Analysis

  • max time kernel
    128s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-11-2024 20:02

General

  • Target

    RNSM00311.7z

  • Size

    2.2MB

  • MD5

    572cd40b7a7090ce2326bedb2814a25c

  • SHA1

    b4a708bceb8e61dd7786f62de9226030149bdb05

  • SHA256

    7bf491bb387ecafe6a7e6fb0fdd3800b41f87e1562aeaa32aee681abca5c2b8b

  • SHA512

    a2b073c7dcd849ec57e837637e4193fec94839c1ec4a9c528d52ccb423a141b6d27f52df4929a603e332f46eb3bd6d4be44a4a358699552d35d5f113a61c3073

  • SSDEEP

    49152:igq6Mo3K+1CnzdeTFKipvylCXcR/SoXezXb1tkzv5xHIHupYiCo3SQB4anid:igXWGYderqsXcR/AzLvC5xHIE+oManid

Malware Config

Signatures

  • AdWind

    A Java-based RAT family operated as malware-as-a-service.

  • Adwind family
  • Class file contains resources related to AdWind 1 IoCs
  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

  • Globeimposter family
  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Renames multiple (2301) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request 2 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops desktop.ini file(s) 28 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies registry class 12 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00311.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2068
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2632
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-51d8402c6464a6b0d8d8cda2fee0e1ca0987fd28223b00cb9f1875c4bf918cd9.exe
      HEUR-Trojan-Ransom.Win32.Generic-51d8402c6464a6b0d8d8cda2fee0e1ca0987fd28223b00cb9f1875c4bf918cd9.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:2652
    • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-71f0eb0165b5bea0a83474dc6266878520d2d729a22b5d8c04f474661bb020ac.exe
      HEUR-Trojan-Ransom.Win32.Generic-71f0eb0165b5bea0a83474dc6266878520d2d729a22b5d8c04f474661bb020ac.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\word.vbs"
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        PID:540
    • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-98a51834e5c13771074cc4751e433b6a64710c81f0016f60b6f7d7617cf75212.exe
      HEUR-Trojan-Ransom.Win32.Generic-98a51834e5c13771074cc4751e433b6a64710c81f0016f60b6f7d7617cf75212.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-9d31801102b6a42befd6def95c56512fd6b2e96e0146ec3b961ef643b785893b.exe
      HEUR-Trojan-Ransom.Win32.Generic-9d31801102b6a42befd6def95c56512fd6b2e96e0146ec3b961ef643b785893b.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:2008
    • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Foreign.nxzy-8b7d9c9f41456051c42ce99b4730157622fd54c8e60b60727c6ad732d66b8b8c.exe
      Trojan-Ransom.Win32.Foreign.nxzy-8b7d9c9f41456051c42ce99b4730157622fd54c8e60b60727c6ad732d66b8b8c.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of SendNotifyMessage
      PID:2044
    • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Foreign.nzde-6fd04b0c6ea295f5617f83896b8ce243909a77a9da4e876c0f8e6e414bdeffc3.exe
      Trojan-Ransom.Win32.Foreign.nzde-6fd04b0c6ea295f5617f83896b8ce243909a77a9da4e876c0f8e6e414bdeffc3.exe
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of SetWindowsHookEx
      PID:1688
    • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Hermez.it-b346ad4facc9d94e4578d9ab137ced84fcbcebf55165d36ded1121af3562f143.exe
      Trojan-Ransom.Win32.Hermez.it-b346ad4facc9d94e4578d9ab137ced84fcbcebf55165d36ded1121af3562f143.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\13121514131815151312.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2148
      • C:\Windows\M-50502538652086560246582646528040\windrv.exe
        C:\Windows\M-50502538652086560246582646528040\windrv.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2952
    • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Purgen.ahp-94d545f285cae53f4efd484ebbe3c2c6c3e4542ded732f6985945e7ae62ab4e0.exe
      Trojan-Ransom.Win32.Purgen.ahp-94d545f285cae53f4efd484ebbe3c2c6c3e4542ded732f6985945e7ae62ab4e0.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Program Files directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: RenamesItself
      PID:2916
    • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Wanna.c-94cce9146c9a203b351105cfa453166e7ef7548116e0756d9ff314f55201fd55.exe
      Trojan-Ransom.Win32.Wanna.c-94cce9146c9a203b351105cfa453166e7ef7548116e0756d9ff314f55201fd55.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2012
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Public\Desktop\READ__ME.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:1248
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:537613 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7634c2fd51d96de62a4b9a66db26ed51

