Malware Analysis Report

2024-11-15 09:24

Sample ID 241110-vkp4pstrcn
Target RNSM00343.7z
SHA256 173ca0f92742d045715ebb426f110998ab55fe3e8c2694b34dda2024322ad03f
Tags
gandcrab netwire backdoor botnet credential_access defense_evasion discovery execution impact persistence ransomware rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

173ca0f92742d045715ebb426f110998ab55fe3e8c2694b34dda2024322ad03f

Threat Level: Known bad

The file RNSM00343.7z was found to be: Known bad.

RNSM00343.7z is an archive, not a single executable: the behavioral run opened it in 7-Zip File Manager, and the signatures below aggregate the activity of the several samples extracted to C:\Users\Admin\Desktop\00343\ (detection names Blocker, Crypmod, GandCrypt, MSIL.Agent, Bitman and a generic Trojan-Ransom) together with the dropped C:\Users\Admin\AppData\Roaming\bqdhgan.exe. Read each indicator against its Process column before attributing it to a family.

Malicious Activity Summary

gandcrab netwire backdoor botnet credential_access defense_evasion discovery execution impact persistence ransomware rat spyware stealer

Netwire family

Gandcrab

NetWire RAT payload

Netwire

Gandcrab family

Deletes shadow copies

Renames multiple (435) files with added filename extension

Renames multiple (299) files with added filename extension

Loads dropped DLL

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Credentials from Password Stores: Windows Credential Manager

Indicator Removal: File Deletion

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Sets desktop wallpaper using registry

Drops file in Program Files directory

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of FindShellTrayWindow

Interacts with shadow copies

Suspicious use of SendNotifyMessage

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies Control Panel

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 17:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 17:03

Reported

2024-11-10 17:05

Platform

win7-20240903-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00343.7z"

Signatures

Gandcrab

ransomware backdoor gandcrab

Gandcrab family

gandcrab

NetWire RAT payload

rat

Netwire

botnet stealer netwire

Netwire family

netwire

Deletes shadow copies

ransomware defense_evasion impact execution

Renames multiple (299) files with added filename extension

ransomware

Renames multiple (435) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DYEYFMNF-DECRYPT.txt C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\4409c9554409ceb572.lock C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\bqdhgan.exe" C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A

Indicator Removal: File Deletion

defense_evasion

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp" C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\es-ES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\he\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_m.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\installation_telemetry.json C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\square_s.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\slideshow_glass_frame.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\DVD Maker\es-ES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\logo.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Microsoft Office\Office14\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\README.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\StopRead.dot C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\ResumeLimit.raw.dyeyfmnf C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\picturePuzzle.js C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color32.jpg C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mouseover.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationRight_ButtonGraphic.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sv\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_olv.css C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\status.json C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\weather.js C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.descriptorProvider.exsd C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Windows NT\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\scrapbook.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\GrantUnpublish.mpg C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lt\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
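The indicator tables above are flattened to one line per row, and the columns are only space separated even though file and process paths contain spaces, so a naive split() scrambles them. The following is an added example (not part of the sandbox report) that parses rows in this layout and pivots them by process, which is what this report needs: several distinct executables from the 00343 archive ran, and the HELP_RESTORE_FILES.txt notes, the Run key and the wallpaper change belong to bqdhgan.exe while the DYEYFMNF-DECRYPT.txt note and the drive enumeration belong to the Crypmod sample. The parsing rules (a fixed set of description prefixes, a trailing N/A Target column, a process column that always starts with ' C:\') are assumptions taken from the rows on this page, and the embedded rows are copied from the tables above. Note also that the Run key sits under Wow6432Node, i.e. it was written by a 32-bit process on this 64-bit Windows 7 image, so a hunt has to cover both the native and the redirected Run keys.

```python
"""Parse flattened 'Description Indicator Process Target' rows from a sandbox report
and pivot them per process.  Added example for this page, not part of the report."""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Description prefixes that occur in this report's tables (assumed to be the full set).
DESCRIPTIONS = (
    "File opened for modification", "File opened (read-only)", "File created",
    "Key value queried", "Key created", "Key opened",
    "Set value (str)", "Set value (int)", "Set value (data)",
)

# Sample input: rows copied verbatim from the tables on this page, one of each shape.
ROWS = r"""
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DYEYFMNF-DECRYPT.txt C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\msconfig = "C:\\Users\\Admin\\AppData\\Roaming\\bqdhgan.exe" C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\HELP_RESTORE_FILES.bmp" C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File created C:\Program Files\Mozilla Firefox\defaults\HELP_RESTORE_FILES.txt C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
File opened for modification C:\Program Files\ResumeLimit.raw.dyeyfmnf C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A ipinfo.io N/A N/A
"""


class Record(NamedTuple):
    description: Optional[str]
    indicator: Optional[str]
    process: Optional[str]
    target: Optional[str]


def _na(field: str) -> Optional[str]:
    return None if field == "N/A" else field


def parse_row(row: str) -> Record:
    """Columns are space separated but paths contain spaces, so split on the known
    description prefix, the trailing Target column, and the last ' C:\\' (every
    process path in this report starts a new column with a drive letter)."""
    row = row.strip()
    description = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    row = row[len(description) + 1:] if description else row.removeprefix("N/A ")
    row, _, target = row.rpartition(" ")
    cut = row.rfind(" C:\\")
    if cut >= 0:
        indicator, process = row[:cut], row[cut + 1:]
    else:                                   # no process path, e.g. the ipinfo.io lookup
        indicator, _, process = row.rpartition(" ")
    return Record(description, _na(indicator), _na(process), _na(target))


def parse_rows(text: str) -> list[Record]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def drives_enumerated(records) -> list[str]:
    """Drive letters probed through \\??\\X: opens ('Enumerates connected drives')."""
    return sorted(r.indicator[-2] for r in records
                  if r.description == "File opened (read-only)" and r.indicator
                  and re.fullmatch(r"\\\?\?\\[A-Z]:", r.indicator))


def run_key_entries(records) -> dict:
    """{value name: command} for Run-key persistence, with the doubled backslashes undone."""
    out = {}
    for r in records:
        if (r.description or "").startswith("Set value") and "\\CurrentVersion\\Run\\" in (r.indicator or ""):
            key, _, value = r.indicator.partition(" = ")
            out[key.rsplit("\\", 1)[-1]] = value.strip('"').replace("\\\\", "\\")
    return out


def ransom_notes_by_process(records) -> Counter:
    """Created files whose name reads like a ransom note, counted per process image name."""
    notes = Counter()
    for r in records:
        if r.description == "File created" and r.indicator:
            name = r.indicator.rsplit("\\", 1)[-1].upper()
            if "RESTORE" in name or "DECRYPT" in name:
                notes[(r.process or "N/A").rsplit("\\", 1)[-1]] += 1
    return notes


if __name__ == "__main__":
    recs = parse_rows(ROWS)
    print("drives:", drives_enumerated(recs))
    print("run keys:", run_key_entries(recs))
    print("ransom notes:", ransom_notes_by_process(recs))
```

Rows without a description or without a process (the vssadmin.exe and ipinfo.io entries above) come back with None in those fields instead of breaking the split, which matters when the same parser is pointed at a full report export.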

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "0" C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0" C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EAD96831-9F85-11EF-8320-E61828AB23DD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0ef61bf9233db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048073e4e52334f4c8b03ea8eb6cc2ab300000000020000000000106600000001000020000000260e9facef4fcdf3c6ea62c0b31dbdcc72ac8b4157d3f1e0ba0ce1e982c674db000000000e800000000200002000000073b1f7351262835ddceca1a175e930d4fbf257c8880effbce4669b57f69da08f2000000061038d219773dd1572a1009f9c8b284579b36cd13c818cf5d7a69906271b952d40000000fc0619a54f1ed7a0ca3435743fec02ac58b08d1b13a814ce84e9ff21db223342760ceef63f7102ce83e86f604f4a76aa6f20792986d10100e2adfa72d5dc5070 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = (value omitted) C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value omitted) C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945 C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E784A101C8265CC2DE1F16D47B440CAD90A1945\Blob = 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 C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe N/A
N/A N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 3056 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
PID 2704 wrote to memory of 3056 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
PID 2704 wrote to memory of 3056 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
PID 2704 wrote to memory of 3056 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe
PID 2704 wrote to memory of 1424 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
PID 2704 wrote to memory of 1424 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
PID 2704 wrote to memory of 1424 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
PID 2704 wrote to memory of 1424 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe
PID 2704 wrote to memory of 3064 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
PID 2704 wrote to memory of 3064 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
PID 2704 wrote to memory of 3064 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
PID 2704 wrote to memory of 3064 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe
PID 2704 wrote to memory of 664 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 2704 wrote to memory of 664 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 2704 wrote to memory of 664 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 2704 wrote to memory of 664 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 2704 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
PID 2704 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
PID 2704 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
PID 2704 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe
PID 2704 wrote to memory of 1572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
PID 2704 wrote to memory of 1572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
PID 2704 wrote to memory of 1572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
PID 2704 wrote to memory of 1572 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe
PID 624 wrote to memory of 1564 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe C:\Windows\SysWOW64\WerFault.exe
PID 624 wrote to memory of 1564 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe C:\Windows\SysWOW64\WerFault.exe
PID 624 wrote to memory of 1564 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe C:\Windows\SysWOW64\WerFault.exe
PID 624 wrote to memory of 1564 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe C:\Windows\SysWOW64\WerFault.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 664 wrote to memory of 2044 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe
PID 2044 wrote to memory of 2164 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2044 wrote to memory of 2164 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2044 wrote to memory of 2164 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2044 wrote to memory of 2164 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2044 wrote to memory of 1676 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1676 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1676 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Windows\SysWOW64\cmd.exe
PID 2044 wrote to memory of 1676 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2164 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Users\Admin\AppData\Roaming\bqdhgan.exe
PID 2528 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Windows\System32\vssadmin.exe
PID 2528 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Windows\System32\vssadmin.exe
PID 2528 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Windows\System32\vssadmin.exe
PID 2528 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\bqdhgan.exe C:\Windows\System32\vssadmin.exe
PID 1572 wrote to memory of 2064 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1572 wrote to memory of 2064 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1572 wrote to memory of 2064 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1572 wrote to memory of 2064 N/A C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe C:\Windows\SysWOW64\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00343.7z"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe

HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe

C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe

HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe

C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe

Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe

Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe

Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe

Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 116

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe

C:\Users\Admin\AppData\Roaming\bqdhgan.exe

C:\Users\Admin\AppData\Roaming\bqdhgan.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\00343\TROJAN~2.EXE >> NUL

C:\Users\Admin\AppData\Roaming\bqdhgan.exe

C:\Users\Admin\AppData\Roaming\bqdhgan.exe

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\wbem\wmic.exe

"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1N9dsduqYSk1zVrHVCN5rFFyk15mRyJKgq

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HELP_RESTORE_FILES.txt

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x508
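The command lines above are exactly what a process-creation record (Sysmon Event ID 1, Security 4688) carries, so they can be triaged by rule rather than by eye. The block below is an added example, not part of the sandbox report: it takes a constructed event list copied from the Processes section (including two benign system entries that must not fire) and applies rules for shadow-copy deletion, self-deletion through cmd.exe, a ransom note opened in notepad, a browser launched to an onion-style host, and execution from a user-writable AppData path. The ATT&CK IDs are this example's own mapping, and the rule name `exec-from-appdata` is local where no single technique fits.

```python
"""Rule-based triage of Windows process-creation command lines.

Added example, not part of the sandbox report. COMMAND_LINES is a constructed
event list copied from the Processes section; the rules, regexes and ATT&CK
mapping are this example's own.
"""
import re
from collections import Counter

# Constructed input: command lines from the Processes section, plus WerFault
# and AUDIODG as benign controls that should produce no findings.
COMMAND_LINES = [
    r"C:\Users\Admin\AppData\Roaming\bqdhgan.exe",
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\Desktop\00343\TROJAN~2.EXE >> NUL',
    r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet',
    r'"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete',
    r'"C:\Program Files\Internet Explorer\iexplore.exe" '
    r"http://3kxwjihmkgibht2s.wh47f2as19.com/?enc=1N9dsduqYSk1zVrHVCN5rFFyk15mRyJKgq",
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2124 CREDAT:275457 /prefetch:2',
    r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\HELP_RESTORE_FILES.txt',
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 624 -s 116",
    r"C:\Windows\system32\AUDIODG.EXE 0x508",
]

SELF_DELETE = re.compile(r"/c\s+del\b.*\.exe\b", re.I)
RANSOM_NOTE = re.compile(r"(help_restore|restore_files|decrypt|recover|readme)[^\\]*\.txt$", re.I)
# A 16-character base32 label (v2 onion address) used as the first label of a clearnet host.
ONION_STYLE_URL = re.compile(r"https?://[a-z2-7]{16}\.", re.I)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(roaming|local)\\", re.I)
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

RULES = [
    # (rule id, description, predicate(image basename, image path, argument string))
    ("T1490", "shadow copies deleted via vssadmin",
     lambda n, p, a: n == "vssadmin.exe" and {"delete", "shadows"} <= set(a.lower().split())),
    ("T1490", "shadow copies deleted via wmic",
     lambda n, p, a: n == "wmic.exe" and {"shadowcopy", "delete"} <= set(a.lower().split())),
    ("T1070.004", "cmd.exe deletes an executable (self-deletion after staging)",
     lambda n, p, a: n == "cmd.exe" and SELF_DELETE.search(a) is not None),
    ("T1486", "ransom note opened in notepad",
     lambda n, p, a: n == "notepad.exe" and RANSOM_NOTE.search(a) is not None),
    ("T1486", "browser launched to an onion-style ransom portal",
     lambda n, p, a: n in BROWSERS and ONION_STYLE_URL.search(a) is not None),
    ("exec-from-appdata", "executable launched from a user-writable AppData path",
     lambda n, p, a: USER_WRITABLE.search(p) is not None),
]


def split_image(cmdline):
    """Return (image path, argument string), honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    image, _, args = s.partition(" ")
    return image, args.strip()


def triage(command_lines):
    """Apply every rule to every command line; return only lines with hits."""
    findings = []
    for cmd in command_lines:
        image, args = split_image(cmd)
        name = image.rsplit("\\", 1)[-1].lower()
        hits = [(rid, desc) for rid, desc, pred in RULES if pred(name, image, args)]
        if hits:
            findings.append({"cmdline": cmd, "hits": hits})
    return findings


def technique_counts(findings):
    """Count hits per rule id across all findings."""
    return Counter(rid for f in findings for rid, _ in f["hits"])


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        for rid, desc in f["hits"]:
            print(f"{rid:18} {desc:55} {f['cmdline'][:60]}")
    print(dict(technique_counts(COMMAND_LINES and triage(COMMAND_LINES))))
```

Two caveats when turning this into a production rule. `vssadmin delete shadows` and `wmic shadowcopy delete` are also run by backup and imaging software, so the high-confidence signal is the combination seen here (shadow-copy deletion plus a ransom note plus an executable deleting its own dropper) within one process tree, not any single line. And because this detonation ran six samples at once, behaviours in the list above belong to different families; correlate by parent process before attributing them to one payload.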

Network

Country Destination Domain Proto
US 8.8.8.8:53 fingers1.ddns.net udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 epmhyca5ol6plmx3.wh47f2as19.com udp
US 8.8.8.8:53 7tno4hib47vlep5o.7hwr34n18.com udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.blutmagie.de udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.fi udp
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:80 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.haargenau.biz udp
CH 217.26.63.20:80 www.haargenau.biz tcp
CH 217.26.63.20:443 www.haargenau.biz tcp
CH 217.26.63.20:443 www.haargenau.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 www.holzbock.biz udp
CH 94.126.20.68:80 www.holzbock.biz tcp
CH 94.126.20.68:443 www.holzbock.biz tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.schreiner-freiamt.ch udp
CH 94.126.20.68:443 www.schreiner-freiamt.ch tcp
US 8.8.8.8:53 www.fliptray.biz udp
US 8.8.8.8:53 www.pizcam.com udp
CH 185.177.62.27:80 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
CH 185.177.62.27:443 www.pizcam.com tcp
US 8.8.8.8:53 www.swisswellness.com udp
DE 83.138.86.12:80 www.swisswellness.com tcp
DE 83.138.86.12:80 www.swisswellness.com tcp
US 8.8.8.8:53 www.hotelweisshorn.com udp
US 8.8.8.8:53 www.whitepod.com udp
CH 83.166.138.7:80 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
CH 83.166.138.7:443 www.whitepod.com tcp
US 8.8.8.8:53 www.hardrockhoteldavos.com udp
US 18.207.88.16:80 www.hardrockhoteldavos.com tcp
US 18.207.88.16:443 www.hardrockhoteldavos.com tcp
US 8.8.8.8:53 www.hardrockhotels.com udp
US 151.101.67.52:443 www.hardrockhotels.com tcp
US 151.101.67.52:443 www.hardrockhotels.com tcp
US 151.101.67.52:443 www.hardrockhotels.com tcp
US 151.101.67.52:443 www.hardrockhotels.com tcp
US 8.8.8.8:53 www.belvedere-locarno.com udp
US 104.26.6.206:80 www.belvedere-locarno.com tcp
US 104.26.6.206:443 www.belvedere-locarno.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 www.hotelfarinet.com udp
US 15.197.195.78:80 www.hotelfarinet.com tcp
US 8.8.8.8:53 www.hrk-ramoz.com udp
HK 156.235.147.122:80 www.hrk-ramoz.com tcp
US 8.8.8.8:53 www.morcote-residenza.com udp
CH 194.191.24.37:80 www.morcote-residenza.com tcp
CH 194.191.24.37:443 www.morcote-residenza.com tcp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 www.seitensprungzimmer24.com udp
DE 136.243.162.140:80 www.seitensprungzimmer24.com tcp
DE 136.243.162.140:443 www.seitensprungzimmer24.com tcp
US 8.8.8.8:53 seitensprungzimmer24.com udp
DE 136.243.162.140:443 seitensprungzimmer24.com tcp
US 8.8.8.8:53 www.arbezie-hotel.com udp
FR 213.186.33.5:80 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
FR 213.186.33.5:443 www.arbezie-hotel.com tcp
US 8.8.8.8:53 www.aubergemontblanc.com udp
CH 83.166.138.13:80 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
CH 83.166.138.13:443 www.aubergemontblanc.com tcp
US 8.8.8.8:53 www.torhotel.com udp
CH 128.65.195.228:80 www.torhotel.com tcp
CH 128.65.195.228:80 www.torhotel.com tcp
US 8.8.8.8:53 www.alpenlodge.com udp
CH 217.26.55.76:80 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
CH 217.26.55.76:443 www.alpenlodge.com tcp
US 8.8.8.8:53 www.aparthotelzurich.com udp
DE 213.239.221.71:80 www.aparthotelzurich.com tcp
DE 213.239.221.71:443 www.aparthotelzurich.com tcp
US 8.8.8.8:53 r10.o.lencr.org udp
GB 2.23.210.82:80 r10.o.lencr.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.bnbdelacolline.com udp
CH 128.65.195.174:80 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
US 8.8.8.8:53 3kxwjihmkgibht2s.wh47f2as19.com udp
CH 128.65.195.174:443 www.bnbdelacolline.com tcp
US 8.8.8.8:53 www.elite-hotel.com udp
CH 80.74.144.93:80 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
CH 80.74.144.93:443 www.elite-hotel.com tcp
US 8.8.8.8:53 www.bristol-adelboden.com udp
IE 52.17.119.105:80 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
IE 52.17.119.105:443 www.bristol-adelboden.com tcp
US 8.8.8.8:53 www.nationalzermatt.com udp
CH 94.126.23.52:80 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
CH 94.126.23.52:443 www.nationalzermatt.com tcp
US 8.8.8.8:53 www.waageglarus.com udp
US 8.8.8.8:53 www.limmathof.com udp
US 198.49.23.144:80 www.limmathof.com tcp
US 198.49.23.144:443 www.limmathof.com tcp
US 8.8.8.8:53 www.apartmenthaus.com udp
CH 217.26.60.27:80 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
CH 217.26.60.27:443 www.apartmenthaus.com tcp
US 8.8.8.8:53 www.berginsel.com udp
CH 80.74.145.65:80 www.berginsel.com tcp
CH 80.74.145.65:443 www.berginsel.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 berginsel-oberems.ch udp
CH 80.74.145.65:443 berginsel-oberems.ch tcp
US 8.8.8.8:53 www.chambre-d-hote-chez-fleury.com udp
IE 52.215.95.29:80 www.chambre-d-hote-chez-fleury.com tcp
IE 52.215.95.29:443 www.chambre-d-hote-chez-fleury.com tcp
US 8.8.8.8:53 www.hotel-blumental.com udp
CH 94.126.21.30:80 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
CH 94.126.21.30:443 www.hotel-blumental.com tcp
US 8.8.8.8:53 crl.geotrust.com udp
SE 192.229.221.95:80 crl.geotrust.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:80 www.facebook.com tcp
GB 163.70.151.35:443 www.facebook.com tcp
SE 192.229.221.95:80 crl.geotrust.com tcp
US 8.8.8.8:53 www.la-fontaine.com udp
DE 213.199.57.77:80 www.la-fontaine.com tcp
DE 213.199.57.77:443 www.la-fontaine.com tcp
DE 213.199.57.77:443 www.la-fontaine.com tcp
DE 213.199.57.77:443 www.la-fontaine.com tcp
DE 213.199.57.77:443 www.la-fontaine.com tcp
US 8.8.8.8:53 www.mountainhostel.com udp
IE 52.215.95.29:80 www.mountainhostel.com tcp
IE 52.215.95.29:443 www.mountainhostel.com tcp
US 8.8.8.8:53 www.hotelalbanareal.com udp
DE 18.193.36.153:80 www.hotelalbanareal.com tcp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
DE 18.193.36.153:443 www.hotelalbanareal.com tcp
US 8.8.8.8:53 www.geneva.frasershospitality.com udp
US 8.8.8.8:53 www.luganohoteladmiral.com udp
CH 185.181.206.95:80 www.luganohoteladmiral.com tcp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
CH 185.181.206.95:443 www.luganohoteladmiral.com tcp
US 8.8.8.8:53 www.bellevuewiesen.com udp
GB 159.65.93.218:80 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
GB 159.65.93.218:443 www.bellevuewiesen.com tcp
US 8.8.8.8:53 www.hoteltruite.com udp
NL 37.48.65.136:80 www.hoteltruite.com tcp
NL 37.48.65.136:443 www.hoteltruite.com tcp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.82:80 r11.o.lencr.org tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.227:80 survey-smiles.com tcp
US 8.8.8.8:53 www.hotelgarni-battello.com udp
US 8.8.8.8:53 www.seminarhotel.com udp
CH 151.248.236.144:80 www.seminarhotel.com tcp
CH 151.248.236.144:443 www.seminarhotel.com tcp
US 8.8.8.8:53 www.roemerturm.ch udp
CH 151.248.236.144:443 www.roemerturm.ch tcp
US 8.8.8.8:53 www.kroneregensberg.com udp
CH 217.26.60.254:80 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
CH 217.26.60.254:443 www.kroneregensberg.com tcp
US 8.8.8.8:53 www.puurehuus.com udp
CH 217.26.54.189:80 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
CH 217.26.54.189:443 www.puurehuus.com tcp
US 8.8.8.8:53 www.hotel-zermatt.com udp
CH 82.220.37.45:80 www.hotel-zermatt.com tcp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
US 8.8.8.8:53 www.stchristophesa.com udp
CH 83.166.133.76:80 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
CH 83.166.133.76:443 www.stchristophesa.com tcp
US 8.8.8.8:53 www.nh-hotels.com udp
GB 104.78.166.83:80 www.nh-hotels.com tcp
GB 104.78.166.83:80 www.nh-hotels.com tcp
US 8.8.8.8:53 www.schwendelberg.com udp
CH 193.17.199.27:80 www.schwendelberg.com tcp
US 8.8.8.8:53 www.stalden.com udp
CH 193.33.128.144:80 www.stalden.com tcp
CH 193.33.128.144:443 www.stalden.com tcp
CH 193.33.128.144:443 www.stalden.com tcp
CH 193.33.128.144:443 www.stalden.com tcp
CH 193.33.128.144:443 www.stalden.com tcp
US 8.8.8.8:53 www.vignobledore.com udp
GB 213.129.84.57:80 www.vignobledore.com tcp
GB 213.129.84.57:443 www.vignobledore.com tcp
US 8.8.8.8:53 www.eyholz.com udp
CH 81.201.201.94:80 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
CH 81.201.201.94:443 www.eyholz.com tcp
US 8.8.8.8:53 www.flemings-hotel.com udp
NL 188.227.206.226:80 www.flemings-hotel.com tcp
NL 188.227.206.226:80 www.flemings-hotel.com tcp
US 8.8.8.8:53 www.hiexgeneva.com udp
CH 81.23.73.70:80 www.hiexgeneva.com tcp
CH 81.23.73.70:443 www.hiexgeneva.com tcp
US 8.8.8.8:53 www.expressgeneva.com udp
CH 81.23.73.70:443 www.expressgeneva.com tcp
US 8.8.8.8:53 www.petit-paradis.com udp
GB 185.151.30.132:80 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
GB 185.151.30.132:443 www.petit-paradis.com tcp
US 8.8.8.8:53 www.berghaus-toni.com udp
US 34.149.87.45:80 www.berghaus-toni.com tcp
US 34.149.87.45:443 www.berghaus-toni.com tcp
US 8.8.8.8:53 www.hotelglanis.com udp
US 34.149.87.45:80 www.hotelglanis.com tcp
US 34.149.87.45:443 www.hotelglanis.com tcp
US 8.8.8.8:53 www.16eme.com udp
US 34.149.87.45:80 www.16eme.com tcp
US 34.149.87.45:443 www.16eme.com tcp
US 8.8.8.8:53 www.staubbach.com udp
DE 104.248.24.229:80 www.staubbach.com tcp
DE 104.248.24.229:443 www.staubbach.com tcp
US 8.8.8.8:53 www.samnaunerhof.com udp
AT 94.198.139.116:80 www.samnaunerhof.com tcp
AT 94.198.139.116:443 www.samnaunerhof.com tcp
US 8.8.8.8:53 www.airporthotelbasel.com udp
US 104.17.182.58:80 www.airporthotelbasel.com tcp
US 104.17.182.58:443 www.airporthotelbasel.com tcp
US 8.8.8.8:53 www.elite-biel.com udp
CH 94.126.23.52:80 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
CH 94.126.23.52:443 www.elite-biel.com tcp
US 8.8.8.8:53 www.aubergecouronne.com udp
FR 87.98.154.146:80 www.aubergecouronne.com tcp
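The table lists one row per DNS lookup and per TCP connection, which hides the points an analyst needs: which names were only ever looked up (no connection followed, because the name did not resolve or the session was not captured), which names are dynamic-DNS or tor2web hosts, and which rows are certificate-infrastructure noise (Let's Encrypt OCSP, Google PKI, Microsoft and GeoTrust CRLs). The block below is an added example, not part of the report: it parses a verbatim excerpt of the rows above into per-host records and tags each host from observable properties. The tag names and the suffix lists for dynamic DNS, IP-lookup services and PKI hosts are this example's own.

```python
"""Collapse a sandbox network table into per-host records with tags.

Added example, not part of the sandbox report. NETWORK_TABLE is a verbatim
excerpt of rows from the Network table; the tag vocabulary and suffix lists
are this example's own.
"""
import re
from collections import defaultdict

NETWORK_TABLE = """\
US 8.8.8.8:53 fingers1.ddns.net udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 epmhyca5ol6plmx3.wh47f2as19.com udp
US 8.8.8.8:53 7tno4hib47vlep5o.7hwr34n18.com udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.blutmagie.de udp
US 8.8.8.8:53 epmhyca5ol6plmx3.tor2web.fi udp
US 8.8.8.8:53 www.2mmotorsport.biz udp
DE 77.75.249.22:80 www.2mmotorsport.biz tcp
DE 77.75.249.22:443 www.2mmotorsport.biz tcp
US 8.8.8.8:53 www.bizziniinfissi.com udp
US 8.8.8.8:53 r11.o.lencr.org udp
GB 2.23.210.75:80 r11.o.lencr.org tcp
US 8.8.8.8:53 3kxwjihmkgibht2s.wh47f2as19.com udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.hotel-zermatt.com udp
CH 82.220.37.45:80 www.hotel-zermatt.com tcp
CH 82.220.37.45:443 www.hotel-zermatt.com tcp
"""

ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"(?P<domain>\S+) (?P<proto>tcp|udp)$"
)
ONION_STYLE = re.compile(r"^[a-z2-7]{16}\.")  # v2 onion address as first DNS label
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.com", ".duckdns.org", ".hopto.org")
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com"}
PKI_HOSTS = (".lencr.org", ".pki.goog", "crl.microsoft.com", "crl.geotrust.com")
SUSPICIOUS = {"tor2web-gateway", "onion-style-label", "dynamic-dns", "external-ip-lookup"}


def parse_rows(text):
    """Parse 'CC ip:port domain proto' rows; skip headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def tag_domain(domain):
    """Tags derived from the name alone, independent of what it resolved to."""
    d = domain.lower()
    tags = set()
    if ".tor2web." in d:
        tags.add("tor2web-gateway")
    if ONION_STYLE.match(d):
        tags.add("onion-style-label")
    if d.endswith(DYNDNS_SUFFIXES):
        tags.add("dynamic-dns")
    if d in IP_LOOKUP_HOSTS:
        tags.add("external-ip-lookup")
    if d.endswith(PKI_HOSTS):
        tags.add("pki-infrastructure")
    return tags


def summarize(rows):
    """One record per domain: DNS lookup count, distinct connections, tags."""
    hosts = defaultdict(lambda: {"dns_lookups": 0, "connections": set(), "tags": set()})
    for r in rows:
        h = hosts[r["domain"]]
        if r["proto"] == "udp" and r["port"] == 53:
            h["dns_lookups"] += 1          # lookup sent to the resolver, not to the host
        else:
            h["connections"].add((r["ip"], r["port"], r["proto"], r["cc"]))
        h["tags"] |= tag_domain(r["domain"])
    for h in hosts.values():
        if not h["connections"]:
            h["tags"].add("dns-only")      # never contacted: NXDOMAIN or session not captured
    return dict(hosts)


def suspicious_hosts(hosts):
    return sorted(d for d, h in hosts.items() if h["tags"] & SUSPICIOUS)


def dns_only_hosts(hosts):
    return sorted(d for d, h in hosts.items() if "dns-only" in h["tags"])


if __name__ == "__main__":
    hosts = summarize(parse_rows(NETWORK_TABLE))
    for d in suspicious_hosts(hosts):
        print(f"{d:45} {sorted(hosts[d]['tags'])}")
    print("dns-only:", dns_only_hosts(hosts))
```

Run against the full table, the same logic separates three groups: the tagged hosts (the dynamic-DNS name, the external IP lookup, the four onion-style names and the two tor2web gateways, all of which except ipinfo.io were looked up but never connected to), the PKI hosts to drop from any IOC list, and a long tail of commercial sites contacted on 80 and 443 that carry no tag at all. The table alone does not say which of that last group are relays and which are noise, so they belong in a hunt query keyed on the sample's process tree rather than on a blocklist.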

Files

memory/2952-12-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2952-13-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.GandCrypt.gen-c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca.exe

MD5 0a20ff394f286a6aaae2347df50074c6
SHA1 8734bc341b95255b8b927fdd8f0015bb24602cb6
SHA256 c172830fb9300fbab22bfa145a9fa36ae19d96996c78753d711e1a0428caddca
SHA512 1dea58773387ad540bf6f2453dff07ac9dbd77455294a309b4dcd1b3a064311ad0dd361ca32282bdd0ca7dab9d1d65359516f4ce8df557ff99745666c9c6b768

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Crypmod.aaju-a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2.exe

MD5 bdc7130f8edce09b538b6ec22ea7a1aa
SHA1 254bc06fcd8d5929a9cec304cec82951ba46f1a0
SHA256 a5f611374478e11c51e8d7017dd7995a23ecec2f14ad48f8466dcf52d1f575d2
SHA512 d054c46c77566fa22ad4e8bfa9585be860873f838da32a2e7ce2d44ac1d85941fe1e3e02920b544f653b5939b802e40407c5f0c27de58a73d94e392ad7058cc5

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Blocker.fgpq-db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef.exe

MD5 4ef5f0a660c9ae3e32eb109e1e7bfa30
SHA1 b02b7fde30930161726fdd7e872da43b271f2c3b
SHA256 db8c0fc8427546ed54664fba24bdc7aa335eedb34b21c0d9a030dbc4f2bd7aef
SHA512 6a49b7d2c46e072f329f75b0ab74e011aee16cd35ba9a83734294fcbb3ad73539a8545f27695d58aa9d9150114c8f344a3b193b2e6005edb3085eba0906e9a81

C:\Users\Admin\Desktop\00343\Trojan-Ransom.MSIL.Agent.fqkb-e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69.exe

MD5 b066f6b9d71f198cb851eba5aa19f8af
SHA1 fe1072d6f69e8f817940d05f76272c7498c2de46
SHA256 e5c4fb99d5b4cb4621314bbce112f2f926f3e7458d6a1b036b3007deea98cc69
SHA512 4a90e4378272e8ab2865c020cf2b3b390a2a8753289da8f1925383be56a42878cfe6f3bae34b7cafe1412b05bee63b8e05c675ca64e7ee44389580dff24a7d77

C:\Users\Admin\Desktop\00343\Trojan-Ransom.Win32.Bitman.gb-afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18.exe

MD5 6d3d62a4cff19b4f2cc7ce9027c33be8
SHA1 e906fa3d51e86a61741b3499145a114e9bfb7c56
SHA256 afaba2400552c7032a5c4c6e6151df374d0e98dc67204066281e30e6699dbd18
SHA512 973643639cb02491b86d5b264ee8118a67d8a83453307aea95de2f4c6aa55819d37730c41dc3338116ebe86f9a4f2bba7d9537ea744ae08b9755f05c15153fad

C:\Users\Admin\Desktop\00343\HEUR-Trojan-Ransom.Win32.Generic-b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13.exe

MD5 c3682297d1ea552008780bf09c25170b
SHA1 9cd31edb83e500ddd4baa5b88e0a08cf2bb2d762
SHA256 b4a2e30684a0a53ca2ba256520aadbcbc2874808d6afb1ea8f8c54917ea00b13
SHA512 6276df414771e23d564c9bd273c706e14643099fb0801dcc82de4c54353eedc4cb170cff8f8e78b201512a6ea9f2fcbeb00776ca9ccf70bbb7606b56367c9274

memory/2044-38-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2044-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2044-35-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2044-33-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2044-31-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2044-29-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2044-27-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2044-41-0x0000000000400000-0x0000000000472000-memory.dmp

memory/664-40-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3064-42-0x0000000000050000-0x00000000000CE000-memory.dmp

memory/2044-49-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2164-67-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2528-71-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2528-75-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2528-69-0x0000000000400000-0x0000000000472000-memory.dmp

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RESTORE_FILES.txt

MD5 e4c60e9e806a4b8a659fc02b2b679356
SHA1 01b9831dfde476a186130e86f10e693280c863fb
SHA256 315a0faec125b16842eca93001a60d5d5ad23838b8a047e45ae6d5e6ea9ac4fe
SHA512 fcd2235c22f99105d2aba494a36a55a305d761088af6291cba07610a4cc6c23ade5500cce97160a2242f472ab9235a49d83cef007aab8d5ee5e8910833765ebb

memory/1424-296-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1572-294-0x0000000000400000-0x000000000049A000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\DYEYFMNF-DECRYPT.txt

MD5 367e7d0c9ba9133fd44b9097ef82e024
SHA1 1394d3c8958e13ee76d4f068bfa5c556b591833b
SHA256 de12844f1115a2f7f2646e163aa3d1030478abca6b5b59b18fb05849553901f5
SHA512 e644f2a06a1cb24bbb660f67cf3c3f7507e6d9a553b829ab02d41179a1cbeb2331f10007fe5b8af186455039a482b88cd97d0f02f5900aa5555d25b3e9f43a16

C:\$Recycle.Bin\HELP_RESTORE_FILES.txt

MD5 4f27999363123f86ba9fb08a1ae38c7a
SHA1 c609cab697a2c3548037b8b268522fd3d8fdd285
SHA256 af656447ded964e4c45602c1f60fc11572c82a7549ffe19ce8db5e50fa3e2ce0
SHA512 c7a5baefbfabf6d59cbb37706756388032377a11a81d9250a5b7d0f05d108f7ab35574bd96309466ab166b0c032d8471744ca1ea2e5324be67b2480617e34802

C:\$Recycle.Bin\S-1-5-21-312935884-697965778-3955649944-1000\HELP_RESTORE_FILES.txt

MD5 967cc7812f640502b823c190c85d9043
SHA1 0450c572de11873709f262e2eddbf26f16be1059
SHA256 898eb523165f96fa2df6467fa687da264a8a7a7945d177287f4a55cbda3ff1c3
SHA512 6b182ef2e82319337d71b3f2d42607971d42843cd25fc5b9c8f16f315777becd5de054c25dcf8a161df4637801f7b8dd3932fbff052ef16ee3b0a5019be4dcc4

C:\Program Files\CheckpointReset.aif.ecc

MD5 df72ac2132edbe2ba8a59563288b2073
SHA1 0b78e42e35f0e683ff9ab4984d21655fe18d7e74
SHA256 45d66fac203e3038c0a0a9057743969a9c5452a623d2f837536b10d865fd6cf1
SHA512 f2c69601aae99c9eab0aa10261c97a6f91ee3c987fc466d0f070dd2895f4745042e4ba8eabbf2c52ced7ec496bfe3e9419c86e16dab58185047256ab85cec8a4

C:\Program Files\ConvertRemove.avi.ecc

MD5 4f4d49b78a64326b3534c6f6f72679ce
SHA1 dd2be44d6dc74dbb929493130e9333713fd925e8
SHA256 8e11aee35d7e1eecb4d0b3df38d5f3ba9aa3d85dcfa72857c982576c1523f6c0
SHA512 742a1b37d44c01c02bd77a1703178feba94a6d0ea0a7e9609fc6c550773e8795fcc4a9a1d073091927ad44bdeef4c9fb65ea82afa802239940b4988925624a54

C:\Program Files\DismountSwitch.M2T.ecc

MD5 232348c8375bcd5bc3625f7687a92701
SHA1 f0f44ce1648337f7b3e5a71ce17f1549bf3471eb
SHA256 992226e4c6dd36a279e765b52f2facd818f5514338eb1a382aabb9d47a082651
SHA512 4739ac8dfd64b4da71aefc3276b2bda117ceca146881a79c7d774182f123e615ff78e7188bc929e11cddde4e559296a51d6ee6c119323dea3af36ecef00e8007

C:\Program Files\ExitReset.eps.ecc

MD5 28ec1b70659d9b9e90d3ded7baa37495
SHA1 8800d60aaa7d33be74932835ca2c560e0a0e29b0
SHA256 d100dcc9d5c9f078b3812ab3b921bcd5c20a419067564921b3fe8ffe646df212
SHA512 75ac348aeff4aab8b171960630e141e29e55134f3375b5ac427e0396cda1fa334740f533723892c19533c465dbd622d22940aaf77255d1e31392fa56fba7a142

C:\Program Files\FormatRestore.mov.ecc

MD5 a4c087affd57197df36ea07cbec7725d
SHA1 9f4e77fbddbc9a5aa0d70ec57a7b690b474715df
SHA256 9b8dd5d613512730b887bff9655ceef6541aeb7033b145f871087ccba3966772
SHA512 74a735b9ce1926146c2087dc045bacc0fb8105e83b435a4eabd316cc07da095f03f6d58f87ebeb07af68a0b1633bf39508187fd163e7a6a34c3131d42f339f6a

C:\Program Files\FormatUnregister.wmv.ecc

MD5 3af2a37b98432facd3444c513fa7fa7d
SHA1 089a17905cac44d3ae71c06842cfbeea83ce2bde
SHA256 ababa94681f91548b20e6cb3f333b6e5412609f9303c061cf5498a995acc56ce
SHA512 bf445835ec7944467130cedf4d4a528d507e02d4d946e04579e2a2a4df7c85715d045117e0a8c04a8e8b101ea4068a5d3c7c62e124f0f202be5c8a4ff04eac76

memory/2528-638-0x0000000000400000-0x0000000000472000-memory.dmp

C:\Users\Admin\AppData\Roaming\key.dat

MD5 480da7382c47bd6f4d41d80f11ce2d01
SHA1 3cfdf6b4b277ba455b349b976b8a2b6ba68879b2
SHA256 7bfcabf3fd1cfb69d4a8b7ef453ddcb8fa31655ca0ffc9fb26fc60d089ee5cd0
SHA512 702d764256775500ab416ea5a29175d56836bd726e6a414d990ea9a92d35efe166b448fca0d6506757bace091b645e9d8cb91e4154244bb1ac552556627acfd8

C:\Program Files\PingClose.m4a.dyeyfmnf

MD5 bf2381fe95cf44032751cf8d92388a2b
SHA1 1eefe968f57321bb6d0609b6947fa691abcb7818
SHA256 0b866f77f9c6e59e89c863d7fc8be5282bc8a65005abee94add50fca1123bb9e
SHA512 95a2b5392c9f5a651c3353a84617b6aafbcc22a6740e3dcbf025c265b8bcb6c6da2a1c5af1e2033ad5cdd95ba380798d3a023ca26c6fcef66d0daa98cddbb09f

C:\Program Files\ResumeLimit.raw.dyeyfmnf

MD5 52b4a861e17ccb97f99ee5226c44c8b8
SHA1 205db453061e7878b5db0922f386f5013bd3716d
SHA256 504e45eb1426d09e0e557c70288bbeb7bee58004ba54eb66da9ea0aff1423631
SHA512 b3316249909178f058a1201d85625b989fa440be5fb2f49e51f5b55afbec9fef2ba53604dbc92f7b375d4841d0b33978883bbb0d213095d76565d3e0de0d466f

C:\Program Files\SelectCompress.zip.dyeyfmnf

MD5 2ec0000ad61d8a86caeeb06fc707ba7e
SHA1 e812a8d7550a11538dd92cf8001be3930ff07f78
SHA256 547b242c30bec3abe7ee328c9aa404714deff63c053335b121162af14e9d1908
SHA512 37c8d55d5cac8fb0f2f56c1e07aae4e8c82470aa43e2a860d13fb4bed2b0db7fd29d10f790244ebee335a5863f1c7c8540ddf0538e0d936dc0922156bfaa6eae

C:\Program Files\SetOut.dwg.dyeyfmnf

MD5 8e7f9b4e56c361da0fe043cfde36cd99
SHA1 926530ba6c683b449b8cc01f312cc7aea969ca80
SHA256 6df8fec69633b1caaac38980cb6ecd9d9c5e4e704ddaaa0a5c3bfd1d8fa2ed4d
SHA512 e4917b73411e8623ba504176c59b1b2fd273ee9c055d034dd2607560e1032e063833323cb1bdf0595855fb54f72a13919edd99e444c8d21a4aa60587c4cd52c0

C:\Program Files\SubmitDisconnect.docx.dyeyfmnf

MD5 1716230df2184b26bb7e99434b7a33ff
SHA1 60fe3383f710fbb07a880f4ff8d857187ed9dcf7
SHA256 6c959e21abbc4415fe1564d7141921c6115eba3bb47449e99994aa6bfe053543
SHA512 1999d3bcdf3d942ca22d970a970d2882fac883b580c559c40d1858319cb70b9316326b0ec246f094b950330d2b2e7f11b4c29128ae1bcf4126f29a6464630135

C:\Users\Admin\Desktop\00343\DO_NOT_DELETE.xtc

MD5 7a69352cb1b550ff1febaa10805143fb
SHA1 8ed64855e5090002bcdc979e6d8c4785faf2c978
SHA256 ba0ac5c3317aaf44d121e3d09b70d79d9ca246bc9966694126156b586d8bfb0e
SHA512 e46f2dd59715948fe49ea82b83c4a7adf683913f7976310e113a2012a6fd47b67cfbe404f078b47800bea754fb2f5974b4488924094c8f4cb6784aa39a2db0b5

C:\Program Files\WatchDebug.mov.dyeyfmnf

MD5 2ebfefae94f0da0c6305f62fc511dc05
SHA1 54fcb561c98f63899411505048cc410c279a14fc
SHA256 460758f80fab747b02e9707167abd1f09e96a59ec13f5ec7d22ab3e93457f453
SHA512 f94b4641fd2ad27209825a7b2e992111bd7ae512972810a7e607feeeadca67872b25c1747bc539c7a1e52dec48dc490d148a5cfa6e3a7bcd8353e2283b30cca2

C:\Users\Admin\Documents\RECOVERY_KEY.TXT

MD5 c57085bdf49f036337f379ca97fe61f5
SHA1 d3842e758d3d2e312531c63e5c357773704a5ecd
SHA256 ab439a7d46f62fa1152614f50e27cb106f67bd0c1edea9e1bbe61d82f5147fd6
SHA512 e0d620045df0c7a6acd6b8a03724d1ddb9c1d6008d81ead96efdba7175285a0c72a6cd72d4319798dde56c78a1f71571920ca7faee94aeeead31f0e9d5ef57df

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DYEYFMNF-DECRYPT.txt

MD5 d359765c9e2b8d95278ed914f9087b61
SHA1 2d2f95c8be128e4e2b50acfd27ec250cfd78d605
SHA256 08a698cd4c3d8480e5ee46756b7f8428dcd375a130945f542e471930fa33877e
SHA512 b940b03cf606e133f1e8213a69babaff93930a7eaf02293e46aef5f8b03d4c61f2872917cfbb09aec02ba6790b3dd72d5bff3478959687b3a583ead869d36e12

C:\Recovery\DYEYFMNF-DECRYPT.txt

MD5 81948025ba0dc27075c2799790c8634a
SHA1 500766e1e8ef9bc5cb28c515b0949a8bbb25bb96
SHA256 0871ee3674ef356da267e7659fddea5a911812791d00e18b0d9d17caf63d8bf8
SHA512 cc7ca313f75a087bb19df3bec626239e349ccc61fbd11b67c4274cb9c619d000af6ae39ca0309e128b96431cfd602b18c686ac2751578a17acf7bcb136b283d5

C:\Users\Admin\AppData\DYEYFMNF-DECRYPT.txt

MD5 2fc094e9309c028001aec6957aa10da1
SHA1 1c6fd459f984f7181b34bbd0cd4a79b703ab386e
SHA256 0190dbf9e4125b6a6e829c8516c8c00738a2c63eb1cc121f08407606c308c44c
SHA512 c8dc801d1aa96b4afd18f6da9def1e718caad62a3ef40232d622f6bedae17d7c357f8b8cc4970f0b7ee00a6793af377e8b0d749c56a1bd38d0d867a4dc3ae08f

C:\Users\Admin\Contacts\DYEYFMNF-DECRYPT.txt

MD5 bcec440af38433db7827c42a208de9c8
SHA1 e645432680445178f3d21dc411213e7beef3eb6e
SHA256 64b2ba76131aea34a40f25a211ee8c28a1b20ea60b9bf462bc53956d911b4da9
SHA512 28704b817e1b7e6a07e243665a06515c3b77e06c037fc875f16903a749d99a2509a94e83927e27850a84d2161e9f398b5bbe3945d520eb7ff35bef8dd7ba97de

C:\Users\Admin\Desktop\00343\DYEYFMNF-DECRYPT.txt

MD5 32768b6489c26a45a3a17e235a17f40f
SHA1 574f5fe4e109475e9573a74702ced00bd0e68339
SHA256 888dbe8d2b600e685989c5401ec9d6d2a0dcce20447f686b92f09ee2a316578a
SHA512 d9667fde1e0f63b72f55e525edff8c592118a0072d930f673b7153384be0666a2ec45e37e8d23ebba516b5fd5bc4047b2b46ab0dfb54ceaacc950d2ce4f51f14

C:\Users\Admin\Desktop\CheckpointRemove.zip.dyeyfmnf

MD5 73bdba903f6a2c0253f2073fc710720e
SHA1 e500256875c3168979a6076acd962821bc07bcb6
SHA256 60e1c38e0643f3bc2d99d0a028bf4f853b29493b0d0a874ebbbb846638cf0e11
SHA512 486a4df2d40d16a97f2450c47234adf1bfb3405760b4602c4caaae97ef084529d72b2b8adf856c8fefac2bd80e88d1961827493599304da52bd427edc47ac704

C:\Users\Admin\Desktop\GetClose.xlsx.dyeyfmnf

MD5 2e2f7046deacfe52615a0b37604281dd
SHA1 a43e4bde79955df0d7fac4a6db988a9995cfd08d
SHA256 b127178e2f5104ea47e4ba3f2535859a1ed43be67de34f8aa0d70e370a9c2600
SHA512 b128a82e4e0c2d4dd98ac6abed788e080f4cbbadd24dd07d0389c796e90dfadea63a764f4d86a4a5277fc6c3a5165a1d32c246bb8bb3c1029ff51f1259959ec7

C:\Users\Admin\Desktop\InvokeEnable.docx.dyeyfmnf

MD5 21fb19a4d1aa47e1cbd0cb800c23543e
SHA1 06858d2eb7d1a0165fd27ff1fde5a342516fcaf1
SHA256 93932ab0e0e29cde57b2b140cd528db99095912aa9d0b68d43eb73ec778bfe25
SHA512 adce946de88667c8b040ff8fdde0e1cc4a1276fd0d660eb003bac2716b2a7747a418a183225aec12cb3154bf2230596debf06f4d87bc7b765113ebae81580b34

C:\Users\Admin\Desktop\InvokeWatch.svgz.dyeyfmnf

MD5 895ffbdec213bbe77519b5cb1cc46344
SHA1 52c00c170e7797d6f0af9cb3de5bc11f4ae6ef62
SHA256 19fe952e01b8c638e5400ba8e73248da9c18b81cb5f65d72940707dbc41a2373
SHA512 b9c793133ec8d802da27abe90314f8aa1291c1cefb1731cd8f46913482857eec4a95b69bd45c21ae45a7fd2b468aca8b775577defe5a12abdd4e14d44e46ae48

C:\Users\Admin\Desktop\ReceiveSelect.mp4.dyeyfmnf

MD5 2f88520f2558068d475a38ce5ddf1bee
SHA1 7f740f28c597f45738215a776c31e7e4f326a6af
SHA256 4620ea8e92da844d7442ff2b0053279e1539934304ca90b855a1ec83b22bfd68
SHA512 f48831cbfead922fd78e3bb2bf003f62636b1dca10e53a4a3b7ab2d372490208b78071f29289676e1307dc0c653379512bf00f850aa9a78119d55e379e13651b

C:\Users\Admin\Desktop\UnblockRedo.crw.dyeyfmnf

MD5 8f0c9dae8e64fe32e2529145c4835062
SHA1 37cf06ddc2c4f8d19786de32d0ddad72e8479f1e
SHA256 568bbfbeed9ca35e0da9ba63ad00705cad3986dd8f567b4a1091278796379009
SHA512 13a1cb356da3ce4b6cbc2fcc2c801592c57c4c3ea1b0e30e506873253fd9b94b5e87573e2d40643471d4e5a532b88cbadf40a54795fe16aaf1d94702cdade9b7

C:\Users\Admin\Documents\DismountDisconnect.docx.dyeyfmnf

MD5 c8cbde298298978627bed799b0f9e7c6
SHA1 2334f0bf061cec9cec2ff26bb6a23c1390a107a8
SHA256 d490e14f4ac17af9615db14dc4a37e6973fd0a553b71aaed90cad2aac1049678
SHA512 54975feef6ebb221ebf7a796c74f50d1d03dc133634bf4438dd66a317ad859f15956af7730e149d8cf1279d6911abb312ba71c01be4168fdf0c54a24671045ec

C:\Users\Admin\Documents\ConfirmMove.xlsx.dyeyfmnf

MD5 23163b20fa42dbfcf0528261e0704ddc
SHA1 9266965c7e289d41f91c7c4bae3e20f038e55ec1
SHA256 a72fcd83c46e547bdc01a883596b1c52ab2d5c40ba22f1868f3758ee8350618f
SHA512 0053d487b1aef259fde117e773b99bf8e19b4ce3196630dfa6165070a3dc1cb5aeeb2df0096a548c5e35f3c3c54f163b42bdd5d4c1d80345fe370a18eaeda0d6

C:\Users\Admin\Documents\AssertDeny.xlsx.dyeyfmnf

MD5 8f998db19b6c19187b6b0cd73096bf35
SHA1 1c89571e88841acc50f27a318aaf1efd2acfdea0
SHA256 a507da7fe1de2230d41248945ffbfaf5e5d8a670e3dfb75563f8c891d9cfe9ee
SHA512 c27b54caba08687f250d9468f12a44b79d049e00157cc01be3d21d244702932fb155cc8def143499c903b49f43e14f6b7ec598e755f639305c535d1b2accbc30

C:\Users\Admin\Desktop\WriteSearch.mp4.dyeyfmnf

MD5 a3f6a04257c90732ccebb32e88fb3835
SHA1 eb6b0491f9916c97cea2c01194e0285c5afd0d06
SHA256 bfb164232f8fb648c6bace71739597d8c1f179a795476fd8d4661308ad11cd09
SHA512 bd8b83164a835f6ecaea09cc7cdb6ce7312acc9a05c8613b5677081f1c482908fc728753206c939202b6756b2ef02951c50b18c8210720be0956c1d45800268d

C:\Users\Admin\Desktop\WaitReceive.mp4.dyeyfmnf

MD5 c4f8d968b0b1e43c0c5db96ee28614fd
SHA1 39639a762bb56091347911ef62c6793d49028542
SHA256 c04009ea16d9fc6eb72d4813fb869a37ff3dea0b18b2d8479c3903ee62392064
SHA512 93fe5f718285f1171dcf21bc6734c2d8d96af62e849298bfd2daf81b16215ee572b0df148ce02b8553a3715e2a159f5ef0a94a013da7ae8725646117199910aa

C:\Users\Admin\Documents\DYEYFMNF-DECRYPT.txt

MD5 50d091ae26be4319e8712c99b966a876
SHA1 41a68290e6e25627800cb61fe06545bf933b9b69
SHA256 8e2005e16540e30d9876ea7314acbb6a34c98003151c81dcc47829a5b73f3174
SHA512 87a3c2cf32787b09d18cd64b0e6c50ce86c8bf6f68423415f68c91e3e0eaa6b211869f82f33bad6eb3f63986f34d7e3f6a8a9365cb553bd8b5c9c3ca819e55f4

C:\Users\Admin\Documents\ImportBackup.pptm.dyeyfmnf

MD5 a24de58249de87f7a60118ee7cf7355a
SHA1 d6f8d955c1d73aa74f740638452531bd533cd3d4
SHA256 bd7356447194aad54ea5310d1597e217899288d61228b6167a118d71a6d05a58
SHA512 44e767294ed0b32ab8a8db9d44a69ea517604689aad73ee37cd6c7fa2fff357bf39c2232a09aad71dc9edb7ff030b88718172570c88aed9ffc37dc7a76f2823e

C:\Users\Admin\Documents\ProtectConfirm.xlsm.dyeyfmnf

MD5 71b7cea122dd389cac2845bcc84b9f08
SHA1 966df0beb7a1314dd2ac1c23d370fb7844a6c9f3
SHA256 0200780cae4797ea983aa0cee666378a6d912e3e32cccf86f6d1f9d52f90a6bd
SHA512 baffdcee95ff37128c2b4a1963578ed9eb75c988ad8f09c6ec2013c123676a103fa9bc66cc069ece4b920e92f8913df4edfb83afe8309b383afd9b2351b34ff3

C:\Users\Admin\Documents\ReadLimit.docm.dyeyfmnf

MD5 6c2a863d2355baf68507dc82cdf6879e
SHA1 9f6db3fd4c148876d7218ab807c2de505054ba0d
SHA256 589bd7d23de5a8f4b2aaac61360da028dda14826292f5836a9426bd4c83613ee
SHA512 d3865bc1d61dbeee0f26379b73685d9bfa9a9bedbfcc6e9ec476567b85684e780de0c2a08db5cc176abe60a8e8024a35167eba2e59cbc087f743f2085c1812c5

memory/2528-3200-0x0000000000400000-0x0000000000472000-memory.dmp

memory/2528-3206-0x0000000000400000-0x0000000000472000-memory.dmp

memory/3056-3210-0x0000000000400000-0x0000000000451000-memory.dmp

memory/1572-3211-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar56AC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Local\Temp\Cab56A9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 ac7131d72d304c62c1539ff17817c9fa
SHA1 7563bf18ee7acf8ec83f59855494012bd24c1500
SHA256 21d4ca494e0b9604b32c9c2a08361111c6c27f51ae2645e481ed7cc8bd62e287
SHA512 070f932d1c3fe633da53213d4f7a4c099b0f254e3b1f09731074177ba6823491c2e42ceabf716bbcbccc0f303e83a10a03bd438ef5274d345b745d8a09160e07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51729a24fd36f970536676f710c08d25
SHA1 f761b6abbd3953ce4a95b91c12f4ba4fbd49317f
SHA256 4c0b87a61417d6ced4a9cf01fec0f839c1c84e33f08615f779c0cd9b604959c7
SHA512 f4b6cdacab11aaaae772e65670309f378609b1d94546020023e49e2099e38afbe18154784d180f1932b3374918b621fcc8f95811a43394a3b6eb12c0e13100f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49de457b101795ed5ef20beb747bbbdb
SHA1 c5376efd1e7d1f399000fe07956f7193efe08626
SHA256 32e78307d1a2324ffb81a0e06ac5506b855890e2e19f9fa35aae51a3a4a6654e
SHA512 7b55469b5c8677974da2b2baddfb82053cbeb14a9e88fd30a50b5dee80823367b3269d0ba6b17f71bb6fabe288d628dd46d5c656f9b8881b8b83024293db5560

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 780e96a9e216b12df3d9fc41c6c3c5de
SHA1 4be5ad70dfb2a794d21b490a0e8cd7d63877f2c7
SHA256 88c5ca57faedef01e10a4c919b8ab81d995bb4524ead024464c14990cfa9b64f
SHA512 1e5a5d96495a6fc18856fd26b62d0280766af4d0ffb8fe7637f62c6a35ac4553e3bc54f136fffd3d8d149e9a62e90682d751ca86e71b4fadf4b914377bf171b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f500271b51a0267c9cea330b6b7ab9e7
SHA1 df339ee6b5a3262b51165d33cb02aa7c0bb90330
SHA256 d1f6684dc216ab3993f927edcd880ce1dcf6eb48b9d385f9200786b68be0c3e3
SHA512 e7e5ac47d00b905e5d9866bdfcc30523c090071b2911420b1f7c6fcb254840aa63109f7b94aa44c692e6defd91f27c2f24fbea317866709a64c6e119cd2ca9d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f1d073f0f09948a4080c0c5553eac40
SHA1 16c17554083e026fe22761bc8ce078111af2cbb6
SHA256 2a830129dee0d669c096b8804c0ae8ca0b0d49c5e0b85708724f8d800691bae7
SHA512 88b82a7b2a8b7b2d6584af7dc77ed8c4053f645d6e2e61a1dce3b3585f5434cd2e2207bc727259e83b0cd088fd5725f2f4439a16a925a1df15701f78477116b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 920fcee256b07b7c910aa39f571e2585
SHA1 3e74a4f23a74199f1a16164fa41bad16735ddef6
SHA256 fe4e8a45c9b1f8537b5e65b055aa27d54f148144e19b7f6f9e0f52e052a94b23
SHA512 2fcd43f7da4fdb2ed1feb5d9f8ffef9d43f40261588d058c8f8e7e60f433fec5922d65fa3609c365f98e02e9901d1f2a6554e1ec911cd0b5829af09c1ee9154b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 2a70668f6cc8eba2fb3061a1cffaee07
SHA1 697baacf481407da38898ca606003fbe54184757
SHA256 3e49b6ffbf47211b4a35ea322a96a081a32fa935c854f7b0a4942a42c37feff3
SHA512 09bff548f582686f406f6d54dae24b1a7587c163de38e090decae2da6cd5313344030684ac69709c82e2b9546ce9ca299681b3d262ce891370f5933d678e8d62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d619e038ca43050f8667909bfccfe443
SHA1 093ead664f64d8281c8457bda83b3eb97251648f
SHA256 daa517207cdbb47e7569a479e6355b36c705a4f64f747055161a222c05932fe2
SHA512 6b6bbcd2c2b799d6a1043bbc5185f2adfd462e7c10e3c7841df6545224c1a2707c51210daae69464fd9ddf8b38864784f77cf5134352d2d52f89e006b7c887a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f4e37fb7076b7ea0fc1f96f151db4c45
SHA1 c68b5b563b66db536359583b3d90042a418eda40
SHA256 12c2ff83f6d0ccf49c75ff9818f509b64c14731ea828a675740fc611582917c4
SHA512 7740ac7cad84fcf6b93a0062782f89a5d03829446b3bd7419ffc2ddc0bfb6f97b3f189abaf160eb96d80c4b22a78d5b131c6ac668d3eb87809bdecdf95616cfc