Analysis Overview
SHA256
173ca0f92742d045715ebb426f110998ab55fe3e8c2694b34dda2024322ad03f
Threat Level: Known bad
The file RNSM00343.7z was found to be: Known bad.
Malicious Activity Summary
Netwire family
Gandcrab
NetWire RAT payload
Netwire
Gandcrab family
Deletes shadow copies
Renames multiple (435) files with added filename extension
Renames multiple (299) files with added filename extension
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Credentials from Password Stores: Windows Credential Manager
Indicator Removal: File Deletion
Enumerates connected drives
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Sets desktop wallpaper using registry
Drops file in Program Files directory
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of FindShellTrayWindow
Interacts with shadow copies
Suspicious use of SendNotifyMessage
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Checks processor information in registry
Modifies Control Panel
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-10 17:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 17:03
Reported
2024-11-10 17:05
Platform
win7-20240903-en
Max time kernel
151s
Max time network
151s
Command Line
Signatures
Gandcrab
Gandcrab family
NetWire RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Netwire
Netwire family
Deletes shadow copies
Renames multiple (299) files with added filename extension
Renames multiple (435) files with added filename extension
Credentials from Password Stores: Windows Credential Manager
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DYEYFMNF-DECRYPT.txt | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\4409c9554409ceb572.lock | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\bqdhgan.exe" | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
Enumerates connected drives
Indicator Removal: File Deletion
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 664 set thread context of 2044 | N/A | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe |
| PID 2164 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | C:\Users\Admin\AppData\Roaming\bqdhgan.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Hearts\es-ES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\defaults\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\he\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\it\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\installation_telemetry.json | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\DVD Maker\es-ES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\en-US\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\README.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\StopRead.dot | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\ResumeLimit.raw.dyeyfmnf | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseover.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sv\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Windows NT\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| File opened for modification | C:\Program Files\GrantUnpublish.mpg | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\lt\HELP_RESTORE_FILES.txt | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe |
System Location Discovery: System Language Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\vssadmin.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "0" | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EAD96831-9F85-11EF-8320-E61828AB23DD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0ef61bf9233db01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048073e4e52334f4c8b03ea8eb6cc2ab300000000020000000000106600000001000020000000260e9facef4fcdf3c6ea62c0b31dbdcc72ac8b4157d3f1e0ba0ce1e982c674db000000000e800000000200002000000073b1f7351262835ddceca1a175e930d4fbf257c8880effbce4669b57f69da08f2000000061038d219773dd1572a1009f9c8b284579b36cd13c818cf5d7a69906271b952d40000000fc0619a54f1ed7a0ca3435743fec02ac58b08d1b13a814ce84e9ff21db223342760ceef63f7102ce83e86f604f4a76aa6f20792986d10100e2adfa72d5dc5070 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048073e4e52334f4c8b03ea8eb6cc2ab30000000002000000000010660000000100002000000099f643a6ac7d11998e16bf702753ecb39f7ee5baf4952a683aa83d24ce5ce44f000000000e80000000020000200000005cc964c08f821f238734ac51f220087e548ceda82c1824a4173f12e28c23bcf99000000096363a23fb31647db1db548d01ebd6d48cdffc06a7f3b29d3c8b4949e34307d24a3f5fa7be3cedf651942abdd4c83ad9098b7884d4c500681bfe954e23766e896e832e13322ad2073ca894178b96489b0a20d7936d3a1dff1a2428c62f90abafb7d9386dc652157bc4b6760a7973d12eb3aba84d06f1edba4c5d65cd2f410634ca7298883e957d6102586210e8e160a640000000932544f6a5e318dea54c4f56de90d81b429ac8c9aab416d421c8556f4d028622a7caa0a109ffbd38280422f2b1c469207c889f7ffb5fda8640c40956815524e4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 190000000100000010000000e559465e28a60e5499846f194087b0e50300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a19451d0000000100000010000000d06bc27453aa4f6d586437e5d3b37798140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c090000000100000020000000301e06082b0601050507030406082b0601050507030106082b060105050703030b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d00310000000f0000000100000010000000824bae7c7cb3a15ce851a396760574a320000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955 | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 