Analysis

  • max time kernel
    64s
  • max time network
    67s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-11-2024 19:56

General

  • Target

    RNSM00313.7z

  • Size

    776KB

  • MD5

    33010f7b6871b4a6d48ad986a7454f44

  • SHA1

    d9890107f31ad288ddfcb9209ca161ae650b8b99

  • SHA256

    6c00dc53bbc28ea49a1998bde2de32e6b343cb5f8c10675fd324ceee1babf569

  • SHA512

    cc7b63824fcb81bfadf2b981ca2790faeaa0b426b942c8bab1eaae78fcff0077e052490f8d369d235cc13a1374da85bdde6c174413b6ec0aee02c5a0369eda9b

  • SSDEEP

    12288:gO2/uqGkN9vJUzF//JNI6/QOLW3qx6LSYv/oOn7WAL7PjUBqy+dM9l89nEwKrx3M:6FGkk/XPJL8tv/l73jU0K9+uwo3M

Malware Config

Signatures

  • GandCrab payload 6 IoCs
  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Drops file in Drivers directory 20 IoCs
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 6 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00313.7z"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2060
  • C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe
    "C:\Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops startup file
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    PID:2792
  • C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe
    "C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe"
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:632
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2960
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1372
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2380
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2036
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3000
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2020
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1812
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2388
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2772
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1716
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2256
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2112
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:304
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2740
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2704
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2724
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2500
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2544
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2892
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:688
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1496
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2096
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1668
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:300
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1432
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2716
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:444
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1572
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:944
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1860
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1592
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:760
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2208
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2628
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1396
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2056
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:884
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1616
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2588
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns1.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:840
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup ransomware.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2820
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup zonealarm.bit ns2.cloud-name.ru
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2948
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2688
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Dont_Worry.txt
      1⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:2336
    • C:\Windows\Explorer.EXE
      "C:\Windows\Explorer.EXE"
      1⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3068
      • C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        PID:1756
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\Dont_Worry.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        • Suspicious use of FindShellTrayWindow
        PID:988

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\$Recycle.Bin\Dont_Worry.txt

      Filesize

      738B

      MD5

      7854423ffc1ddebaf6d2aa0319df9da6

      SHA1

      102f885e12ab54c45788d080dfbfc259719c8897

      SHA256

      d00e18a6aabc9c410cf6ed54974e57d13a29d30cf561e21f3f2d6155fbc2a07d

      SHA512

      0d7b9473e003df7184d88c57c1f2a82c7afce00c560c8b8bf3d111551e89a0b651ec1fbccad8d6aa7042bcf23ba96a804cbc3b5b73466ea8b74bc18f2cc8345d

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

      Filesize

      8KB

      MD5

      ff1338a11f94082f67937a83776f02da

      SHA1

      09043ad356cf938c83609cc7ab7be27777a41b4b

      SHA256

      a9159189383c14acf86b00d2fc21e07a5e17aa0fa6cb42bbc4c1e6e2d0ede13a

      SHA512

      eceff60455bdd79b6c2f40e541d72afa373b0f1d1b4cdf69b5d7f1baedb99a54279cc93b341d65d51a1ff61e7c4941fe684ba93d082cba0031f944d0f5ba5cde

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

      Filesize

      4KB

      MD5

      dc718aadf43d3363c39e98699a00b14e

      SHA1

      f8e286409bac40a2be56124fdd1b7ea457eddbd4

      SHA256

      c55eeb82c9719956f8f9417c656117b3500a8e753e7cec0cfcd18a1d6bd18987

      SHA512

      ca9cf32ebe6bbeb242569fc7a0ce88488e554728df8635872e9068f5149801d7aba0facc011622c46f133119c33569d4af805011bdadf54ad3b0248f80399edd

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif

      Filesize

      23KB

      MD5

      c742d1ceafb9462c599168674faefc63

      SHA1

      b31b3f5eceb1cff906b0c7995b08de42e44f2a3b

      SHA256

      060cf458a582b92a99df8e817bcb380f30211b7e376f5facf1244bf2b8898e0a

      SHA512

      a1fb7a1907ceac6dd9ca88249de425e0d1c5d10e58c5646da5aba75ed09b25e9a99a6879382fb96aaeefec03ff3d4c14defa6391e8b3792e23be03682be6c393