    SHA1

    f90569284d56ef6f281f97cc8dac8f5aab475d00

    SHA256

    597ea281c7b7378c43c2e0437890c3cf86d9af2f00535f8e5dd8e5d2008748af

    SHA512

    6dd03aab53215cec18fd35f766ea321d9697ff6914638acce048c99cbf91483f1bd8c5444d4684f23fd952a9825daa9efb176d804b1f2ba49c9a29f3bcc10108

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    07663f534a09b775c01e3ccfe7b48997

    SHA1

    18c525bf558d4cdc996a6d1172f611e40794139b

    SHA256

    8706525e1b7f881b06c0eea204cafef18ceceb84159c8faf2461baeca49d4d4c

    SHA512

    b97ec96697635d7437221e40d4ec3a86a3e7d6cb6d96a7097f04504506195961a8b6ba335b42ea24576057bb13bdf08e2ddf53c4fd9c0c0a3e86fda8851bafd1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    08e54007d74fedf6267bd2660129d9a4

    SHA1

    a3db5e821d5daad4cc562b199aeafd1439df1a1f

    SHA256

    cd0db5a4a9361e7e00574026f06d3a9b962363f775720da6c02e55b44cc1249b

    SHA512

    7e686cd22625f922f63132135bbae4b0b8549254a78a4d637fcc6ef6704c9a4f23b959c6bef1edcd3fa7653d8c59fe71df3e88006e896effc0087d13ad5cbd34

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6c86c2568e1b7df6a83d84910594cc23

    SHA1

    fcfd53339dfa62287c953f82b15bed44f64fea94

    SHA256

    fd931c24a2def9a613801f330d7a7c54b67f8314cfda38f5586b171036ce79c2

    SHA512

    61d61248ddae99641602a60c6d58f0517710e5cc316abb3dbf5ee7aa075bc65c54d486dc6a0093b5def2ef421681f513b2a10637a4c4ddcdce90a04c981b569f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f5e158c519ae41ecdbc142fdb93a6e64

    SHA1

    290ca9b4013af53b84e510c5ebe235ca9e6e9972

    SHA256

    c34d7a461431bab9b4534b6dd156cb054053f10d0ad31509f4a442af887ab9fb

    SHA512

    3208150755ec125349be7414977aac9130b85c4470c693f770b12df871e88a7e2393aeb12842b883eb7526a613011db304bcb4787b9d7e7b13d2a9ec2cce0e6e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    b0a2d19f2b2035f40e53464bfae516a7

    SHA1

    44068b3666c1852543b9efb68a7af6fc6d188cf8

    SHA256

    cd8616d9460a1ba92719306e44e1efb372a53b82709c2f544197e06db30c7d22

    SHA512

    ca496fa4017f1a272199d9120dc33ddedfd39cd45c28e08cafe32ae6c8d3f62f95443fc1b0b8ee960d6c5d1b7587381469c983bbb782558848283a1f389d52fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    80e59f9ec690ff17e512b51602c7b6eb

    SHA1

    f9da2eb40b3801bbd869baf5c4659c31fb802c35

    SHA256

    225c2a5d880b073b2acfa9bb81c8bbbce881fe9e6cbeaa6b42ef1138b2d8b422

    SHA512

    c0f97262f4db181222c49d36827ce104aaa9b9d9d94eddb38f0c3c4a6f2a4c77680750a3c4e2fb4e338132f015d9b3f291b1d48ae8c864a1a47b8b9e84948052

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    219c10e828f9b6cc8d1edcbecaaa9008

    SHA1

    0452da8c5db645a901cfa344d80d44a0882ca3a4

    SHA256

    b0a0b70612a0afd2f8808575970c19374c1625ae232e4496c321ea74f8349257

    SHA512

    9def1b13df3920d25088ea58f406cf0dd0cf7435e698ce481877d3195397cf4493154ac92bab78c05c7205571b2b8506d24d7d5e1001f4d3a8c7ea96c14d2a39

  • C:\Users\Admin\AppData\Local\Temp\13121514131815151312.bat

    Filesize

    362B

    MD5

    5c8cc2f1625ec2c4fcf9d23374b6301f

    SHA1

    b2506c0c9d08e7d445e80b379d7349cf5d387f9b

    SHA256

    ceb3cdb1ab3fee6c99bb69a7c0338c7443507d146e153b6eb74c24757b072093

    SHA512

    7435b24c979d61011a4bb502fd662e2e9b6a7ad9c5ff0aa72d63b5711b4a24bdbbd7638900eaa029efc6bb55c6ed45c319e5e3ed2787e003c632ab2e29b35a1c

  • C:\Users\Admin\AppData\Local\Temp\CabFDA2.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarFE14.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