0f0000000100000010000000824bae7c7cb3a15ce851a396760574a30b000000010000004a00000045007100750069006600610078002000530065006300750072006500200047006c006f00620061006c002000650042007500730069006e006500730073002000430041002d0031000000090000000100000020000000301e06082b0601050507030406082b0601050507030106082b06010505070303140000000100000014000000bea8a07472506b44b7c923d8fba8ffb3576b686c1d0000000100000010000000d06bc27453aa4f6d586437e5d3b377980300000001000000140000007e784a101c8265cc2de1f16d47b440cad90a194520000000010000009402000030820290308201f9a003020102020101300d06092a864886f70d0101040500305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d31301e170d3939303632313034303030305a170d3230303632313034303030305a305a310b3009060355040613025553311c301a060355040a1313457175696661782053656375726520496e632e312d302b06035504031324457175696661782053656375726520476c6f62616c2065427573696e6573732043412d3130819f300d06092a864886f70d010101050003818d0030818902818100bae717900265b134553c49c251d5dfa7d1378fd1e781734152609b9da1172678adc7b1e8269432b5de338d3a2fdbf29a7a5a7398a35ce9fb8a731b5ce7c3bf806ccda9f4d62bc0f7f999aa63a2b147020fd4e4513a123c6c8a5a548470dbc1c590cf7245cba859c0cd339d3fa396eb8533211c3e1e3e606e769c6785c5c8c3610203010001a3663064301106096086480186f8420101040403020007300f0603551d130101ff040530030101ff301f0603551d23041830168014bea8a07472506b44b7c923d8fba8ffb3576b686c301d0603551d0e04160414bea8a07472506b44b7c923d8fba8ffb3576b686c300d06092a864886f70d01010405000381810030e20151aac7ea5fdab9d0650f30d63eda0d14496e9193271431efc4f72d45f8ecc7bfa2410d23b492f9190067bd01afcde071fc5acf64c4e09698d0a340e2018aef2707f165018a442d06657552c0861020215f6c6b0f6cae091caff2a21834c475a4731cf18ddcefadf9b376b492bfdc95101ebecbc83b5a8460195694a955 | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\bqdhgan.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00343.7z"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 116
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
C:\Users\Admin\AppData\Roaming\bqdhgan.exe
C:\Users\Admin\AppData\Roaming\bqdhgan.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\00343\TROJAN~2.EXE >> NUL
C:\Users\Admin\AppData\Roaming\bqdhgan.exe
C:\Users\Admin\AppData\Roaming\bqdhgan.exe
C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1N9dsduqYSk1zVrHVCN5rFFyk15mRyJKgq
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HELP_RESTORE_FILES.txt
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fingers1.ddns.net | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.wh47f2as19.com | udp |
| US | 8.8.8.8:53 | 7tno4hib47vlep5o.7hwr34n18.com | udp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.tor2web.blutmagie.de | udp |
| US | 8.8.8.8:53 | epmhyca5ol6plmx3.tor2web.fi | udp |
| US | 8.8.8.8:53 | www.2mmotorsport.biz | udp |
| DE | 77.75.249.22:80 | www.2mmotorsport.biz | tcp |
| DE | 77.75.249.22:443 | www.2mmotorsport.biz | tcp |
| DE | 77.75.249.22:443 | www.2mmotorsport.biz | tcp |
| DE | 77.75.249.22:443 | www.2mmotorsport.biz | tcp |
| DE | 77.75.249.22:443 | www.2mmotorsport.biz | tcp |
| US | 8.8.8.8:53 | www.haargenau.biz | udp |
| CH | 217.26.63.20:80 | www.haargenau.biz | tcp |
| CH | 217.26.63.20:443 | www.haargenau.biz | tcp |
| CH | 217.26.63.20:443 | www.haargenau.biz | tcp |
| US | 8.8.8.8:53 | www.bizziniinfissi.com | udp |
| US | 8.8.8.8:53 | www.holzbock.biz | udp |
| CH | 94.126.20.68:80 | www.holzbock.biz | tcp |
| CH | 94.126.20.68:443 | www.holzbock.biz | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.schreiner-freiamt.ch | udp |
| CH | 94.126.20.68:443 | www.schreiner-freiamt.ch | tcp |
| US | 8.8.8.8:53 | www.fliptray.biz | udp |
| US | 8.8.8.8:53 | www.pizcam.com | udp |
| CH | 185.177.62.27:80 | www.pizcam.com | tcp |
| CH | 185.177.62.27:443 | www.pizcam.com | tcp |
| CH | 185.177.62.27:443 | www.pizcam.com | tcp |
| CH | 185.177.62.27:443 | www.pizcam.com | tcp |
| CH | 185.177.62.27:443 | www.pizcam.com | tcp |
| US | 8.8.8.8:53 | www.swisswellness.com | udp |
| DE | 83.138.86.12:80 | www.swisswellness.com | tcp |
| DE | 83.138.86.12:80 | www.swisswellness.com | tcp |
| US | 8.8.8.8:53 | www.hotelweisshorn.com | udp |
| US | 8.8.8.8:53 | www.whitepod.com | udp |
| CH | 83.166.138.7:80 | www.whitepod.com | tcp |
| CH | 83.166.138.7:443 | www.whitepod.com | tcp |
| CH | 83.166.138.7:443 | www.whitepod.com | tcp |
| CH | 83.166.138.7:443 | www.whitepod.com | tcp |
| CH | 83.166.138.7:443 | www.whitepod.com | tcp |
| US | 8.8.8.8:53 | www.hardrockhoteldavos.com | udp |
| US | 18.207.88.16:80 | www.hardrockhoteldavos.com | tcp |
| US | 18.207.88.16:443 | www.hardrockhoteldavos.com | tcp |
| US | 8.8.8.8:53 | www.hardrockhotels.com | udp |
| US | 151.101.67.52:443 | www.hardrockhotels.com | tcp |
| US | 151.101.67.52:443 | www.hardrockhotels.com | tcp |
| US | 151.101.67.52:443 | www.hardrockhotels.com | tcp |
| US | 151.101.67.52:443 | www.hardrockhotels.com | tcp |
| US | 8.8.8.8:53 | www.belvedere-locarno.com | udp |
| US | 104.26.6.206:80 | www.belvedere-locarno.com | tcp |
| US | 104.26.6.206:443 | www.belvedere-locarno.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | www.hotelfarinet.com | udp |
| US | 15.197.195.78:80 | www.hotelfarinet.com | tcp |
| US | 8.8.8.8:53 | www.hrk-ramoz.com | udp |
| HK | 156.235.147.122:80 | www.hrk-ramoz.com | tcp |
| US | 8.8.8.8:53 | www.morcote-residenza.com | udp |
| CH | 194.191.24.37:80 | www.morcote-residenza.com | tcp |
| CH | 194.191.24.37:443 | www.morcote-residenza.com | tcp |
| GB | 2.23.210.75:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | www.seitensprungzimmer24.com | udp |