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif

      Filesize

      9KB

      MD5

      0f62f8d8536823d327458f2d2804d19d

      SHA1

      a4f92667c115a770f3b5c19df094218691b7fd02

      SHA256

      49ecb57fc094902a7bc7deedebd1502bd4b4ba5badaa819c01d0e267e93e7b17

      SHA512

      bcc68d33f2154521d34148f131947020413cc8cc86587dc19272b1eb474755ce17f4e527d599d94604da8409d2749be6eb870d48a1c73df3df36a2cf5db1df9c

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif

      Filesize

      16KB

      MD5

      646a9223ae5a84df24791bdc00ff5dbd

      SHA1

      91c2f838a4d6df5bad265f2dbac447233da6d009

      SHA256

      8ce111e8660c02649728bb4a87f8d6c7ab8288f5be8822b905046e346a270b2f

      SHA512

      c6ae662850944ec0b7ab4cdb71c43d42d9a789d8e27c55aa98fcd023c0632bc9b6fe88c5462eb444adfc90139b192346f409db9a2d21953a8fd5f3bd7c57f616

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif

      Filesize

      7KB

      MD5

      fb3f6ad769af2880b23a62ba1af0ffdb

      SHA1

      e64ea2daf5d0a3a4f2d229265d1dc431715a5851

      SHA256

      1a493b9724d9197ca930018343b5488d159ac33754e0f919f56d17a5584e8b01

      SHA512

      965ba4daebaa967add6e472dd8390c71d215e19701990bbb9c7e8b695a122971a1546be97c2359111cfb07f75eca0a4b55983daee840e76aa04921743a7044f9

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif

      Filesize

      21KB

      MD5

      d72e6eb8a8309941a2b380b2ca30821e

      SHA1

      0fd5fbd7deee6cd07e4a74b57b5a60616cd8ef5f

      SHA256

      552d92940dae28fbe3a63956003296849610db505919ae717d88d1ba4ddf1612

      SHA512

      51e010650f64ee46f272ad7abc0af57c246d237bd76133c6e95c54f4fa88612561c3e26d44b6642b24b94ce5fcf44f96c5707ec66d1f694fde42edc1743d1b2a

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif

      Filesize

      7KB

      MD5

      7103f26ea8f2ac5c440dbf18273f99d4

      SHA1

      4011bc112336f109c6bcd8c1b21df4de3635cd3c

      SHA256

      4636e3b31395c0f0c196b815284abb70971d446d2d8837c242c1751f1810ae27

      SHA512

      8afe492bd4cef43dc052b2149826dad46d89887f6302d1dd719640ad47bd486f2000ba64779fa92ed5e5e26781057e5b2ef138873ee44e66582b0025b8f9647a

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif

      Filesize

      16KB

      MD5

      ab4732bc1776ea4d8a9557ca50efb8bb

      SHA1

      6d1860d6aea68563ade6d018f553071b33e1ba7f

      SHA256

      59537f3abb0ae75741f7123f303b7f30a49c8570f0c05854d3d02b3172a345fb

      SHA512

      04cfdc6b0b98afa1de8a0701636cb41fe5d91b62a715b1e6fac01b0a0b1b0148af2d24fc65a561383f82ee5d170aa0be79323a9a37568753d7d9aed7a8b0159d

    • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

      Filesize

      6KB

      MD5

      f8b48ff399879463b24320a3f6f95e5f

      SHA1

      31e92d63a47795a0e965fa44389b675419e2406d

      SHA256

      aa98a5736746aba566f4e79a10cfe1629546f29b11efa15f0f544664ef47aa68

      SHA512

      c3af8b27e1609f567dcc49d3c670e70c413f0e1ccc5de024c022091f2a1876908f7089fc7db7563030220ffc59eb401022760bc0be0abe24e8ee31a9dc784aaf

    • C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

      Filesize

      248KB

      MD5

      fd05ac3aba645998561da31810b0a488

      SHA1

      836dc1f973b190408480bfb6ee803551f23b0ed5

      SHA256

      202cd943e129775947367177b712b32530b40fb32ef548f05cba902d856edd3e

      SHA512

      50af8854026c2e50971fd98a7ac7efc0ce8af044e1d2f6c378de0067cb0f2d81f379f435e44ee0a5ab2ff76d295ad2f225bc09a1c2d3a458f698c974d684ad0a

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

      Filesize

      13KB

      MD5

      79218353e126f9d5c9a4ca6e9b867974

      SHA1

      fae7528d18aaec9bed9734d784b58114259572f3

      SHA256

      5e35ad3b5a248057f8e5ae6b00ee74f9a1fe04e656c1c95968e289cb0e215e1c

      SHA512

      f747ab7ac020b1c528301c9ac01dc8ee092a0df5c618d79950c1774fcd585bac6c5808b416f80d66a78e2a9b998fe0b07e7b3a5e0ae020226e5287e0f04c0510

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

      Filesize

      10KB

      MD5

      b3bac3bb1c9553de510e859ed4574e9b

      SHA1

      ec886048805f5412799694f5a6dccef2a015f7f3

      SHA256

      5e033f8db1a5058f10678fcc047a621839a63c874184f43ff596425ef345c00f

      SHA512

      a9500087bd9743ac214a391c7800f7e53b3fcd0348703b1d54418259f4c8f002e0858799bc658eb54eb8c4a9cdded93d49468add0f202a8b2cfb4d49d68e6ee3

    • C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

      Filesize

      12KB

      MD5

      c6227af1bd1230846c90d4a878dbab45

      SHA1

      f29e52a8d770e3deb511fa54de34f74b14fea388

      SHA256

      60e7f25483de01dfa3edb3e68764f9dcda27fc3f5fe9efa7a950d2713df8e891

      SHA512

      9ffca7e53f39a1e7632035d54df1b0098704e451a3c23b9ab129644b4f8c29cab1957c825559684609665036d55ec15632f348328c767370bded25c5dbcfa6ab

    • C:\ProgramData\Microsoft\Windows\Caches\{07060702-62E9-40C1-8DB2-3263C50BD613}[email protected]

      Filesize

      3KB

      MD5

      2b80fa2c3ac6103aade81f26c778d882

      SHA1

      c340f61ca3adc0576505138001e469dd890c8a29

      SHA256

      e62265b2fc997b2e5c2053f6bf23f7b85e7323e97eef703500ecaa1709115d5d

      SHA512

      8b97cde6b645833a00e2f4955d696f57d7b3c5c9c1fccaad3fc93c6456b1b2aee5a7c3a89770bc61c311627a311ce8de3cb2fede5b7df53412a924877f6d9db2

    • C:\ProgramData\Microsoft\Windows\Caches\{0D117D84-DD73-4973-9E97-7931BACD5E7C}[email protected]

      Filesize

      2KB

      MD5

      a48f08e0ae3758a727f3197d9e35ac34

      SHA1

      3f97d32adf64f57b3c91c54f87cfc7ee1907e0f4

      SHA256

      a3186f521a14ae68ee47ee4b2acf51f8b1b39351a471a3e9f0e04669b8ca3d02

      SHA512

      9430cc009edb99d6daad5f942cf6ddeb9c0181383dc4ecfd880ec570a029b5aad981cbe6fcb3904ab8bfa58fe0f9b762b8f4846ebd660b7f526b3ba3d6ecae18

    • C:\ProgramData\Microsoft\Windows\Caches\{0D117D84-DD73-4973-9E97-7931BACD5E7C}[email protected]

      Filesize

      2KB

      MD5

      eacd38852b81dd1b6e89fecfe423aa90

      SHA1

      744724c24830b9429868e8b3b10daabcf67b8222

      SHA256

      77b5acdc2dfc5b39525b94ef96f3e667c3bdb2e132f3183dc3190b83227324ef

      SHA512

      0d59e22989b856c74e9212e595b8b26c155b579be51907606b7f6c95472ca4bf66e51a9ad2b7bf6d86cbcae68f14d651c6116abe098a32c937aa083d2928426c

    • C:\ProgramData\Microsoft\Windows\Caches\{50BC2B31-83AC-4CEA-AE2D-B6C712F47ADA}[email protected]

      Filesize

      2KB

      MD5

      7941dc853474a85ffd1f7355458eb890

      SHA1

      9bb70ecebf33fe2f7e65b1f97d290822ead20ffe

      SHA256

      e836c54e733beb54125ef1ff57215b9a3f535c8d1d777ccee85efc39dfa109b7

      SHA512

      c1ca7e21cab84a738c53ee359208af35c102218e1f6ac117ea8b3cdb72ae5b9bc631b7f7d2f102c88c6aa1c4a02218889dbb168e845c30b8eb41697d86b8bb58

    • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}[email protected]

      Filesize

      191KB

      MD5

      f2ec120a92b723b6b684e03d058bf507

      SHA1

      e399b0a4c2da12928086038fc4ee1b44768b2ae3

      SHA256

      55ee2e24f42b5ebac07437639a4c6a756cf5bc33ee1f82ac5ad6f1e9349fe7d4

      SHA512

      4d92dd103060363fb545e9b26b835779a8eb9f20ef8bd72ed300f2dc68e544f6ec2f90435b30970c05da1f1df56e1644fa31e16858b1e00d7e3e22bbf9db1aff

    • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}[email protected]

      Filesize

      406KB

      MD5

      520cd9b3b53d322aa8f96d553f160a71

      SHA1

      8305602a325b580acdfb07f9659c7d02a284e1de

      SHA256

      2da2dbcb4247dcbb1b587c70cfced2175ce73e40e4b4170b93ebe5e68a98c47f

      SHA512

      284748d328a2b89f82ff051ed3ece3bedb3cc10970d467e22b3fc8cf760dc18294be171da5aa13521bcb65a770b434c92b9e68d98f53678b1218a67e363b515d

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_2

      Filesize

      9KB

      MD5

      38e420844fdd5e31e8fea8653d169b0a

      SHA1

      70527d2856f41931d5c4806dd033a4d0fa12fdd5

      SHA256

      631da3b1118b2545f06e8377f2624bb6bd7fd455f4f9a0c8293d153dc6e8fcb0

      SHA512

      a265027b0295fd6565f64e14b1b0f54cb7005971f8b1995cfb3c4fd912a75cba540f2fee020181282276026c0ca47008e5e0ee9a881c88859c99705240d65afc

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_0

      Filesize

      9KB

      MD5

      768f3572b3c1f9ddd6f3205371d1608a

      SHA1

      92da5e50b441eca04bbbf2dc251a991d88ca60ad

      SHA256

      d422942ad0b497140a383798a6e1f30b202a4817c412fbc1f721f46430fb948a

      SHA512

      4b05f446edcb19746a796d0ad3ff8950502a25d1aadf2b31e1f70ee459808e178794dda1dba1618696a93549d2db288905704dd9e8a4167166cb18b475bb0651

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

      Filesize

      265KB

      MD5

      4f05826a6acbe367623844aa10ae7856

      SHA1

      0234b38535cee833dd4aa8ceee5b850bd4ec2026

      SHA256

      29879e6ee4b6acf1cef4fd375e8bc2e33592893f4d022b1252ac8d7315ef6016

      SHA512

      df0e2e3c34919c3a69ff6cf0a5e8b6aab26416c8178daa9ac87c7aec46969d435e7479f79faedbb19f8bda1da77659764acffb6f7a3769ae16c24faa6d6718ef

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_3

      Filesize

      9KB

      MD5

      9496c9a347b61f3cbb440fe0a4d9ff81

      SHA1

      efbc6c774984f59bbe08087a570321fff38c87f5

      SHA256

      d1a0b3f9ca47d086c6536ebfca0b66545e8e3e60cc04106e2a4a2d10119d6fb3

      SHA512

      24558d5781719d328701403a06c0603f236246c03c1cb37c8655645404d6a120e9cc7addb53c466a433729e940d7f54512415b156e31289f4824ae05a62dd2b0

    • C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs

      Filesize

      2.0MB

      MD5

      ae90134934deed3e22a35d28dcd7db00

      SHA1

      0c0585277efed2a414d3d3a82401dac79cfed459

      SHA256

      47e1dcfc8ad546da9b7f26b62d6ecfe0924941c1c1e75ac71b769483abdf967e

      SHA512

      291d44b97c0de886b3a2c4b4ccafdc796aa63b447c8f624e364205ad6b9b2169445032a530f270786146687571f6fc0d61d1cfb52687e43ae0a5344938c94600

    • C:\Users\Admin\AppData\Roaming\Microsoft\sbuhay.exe

      Filesize

      258KB

      MD5

      b36e32f3dc68d1670518889f01cb9cb5

      SHA1

      0ba69817c2d26d34778674c5ffb3b9d192d871c9

      SHA256

      dfae30c29c69a6431828b83dddf0386b5b692c86a56fa844e8f31a05cbc25ec6

      SHA512

      09f46b47cabbbf271604615ede79b293af3fb1bce86ab2db609fe9d0656e6ea54ab30a877a44f01faf29ca6464525da87a7e3a5b97d378a4dcf3305ff975923c

    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

      Filesize

      49KB

      MD5

      77e729b1c721183a0d034d3a663030c0

      SHA1

      f209303904e7805fbc27854f3597e01ff87d030b

      SHA256

      d2c5a49efca00a83a06ede90a2e11d26018b66ee980b884d7784472a10d891a0

      SHA512

      7df6388e6d2e858d4c1a40b715d0de2a4c6bd6dff50838270a4443c8309a145bde2bd521f5c9b7fb22ba1cc49046a2daa800a0bf79adce4eb01fd5f91d557095

    • C:\Users\Admin\Desktop\00313\Trojan-Ransom.Win32.GandCrypt.abw-053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131.exe

      Filesize

      258KB

      MD5

      314e24a6def3af01f320ae5384c494e8

      SHA1

      15de9768f8ae8dcc462a9d33382bd86ecd5925ac

      SHA256

      053b9fdab60ab124178e23b4598f2b10e71b2caf1abcfa51c857f0801f555131

      SHA512

      9f86fc4e295fa39db1c297dfd0d5745f55bacb74c6ab19bdb0b03c12d4c4e77957cb4712e8f6f7d866b3fefd0ce114a2d99b0e8ccaffc3c05d7054d75241ae0c

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      22KB

      MD5

      b876e23387c04f12102fe432af83fa15

      SHA1

      5ba5aa4402458cd712fd428e6939b4069cb5d342

      SHA256

      a833b1e0280b7b843c403b1855d3e07fdd25d3b2eeab281d9bd64c9b4dc6e929

      SHA512

      5ad0648499d301c865967cdc4ff087f9d04a2b3630539e51bf146119ff6fc85cf2522dcbd0c62498c8ef4940cb5fa314ead876c343217eab80e60e945b238e5e

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      237KB

      MD5

      f6376b2b1d788f5fc49f1da14a4477ab

      SHA1

      be81e1657bf0ef57c913b90892e98a7dccaadcf5

      SHA256

      9cdd75ae28c58b8d829c9bea863288009c23316de21ca7d96c2dfd64e885cb0c

      SHA512

      f8dfc2fe3792be1927d5678348e94918d7f8662188b5ce735294b5a104391bfab4da5a188fe32abae658073fd7f4657edfe394eb8770c4dc9e7d013241ebf77f

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      128KB

      MD5

      583ec09249dee1d00a6d860eac0b3ddb

      SHA1

      58740aa50ab6365f168b9cd9a36c47ec98ab83c7

      SHA256

      3a3873924166782dc63a1ec701259eaf06b0bec7813260af001ee74c2ebe9d6e

      SHA512

      180b294a0f217454e2f28a01bd574d0540d1e56c3fa58af22d90ee99c5bcee0feb25cda3c996dbc59313919fb83e14b93b6c0c0b2606a2ea415dfca1b7814624

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      328KB

      MD5

      9dca826121e257eece58603b62b3be66

      SHA1

      bc78af91586197d9f7c63d49f0790ca200ee3904

      SHA256

      e09c86ef4893921ebb97eb353dd665d7cd47cf91c0be8c9470621fd0882ad7d8

      SHA512

      72996e44fc4477128e48732e6a1ad3d642dadf8ed710b0be9322f690ae7e47bfa3848d2094002aa97528878ebecd86e0064c681d1c0e1b8464c25466b78dcfeb

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      246KB

      MD5

      b0d7b22856fc95a759870ca73f9eb72c

      SHA1

      f3cc6e454ce905937bd15e3909c854e0d128fedf

      SHA256

      e3cf76b93ff6b6e6fff4093de9af293af1d656e88fe9c6f6c501b0cf9f715156

      SHA512

      c3f06cf5312512f9676baf2dfabc3712e4845d9415a65bed768cc16deb3d7226dea540c7186dbfd32e1502075cd018bd357b20f6e1a9ecb5806b991dba785955

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      201KB

      MD5

      0c428b2413b9dac8d07308c3459a18b1

      SHA1

      77b4bd2afc5c3e92245d0dd5ee49971ebbb05151

      SHA256

      0197a0ea68d31334a6de8db7e19a5cbc7ceee86a2a542921ccb504189aebbd3b

      SHA512

      0fd768368dbe6a8305d251275aecb24df745be9cd1af471bfcb7b47df67ae24578c4da371599cd1e7717e6657f1979e2af565befa35f84592b7371e302c043bc

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      319KB

      MD5

      44ce84f1b19f772654a2acee347cd2a2

      SHA1

      01232b8010a9bfbb943538c2ad76eb74e52c8beb

      SHA256

      f8577014fff7632dcf2abe1e3342e2fa9bd14343db94eafb5e2d18ce65c50d36

      SHA512

      de788e3de62bc03d7c91ba52bba2a7e80454c311f7dfce6ea411015fc90e9e7c69db5cee37cc6edd9490dc9025e80dd81c8eb4a7471d5519a5cf56cbe22d9216

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      210KB

      MD5

      cfa4eedb02ecb09302c27392ac45ab8a

      SHA1

      458630cdb18611d1f0bed83ead6685a4786dc1a0

      SHA256

      15b626a5e3f9f7cc0abe406c36d5b4b2f47fa314070054d3d4dbf253b2730fb3

      SHA512

      1fc0afc8d891dca35ae21a6df3a31e24b86e6986bf5a7bdec4ca95f3cde66ee916d1fecf6637a2c9328f47e4cc39e0c4a8d83bb54794c43d773ea8ee37ac0848

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      17KB

      MD5

      05dd2a86d0819a64ee4147b966def608

      SHA1

      27feda7aa02265c17161f4eebcfba9281969b0c4

      SHA256

      3ffdb45b84b24b753d2e66334ada430c76917bd3a744276ec19863fd13a0faee

      SHA512

      aa80726120aa3209804a1ada61d9c94dd21836caa2cc04ea3b40ef03f8bfc855c995359ba612bee9a85de98bb60dd5b115732018f0021e599c167c70cab11787

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      283KB

      MD5

      0c6c1e90e5250d3fff1cddc1b1cf5204

      SHA1

      3c496687b0efdb0f86e90fdb1f32460ffe575637

      SHA256

      0c704e059058a3dba4d8594c119947b9fb75565f73ed6baf5da2a33fbfbe8841

      SHA512

      846d2a73199a94d90e3a72d6045eef650c2d980f1776af344560f777b5036b7cea2d443e2b510c00205f5a76de8c6a1f6c82f6cb50bd3a98edcdd50bb47a2195

    • C:\Users\Admin\Desktop\[email protected]

      Filesize

      17KB

      MD5

      72f74d0ec5e85728a9c301dd8dc78244

      SHA1

      b13a3f739e43932397edfa3212aa6d0ef36d96cb

      SHA256

      065308d90c692f7fc02719e9dc60071524f709bb2d14eb1ab9c001f79898f537

      SHA512

      a4ede483761e6d72e512e43865c6ab5a813ded1a2ab03e42d6bb44a9ff9fbc9ad7d71fabed1690ba081eb5ad4c0c96472dbbfb063c17789279a5b6956e45a50c

    • C:\Users\Public\Desktop\Adobe Reader [email protected]

      Filesize

      3KB

      MD5

      7b6a6fda31cea706baeff6a36eb5b3c7

      SHA1

      06dc9933b2a6e105cc1096fe76691e530c191b93

      SHA256

      e010c2e31c22b56285e8dff4daf333b22fffb468a8df9c411ea175af62b30014

      SHA512

      f093a80eba669763247f85b91115f8304177ae04fd436662099c13acd95c6644516f1dbb685f0e46fe438fbdcc6831f6a89fe42a2c1528f9db6c53f64a2cb847

    • C:\Users\Public\Desktop\[email protected]

      Filesize

      2KB

      MD5

      4bcf454bb318f56a4190f4a469dab94a

      SHA1

      8dc8f2e9af4306f92b35529c95e2eb3ea967009b

      SHA256

      2dc8a5ed6e69f598c06b060a2504144ef65d5507d59b2c479c55377275a93e67

      SHA512

      8c0e83582a5c15efbee22e2fd2d51aa1625274530bac6c7bd0466dd8dcab6b7fb0d3998a795079e3557d9e521178d1a0dea4a436b0abd9a744ae70e15654131c

    • C:\Users\Public\Desktop\Google [email protected]

      Filesize

      3KB

      MD5

      1c23a921de0997f4e588a10aa17261ed

      SHA1

      23b5dd5dd40532879a0e74f4bfe71b003b7d6c6b

      SHA256

      fa4ada9dbb16728020a22f554f247e42c132482c438d0d43694db2e5a9fa2aef

      SHA512

      c3b071a3c765a59d5acd5e8a51a16f02ee3281fc3668663ab9f03280b7712bd1c80c35bd8c532d9666c2345ad72d21c5715e3d5d9c99ff512f9d4de032fd0275

    • C:\Users\Public\Desktop\VLC media [email protected]

      Filesize

      2KB

      MD5

      984603b2e3637492c106e1aa03b9a1a2

      SHA1

      33c3b728e54d3e2d1b561639032f77d67fcd6b1d

      SHA256

      c7d749b47afc2de4cbafd35a1b781a90f29fb1b0c9c126769990d15fdd1c018e

      SHA512

      c72c8da205235d40520e1f0fe91f5378738ac7f2ae321e8212245e0ff3beac977586072cff46588fde3d12c45ed42940a3bfcf76226aabb8eaf5b22f59d9edfc

    • C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

      Filesize

      14KB

      MD5

      b553b63041a28d7e5b52e19b9651329b

      SHA1

      7f4899945d9148bbc9b4dbd20775049fa69f0d28

      SHA256

      08ca31cd6e055cd6fbfce197d71727b5f8d6a19389f64f573815ff12ff841f7e

      SHA512

      688ad6acc4a8ff13fc14bd432866b9236694bd5b4fb16c85c7c02a4dea3cf4da64d327417d073bc6725236873c1aeb442f46a3442bf840175a930c1d02878004

    • C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

      Filesize

      14KB

      MD5

      ee21f1e7fc3c8e3f5dff68e21fff8833

      SHA1

      53f70f590cd7b7280704a2b501510846b879fc17

      SHA256

      8566b4a7cbe31829d236f19ad36f17b06d8608fd51b372301248f0ffcb74c1b7

      SHA512

      14218f5abcb3b8767777a865cee71bfff243303815a986937af1e6517c59035953cbc84c2d02da6f4909867e67e2744a146610e39cffe2379176bb4c4a94c1cd

    • \Users\Admin\Desktop\00313\HEUR-Trojan-Ransom.Win32.Crypmod.vho-1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4.exe

      Filesize

      2.2MB

      MD5

      f5f2f6c370db4b38bdf8032ea3ef2a64

      SHA1

      b5e188540539bc2b1d128f408160fa91e724c84b

      SHA256

      1f4e927f6e5ff4ae660f4d99194a9a7c05d5d829c6c3dbe1ee52a00fc740d6a4

      SHA512

      f2216faac5d07fb2d6f3faf6cf1e18e94c0ada8aba35a8d2d8491efd1ada526d5358a592b6877a9783cc9b5e81dd54fec8b9969ffd650c0f8aff2e3243dbe18c

    • memory/1756-13323-0x00000000002C0000-0x00000000002D7000-memory.dmp

      Filesize

      92KB

    • memory/1756-13325-0x0000000000400000-0x0000000001CC5000-memory.dmp

      Filesize

      24.8MB

    • memory/1756-13404-0x0000000000400000-0x0000000001CC5000-memory.dmp

      Filesize

      24.8MB

    • memory/2792-15643-0x0000000000400000-0x000000000064A000-memory.dmp

      Filesize

      2.3MB

    • memory/2792-12143-0x0000000000400000-0x000000000064A000-memory.dmp

      Filesize

      2.3MB

    • memory/2792-7749-0x0000000000400000-0x000000000064A000-memory.dmp

      Filesize

      2.3MB

    • memory/2792-14701-0x0000000000400000-0x000000000064A000-memory.dmp

      Filesize

      2.3MB

    • memory/2792-2374-0x0000000000400000-0x000000000064A000-memory.dmp

      Filesize

      2.3MB

    • memory/2988-3357-0x0000000000400000-0x0000000001CC5000-memory.dmp

      Filesize

      24.8MB

    • memory/2988-419-0x00000000001F0000-0x0000000000207000-memory.dmp

      Filesize

      92KB

    • memory/2988-417-0x0000000000400000-0x0000000001CC5000-memory.dmp

      Filesize

      24.8MB

    • memory/3068-14611-0x00000000040A0000-0x00000000040B0000-memory.dmp

      Filesize

      64KB