    Filesize

    474KB

    MD5

    78017058d2d6b5ff37c68b64e4aaf0f2

    SHA1

    43a6e556d0ea4ca5212e777addb43f59197156a3

    SHA256

    0f6e8888104ccb2a2c1000d01327c667d5d0739dd21dd62ea53a8492521c872a

    SHA512

    0a8fbf1795d6286af1dc58ee63882161cb81f8ba84bbbdcc873e3f0fa1d0b2b8496a0f58e6091d96a5d73c789751a7c5fdc6bbdbcc8161f9f560b897161b344d

  • C:\Users\Admin\AppData\Roaming\word.vbs

    Filesize

    882KB

    MD5

    53c5df6bf9c79014a6437d6d8190e4cf

    SHA1

    518ad26dbf6310edccc826ba4eeee4d4a0ae1f2d

    SHA256

    f9a12de8bbffc106f1e3db1a544b305b90e61cc634f2849194d7307cb77bf766

    SHA512

    2c0128c0ac5b7283987c2470f807830e17cb49d917768d5ea58e15ad447c088a40beb112428b98cb91e121b1c7e81d20352314506dc0a57dbc1e544d3284737b

  • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-51d8402c6464a6b0d8d8cda2fee0e1ca0987fd28223b00cb9f1875c4bf918cd9.exe

    Filesize

    372KB

    MD5

    ded0f095edbbaf7f73f60220d0d5644b

    SHA1

    998d12496a4858925a96c2e83da40cc643658299

    SHA256

    51d8402c6464a6b0d8d8cda2fee0e1ca0987fd28223b00cb9f1875c4bf918cd9

    SHA512

    21f5a96314ff898789c1ae51b1228794e58393db47a71515eb09e3686160cca4410f8c9a8541e1ff11dea40b87fe8f4bccf168321c1b8b5f7ef090a262214623

  • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-71f0eb0165b5bea0a83474dc6266878520d2d729a22b5d8c04f474661bb020ac.exe

    Filesize

    2.6MB

    MD5

    192eeddeda5355c02c8f4a49eece80ca

    SHA1

    11fa902d639304e4323587bf69b5335c43e728f9

    SHA256

    71f0eb0165b5bea0a83474dc6266878520d2d729a22b5d8c04f474661bb020ac

    SHA512

    8eaca4794e00f310b839de240e8c05f0c3ad2675ddd88c6cdedc1af83fe553af25ac433bb3dbb0a9e0c34fa8eb30a9f8672d546e26fefde2f8cbb6edec83bb11

  • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-98a51834e5c13771074cc4751e433b6a64710c81f0016f60b6f7d7617cf75212.exe

    Filesize

    729KB

    MD5

    71e634e83bc4e7d23047ebd7d394cc57

    SHA1

    b0bec180453d388f0fda7b73e2fd0d9735db45dc

    SHA256

    98a51834e5c13771074cc4751e433b6a64710c81f0016f60b6f7d7617cf75212

    SHA512

    ca62cf08b4863e801d4318345b8f1e7963e85a0c57330148f5dea51a0e9ec005824c4c36e6471f15cf9896b7d2cbf5772be1f39fafeeb3de8252d941b1564ba8

  • C:\Users\Admin\Desktop\00311\HEUR-Trojan-Ransom.Win32.Generic-9d31801102b6a42befd6def95c56512fd6b2e96e0146ec3b961ef643b785893b.exe

    Filesize

    720KB

    MD5

    cb9754ce43d0d1829bc985a6548744df

    SHA1

    19b92a2802cdea2aa02bd5f32e3e76e5d83cb2b5

    SHA256

    9d31801102b6a42befd6def95c56512fd6b2e96e0146ec3b961ef643b785893b

    SHA512

    7b429434bbb8874b38f213dad547c7b461e031693e21db28d95ad6357ac9efd9349539e35f14fe0df484d7fc634a8f9a678889079369e7cfa7963073207007f7

  • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Foreign.nxzy-8b7d9c9f41456051c42ce99b4730157622fd54c8e60b60727c6ad732d66b8b8c.exe

    Filesize

    400KB

    MD5

    36cbe99d3ea1bb3a761da0c24876ae44

    SHA1

    70bd34026b685558e483492400f7ab77ce4313c7

    SHA256

    8b7d9c9f41456051c42ce99b4730157622fd54c8e60b60727c6ad732d66b8b8c

    SHA512

    8d2b5331e08def2efa10658d0e235d93ebc507385e5ffeeedf81c51e1f99227320a3390d767b067b5e3f7a7f529f81caf3cbaba6cbcd4020d604c21eb83a0560

  • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Foreign.nzde-6fd04b0c6ea295f5617f83896b8ce243909a77a9da4e876c0f8e6e414bdeffc3.exe