| DE | 136.243.162.140:80 | www.seitensprungzimmer24.com | tcp |
| DE | 136.243.162.140:443 | www.seitensprungzimmer24.com | tcp |
| US | 8.8.8.8:53 | seitensprungzimmer24.com | udp |
| DE | 136.243.162.140:443 | seitensprungzimmer24.com | tcp |
| US | 8.8.8.8:53 | www.arbezie-hotel.com | udp |
| FR | 213.186.33.5:80 | www.arbezie-hotel.com | tcp |
| FR | 213.186.33.5:443 | www.arbezie-hotel.com | tcp |
| FR | 213.186.33.5:443 | www.arbezie-hotel.com | tcp |
| FR | 213.186.33.5:443 | www.arbezie-hotel.com | tcp |
| FR | 213.186.33.5:443 | www.arbezie-hotel.com | tcp |
| FR | 213.186.33.5:443 | www.arbezie-hotel.com | tcp |
| US | 8.8.8.8:53 | www.aubergemontblanc.com | udp |
| CH | 83.166.138.13:80 | www.aubergemontblanc.com | tcp |
| CH | 83.166.138.13:443 | www.aubergemontblanc.com | tcp |
| CH | 83.166.138.13:443 | www.aubergemontblanc.com | tcp |
| CH | 83.166.138.13:443 | www.aubergemontblanc.com | tcp |
| CH | 83.166.138.13:443 | www.aubergemontblanc.com | tcp |
| US | 8.8.8.8:53 | www.torhotel.com | udp |
| CH | 128.65.195.228:80 | www.torhotel.com | tcp |
| CH | 128.65.195.228:80 | www.torhotel.com | tcp |
| US | 8.8.8.8:53 | www.alpenlodge.com | udp |
| CH | 217.26.55.76:80 | www.alpenlodge.com | tcp |
| CH | 217.26.55.76:443 | www.alpenlodge.com | tcp |
| CH | 217.26.55.76:443 | www.alpenlodge.com | tcp |
| CH | 217.26.55.76:443 | www.alpenlodge.com | tcp |
| CH | 217.26.55.76:443 | www.alpenlodge.com | tcp |
| US | 8.8.8.8:53 | www.aparthotelzurich.com | udp |
| DE | 213.239.221.71:80 | www.aparthotelzurich.com | tcp |
| DE | 213.239.221.71:443 | www.aparthotelzurich.com | tcp |
| US | 8.8.8.8:53 | r10.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.bnbdelacolline.com | udp |
| CH | 128.65.195.174:80 | www.bnbdelacolline.com | tcp |
| CH | 128.65.195.174:443 | www.bnbdelacolline.com | tcp |
| CH | 128.65.195.174:443 | www.bnbdelacolline.com | tcp |
| CH | 128.65.195.174:443 | www.bnbdelacolline.com | tcp |
| US | 8.8.8.8:53 | 3kxwjihmkgibht2s.wh47f2as19.com | udp |
| CH | 128.65.195.174:443 | www.bnbdelacolline.com | tcp |
| US | 8.8.8.8:53 | www.elite-hotel.com | udp |
| CH | 80.74.144.93:80 | www.elite-hotel.com | tcp |
| CH | 80.74.144.93:443 | www.elite-hotel.com | tcp |
| CH | 80.74.144.93:443 | www.elite-hotel.com | tcp |
| CH | 80.74.144.93:443 | www.elite-hotel.com | tcp |
| CH | 80.74.144.93:443 | www.elite-hotel.com | tcp |
| US | 8.8.8.8:53 | www.bristol-adelboden.com | udp |
| IE | 52.17.119.105:80 | www.bristol-adelboden.com | tcp |
| IE | 52.17.119.105:443 | www.bristol-adelboden.com | tcp |
| IE | 52.17.119.105:443 | www.bristol-adelboden.com | tcp |
| IE | 52.17.119.105:443 | www.bristol-adelboden.com | tcp |
| IE | 52.17.119.105:443 | www.bristol-adelboden.com | tcp |
| US | 8.8.8.8:53 | www.nationalzermatt.com | udp |
| CH | 94.126.23.52:80 | www.nationalzermatt.com | tcp |
| CH | 94.126.23.52:443 | www.nationalzermatt.com | tcp |
| CH | 94.126.23.52:443 | www.nationalzermatt.com | tcp |
| CH | 94.126.23.52:443 | www.nationalzermatt.com | tcp |
| CH | 94.126.23.52:443 | www.nationalzermatt.com | tcp |
| US | 8.8.8.8:53 | www.waageglarus.com | udp |
| US | 8.8.8.8:53 | www.limmathof.com | udp |
| US | 198.49.23.144:80 | www.limmathof.com | tcp |
| US | 198.49.23.144:443 | www.limmathof.com | tcp |
| US | 8.8.8.8:53 | www.apartmenthaus.com | udp |
| CH | 217.26.60.27:80 | www.apartmenthaus.com | tcp |
| CH | 217.26.60.27:443 | www.apartmenthaus.com | tcp |
| CH | 217.26.60.27:443 | www.apartmenthaus.com | tcp |
| CH | 217.26.60.27:443 | www.apartmenthaus.com | tcp |
| CH | 217.26.60.27:443 | www.apartmenthaus.com | tcp |
| US | 8.8.8.8:53 | www.berginsel.com | udp |
| CH | 80.74.145.65:80 | www.berginsel.com | tcp |
| CH | 80.74.145.65:443 | www.berginsel.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | berginsel-oberems.ch | udp |
| CH | 80.74.145.65:443 | berginsel-oberems.ch | tcp |
| US | 8.8.8.8:53 | www.chambre-d-hote-chez-fleury.com | udp |
| IE | 52.215.95.29:80 | www.chambre-d-hote-chez-fleury.com | tcp |
| IE | 52.215.95.29:443 | www.chambre-d-hote-chez-fleury.com | tcp |
| US | 8.8.8.8:53 | www.hotel-blumental.com | udp |
| CH | 94.126.21.30:80 | www.hotel-blumental.com | tcp |
| CH | 94.126.21.30:443 | www.hotel-blumental.com | tcp |
| CH | 94.126.21.30:443 | www.hotel-blumental.com | tcp |
| US | 8.8.8.8:53 | crl.geotrust.com | udp |
| SE | 192.229.221.95:80 | crl.geotrust.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| GB | 163.70.151.35:80 | www.facebook.com | tcp |
| GB | 163.70.151.35:443 | www.facebook.com | tcp |
| SE | 192.229.221.95:80 | crl.geotrust.com | tcp |
| US | 8.8.8.8:53 | www.la-fontaine.com | udp |
| DE | 213.199.57.77:80 | www.la-fontaine.com | tcp |
| DE | 213.199.57.77:443 | www.la-fontaine.com | tcp |
| DE | 213.199.57.77:443 | www.la-fontaine.com | tcp |
| DE | 213.199.57.77:443 | www.la-fontaine.com | tcp |
| DE | 213.199.57.77:443 | www.la-fontaine.com | tcp |
| US | 8.8.8.8:53 | www.mountainhostel.com | udp |
| IE | 52.215.95.29:80 | www.mountainhostel.com | tcp |
| IE | 52.215.95.29:443 | www.mountainhostel.com | tcp |
| US | 8.8.8.8:53 | www.hotelalbanareal.com | udp |
| DE | 18.193.36.153:80 | www.hotelalbanareal.com | tcp |
| DE | 18.193.36.153:443 | www.hotelalbanareal.com | tcp |
| DE | 18.193.36.153:443 | www.hotelalbanareal.com | tcp |
| DE | 18.193.36.153:443 | www.hotelalbanareal.com | tcp |
| DE | 18.193.36.153:443 | www.hotelalbanareal.com | tcp |
| US | 8.8.8.8:53 | www.geneva.frasershospitality.com | udp |
| US | 8.8.8.8:53 | www.luganohoteladmiral.com | udp |
| CH | 185.181.206.95:80 | www.luganohoteladmiral.com | tcp |
| CH | 185.181.206.95:443 | www.luganohoteladmiral.com | tcp |
| CH | 185.181.206.95:443 | www.luganohoteladmiral.com | tcp |
| CH | 185.181.206.95:443 | www.luganohoteladmiral.com | tcp |
| CH | 185.181.206.95:443 | www.luganohoteladmiral.com | tcp |
| US | 8.8.8.8:53 | www.bellevuewiesen.com | udp |
| GB | 159.65.93.218:80 | www.bellevuewiesen.com | tcp |
| GB | 159.65.93.218:443 | www.bellevuewiesen.com | tcp |
| GB | 159.65.93.218:443 | www.bellevuewiesen.com | tcp |
| GB | 159.65.93.218:443 | www.bellevuewiesen.com | tcp |
| GB | 159.65.93.218:443 | www.bellevuewiesen.com | tcp |
| US | 8.8.8.8:53 | www.hoteltruite.com | udp |
| NL | 37.48.65.136:80 | www.hoteltruite.com | tcp |
| NL | 37.48.65.136:443 | www.hoteltruite.com | tcp |
| US | 8.8.8.8:53 | r11.o.lencr.org | udp |
| GB | 2.23.210.82:80 | r11.o.lencr.org | tcp |
| US | 8.8.8.8:53 | survey-smiles.com | udp |
| US | 199.59.243.227:80 | survey-smiles.com | tcp |
| US | 8.8.8.8:53 | www.hotelgarni-battello.com | udp |
| US | 8.8.8.8:53 | www.seminarhotel.com | udp |
| CH | 151.248.236.144:80 | www.seminarhotel.com | tcp |
| CH | 151.248.236.144:443 | www.seminarhotel.com | tcp |
| US | 8.8.8.8:53 | www.roemerturm.ch | udp |
| CH | 151.248.236.144:443 | www.roemerturm.ch | tcp |
| US | 8.8.8.8:53 | www.kroneregensberg.com | udp |
| CH | 217.26.60.254:80 | www.kroneregensberg.com | tcp |
| CH | 217.26.60.254:443 | www.kroneregensberg.com | tcp |
| CH | 217.26.60.254:443 | www.kroneregensberg.com | tcp |
| CH | 217.26.60.254:443 | www.kroneregensberg.com | tcp |
| CH | 217.26.60.254:443 | www.kroneregensberg.com | tcp |
| US | 8.8.8.8:53 | www.puurehuus.com | udp |
| CH | 217.26.54.189:80 | www.puurehuus.com | tcp |
| CH | 217.26.54.189:443 | www.puurehuus.com | tcp |
| CH | 217.26.54.189:443 | www.puurehuus.com | tcp |
| CH | 217.26.54.189:443 | www.puurehuus.com | tcp |
| CH | 217.26.54.189:443 | www.puurehuus.com | tcp |
| US | 8.8.8.8:53 | www.hotel-zermatt.com | udp |
| CH | 82.220.37.45:80 | www.hotel-zermatt.com | tcp |
| CH | 82.220.37.45:443 | www.hotel-zermatt.com | tcp |
| CH | 82.220.37.45:443 | www.hotel-zermatt.com | tcp |
| CH | 82.220.37.45:443 | www.hotel-zermatt.com | tcp |
| CH | 82.220.37.45:443 | www.hotel-zermatt.com | tcp |
| US | 8.8.8.8:53 | www.stchristophesa.com | udp |
| CH | 83.166.133.76:80 | www.stchristophesa.com | tcp |
| CH | 83.166.133.76:443 | www.stchristophesa.com | tcp |
| CH | 83.166.133.76:443 | www.stchristophesa.com | tcp |
| CH | 83.166.133.76:443 | www.stchristophesa.com | tcp |
| CH | 83.166.133.76:443 | www.stchristophesa.com | tcp |
| US | 8.8.8.8:53 | www.nh-hotels.com | udp |
| GB | 104.78.166.83:80 | www.nh-hotels.com | tcp |
| GB | 104.78.166.83:80 | www.nh-hotels.com | tcp |
| US | 8.8.8.8:53 | www.schwendelberg.com | udp |
| CH | 193.17.199.27:80 | www.schwendelberg.com | tcp |
| US | 8.8.8.8:53 | www.stalden.com | udp |
| CH | 193.33.128.144:80 | www.stalden.com | tcp |
| CH | 193.33.128.144:443 | www.stalden.com | tcp |
| CH | 193.33.128.144:443 | www.stalden.com | tcp |
| CH | 193.33.128.144:443 | www.stalden.com | tcp |
| CH | 193.33.128.144:443 | www.stalden.com | tcp |
| US | 8.8.8.8:53 | www.vignobledore.com | udp |
| GB | 213.129.84.57:80 | www.vignobledore.com | tcp |
| GB | 213.129.84.57:443 | www.vignobledore.com | tcp |
| US | 8.8.8.8:53 | www.eyholz.com | udp |
| CH | 81.201.201.94:80 | www.eyholz.com | tcp |
| CH | 81.201.201.94:443 | www.eyholz.com | tcp |
| CH | 81.201.201.94:443 | www.eyholz.com | tcp |
| CH | 81.201.201.94:443 | www.eyholz.com | tcp |
| CH | 81.201.201.94:443 | www.eyholz.com | tcp |
| US | 8.8.8.8:53 | www.flemings-hotel.com | udp |
| NL | 188.227.206.226:80 | www.flemings-hotel.com | tcp |
| NL | 188.227.206.226:80 | www.flemings-hotel.com | tcp |
| US | 8.8.8.8:53 | www.hiexgeneva.com | udp |
| CH | 81.23.73.70:80 | www.hiexgeneva.com | tcp |
| CH | 81.23.73.70:443 | www.hiexgeneva.com | tcp |
| US | 8.8.8.8:53 | www.expressgeneva.com | udp |
| CH | 81.23.73.70:443 | www.expressgeneva.com | tcp |
| US | 8.8.8.8:53 | www.petit-paradis.com | udp |
| GB | 185.151.30.132:80 | www.petit-paradis.com | tcp |
| GB | 185.151.30.132:443 | www.petit-paradis.com | tcp |
| GB | 185.151.30.132:443 | www.petit-paradis.com | tcp |
| GB | 185.151.30.132:443 | www.petit-paradis.com | tcp |
| GB | 185.151.30.132:443 | www.petit-paradis.com | tcp |
| US | 8.8.8.8:53 | www.berghaus-toni.com | udp |
| US | 34.149.87.45:80 | www.berghaus-toni.com | tcp |
| US | 34.149.87.45:443 | www.berghaus-toni.com | tcp |
| US | 8.8.8.8:53 | www.hotelglanis.com | udp |
| US | 34.149.87.45:80 | www.hotelglanis.com | tcp |
| US | 34.149.87.45:443 | www.hotelglanis.com | tcp |
| US | 8.8.8.8:53 | www.16eme.com | udp |
| US | 34.149.87.45:80 | www.16eme.com | tcp |
| US | 34.149.87.45:443 | www.16eme.com | tcp |
| US | 8.8.8.8:53 | www.staubbach.com | udp |
| DE | 104.248.24.229:80 | www.staubbach.com | tcp |
| DE | 104.248.24.229:443 | www.staubbach.com | tcp |
| US | 8.8.8.8:53 | www.samnaunerhof.com | udp |
| AT | 94.198.139.116:80 | www.samnaunerhof.com | tcp |
| AT | 94.198.139.116:443 | www.samnaunerhof.com | tcp |
| US | 8.8.8.8:53 | www.airporthotelbasel.com | udp |
| US | 104.17.182.58:80 | www.airporthotelbasel.com | tcp |
| US | 104.17.182.58:443 | www.airporthotelbasel.com | tcp |
| US | 8.8.8.8:53 | www.elite-biel.com | udp |
| CH | 94.126.23.52:80 | www.elite-biel.com | tcp |
| CH | 94.126.23.52:443 | www.elite-biel.com | tcp |
| CH | 94.126.23.52:443 | www.elite-biel.com | tcp |
| CH | 94.126.23.52:443 | www.elite-biel.com | tcp |
| CH | 94.126.23.52:443 | www.elite-biel.com | tcp |
| US | 8.8.8.8:53 | www.aubergecouronne.com | udp |
| FR | 87.98.154.146:80 | www.aubergecouronne.com | tcp |
Files
memory/2952-12-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2952-13-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
| MD5 | 0a20ff394f286a6aaae2347df50074c6 |
| SHA1 | 8734bc341b95255b8b927fdd8f0015bb24602cb6 |
| SHA256 | c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca |
| SHA512 | 1dea58773387ad540bf6f2453dff07ac9dbd77455294a309b4dcd1b3a064311ad0dd361ca32282bdd0ca7dab9d1d65359516f4ce8df557ff99745666c9c6b768 |
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
| MD5 | bdc7130f8edce09b538b6ec22ea7a1aa |
| SHA1 | 254bc06fcd8d5929a9cec304cec82951ba46f1a0 |
| SHA256 | a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2 |
| SHA512 | d054c46c77566fa22ad4e8bfa9585be860873f838da32a2e7ce2d44ac1d85941fe1e3e02920b544f653b5939b802e40407c5f0c27de58a73d94e392ad7058cc5 |
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
| MD5 | 4ef5f0a660c9ae3e32eb109e1e7bfa30 |
| SHA1 | b02b7fde30930161726fdd7e872da43b271f2c3b |
| SHA256 | db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef |
| SHA512 | 6a49b7d2c46e072f329f75b0ab74e011aee16cd35ba9a83734294fcbb3ad73539a8545f27695d58aa9d9150114c8f344a3b193b2e6005edb3085eba0906e9a81 |
C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
| MD5 | b066f6b9d71f198cb851eba5aa19f8af |
| SHA1 | fe1072d6f69e8f817940d05f76272c7498c2de46 |
| SHA256 | e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69 |
| SHA512 | 4a90e4378272e8ab2865c020cf2b3b390a2a8753289da8f1925383be56a42878cfe6f3bae34b7cafe1412b05bee63b8e05c675ca64e7ee44389580dff24a7d77 |
C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
| MD5 | 6d3d62a4cff19b4f2cc7ce9027c33be8 |
| SHA1 | e906fa3d51e86a61741b3499145a114e9bfb7c56 |
| SHA256 | afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18 |
| SHA512 | 973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad |
C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
| MD5 | c3682297d1ea552008780bf09c25170b |
| SHA1 | 9cd31edb83e500ddd4baa5b88e0a08cf2bb2d762 |
| SHA256 | b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13 |
| SHA512 | 6276df414771e23d564c9bd273c706e14643099fb0801dcc82de4c54353eedc4cb170cff8f8e78b201512a6ea9f2fcbeb00776ca9ccf70bbb7606b56367c9274 |
memory/2044-38-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2044-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2044-35-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2044-33-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2044-31-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2044-29-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2044-27-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2044-41-0x0000000000400000-0x0000000000472000-memory.dmp
memory/664-40-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3064-42-0x0000000000050000-0x00000000000CE000-memory.dmp
memory/2044-49-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2164-67-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2528-71-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2528-75-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2528-69-0x0000000000400000-0x0000000000472000-memory.dmp
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt
| MD5 | e4c60e9e806a4b8a659fc02b2b679356 |
| SHA1 | 01b9831dfde476a186130e86f10e693280c863fb |
| SHA256 | 315a0faec125b16842eca93001a60d5d5ad23838b8a047e45ae6d5e6ea9ac4fe |
| SHA512 | fcd2235c22f99105d2aba494a36a55a305d761088af6291cba07610a4cc6c23ade5500cce97160a2242f472ab9235a49d83cef007aab8d5ee5e8910833765ebb |
memory/1424-296-0x0000000000400000-0x00000000004A9000-memory.dmp
memory/1572-294-0x0000000000400000-0x000000000049A000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\DYEYFMNF-DECRYPT.txt
| MD5 | 367e7d0c9ba9133fd44b9097ef82e024 |
| SHA1 | 1394d3c8958e13ee76d4f068bfa5c556b591833b |
| SHA256 | de12844f1115a2f7f2646e163aa3d1030478abca6b5b59b18fb05849553901f5 |
| SHA512 | e644f2a06a1cb24bbb660f67cf3c3f7507e6d9a553b829ab02d41179a1cbeb2331f10007fe5b8af186455039a482b88cd97d0f02f5900aa5555d25b3e9f43a16 |
C:\$Recycle.Bin\HELP_RESTORE_FILES.txt
| MD5 | 4f27999363123f86ba9fb08a1ae38c7a |
| SHA1 | c609cab697a2c3548037b8b268522fd3d8fdd285 |
| SHA256 | af656447ded964e4c45602c1f60fc11572c82a7549ffe19ce8db5e50fa3e2ce0 |
| SHA512 | c7a5baefbfabf6d59cbb37706756388032377a11a81d9250a5b7d0f05d108f7ab35574bd96309466ab166b0c032d8471744ca1ea2e5324be67b2480617e34802 |
C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\HELP_RESTORE_FILES.txt
| MD5 | 967cc7812f640502b823c190c85d9043 |
| SHA1 | 0450c572de11873709f262e2eddbf26f16be1059 |
| SHA256 | 898eb523165f96fa2df6467fa687da264a8a7a7945d177287f4a55cbda3ff1c3 |
| SHA512 | 6b182ef2e82319337d71b3f2d42607971d42843cd25fc5b9c8f16f315777becd5de054c25dcf8a161df4637801f7b8dd3932fbff052ef16ee3b0a5019be4dcc4 |
C:\Program Files\CheckpointReset.aif.ecc
| MD5 | df72ac2132edbe2ba8a59563288b2073 |
| SHA1 | 0b78e42e35f0e683ff9ab4984d21655fe18d7e74 |
| SHA256 | 45d66fac203e3038c0a0a9057743969a9c5452a623d2f837536b10d865fd6cf1 |
| SHA512 | f2c69601aae99c9eab0aa10261c97a6f91ee3c987fc466d0f070dd2895f4745042e4ba8eabbf2c52ced7ec496bfe3e9419c86e16dab58185047256ab85cec8a4 |
C:\Program Files\ConvertRemove.avi.ecc
| MD5 | 4f4d49b78a64326b3534c6f6f72679ce |
| SHA1 | dd2be44d6dc74dbb929493130e9333713fd925e8 |
| SHA256 | 8e11aee35d7e1eecb4d0b3df38d5f3ba9aa3d85dcfa72857c982576c1523f6c0 |
| SHA512 | 742a1b37d44c01c02bd77a1703178feba94a6d0ea0a7e9609fc6c550773e8795fcc4a9a1d073091927ad44bdeef4c9fb65ea82afa802239940b4988925624a54 |
C:\Program Files\DismountSwitch.M2T.ecc
| MD5 | 232348c8375bcd5bc3625f7687a92701 |
| SHA1 | f0f44ce1648337f7b3e5a71ce17f1549bf3471eb |
| SHA256 | 992226e4c6dd36a279e765b52f2facd818f5514338eb1a382aabb9d47a082651 |
| SHA512 | 4739ac8dfd64b4da71aefc3276b2bda117ceca146881a79c7d774182f123e615ff78e7188bc929e11cddde4e559296a51d6ee6c119323dea3af36ecef00e8007 |
C:\Program Files\ExitReset.eps.ecc
| MD5 | 28ec1b70659d9b9e90d3ded7baa37495 |
| SHA1 | 8800d60aaa7d33be74932835ca2c560e0a0e29b0 |
| SHA256 | d100dcc9d5c9f078b3812ab3b921bcd5c20a419067564921b3fe8ffe646df212 |
| SHA512 | 75ac348aeff4aab8b171960630e141e29e55134f3375b5ac427e0396cda1fa334740f533723892c19533c465dbd622d22940aaf77255d1e31392fa56fba7a142 |
C:\Program Files\FormatRestore.mov.ecc
| MD5 | a4c087affd57197df36ea07cbec7725d |
| SHA1 | 9f4e77fbddbc9a5aa0d70ec57a7b690b474715df |
| SHA256 | 9b8dd5d613512730b887bff9655ceef6541aeb7033b145f871087ccba3966772 |
| SHA512 | 74a735b9ce1926146c2087dc045bacc0fb8105e83b435a4eabd316cc07da095f03f6d58f87ebeb07af68a0b1633bf39508187fd163e7a6a34c3131d42f339f6a |
C:\Program Files\FormatUnregister.wmv.ecc
| MD5 | 3af2a37b98432facd3444c513fa7fa7d |
| SHA1 | 089a17905cac44d3ae71c06842cfbeea83ce2bde |
| SHA256 | ababa94681f91548b20e6cb3f333b6e5412609f9303c061cf5498a995acc56ce |
| SHA512 | bf445835ec7944467130cedf4d4a528d507e02d4d946e04579e2a2a4df7c85715d045117e0a8c04a8e8b101ea4068a5d3c7c62e124f0f202be5c8a4ff04eac76 |
memory/2528-638-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Roaming\key.dat
| MD5 | 480da7382c47bd6f4d41d80f11ce2d01 |
| SHA1 | 3cfdf6b4b277ba455b349b976b8a2b6ba68879b2 |
| SHA256 | 7bfcabf3fd1cfb69d4a8b7ef453ddcb8fa31655ca0ffc9fb26fc60d089ee5cd0 |
| SHA512 | 702d764256775500ab416ea5a29175d56836bd726e6a414d990ea9a92d35efe166b448fca0d6506757bace091b645e9d8cb91e4154244bb1ac552556627acfd8 |
C:\Program Files\PingClose.m4a.dyeyfmnf
| MD5 | bf2381fe95cf44032751cf8d92388a2b |
| SHA1 | 1eefe968f57321bb6d0609b6947fa691abcb7818 |
| SHA256 | 0b866f77f9c6e59e89c863d7fc8be5282bc8a65005abee94add50fca1123bb9e |
| SHA512 | 95a2b5392c9f5a651c3353a84617b6aafbcc22a6740e3dcbf025c265b8bcb6c6da2a1c5af1e2033ad5cdd95ba380798d3a023ca26c6fcef66d0daa98cddbb09f |
C:\Program Files\ResumeLimit.raw.dyeyfmnf
| MD5 | 52b4a861e17ccb97f99ee5226c44c8b8 |
| SHA1 | 205db453061e7878b5db0922f386f5013bd3716d |
| SHA256 | 504e45eb1426d09e0e557c70288bbeb7bee58004ba54eb66da9ea0aff1423631 |
| SHA512 | b3316249909178f058a1201d85625b989fa440be5fb2f49e51f5b55afbec9fef2ba53604dbc92f7b375d4841d0b33978883bbb0d213095d76565d3e0de0d466f |
C:\Program Files\SelectCompress.zip.dyeyfmnf
| MD5 | 2ec0000ad61d8a86caeeb06fc707ba7e |
| SHA1 | e812a8d7550a11538dd92cf8001be3930ff07f78 |
| SHA256 | 547b242c30bec3abe7ee328c9aa404714deff63c053335b121162af14e9d1908 |
| SHA512 | 37c8d55d5cac8fb0f2f56c1e07aae4e8c82470aa43e2a860d13fb4bed2b0db7fd29d10f790244ebee335a5863f1c7c8540ddf0538e0d936dc0922156bfaa6eae |
C:\Program Files\SetOut.dwg.dyeyfmnf
| MD5 | 8e7f9b4e56c361da0fe043cfde36cd99 |
| SHA1 | 926530ba6c683b449b8cc01f312cc7aea969ca80 |
| SHA256 | 6df8fec69633b1caaac38980cb6ecd9d9c5e4e704ddaaa0a5c3bfd1d8fa2ed4d |
| SHA512 | e4917b73411e8623ba504176c59b1b2fd273ee9c055d034dd2607560e1032e063833323cb1bdf0595855fb54f72a13919edd99e444c8d21a4aa60587c4cd52c0 |
C:\Program Files\SubmitDisconnect.docx.dyeyfmnf
| MD5 | 1716230df2184b26bb7e99434b7a33ff |
| SHA1 | 60fe3383f710fbb07a880f4ff8d857187ed9dcf7 |
| SHA256 | 6c959e21abbc4415fe1564d7141921c6115eba3bb47449e99994aa6bfe053543 |
| SHA512 | 1999d3bcdf3d942ca22d970a970d2882fac883b580c559c40d1858319cb70b9316326b0ec246f094b950330d2b2e7f11b4c29128ae1bcf4126f29a6464630135 |
C:\Users\Admin\Desktop\00343\DO_NOT_DELETE.xtc
| MD5 | 7a69352cb1b550ff1febaa10805143fb |
| SHA1 | 8ed64855e5090002bcdc979e6d8c4785faf2c978 |
| SHA256 | ba0ac5c3317aaf44d121e3d09b70d79d9ca246bc9966694126156b586d8bfb0e |
| SHA512 | e46f2dd59715948fe49ea82b83c4a7adf683913f7976310e113a2012a6fd47b67cfbe404f078b47800bea754fb2f5974b4488924094c8f4cb6784aa39a2db0b5 |
C:\Program Files\WatchDebug.mov.dyeyfmnf
| MD5 | 2ebfefae94f0da0c6305f62fc511dc05 |
| SHA1 | 54fcb561c98f63899411505048cc410c279a14fc |
| SHA256 | 460758f80fab747b02e9707167abd1f09e96a59ec13f5ec7d22ab3e93457f453 |
| SHA512 | f94b4641fd2ad27209825a7b2e992111bd7ae512972810a7e607feeeadca67872b25c1747bc539c7a1e52dec48dc490d148a5cfa6e3a7bcd8353e2283b30cca2 |
C:\Users\Admin\Documents\RECOVERY_KEY.TXT
| MD5 | c57085bdf49f036337f379ca97fe61f5 |
| SHA1 | d3842e758d3d2e312531c63e5c357773704a5ecd |
| SHA256 | ab439a7d46f62fa1152614f50e27cb106f67bd0c1edea9e1bbe61d82f5147fd6 |
| SHA512 | e0d620045df0c7a6acd6b8a03724d1ddb9c1d6008d81ead96efdba7175285a0c72a6cd72d4319798dde56c78a1f71571920ca7faee94aeeead31f0e9d5ef57df |
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DYEYFMNF-DECRYPT.txt
| MD5 | d359765c9e2b8d95278ed914f9087b61 |
| SHA1 | 2d2f95c8be128e4e2b50acfd27ec250cfd78d605 |
| SHA256 | 08a698cd4c3d8480e5ee46756b7f8428dcd375a130945f542e471930fa33877e |
| SHA512 | b940b03cf606e133f1e8213a69babaff93930a7eaf02293e46aef5f8b03d4c61f2872917cfbb09aec02ba6790b3dd72d5bff3478959687b3a583ead869d36e12 |
C:\Recovery\DYEYFMNF-DECRYPT.txt
| MD5 | 81948025ba0dc27075c2799790c8634a |
| SHA1 | 500766e1e8ef9bc5cb28c515b0949a8bbb25bb96 |
| SHA256 | 0871ee3674ef356da267e7659fddea5a911812791d00e18b0d9d17caf63d8bf8 |
| SHA512 | cc7ca313f75a087bb19df3bec626239e349ccc61fbd11b67c4274cb9c619d000af6ae39ca0309e128b96431cfd602b18c686ac2751578a17acf7bcb136b283d5 |
C:\Users\Admin\AppData\DYEYFMNF-DECRYPT.txt
| MD5 | 2fc094e9309c028001aec6957aa10da1 |
| SHA1 | 1c6fd459f984f7181b34bbd0cd4a79b703ab386e |
| SHA256 | 0190dbf9e4125b6a6e829c8516c8c00738a2c63eb1cc121f08407606c308c44c |
| SHA512 | c8dc801d1aa96b4afd18f6da9def1e718caad62a3ef40232d622f6bedae17d7c357f8b8cc4970f0b7ee00a6793af377e8b0d749c56a1bd38d0d867a4dc3ae08f |
C:\Users\Admin\Contacts\DYEYFMNF-DECRYPT.txt
| MD5 | bcec440af38433db7827c42a208de9c8 |
| SHA1 | e645432680445178f3d21dc411213e7beef3eb6e |
| SHA256 | 64b2ba76131aea34a40f25a211ee8c28a1b20ea60b9bf462bc53956d911b4da9 |
| SHA512 | 28704b817e1b7e6a07e243665a06515c3b77e06c037fc875f16903a749d99a2509a94e83927e27850a84d2161e9f398b5bbe3945d520eb7ff35bef8dd7ba97de |
C:\Users\Admin\Desktop\00343\DYEYFMNF-DECRYPT.txt
| MD5 | 32768b6489c26a45a3a17e235a17f40f |
| SHA1 | 574f5fe4e109475e9573a74702ced00bd0e68339 |
| SHA256 | 888dbe8d2b600e685989c5401ec9d6d2a0dcce20447f686b92f09ee2a316578a |
| SHA512 | d9667fde1e0f63b72f55e525edff8c592118a0072d930f673b7153384be0666a2ec45e37e8d23ebba516b5fd5bc4047b2b46ab0dfb54ceaacc950d2ce4f51f14 |
C:\Users\Admin\Desktop\CheckpointRemove.zip.dyeyfmnf
| MD5 | 73bdba903f6a2c0253f2073fc710720e |
| SHA1 | e500256875c3168979a6076acd962821bc07bcb6 |
| SHA256 | 60e1c38e0643f3bc2d99d0a028bf4f853b29493b0d0a874ebbbb846638cf0e11 |
| SHA512 | 486a4df2d40d16a97f2450c47234adf1bfb3405760b4602c4caaae97ef084529d72b2b8adf856c8fefac2bd80e88d1961827493599304da52bd427edc47ac704 |
C:\Users\Admin\Desktop\GetClose.xlsx.dyeyfmnf
| MD5 | 2e2f7046deacfe52615a0b37604281dd |
| SHA1 | a43e4bde79955df0d7fac4a6db988a9995cfd08d |
| SHA256 | b127178e2f5104ea47e4ba3f2535859a1ed43be67de34f8aa0d70e370a9c2600 |
| SHA512 | b128a82e4e0c2d4dd98ac6abed788e080f4cbbadd24dd07d0389c796e90dfadea63a764f4d86a4a5277fc6c3a5165a1d32c246bb8bb3c1029ff51f1259959ec7 |
C:\Users\Admin\Desktop\InvokeEnable.docx.dyeyfmnf
| MD5 | 21fb19a4d1aa47e1cbd0cb800c23543e |
| SHA1 | 06858d2eb7d1a0165fd27ff1fde5a342516fcaf1 |
| SHA256 | 93932ab0e0e29cde57b2b140cd528db99095912aa9d0b68d43eb73ec778bfe25 |
| SHA512 | adce946de88667c8b040ff8fdde0e1cc4a1276fd0d660eb003bac2716b2a7747a418a183225aec12cb3154bf2230596debf06f4d87bc7b765113ebae81580b34 |
C:\Users\Admin\Desktop\InvokeWatch.svgz.dyeyfmnf
| MD5 | 895ffbdec213bbe77519b5cb1cc46344 |
| SHA1 | 52c00c170e7797d6f0af9cb3de5bc11f4ae6ef62 |
| SHA256 | 19fe952e01b8c638e5400ba8e73248da9c18b81cb5f65d72940707dbc41a2373 |
| SHA512 | b9c793133ec8d802da27abe90314f8aa1291c1cefb1731cd8f46913482857eec4a95b69bd45c21ae45a7fd2b468aca8b775577defe5a12abdd4e14d44e46ae48 |
C:\Users\Admin\Desktop\ReceiveSelect.mp4.dyeyfmnf
| MD5 | 2f88520f2558068d475a38ce5ddf1bee |
| SHA1 | 7f740f28c597f45738215a776c31e7e4f326a6af |
| SHA256 | 4620ea8e92da844d7442ff2b0053279e1539934304ca90b855a1ec83b22bfd68 |
| SHA512 | f48831cbfead922fd78e3bb2bf003f62636b1dca10e53a4a3b7ab2d372490208b78071f29289676e1307dc0c653379512bf00f850aa9a78119d55e379e13651b |
C:\Users\Admin\Desktop\UnblockRedo.crw.dyeyfmnf
| MD5 | 8f0c9dae8e64fe32e2529145c4835062 |
| SHA1 | 37cf06ddc2c4f8d19786de32d0ddad72e8479f1e |
| SHA256 | 568bbfbeed9ca35e0da9ba63ad00705cad3986dd8f567b4a1091278796379009 |
| SHA512 | 13a1cb356da3ce4b6cbc2fcc2c801592c57c4c3ea1b0e30e506873253fd9b94b5e87573e2d40643471d4e5a532b88cbadf40a54795fe16aaf1d94702cdade9b7 |
C:\Users\Admin\Documents\DismountDisconnect.docx.dyeyfmnf
| MD5 | c8cbde298298978627bed799b0f9e7c6 |
| SHA1 | 2334f0bf061cec9cec2ff26bb6a23c1390a107a8 |
| SHA256 | d490e14f4ac17af9615db14dc4a37e6973fd0a553b71aaed90cad2aac1049678 |
| SHA512 | 54975feef6ebb221ebf7a796c74f50d1d03dc133634bf4438dd66a317ad859f15956af7730e149d8cf1279d6911abb312ba71c01be4168fdf0c54a24671045ec |
C:\Users\Admin\Documents\ConfirmMove.xlsx.dyeyfmnf
| MD5 | 23163b20fa42dbfcf0528261e0704ddc |
| SHA1 | 9266965c7e289d41f91c7c4bae3e20f038e55ec1 |
| SHA256 | a72fcd83c46e547bdc01a883596b1c52ab2d5c40ba22f1868f3758ee8350618f |
| SHA512 | 0053d487b1aef259fde117e773b99bf8e19b4ce3196630dfa6165070a3dc1cb5aeeb2df0096a548c5e35f3c3c54f163b42bdd5d4c1d80345fe370a18eaeda0d6 |
C:\Users\Admin\Documents\AssertDeny.xlsx.dyeyfmnf
| MD5 | 8f998db19b6c19187b6b0cd73096bf35 |
| SHA1 | 1c89571e88841acc50f27a318aaf1efd2acfdea0 |
| SHA256 | a507da7fe1de2230d41248945ffbfaf5e5d8a670e3dfb75563f8c891d9cfe9ee |
| SHA512 | c27b54caba08687f250d9468f12a44b79d049e00157cc01be3d21d244702932fb155cc8def143499c903b49f43e14f6b7ec598e755f639305c535d1b2accbc30 |
C:\Users\Admin\Desktop\WriteSearch.mp4.dyeyfmnf
| MD5 | a3f6a04257c90732ccebb32e88fb3835 |
| SHA1 | eb6b0491f9916c97cea2c01194e0285c5afd0d06 |
| SHA256 | bfb164232f8fb648c6bace71739597d8c1f179a795476fd8d4661308ad11cd09 |
| SHA512 | bd8b83164a835f6ecaea09cc7cdb6ce7312acc9a05c8613b5677081f1c482908fc728753206c939202b6756b2ef02951c50b18c8210720be0956c1d45800268d |
C:\Users\Admin\Desktop\WaitReceive.mp4.dyeyfmnf
| MD5 | c4f8d968b0b1e43c0c5db96ee28614fd |
| SHA1 | 39639a762bb56091347911ef62c6793d49028542 |
| SHA256 | c04009ea16d9fc6eb72d4813fb869a37ff3dea0b18b2d8479c3903ee62392064 |
| SHA512 | 93fe5f718285f1171dcf21bc6734c2d8d96af62e849298bfd2daf81b16215ee572b0df148ce02b8553a3715e2a159f5ef0a94a013da7ae8725646117199910aa |
C:\Users\Admin\Documents\DYEYFMNF-DECRYPT.txt
| MD5 | 50d091ae26be4319e8712c99b966a876 |
| SHA1 | 41a68290e6e25627800cb61fe06545bf933b9b69 |
| SHA256 | 8e2005e16540e30d9876ea7314acbb6a34c98003151c81dcc47829a5b73f3174 |
| SHA512 | 87a3c2cf32787b09d18cd64b0e6c50ce86c8bf6f68423415f68c91e3e0eaa6b211869f82f33bad6eb3f63986f34d7e3f6a8a9365cb553bd8b5c9c3ca819e55f4 |
C:\Users\Admin\Documents\ImportBackup.pptm.dyeyfmnf
| MD5 | a24de58249de87f7a60118ee7cf7355a |
| SHA1 | d6f8d955c1d73aa74f740638452531bd533cd3d4 |
| SHA256 | bd7356447194aad54ea5310d1597e217899288d61228b6167a118d71a6d05a58 |
| SHA512 | 44e767294ed0b32ab8a8db9d44a69ea517604689aad73ee37cd6c7fa2fff357bf39c2232a09aad71dc9edb7ff030b88718172570c88aed9ffc37dc7a76f2823e |
C:\Users\Admin\Documents\ProtectConfirm.xlsm.dyeyfmnf
| MD5 | 71b7cea122dd389cac2845bcc84b9f08 |
| SHA1 | 966df0beb7a1314dd2ac1c23d370fb7844a6c9f3 |
| SHA256 | 0200780cae4797ea983aa0cee666378a6d912e3e32cccf86f6d1f9d52f90a6bd |
| SHA512 | baffdcee95ff37128c2b4a1963578ed9eb75c988ad8f09c6ec2013c123676a103fa9bc66cc069ece4b920e92f8913df4edfb83afe8309b383afd9b2351b34ff3 |
C:\Users\Admin\Documents\ReadLimit.docm.dyeyfmnf
| MD5 | 6c2a863d2355baf68507dc82cdf6879e |
| SHA1 | 9f6db3fd4c148876d7218ab807c2de505054ba0d |
| SHA256 | 589bd7d23de5a8f4b2aaac61360da028dda14826292f5836a9426bd4c83613ee |
| SHA512 | d3865bc1d61dbeee0f26379b73685d9bfa9a9bedbfcc6e9ec476567b85684e780de0c2a08db5cc176abe60a8e8024a35167eba2e59cbc087f743f2085c1812c5 |
memory/2528-3200-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2528-3206-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3056-3210-0x0000000000400000-0x0000000000451000-memory.dmp
memory/1572-3211-0x0000000000400000-0x000000000049A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar56AC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\Cab56A9.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | ac7131d72d304c62c1539ff17817c9fa |
| SHA1 | 7563bf18ee7acf8ec83f59855494012bd24c1500 |
| SHA256 | 21d4ca494e0b9604b32c9c2a08361111c6c27f51ae2645e481ed7cc8bd62e287 |
| SHA512 | 070f932d1c3fe633da53213d4f7a4c099b0f254e3b1f09731074177ba6823491c2e42ceabf716bbcbccc0f303e83a10a03bd438ef5274d345b745d8a09160e07 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 51729a24fd36f970536676f710c08d25 |
| SHA1 | f761b6abbd3953ce4a95b91c12f4ba4fbd49317f |
| SHA256 | 4c0b87a61417d6ced4a9cf01fec0f839c1c84e33f08615f779c0cd9b604959c7 |
| SHA512 | f4b6cdacab11aaaae772e65670309f378609b1d94546020023e49e2099e38afbe18154784d180f1932b3374918b621fcc8f95811a43394a3b6eb12c0e13100f7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 49de457b101795ed5ef20beb747bbbdb |
| SHA1 | c5376efd1e7d1f399000fe07956f7193efe08626 |
| SHA256 | 32e78307d1a2324ffb81a0e06ac5506b855890e2e19f9fa35aae51a3a4a6654e |
| SHA512 | 7b55469b5c8677974da2b2baddfb82053cbeb14a9e88fd30a50b5dee80823367b3269d0ba6b17f71bb6fabe288d628dd46d5c656f9b8881b8b83024293db5560 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 780e96a9e216b12df3d9fc41c6c3c5de |
| SHA1 | 4be5ad70dfb2a794d21b490a0e8cd7d63877f2c7 |
| SHA256 | 88c5ca57faedef01e10a4c919b8ab81d995bb4524ead024464c14990cfa9b64f |
| SHA512 | 1e5a5d96495a6fc18856fd26b62d0280766af4d0ffb8fe7637f62c6a35ac4553e3bc54f136fffd3d8d149e9a62e90682d751ca86e71b4fadf4b914377bf171b7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f500271b51a0267c9cea330b6b7ab9e7 |
| SHA1 | df339ee6b5a3262b51165d33cb02aa7c0bb90330 |
| SHA256 | d1f6684dc216ab3993f927edcd880ce1dcf6eb48b9d385f9200786b68be0c3e3 |
| SHA512 | e7e5ac47d00b905e5d9866bdfcc30523c090071b2911420b1f7c6fcb254840aa63109f7b94aa44c692e6defd91f27c2f24fbea317866709a64c6e119cd2ca9d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6f1d073f0f09948a4080c0c5553eac40 |
| SHA1 | 16c17554083e026fe22761bc8ce078111af2cbb6 |
| SHA256 | 2a830129dee0d669c096b8804c0ae8ca0b0d49c5e0b85708724f8d800691bae7 |
| SHA512 | 88b82a7b2a8b7b2d6584af7dc77ed8c4053f645d6e2e61a1dce3b3585f5434cd2e2207bc727259e83b0cd088fd5725f2f4439a16a925a1df15701f78477116b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 920fcee256b07b7c910aa39f571e2585 |
| SHA1 | 3e74a4f23a74199f1a16164fa41bad16735ddef6 |
| SHA256 | fe4e8a45c9b1f8537b5e65b055aa27d54f148144e19b7f6f9e0f52e052a94b23 |
| SHA512 | 2fcd43f7da4fdb2ed1feb5d9f8ffef9d43f40261588d058c8f8e7e60f433fec5922d65fa3609c365f98e02e9901d1f2a6554e1ec911cd0b5829af09c1ee9154b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 2a70668f6cc8eba2fb3061a1cffaee07 |
| SHA1 | 697baacf481407da38898ca606003fbe54184757 |
| SHA256 | 3e49b6ffbf47211b4a35ea322a96a081a32fa935c854f7b0a4942a42c37feff3 |
| SHA512 | 09bff548f582686f406f6d54dae24b1a7587c163de38e090decae2da6cd5313344030684ac69709c82e2b9546ce9ca299681b3d262ce891370f5933d678e8d62 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d619e038ca43050f8667909bfccfe443 |
| SHA1 | 093ead664f64d8281c8457bda83b3eb97251648f |
| SHA256 | daa517207cdbb47e7569a479e6355b36c705a4f64f747055161a222c05932fe2 |
| SHA512 | 6b6bbcd2c2b799d6a1043bbc5185f2adfd462e7c10e3c7841df6545224c1a2707c51210daae69464fd9ddf8b38864784f77cf5134352d2d52f89e006b7c887a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f4e37fb7076b7ea0fc1f96f151db4c45 |
| SHA1 | c68b5b563b66db536359583b3d90042a418eda40 |
| SHA256 | 12c2ff83f6d0ccf49c75ff9818f509b64c14731ea828a675740fc611582917c4 |
| SHA512 | 7740ac7cad84fcf6b93a0062782f89a5d03829446b3bd7419ffc2ddc0bfb6f97b3f189abaf160eb96d80c4b22a78d5b131c6ac668d3eb87809bdecdf95616cfc |