Gen.irn-ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e.exe

Filesize
1.0MB

MD5
1833aaec4050f44cb067e7583e159e92

SHA1
bcb22c5894c3a42a8e5eac9aa18a79a5a252f083

SHA256
ca8b0ebbb30f371219c2ae79cdc0bd1dd3114cdf27821e71cfbcc11f9daca30e

SHA512
1e05ba9e70d27559182ab8f397ace2070bfdb69c7d6aa0cefee5e24d19900affd1458df2378328e33c0874137d1d75add6151e2eb7d2a8f4613c197114e3018b

Download Submit
C:\Users\Admin\Desktop\00340\Trojan-Ransom.Win32.Shade.oxa-c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef.exe

Filesize
1.8MB

MD5
97f5363fde5840aa0955fa7973b55bd6

SHA1
5fe349614aacd19fca5a55c700ef3f68c495f807

SHA256
c8467cc1d148c7212715df7db077db2c47b98a4ff77da2c721466cf4d1c948ef

SHA512
25d2d54719c92df1b867fb915e259b480394e904ff4580591c483e1a70a71ed55ccafc0aac524baae6a823c4c1da105caebb58e6e5f65139aa76bb3683018eea

Download Submit
memory/1376-71-0x0000000000850000-0x0000000000878000-memory.dmp

Filesize
160KB

Download
memory/2164-240-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2164-289-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2164-290-0x0000000000400000-0x000000000061A000-memory.dmp

Filesize
2.1MB

Download
memory/2544-10-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2544-12-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2544-11-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2588-33-0x0000000001390000-0x00000000014A2000-memory.dmp

Filesize
1.1MB

Download