    Filesize

    554KB

    MD5

    00fe617be3854f8b3eb373e8272148dd

    SHA1

    75a36a4911cd17f4997f3f683ac36d941a51d4d4

    SHA256

    6fd04b0c6ea295f5617f83896b8ce243909a77a9da4e876c0f8e6e414bdeffc3

    SHA512

    c1185a94cfdda9134bcb4d26354a0ef4832bcf91cc6c19dd4bfcc9da0b0919fe9abc23d5120a9f9deb7e3c84fc71d081d32bf2b584dc76e3008f26474f56cb66

  • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Hermez.it-b346ad4facc9d94e4578d9ab137ced84fcbcebf55165d36ded1121af3562f143.exe

    Filesize

    221KB

    MD5

    9fb0b009139775cb05c6aa4e6f2d0a96

    SHA1

    9ccbc77032e1e85a52ea68ec8e0ebb752637e5c6

    SHA256

    b346ad4facc9d94e4578d9ab137ced84fcbcebf55165d36ded1121af3562f143

    SHA512

    6945e149fbcd5fec092cd37097c5ae4dd4a0541fa789765718395bdac5869d6de17f6770d9d5b72cce17b7b0284afcec7605f9735ec5907a8a87197604b5edbf

  • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Purgen.ahp-94d545f285cae53f4efd484ebbe3c2c6c3e4542ded732f6985945e7ae62ab4e0.exe

    Filesize

    53KB

    MD5

    4d3b771abcfd283072fe1083617b09cb

    SHA1

    2464704ea9021ca7ab2ef2f1b98a18c8a272a205

    SHA256

    94d545f285cae53f4efd484ebbe3c2c6c3e4542ded732f6985945e7ae62ab4e0

    SHA512

    b52a4dd4202a05fbd2e059e6f42639dfa70077b29ed57e35a6002f780fe7392a966c84fafea2551456cae9a7e875f70e4093cbb7a98148b8cd1bb39dd7f07148

  • C:\Users\Admin\Desktop\00311\Trojan-Ransom.Win32.Wanna.c-94cce9146c9a203b351105cfa453166e7ef7548116e0756d9ff314f55201fd55.exe

    Filesize

    240KB

    MD5

    9d3c57bdc6649b6640d97212f646f42a

    SHA1

    914e398d393d570363574835689403ad360ce17b

    SHA256

    94cce9146c9a203b351105cfa453166e7ef7548116e0756d9ff314f55201fd55

    SHA512

    3949f5938a5aee40d88023e78180dee8d3f850a40f9b7f6d89c587567dfe4fb347506616805bd6c4dbfa131961fdc3197eee00cd9263fe19da3d75dda672d774

  • C:\Users\Admin\Desktop\00311\c.wnry

    Filesize

    780B

    MD5

    d4037fd3f683af5df645c55727d0cd42

    SHA1

    e9e97ab055a95803bf710a16db37a80dac4b8850

    SHA256

    33c6cf37d9ae81ced22eece74fb080b4f2d1c920bd3ccef8c0e0b6e4914953dc

    SHA512

    4929049e10f34b2435a46a343ab9793ff5072d4f9b1aa4cbac3e8dc7495ce4c046213ad1beca0178f7646526ed0ab55bb0a843b6143032c574fcccec7085ce0c

  • C:\Users\Public\Videos\READ__ME.html

    Filesize

    2KB

    MD5

    e1d9e758b6fc5c5d656f15200b4cb175

    SHA1

    45a9caffb4ba7a8280003edbfef3fbe6ab11e415

    SHA256

    d9a127fe680721e083bbd50e6edb0cbb57fa1a49e75b26d5e5b2a2f68ed98b20

    SHA512

    9e8d409788fc58ae18174cff6e150bb258ea5aee442b6d2df0410557b4ea14ca4e214cc915152d2409edce2789286f580b167600daa079fd6ce712a10edcdc76

  • memory/1688-353-0x0000000045480000-0x0000000045511000-memory.dmp

    Filesize

    580KB

  • memory/1688-233-0x0000000045480000-0x0000000045511000-memory.dmp

    Filesize

    580KB

  • memory/2008-50-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/2044-1929-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2044-1258-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2044-2248-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2044-2792-0x0000000000400000-0x0000000000479000-memory.dmp

    Filesize

    484KB

  • memory/2632-18-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2632-19-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

  • memory/2652-51-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

  • memory/2652-53-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

  • memory/2652-34-0x0000000000400000-0x00000000004C4000-memory.dmp

    Filesize

    784KB

  • memory/2848-356-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2916-35-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB

  • memory/2916-264-0x0000000000400000-0x000000000040E200-memory.dmp

    Filesize

    56KB

  • memory/2952-4533-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB