Analysis
max time kernel: 119s
max time network: 156s
platform: windows7_x64
resource: win7v20210410
submitted: 26-07-2021 13:00
Static task: static1
Behavioral task: behavioral1
  Sample: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
  Resource: win10v20210410
General
Target: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
Size: 252KB
MD5: 056fa68a3a2b65e4677f685746283209
SHA1: 991f7fa89b13f94a5de106950c14a2f0321069f6
SHA256: c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71
SHA512: cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061
Malware Config
Extracted from C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\how_recover+gap.txt:
http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761
http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761
http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761
https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761
http://vr6g2curb2kcidou.onion/AD7D2BC4DB652761
Extracted from C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html:
http://vr6g2curb2kcidou.onion/AD7D2BC4DB652761
http://vr6g2curb2kcidou.encpayment23.com/AD7D2BC4DB652761
http://vr6g2curb2kcidou.expay34.com/AD7D2BC4DB652761
http://psbc532jm8c.hsh73cu37n1.net/AD7D2BC4DB652761
https://vr6g2curb2kcidou.onion.to/AD7D2BC4DB652761
Both notes carry the same five payment URLs: three clearnet hostnames, the .onion address itself, and an onion.to Tor2web gateway for that address. The path component AD7D2BC4DB652761 is identical across all of them and is the per-victim identifier; block the hostnames, and use the identifier as the token to search for in proxy logs when scoping an infection.
Signatures
-
suricata: ET MALWARE AlphaCrypt CnC Beacon 5
-
suricata: ET MALWARE AlphaCrypt CnC Beacon 6
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
Processes (pid process):
516 bcdedit.exe
1140 bcdedit.exe
928 bcdedit.exe
1784 bcdedit.exe
736 bcdedit.exe
The five command lines are in the process tree below: recoveryenabled off and bootstatuspolicy IgnoreAllFailures stop Windows from launching Startup Repair or the recovery environment after a failed boot, while bootems off, advancedoptions off and optionsedit off remove the advanced boot-option and option-editing prompts. Together with the vssadmin calls this leaves the victim with neither shadow copies nor a recovery path.
-
Executes dropped EXE 1 IoCs
Processes (pid process):
1704 gabnnacroic.exe
-
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes (description / ioc / process):
File renamed C:\Users\Admin\Pictures\CompressEnter.crw => C:\Users\Admin\Pictures\CompressEnter.crw.vvv  gabnnacroic.exe
File renamed C:\Users\Admin\Pictures\MoveInstall.png => C:\Users\Admin\Pictures\MoveInstall.png.vvv  gabnnacroic.exe
-
Deletes itself 1 IoCs
Processes (pid process):
2020 cmd.exe
The dropper does not delete itself directly: it spawns cmd.exe /c DEL against its own image, addressed by its 8.3 short name (C5DCCB~1.EXE, see the process tree), so a rule keyed on the full file name will miss it.
-
Drops startup file 2 IoCs
Processes (description / ioc / process):
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+gap.html  gabnnacroic.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+gap.txt  gabnnacroic.exe
-
Loads dropped DLL 1 IoCs
Processes (pid process):
1732 c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description / ioc / process):
Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run  gabnnacroic.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\gabnnacroic.exe"  gabnnacroic.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
flow 5  myexternalip.com
flow 8  myexternalip.com
-
Drops file in Program Files directory 64 IoCs
Processes (description / ioc / process); every entry below is "File opened for modification" by gabnnacroic.exe:
C:\Program Files\VideoLAN\VLC\lua\meta\art\how_recover+gap.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png
C:\Program Files\7-Zip\Lang\br.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Notes_btn-back-static.png
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-back-static.png
C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\how_recover+gap.txt
C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\how_recover+gap.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\how_recover+gap.html
C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\how_recover+gap.html
C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\how_recover+gap.html
C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\how_recover+gap.html
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\calendar.css
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\how_recover+gap.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Title_Page_Ref_PAL.wmv
C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\how_recover+gap.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport.wmv
C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\how_recover+gap.html
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\how_recover+gap.txt
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\how_recover+gap.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\how_recover+gap.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\how_recover+gap.html
C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\how_recover+gap.html
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\how_recover+gap.txt
C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi
C:\Program Files\Common Files\Microsoft Shared\VSTO\how_recover+gap.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\how_recover+gap.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png
C:\Program Files\VideoLAN\VLC\locale\tet\how_recover+gap.txt
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_s.png
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\how_recover+gap.txt
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\5.png
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_down.png
C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\how_recover+gap.html
C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIcon.png
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\how_recover+gap.html
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\how_recover+gap.html
C:\Program Files\VideoLAN\VLC\locale\fur\how_recover+gap.txt
C:\Program Files\VideoLAN\VLC\locale\hy\how_recover+gap.html
C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_ButtonGraphic.png
C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\how_recover+gap.html
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\how_recover+gap.txt
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full.png
C:\Program Files\Common Files\SpeechEngines\Microsoft\how_recover+gap.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_ButtonGraphic.png
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\how_recover+gap.txt
C:\Program Files\Google\how_recover+gap.html
C:\Program Files\7-Zip\Lang\gu.txt
C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\how_recover+gap.txt
C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\how_recover+gap.txt
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\how_recover+gap.txt
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png
C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\how_recover+gap.html
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\how_recover+gap.txt
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv
C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-over-DOT.png
The list mixes two activities: existing media, text and style files under Program Files being opened for modification, consistent with in-place encryption, and how_recover+gap.txt/.html notes being written into each directory as the walk proceeds. The directory walk therefore is not limited to the user profile.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid process):
624 vssadmin.exe
1320 vssadmin.exe
-
Modifies Internet Explorer settings
Processes (description / ioc / process). All keys below are under \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer, abbreviated to ...\Internet Explorer:
Key created ...\Internet Explorer\GPU  iexplore.exe
Key created ...\Internet Explorer\LowRegistry\DOMStorage  iexplore.exe
Set value (int) ...\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
Key created ...\Internet Explorer\Main  IEXPLORE.EXE
Set value (data) ...\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
Set value (data) ...\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0c22efd2582d701  iexplore.exe
Set value (data) ...\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not shown in the report)  iexplore.exe
Set value (int) ...\Internet Explorer\DomainSuggestion\NextUpdateDate = "334072712"  iexplore.exe
Key created ...\Internet Explorer\IETld\LowMic  iexplore.exe
Key created ...\Internet Explorer\InternetRegistry  iexplore.exe
Key created ...\Internet Explorer\Toolbar\WebBrowser  iexplore.exe
Set value (str) ...\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
Key created ...\Internet Explorer\LowRegistry  iexplore.exe
Key created ...\Internet Explorer\TabbedBrowsing  iexplore.exe
Set value (int) ...\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"  iexplore.exe
Key created ...\Internet Explorer\PageSetup  iexplore.exe
Key created ...\Internet Explorer\Toolbar  iexplore.exe
Set value (int) ...\Internet Explorer\Recovery\AdminActive\{27EA9651-EE19-11EB-8528-FAFEA7710D2E} = "0"  iexplore.exe
Key created ...\Internet Explorer\Main\WindowsSearch  iexplore.exe
Set value (str) ...\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
Key created ...\Internet Explorer\Main  iexplore.exe
Key created ...\Internet Explorer\IntelliForms  iexplore.exe
Key created ...\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  iexplore.exe
Key created ...\Internet Explorer\Main\WindowsSearch  IEXPLORE.EXE
Key created ...\Internet Explorer\TabbedBrowsing\NewTabPage  iexplore.exe
Key created ...\Internet Explorer\DomainSuggestion  iexplore.exe
Set value (str) ...\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
Key created ...\Internet Explorer\Zoom  iexplore.exe
Key created ...\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
Set value (str) ...\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  IEXPLORE.EXE
Set value (data) ...\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b02e9fe2c9041842933c5d709b805a270000000002000000000010660000000100002000000079d44cf61cab8f2bafb495abaecbe5e64a225e16bfaaf853ea2fe8cd52a03ef0000000000e800000000200002000000035f68a5c8b881ae65916b165bea770dfd28cc66913f02623d88741123931342b200000004cdf06cd05df5c0cc87ee5d42c300c9784416bc2979730671fd6e4b87569e4c14000000029d4a0902a0b76fe6ae0fef7dfb76a1b32f4d6ad04438475a63d16b3f0f384aba6c81299beca324aae44341871ecf023911c495ef9a813a42cd0c59e952b5904  iexplore.exe
Key created ...\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
Key created ...\Internet Explorer\DomainSuggestion\FileNames  iexplore.exe
Key created ...\Internet Explorer\BrowserEmulation\LowMic  iexplore.exe
Key created ...\Internet Explorer\Recovery\AdminActive  iexplore.exe
Set value (int) ...\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
All of these are written by iexplore.exe, not by the sample: they are the first-run side effects of the ransomware opening Howto_RESTORE_FILES.html in Internet Explorer (see the process tree), and carry no detection value on their own.
-
Modifies system certificate store
Processes (description / ioc / process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C  gabnnacroic.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (value not shown in the report)  gabnnacroic.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (value not shown in the report)  gabnnacroic.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13  gabnnacroic.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510  gabnnacroic.exe
Caveat before reading this as CA tampering: AuthRoot under HKLM\SOFTWARE\Microsoft\SystemCertificates is where Windows' automatic root update stores roots it downloads on demand, and the blob shown decodes to a public root certificate (its friendly-name property is the UTF-16 string "DST Root CA X3", the embedded DER certificate names Digital Signature Trust Co. / DST Root CA X3 with validity 2000-09-30 to 2021-09-30, and the key name is that certificate's SHA-1 thumbprint). Together with the CryptnetUrlCache entries under Downloads, this is consistent with the OS fetching a trusted root while the sample made HTTPS connections, not with the sample installing a CA of its own. Decode the blob and compare the thumbprint against the known root before escalating it.
-
Opens file in notepad (likely ransom note) 1 IoCs
Processes (pid process):
1476 NOTEPAD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process):
1704 gabnnacroic.exe (the same entry is listed 64 times)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description / pid / process):
Token: SeDebugPrivilege  1732 c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
Token: SeDebugPrivilege  1704 gabnnacroic.exe
Token: SeBackupPrivilege  1556 vssvc.exe
Token: SeRestorePrivilege  1556 vssvc.exe
Token: SeAuditPrivilege  1556 vssvc.exe
Only the two SeDebugPrivilege requests belong to the sample. The three vssvc.exe entries are the Volume Shadow Copy service enabling its own privileges while servicing the vssadmin delete request, which is why the service appears as a separate root in the process tree.
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid process):
1792 iexplore.exe
1832 DllHost.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes (pid process):
1792 iexplore.exe
1792 iexplore.exe
556 IEXPLORE.EXE
556 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes (description / pid / process / target process); each pair is recorded four times:
PID 1732 c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe wrote to memory of 1704 gabnnacroic.exe (x4)
PID 1732 c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe wrote to memory of 2020 cmd.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 516 bcdedit.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 624 vssadmin.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 1140 bcdedit.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 928 bcdedit.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 1784 bcdedit.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 736 bcdedit.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 1476 NOTEPAD.EXE (x4)
PID 1704 gabnnacroic.exe wrote to memory of 1792 iexplore.exe (x4)
PID 1792 iexplore.exe wrote to memory of 556 IEXPLORE.EXE (x4)
PID 1704 gabnnacroic.exe wrote to memory of 1320 vssadmin.exe (x4)
PID 1704 gabnnacroic.exe wrote to memory of 1584 cmd.exe (x4)
Every target here is a child the writer itself spawned (the pairs match the process tree exactly), so these are the writes a parent makes into a freshly created child during process creation, not injection into an unrelated process.
-
System policy modification 1 TTPs 2 IoCs
Processes (description / ioc / process):
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  gabnnacroic.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  gabnnacroic.exe
EnableLinkedConnections = 1 makes drive mappings created under one UAC token (elevated or filtered) visible under the other, so network shares the user has mapped become reachable for encryption whichever integrity level the ransomware runs at. The value lives under HKLM, so it can only be set with administrative rights; check whether the sample ran elevated on a real host before assuming the change took effect there.
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71.sample.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
  depth 2: C:\Users\Admin\AppData\Roaming\gabnnacroic.exe
    cmdline: C:\Users\Admin\AppData\Roaming\gabnnacroic.exe
    - Executes dropped EXE
    - Modifies extensions of user files
    - Drops startup file
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
-
    depth 3: C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit.exe /set {current} bootems off
      - Modifies boot configuration data using bcdedit
-
    depth 3: C:\Windows\System32\vssadmin.exe
      cmdline: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
      - Interacts with shadow copies
-
    depth 3: C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit.exe /set {current} advancedoptions off
      - Modifies boot configuration data using bcdedit
-
    depth 3: C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit.exe /set {current} optionsedit off
      - Modifies boot configuration data using bcdedit
-
    depth 3: C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
      - Modifies boot configuration data using bcdedit
-
    depth 3: C:\Windows\system32\bcdedit.exe
      cmdline: bcdedit.exe /set {current} recoveryenabled off
      - Modifies boot configuration data using bcdedit
-
    depth 3: C:\Windows\SysWOW64\NOTEPAD.EXE
      cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
      - Opens file in notepad (likely ransom note)
-
    depth 3: C:\Program Files\Internet Explorer\iexplore.exe
      cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
-
      depth 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1792 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
-
    depth 3: C:\Windows\System32\vssadmin.exe
      cmdline: "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
      - Interacts with shadow copies
-
    depth 3: C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\GABNNA~1.EXE
-
  depth 2: C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\C5DCCB~1.EXE
    - Deletes itself
-
depth 1: C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
-
depth 1: C:\Windows\SysWOW64\DllHost.exe
  cmdline: C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
  - Suspicious use of FindShellTrayWindow
Reading the tree: depth is the parent/child level (depth 2 entries are children of the submitted sample, depth 3 entries children of gabnnacroic.exe). NOTEPAD.EXE and cmd.exe are recorded under SysWOW64 although their command lines name system32; that is file-system redirection applied to children of a 32-bit parent, so the sample is a 32-bit binary. The sequence is the complete playbook: copy itself to AppData\Roaming under a random name and run that copy, delete the original by 8.3 short name, delete shadow copies and disable boot recovery, encrypt, display the notes, delete shadow copies again, and finally have cmd.exe remove the copy as well.
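The behaviours above, turned into detection content. This is an added example written for this page, not Triage output and not code from the sample: it runs a small ruleset over constructed telemetry modelled on the command lines, file renames and registry writes in the report. The hostnames, note file names and the .vvv extension are taken from the report; the event schema, the rule names and the ATT&CK mapping are this example's own assumptions, and the command-line patterns are written to generalise beyond this one sample.

```python
"""Added example: detection rules derived from the sandbox report above.
Hostnames, note names and .vvv come from the report; the event schema,
rule names and ATT&CK mapping are this example's own assumptions.
"""
import re

C2_HOSTS = {"vr6g2curb2kcidou.encpayment23.com", "vr6g2curb2kcidou.expay34.com",
            "psbc532jm8c.hsh73cu37n1.net", "vr6g2curb2kcidou.onion.to"}
RANSOM_NOTES = {"how_recover+gap.txt", "how_recover+gap.html",
                "Howto_RESTORE_FILES.txt", "Howto_RESTORE_FILES.html"}
ENCRYPTED_EXT = ".vvv"

# Command-line patterns that generalise beyond this sample (case-insensitive).
RECOVERY_INHIBITION = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "bcdedit_recovery_off": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+(off|no)\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
}
# "cmd /c DEL <8.3 short name>.EXE": a dropper removing its own image after launch.
SELF_DELETE = re.compile(r"\bdel\s+\S*\\[A-Z0-9]{6}~\d\.EXE\b", re.I)

# Current ATT&CK IDs (the report itself is mapped against ATT&CK v6).
ATTACK = {"vssadmin_delete_shadows": "T1490", "bcdedit_recovery_off": "T1490",
          "bcdedit_ignore_failures": "T1490", "self_delete_short_name": "T1070.004",
          "appended_encrypted_extension": "T1486", "ransom_note_dropped": "T1486",
          "run_key_appdata_persistence": "T1547.001", "enable_linked_connections": "T1112",
          "c2_domain": "T1071.001"}


def evaluate(events):
    """Return (rule, evidence) pairs for each event that matches a rule.
    Events are dicts in a constructed schema (see SAMPLE_EVENTS)."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            cmd = ev["cmdline"]
            hits += [(name, cmd) for name, rx in RECOVERY_INHIBITION.items() if rx.search(cmd)]
            if SELF_DELETE.search(cmd):
                hits.append(("self_delete_short_name", cmd))
        elif kind == "file_rename":
            # The ransomware appends its extension and keeps the original name intact.
            old, new = ev["old"], ev["new"]
            if new.lower().endswith(ENCRYPTED_EXT) and new[:-len(ENCRYPTED_EXT)] == old:
                hits.append(("appended_encrypted_extension", new))
        elif kind == "file_write":
            if ev["path"].rsplit("\\", 1)[-1] in RANSOM_NOTES:
                hits.append(("ransom_note_dropped", ev["path"]))
        elif kind == "registry":
            key, value, data = ev["key"].lower(), ev["value"], ev["data"]
            # Any Run value that launches a binary from inside a user profile.
            if key.endswith("\\currentversion\\run") and "\\appdata\\" in data.lower():
                hits.append(("run_key_appdata_persistence", f"{value} = {data}"))
            # EnableLinkedConnections=1 exposes mapped drives across UAC token levels.
            if key.endswith("\\policies\\system") and value == "EnableLinkedConnections" and data == "1":
                hits.append(("enable_linked_connections", ev["key"]))
        elif kind == "dns" and ev["query"].lower() in C2_HOSTS:
            hits.append(("c2_domain", ev["query"]))
    return hits


def techniques(hits):
    """Distinct ATT&CK technique IDs covered by the hits, sorted."""
    return sorted({ATTACK[rule] for rule, _ in hits})


def verdict(hits):
    """Call it ransomware only with both recovery inhibition and encryption evidence."""
    seen = set(techniques(hits))
    if {"T1490", "T1486"} <= seen:
        return "ransomware"
    return "suspicious" if hits else "clean"


# Constructed telemetry modelled on the process tree and IoCs in the report.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet'},
    {"type": "process", "cmdline": "bcdedit.exe /set {current} recoveryenabled off"},
    {"type": "process", "cmdline": "bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures"},
    {"type": "process", "cmdline": "bcdedit.exe /set {current} bootems off"},  # no rule on its own
    {"type": "process", "cmdline": r'"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\GABNNA~1.EXE'},
    {"type": "file_rename", "old": r"C:\Users\Admin\Pictures\MoveInstall.png",
     "new": r"C:\Users\Admin\Pictures\MoveInstall.png.vvv"},
    {"type": "file_write", "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+gap.txt"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Acrndtd", "data": r"C:\Users\Admin\AppData\Roaming\gabnnacroic.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "value": "EnableLinkedConnections", "data": "1"},
    {"type": "dns", "query": "vr6g2curb2kcidou.encpayment23.com"},
    {"type": "dns", "query": "myexternalip.com"},  # legitimate service, not an IoC by itself
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for rule, evidence in found:
        print(f"{ATTACK[rule]:<10} {rule:<30} {evidence}")
    print("techniques:", techniques(found), "verdict:", verdict(found))
```

Run as a script it prints nine hits (three for recovery inhibition, the short-name self-delete, the .vvv rename, the note in the Startup folder, the AppData Run value, the linked-connections policy and the C2 lookup) and the verdict "ransomware"; the bcdedit bootems call and the myexternalip.com lookup deliberately produce nothing, since either is common in benign activity. The verdict requires both T1490 and T1486 evidence so that a lone vssadmin call from a backup agent does not page anyone. Feeding real Sysmon or EDR events only needs a mapping into the five event types.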
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
The two CryptnetUrlCache entries are Windows' own certificate-download cache, the same automatic root update that produced the AuthRoot registry writes above. The remaining entries are the ransom notes: the sample drops them into every directory it walks, here the user's SystemCertificates\My store folders, and the .html and .txt notes have identical hashes wherever they appear.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5: 2902de11e30dcc620b184e3bb0f0c1cb
SHA1: 5d11d14a2558801a2688dc2d6dfad39ac294f222
SHA256: e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544
SHA512: efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5: 21d79a5f0e741333cb77d78a368bd0df
SHA1: 26d39adefea9e2f5f18654df3c65e851fa5eae82
SHA256: 4100071004e1590bb098323a0e1a357259715224d1ee343913aacaca4dc37d15
SHA512: 96b20c1da916590c658575a11886594834c7e7757ee03d20b23d715711b795069419ab560c7a7b0a936baa5ceedac165a920abd77cf8bf65627452a98e3d4201
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+gap.html
MD5: 19bc53b2e2c4270b34d865aba9bf85cd
SHA1: 415658613f394b782d6d7300b8b70237ba3d7def
SHA256: 0be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f
SHA512: 0260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+gap.txt
MD5: d313ea55677ccc777157e300e32642bd
SHA1: e6d37e8c7f2c93083588a42bbbe15b998d4b5727
SHA256: aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5
SHA512: 18f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+gap.html
MD5: 19bc53b2e2c4270b34d865aba9bf85cd
SHA1: 415658613f394b782d6d7300b8b70237ba3d7def
SHA256: 0be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f
SHA512: 0260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+gap.txt
MD5: d313ea55677ccc777157e300e32642bd
SHA1: e6d37e8c7f2c93083588a42bbbe15b998d4b5727
SHA256: aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5
SHA512: 18f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+gap.html
MD5: 19bc53b2e2c4270b34d865aba9bf85cd
SHA1: 415658613f394b782d6d7300b8b70237ba3d7def
SHA256: 0be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f
SHA512: 0260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a
-
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+gap.txt
MD5: d313ea55677ccc777157e300e32642bd
SHA1: e6d37e8c7f2c93083588a42bbbe15b998d4b5727
SHA256: aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5
SHA51218f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2HJ5PQ1O.txtMD5
00129db4dd04e040a48ea45c149f9330
SHA18ab4b27548f0754e99262416e00d69acf82a339c
SHA2566c07155a1fd5a5adde6dbd8e685a9d50ae34a0b097a7e732f81940e377169597
SHA5126de407c566ab8b21d40b565d80411c886e51b5e319e7c64affc8804e25f907f8c6cb7d321efe1d5079342ce791d7b175df1fb03e838a2443d6064efc12563827
-
C:\Users\Admin\AppData\Roaming\gabnnacroic.exeMD5
056fa68a3a2b65e4677f685746283209
SHA1991f7fa89b13f94a5de106950c14a2f0321069f6
SHA256c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71
SHA512cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061
-
C:\Users\Admin\AppData\Roaming\gabnnacroic.exeMD5
056fa68a3a2b65e4677f685746283209
SHA1991f7fa89b13f94a5de106950c14a2f0321069f6
SHA256c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71
SHA512cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061
-
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.bmpMD5
96e8f7307ced22a54bac8124a96dc232
SHA1e0ebab78f98690c623810e024717c59bec35c542
SHA256e851dd21dc7c05689f47bf69a0864b015ac9ff25d8c21d52c1f694dfede74f02
SHA5122a312f724eef9d40c59c156dd9fd3d6f7cccfc9e913884cf4dde72a85739b89b5e618d44a95949bb415acb71785aa9509ebb82e89af6a8d19f5526b3a9542986
-
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.htmlMD5
19bc53b2e2c4270b34d865aba9bf85cd
SHA1415658613f394b782d6d7300b8b70237ba3d7def
SHA2560be92300c1ff95613e5dedad221ed94166e028699f9951f592ca681e1a38f57f
SHA5120260331d58c4ef18b15a10500cc5bc1678def3298201f8a95f2e658af94111315d7bb3d7422783d7d58a3697d98b4a83b57057e4ed72441b0a880771f51fde9a
-
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txtMD5
d313ea55677ccc777157e300e32642bd
SHA1e6d37e8c7f2c93083588a42bbbe15b998d4b5727
SHA256aade73b75788f14901ba75c255ab7bef51ba184ee45504548f9af63f2aea1ed5
SHA51218f09f8d48b2135004c66994d8015c2f56b52ff4e1890c703d09270c40df8f0338df01fe850491489c92f0461fb2f5bf7688ea285cb92b6268dffafe0c485472
-
\Users\Admin\AppData\Roaming\gabnnacroic.exeMD5
056fa68a3a2b65e4677f685746283209
SHA1991f7fa89b13f94a5de106950c14a2f0321069f6
SHA256c5dccb1aec2c6493cdd02d9571df26c995de9934394ffbad030667e34b099e71
SHA512cca455cacc8bedb3766762327b3b7e640386d16470a538335f119dda3369a7e1963561ea7a9fd112327a0a5ccbeb464ac2f7ab274fbc968dec159a6270ac2061
-
memory/516-67-0x0000000000000000-mapping.dmp
-
memory/556-77-0x0000000000000000-mapping.dmp
-
memory/624-68-0x0000000000000000-mapping.dmp
-
memory/736-72-0x0000000000000000-mapping.dmp
-
memory/928-70-0x0000000000000000-mapping.dmp
-
memory/1140-69-0x0000000000000000-mapping.dmp
-
memory/1320-80-0x0000000000000000-mapping.dmp
-
memory/1476-73-0x0000000000000000-mapping.dmp
-
memory/1584-84-0x0000000000000000-mapping.dmp
-
memory/1704-62-0x0000000000000000-mapping.dmp
-
memory/1732-60-0x0000000075971000-0x0000000075973000-memory.dmpFilesize
8KB
-
memory/1784-71-0x0000000000000000-mapping.dmp
-
memory/1792-75-0x0000000000000000-mapping.dmp
-
memory/1832-79-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/1832-82-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/2020-65-0x0000000000000000-mapping.dmp